Automatic Reactions

When detected, an eventClosed Record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy. can activate an Automatic Reaction. The SmartEvent administrator can create and configure one Automatic Reaction, or many, according to the needs of the system.

For example: A Mail Reaction can be defined to tell the administrator of events to which it is applied. You can create multiple Automatic Mail Reactions to tell a different responsible party for each type of event.

Automatic Reaction Types

Creating an Automatic Reaction "Mail"

The Automatic Reaction "Mail" sends an email when the event occurs.

  1. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., from the left navigation panel, click the Logs & Monitor view.

  2. At the top, click + to open a new tab.

  3. In the bottom section External Apps, click SmartEvent Settings & Policy.

  4. Click General Settings > Objects > Automatic Reactions.

  5. Click Add > Mail.

  6. In the Name field, enter a significant name.

  7. Optional: In the Comment field, enter a significant text.

  8. In the Mail Parameters section:

    1. In the From field, enter the applicable email address.

    2. In the To field, enter the applicable email addresses.

      To add multiple recipients, separate each email address with a semi-colon.

    3. In the Cc field, enter the applicable email addresses.

      To add multiple recipients, separate each email address with a semi-colon.

    4. In the Subject field, enter the applicable email subject.

      Note - The Subject field has the default variables of [EventNumber] - [Severity] - [Name]. These variables automatically add to the mail subject the event number, severity, and name of the event that triggered this reaction.

  9. In the Mail Server section, in the Outgoing mail server (SMTP) field, enter the IP address or FQDN of your SMTP server.

    Important - The SmartEvent ServerClosed Dedicated Check Point server with the enabled SmartEvent Software Blade that hosts the events database. must be able to reach your SMTP server. If you configure an FQDN, the DNS servers you configured on the SmartEvent Server must be able to resolve this FQDN.

  10. Click Save.

  11. Click Menu > File > Save.

  12. Click Menu > Actions > Install Event Policy.

Creating an Automatic Reaction "SNMP Trap"

The Automatic Reaction "SNMP Trap" sends an SNMP Trap when the event occurs.

  1. In SmartConsole, from the left navigation panel, click the Logs & Monitor view.

  2. At the top, click + to open a new tab.

  3. In the bottom section External Apps, click SmartEvent Settings & Policy.

  4. Click General Settings > Objects > Automatic Reactions.

  5. Click Add > SNMP Trap.

  6. In the Name field, enter a significant name.

  7. Optional: In the Comment field, enter a significant text.

  8. In the SNMP Trap Parameters section:

    1. In the Host field, enter the IP address or FQDN of your SMTP server.

      Important - The SmartEvent Server must be able to reach your SMTP server. If you configure an FQDN, the DNS servers you configured on the SmartEvent Server must be able to resolve this FQDN.

    2. In the Message field, enter the applicable text. If this field is empty, then the SmartEvent Server sends the text of the event.

    3. In the OID field, enter the applicable SNMP OID.

      This OID must be defined in the $CPDIR/lib/snmp/chkpnt.mib file or in the $CPDIR/lib/snmp/chkpnt-trap.mib file that is located on the SmartEvent Server.

      If this field is empty, then the SmartEvent Server uses the OID 1.3.6.1.4.1.2620.1.1.11 (iso.org.dod.internet.private.enterprises.checkpoint.products.fw.fwEvent)

    4. In the Community name field, enter the applicable SNMP Community name.

  9. Click Save.

  10. Click Menu > File > Save.

  11. Click Menu > Actions > Install Event Policy.

Notes:

  • The built-in command send_snmp on the SmartEvent Server send the SNMP Trap.

  • When the automatic reaction occurs, the SNMP Trap is sent as a 256 byte DisplayString text.

    If the OID type is not text, the message is not sent.

  • You can send event fields in the SNMP Trap message.

    AdditionalInfo varchar(1024)

    AutoReactionStatus varchar(1024)

    Category varchar(1024)

    DetectedBy integer

    DetectionTime integer

    Direction integer

    DueDate integer

    EndTime integer

    EventNumber integer

    FollowUp integer

    IsLast integer

    LastUpdateTime integer

    MaxNumOfConnections integer

    Name varchar(1024), NumOfAcceptedConnections integer

    NumOfRejectedConnections integer

    NumOfUpdates integer

    ProductCategory varchar(1024)

    ProductName varchar(1024)

    Remarks varchar(1024)

    RuleID varchar(48)

    Severity integer

    StartTime integer

    State integer

    TimeInterval integer

    TotalNumOfConnections varchar(20)

    User varchar(1024)

    Uuid varchar(48)

    aba_customer varchar(1024)

    jobID varchar(48)

    policyRuleID varchar(48)

Creating an Automatic Reaction "Block Source"

The Automatic Reaction "Block Source" instructs the Security Gateway to block the source IP address from which this event was detected for a configurable timeframe.

  1. In SmartConsole, from the left navigation panel, click the Logs & Monitor view.

  2. At the top, click + to open a new tab.

  3. In the bottom section External Apps, click SmartEvent Settings & Policy.

  4. Click General Settings > Objects > Automatic Reactions.

  5. Click Add > Block Source.

  6. In the Name field, enter a significant name.

  7. Optional: In the Comment field, enter a significant text.

  8. In the Blocking Timeout section, select for how long to block the source:

    • Next 10 Minutes

    • Next Hour

    • Next Day

    • Next Week

    • Enter a number from 1 to 32767.

  9. Click Save.

  10. Click Menu > File > Save.

  11. Click Menu > Actions > Install Event Policy.

Creating an Automatic Reaction "Block Event Activity"

The Automatic Reaction "Block Event activity" instructs the Security Gateway to block a distributed attack that emanates from multiple sources, or attacks multiple destinations for a configurable timeframe.

  1. In SmartConsole, from the left navigation panel, click the Logs & Monitor view.

  2. At the top, click + to open a new tab.

  3. In the bottom section External Apps, click SmartEvent Settings & Policy.

  4. Click General Settings > Objects > Automatic Reactions.

  5. Click Add > Block Event Activity.

  6. In the Name field, enter a significant name.

  7. Optional: In the Comment field, enter a significant text.

  8. In the Blocking Timeout section, select for how long to block the source:

    • Next 10 Minutes

    • Next Hour

    • Next Day

    • Next Week

    • Enter a number from 1 to 32767.

  9. From the drop-down list, select the number of minutes to block this source.

  10. Click Save.

  11. Click Menu > File > Save.

  12. Click Menu > Actions > Install Event Policy.

Creating an Automatic Reaction "External Script"

The Automatic Reaction "External Script" runs a script that you provide.

  1. Create the required shell script for Bash or C-Shell.

    • Run the script manually on the SmartEvent Server and make sure it works as expected.

    • Make sure the script runs for no longer than 10 minutes.

      Otherwise, the SmartEvent Server will terminate this script.

    • Use the event fields in the script:

      To refer to the event in the script, define this environment variable:

      EVENT=$(cat)

      and use $EVENT

      Use line editor commands like awk or sed to parse the event and refer to specific fields. You can print the $EVENT one time to see its format.

      The format of the event content is a name-value set - a structured set of fields that have the form:

      (name: value ;* );

      where name is a string and value is either free text until a semicolon, or a nested name-value set.

      This is a sample event:

      (Name: Check Point administrator credential guessing; RuleID:
      {F182D6BC-A0AA-444a-9F31-C0C22ACA2114}; Uuid:
      <42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0;
      StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime:
      16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600;
      MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy: 2886735150;
      Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States;
      hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source:
      (hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United
      States) ; Severity: Critical; EventNumber: EN00000184; State: 0;
      NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;

  2. Put the script on the SmartEvent Server:

    1. Connect to the command line on the SmartEvent Server.

    2. Log in to the Expert mode.

    3. In the directory $RTDIR/bin, create the directory "ext_commands":

      mkdir -v $RTDIR/bin/ext_commands

    4. Uplod the shell script file to the SmartEvent Server to the directory $RTDIR/bin/ext_commands/ (or to a nested directory in that directory).

      The path and script name must not contain any spaces.

    5. Assign the "execute" permissions to this script:

      chmod -v +x $RTDIR/bin/ext_commands/<script_filename>

    6. Make sure to save the script in the UNIX format.

      dos2unix $RTDIR/bin/ext_commands/<script_filename>

  3. In SmartConsole, from the left navigation panel, click the Logs & Monitor view.

  4. At the top, click + to open a new tab.

  5. In the bottom section External Apps, click SmartEvent Settings & Policy.

  6. Click General Settings > Objects > Automatic Reactions.

  7. Click Add > External Script.

  8. In the Name field, enter a significant name.

  9. In the Command line field, enter the relative path (relative to the directory $RTDIR/bin/ext_commands/) and the name of the script.

    Examples:

    • If the script is located in the directory $RTDIR/bin/ext_commands/:

      MyExternalScript.sh

    • If the script is located in the directory $RTDIR/bin/ext_commands/ in a nested directory MyScripts:

      MyScripts/MyExternalScript.sh

  10. Optional: In the Comment field, enter a significant text.

  11. Click Save.

  12. Click Menu > File > Save.

  13. Click Menu > Actions > Install Event Policy.

Assigning an Automatic Reaction to an Event

You can add an Automatic Reaction for SmartEvent to run when this type of event is detected.

  1. In SmartConsole, from the left navigation panel, click the Logs & Monitor view.

  2. At the top, click + to open a new tab.

  3. In the bottom section External Apps, click SmartEvent Settings & Policy.

  4. In the Event Policy folder, select and click the relevant event object.

  5. In the Automatic Reactions field, click the icon [...].

  6. Select the relevant Automatic Reactions and click OK.

    If the relevant Automatic Reaction is not in this list, then click Add new?. See Automatic Reaction Types.

  7. Click OK.

  8. Click Menu > File > Save.

  9. Click Menu > Actions > Install Event Policy.

Adding More Fields to an Event

  1. In the SmartEvent GUI client, in the Policy tab, right-click the event, click Properties.

  2. At the top, click the Event Format tab.

  3. In the Display column, select the Event fields to have in the Event.

  4. Click Menu > File > Save.

  5. Click Menu > Actions > Install Event Policy.