Creating a Block Event Activity Reaction

1. Select Add > Block Event Activity.
2. Give the automatic reaction a significant name.
3. From the drop-down list, select the number of minutes to block this source.
4. Select Save.

Creating an External Script Automatic Reaction

To add an External Script:

1. Create the script. See the Guidelines for creating the script below.
2. Put the script on the SmartEvent Server:
   1. In $RTDIR/bin, create the folder ext_commands. Run:
      mkdir $RTDIR/bin/ext_commands
   2. Put the script in $RTDIR/bin/ext_commands/ or in a folder under that location. The path and script name must not contain any spaces.
   3. Give the script executable permissions. Run:
      chmod +x <script_filename>
3. In the SmartEvent GUI client Policy tab, in Automatic Reactions, Select Add > External Script.
4. In the Add Automatic Reaction window:
   1. Give the automatic reaction object a significant Name.
   2. In Command line, enter the name of the script to run. Specify the name of the script that is in $RTDIR/bin/ext_commands/ directory. Use the relative path if needed. Do not specify the full path of $RTDIR/bin/ext_commands/.
   3. Select Save.

Guidelines for creating the script

• Run the script manually and make sure it works as expected
• Make sure the script runs for no longer than 10 minutes, otherwise it will be terminated by the SmartEvent Server.
• Use the event fields in the script:

  To refer to the event in the script, define this environment variable:

  EVENT=$(cat)

  and use $EVENT

  Use line editor commands like awk or sed to parse the event and refer to specific fields. You can print the $EVENT one time to see its format.

  --------------------------------------------------------------------------------------------------

  The format of the event content is a name-value set – a structured set of fields that have the form:

  (name: value ;* );

  where name is a string and value is either free text until a semicolon, or a nested name-value set.

  The following is a sample event:

  (Name: Check Point administrator credential guessing; RuleID:
{F182D6BC-A0AA-444a-9F31-C0C22ACA2114}; Uuid:
<42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0;
StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime:
16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600;
MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy: 2886735150;
Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States;
hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source:
(hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United
States) ; Severity: Critical; EventNumber: EN00000184; State: 0;
NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;

  --------------------------------------------------------------------------------------------------

  If you need to refer to more fields, you can add them to the event:

  1. In the SmartEvent GUI client, in the Policy tab, right click the event, and select Properties > Event Format tab
  2. In the Display column, select the Event fields to have in the Event.
  3. Install the Event Policy on the SmartEvent Correlation Unit.