About default notification rules

Trust Protection Platform provides several default Notification Rule templates. A Notification Rule stores the criteria the Venafi Log Server uses to select system events and the responses it provides to them. You can implement these Notification Rules as they are or use them as a guide to create your own Notification Rule objects. To learn about customizing the default download notification, see .

IMPORTANT  The Notification Rule objects are not functional until you configure the associated Channel object. For example, you cannot receive certificate expiration notifications until you configure the associated Simple Mail Transfer Protocol (SMTP) server. For more information, see SMTP channel.

Default notification rules

Notification Rule: Description

ACME certificate enrolled

Alerts the owner that a certificate has been enrolled via ACME.

Adaptable Script Modified

Alerts the system administrator if any adaptable script has been modified, because such a modification may represent an unauthorized change and a potential security risk.

Application Needs Restart

If a Web server needs to be restarted after a certificate or private key is installed, the application driver generates an event. When the Venafi Log server logs the event, the event triggers this Notification Rule so the target channel sends an email notification message to the Contact identities assigned to the corresponding Application object.

CA Authentication Failure

If Trust Protection Platform cannot authenticate with a configured Certificate Authority, it generates an event. When the Venafi Log server logs the event, the event triggers this Notification Rule so the target channel sends an email notification message to the Contact identities assigned to the corresponding CA Template object.

CA Communications Failure

If Trust Protection Platform cannot communicate with a configured Certificate Authority, it generates an event. When the Venafi Log server logs the event, the event triggers this Notification Rule so the target channel sends an email notification message to the Contact identities assigned to the corresponding CA Template object.

CA Manual Approval Pending

If a Certificate Authority is configured to require manual approval for submitted CSRs, the administrator must log in to the CA to manually approve certificates that are being renewed.

When the CA requires approval for a certificate renewal, Trust Protection Platform generates an event. When the Venafi Log server logs the event, the event triggers this Notification Rule so the target channel sends an email notification message to the Contact identities assigned to the corresponding CA Template object.

Certificate Escalation Expiring in <X> Days

Trust Protection Platform generates escalated certificate expiration events according to the time parameters configured in the TLS Protect object (Monitoring tab) in the Platform tree.

When a certificate triggers the configured expiration escalation threshold, the Certificate Monitor module generates an escalated certificate expiration event. When the Venafi Log server logs the event, the event triggers this Notification Rule so the target channel sends an email notification message to the Contact identities assigned to the corresponding Certificate object, the Contact identities assigned to the applications that consume the certificate, and the local master administrator.

Certificate Expired

When a certificate expires, the Certificate Monitor module generates an event. When the Venafi Log server logs the event, the event triggers this Notification Rule so the target channels send an email notification message to the Contact identities assigned to the corresponding Certificate object, the Contact identities assigned to the applications that consume the certificate, and the local master administrator.

Certificate Expiring

Trust Protection Platform generates certificate expiration events according to the parameters configured in one of the following locations:

  • The TLS Protect object (Monitoring tab) in the Platform tree
  • The Policy object’s Monitoring tab
  • The individual Certificate, SSH Key, or Symmetric Key object

Certificate expiration notices may be triggered at 90, 45, 30, 15, 10, 5, and 1 day before expiration.

NOTE  The default certificate expiration notification period is 30 days.

When a certificate triggers the configured expiration threshold, the Certificate Monitor module generates a certificate expiration event. When the Venafi Log server logs the event, the event triggers the corresponding Notification Rule so the target channel sends an email notification message to the Contact identities assigned to the corresponding Certificate object and the applications that consume the certificate.

NOTE  The 5-day Notification Rule also sends the email notification message to the local master administrator.
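As an added illustration, not Venafi code and not using the Trust Protection Platform API, the following Python models the threshold and recipient behaviour described for the Certificate Expiring and Certificate Expired rules: one event per threshold crossing, and the local master administrator copied only on the 5-day and Expired events. The Certificate class, the make_cert, check_expiration, recipients and simulate functions, the "local:master-admin" identity and the sample dates are all constructed here.

```python
from dataclasses import dataclass, field
from datetime import date

# Expiration thresholds named on the page, in days before expiration.
DEFAULT_THRESHOLDS = (90, 45, 30, 15, 10, 5, 1)
LOCAL_MASTER_ADMIN = "local:master-admin"  # placeholder identity, not a real TPP name

@dataclass
class Certificate:
    not_after: date
    contacts: list                            # Contact identities on the Certificate object
    app_contacts: list                        # Contacts on the Application objects that consume it
    thresholds: tuple = DEFAULT_THRESHOLDS    # policy/object override, if any
    fired: set = field(default_factory=set)   # thresholds already notified
    expired_sent: bool = False

def make_cert(not_after_iso, contacts, app_contacts):
    """Build a certificate from an ISO date string (constructed sample input)."""
    return Certificate(date.fromisoformat(not_after_iso), list(contacts), list(app_contacts))

def check_expiration(cert, today):
    """One Certificate Monitor pass: the event name to log, or None.
    A threshold fires once, on the first pass where days_left is at or below it;
    if the monitor skipped thresholds, only the lowest one due fires and the
    others are marked consumed, so a stale 90-day notice is never sent."""
    days_left = (cert.not_after - today).days
    if days_left < 0:
        if cert.expired_sent:
            return None
        cert.expired_sent = True
        return "Certificate Expired"
    due = [t for t in cert.thresholds if days_left <= t and t not in cert.fired]
    if not due:
        return None
    cert.fired.update(due)
    return f"Certificate Expiring in {min(due)} days"

def recipients(event, cert):
    """Who the target channel emails for this event, per the rule descriptions."""
    who = set(cert.contacts) | set(cert.app_contacts)
    # Certificate Expired and the 5-day rule also copy the local master administrator.
    if event in ("Certificate Expired", "Certificate Expiring in 5 days"):
        who.add(LOCAL_MASTER_ADMIN)
    return sorted(who)

def simulate(cert, iso_days):
    """Run one pass per day; returns (event, recipients) or None for each day."""
    out = []
    for today in map(date.fromisoformat, iso_days):
        event = check_expiration(cert, today)
        out.append(None if event is None else (event, recipients(event, cert)))
    return out
```

Running simulate over a span of dates shows that a missed monitor day collapses several due thresholds into the single most relevant notice rather than sending a backlog.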

Certificate in Error

The certificate is in an error state. A problem was encountered during certificate processing.

Certificate Installed

When an application driver installs a certificate on the consumer application—stage 800 of the certificate lifecycle—it generates a certificate installation event. When the Venafi Log server logs the event, the event triggers this Notification Rule so the target channel sends an email notification message to the Contact identities assigned to the Application object.

Certificate Ready to Download

Certificate processing is complete and the certificate is ready to download.

Certificate Renewal Started

When the TLS Protect module initiates stage 0 of the certificate lifecycle, it generates a certificate renewal event. When the Venafi Log server logs the event, the event triggers this Notification Rule so the target channel sends an email notification message to the Contact identities assigned to the corresponding Certificate object and the applications that consume the certificate.

Certificate Renewed Not Installed

When TLS Protect has renewed a certificate, but the application owner hasn't installed it on any servers, this notification rule template can trigger an email to the certificate owner.

Certificate Revoked

The certificate was revoked.

Certificate Signing Request (CSR) Needed

A CSR is needed before certificate processing can begin.

Device Communication Failure

If Trust Protection Platform cannot connect to a server where a certificate is installed, it generates a communication failure event. When the Venafi Log server logs the event, the event triggers this Notification Rule so the target channel sends an email notification message to the Contact identities assigned to the corresponding Device object.

Discovery Completed

When the Discovery Manager module completes a discovery survey, it generates a discovery event. When the Venafi Log server logs the event, the event triggers this Notification Rule so the target channel sends an email notification message to the Contact identities assigned to the Discovery object in the Discovery tree.

Discovery Started

When the Discovery Manager module begins a discovery survey, it generates a discovery event. When the Venafi Log server logs the event, the event triggers this Notification Rule so the target channel sends an email notification message to the Contact identities assigned to the Discovery object in the Discovery tree.

Login Failure

Triggers any time a user attempts to log in to Venafi Platform but fails, whether because of an incorrect password or another authentication issue. This notification goes to the user whose login name was used in the attempt and includes the IP address from which the attempt was made. If a user receives a notification for a failure they did not cause, it alerts them that somebody is attempting to access their Venafi Platform account. For additional information and configuration details, see Configuring your system for login notifications.

Login Successful from Unknown Source

Triggers any time a user successfully logs in to Venafi Platform from an unknown location (as determined by IP address). This notification goes to the user who logged in and includes details of the login, such as the IP address from which it was made. This notification is important because it helps users monitor logins from remote locations: if a user doesn't recognize a location, their account information may be compromised. For additional information and configuration details, see Configuring your system for login notifications.

Expired CRL (Certificate Revocation List)

The current Certificate Revocation List has expired and needs to be updated.

Notification Channel Failure

If Trust Protection Platform cannot connect to a server where a certificate is installed, it generates a communication failure event. When the Venafi Log server logs the event, the event triggers this Notification Rule so the target channel sends an email notification message to the local master administrator.

SSH

The set of agentless discovery, key, keyset and certificate notifications for SSH.

  • Agentless SSH Discovery Complete
  • Agentless SSH Discovery Started
  • New SSH Key Detected
  • SSH Key Change Completed
  • SSH Key Expired
  • SSH Key Remote Change Detected
  • SSH Key Violation Detected
  • SSH Keyset Rotation Completed
  • SSH Keyset Rotation Started
  • Certificate Ready to Download
  • Certificate Renewal Started
  • SSH Keyset Rotation Suspended

System Errors

If errors occur while events are expiring, the Log server event triggers this Notification Rule.

Validation Failure

If the Validation Manager cannot complete a Network or Onboard validation, it generates a validation error event. When the Venafi Log server logs the event, the event triggers this Notification Rule so the target channel sends an email notification message to the Contact identities assigned to the Application or Certificate object on which the validation was conducted.

Workflow Approval Pending

When Trust Protection Platform issues a workflow ticket for a certificate approval or workflow injection command, it generates a workflow ticket event. When the Venafi Log server logs the event, the event triggers this Notification Rule so the target channel sends an email notification message to the ticket approver.

Workflow Ticket Rejected

The Notification Rule that manages events from rejected Workflow tickets.