SMS PASSCODE Authentication Failure Email Alerts
Written on August 3, 2016

SMS PASSCODE is a good tool, but it does not provide functionality to alert in the event of an authentication failure. It does, however, log quite verbosely to Windows event logs. Built-in Windows functionality can be used to receive email alerts when a login fails:

Create Send-FailedLoginAlert.ps1 script

Copy the following to a known location (in this example, C:\Scripts\Send-FailedLoginAlert.ps1).

# Fired when a SMSSec 2000 (AuthN failure) occurs
 
$SmtpDetails = @{
    "SmtpServer" = "smtp.margiestravel.com"
    "To" = "admin@margiestravel.com"
    "Subject" = ""
    "Body" = ""
    "From" = "alerts@margiestravel.com"
    "BodyAsHtml" = $true
    "Priority" = "High"
    }
 
# Get the latest 2000 event from the SMSSec log
$Event = Get-EventLog -LogName "SMSSec" -Newest 1 -InstanceId 2000
 
# Tear the details of the event apart into a hashtable we can work with
$EventDetails = @{}
$event.ReplacementStrings.Split("`n") | % {
    try { $EventDetails.Add($_.Split(":")[0].Trim(), $_.split(":")[1].Trim()) } catch { }
    }
     
$SmtpDetails.Subject = "'$($EventDetails.Login)': SMS PASSCODE Login Failure! "
$SmtpDetails.Body = @"
<strong>SMS PASSCODE Authentication Failure!</strong><br /><br />
Timestamp: $($Event.TimeGenerated)<br />
Username: $($EventDetails.Login)<br />
End-User IP: $($EventDetails.'End-user IP')<br />
Reason: $($EventDetails.Reason)<br /><br />
Session ID: $($EventDetails.'Session ID')<br />
"@
 
Send-MailMessage @SmtpDetails

Create the Scheduled Task

Create a scheduled task, configured as follows:

Now, any time event 2000 is fired in the SMS PASSCODE Security log, an email will be trigged using the parameters in the script.

Comments/questions

There's no commenting functionality here. If you'd like to comment, please either mention me (@chris@aus.social) on Mastodon or email me. I don't have any logging or analytics running on this website, so if you found something useful or interesting it would mean a lot to hear from you.