Creating an External Script Automatic Reaction

To add an External Script:

  1. Create the script.

  2. Put the script on the SmartEvent Server (the dedicated Check Point server, with the SmartEvent Software Blade enabled, that hosts the events database).

    1. In $RTDIR/bin, create the folder ext_commands:

      mkdir $RTDIR/bin/ext_commands

    2. Put the script in $RTDIR/bin/ext_commands/ or in a folder under that location.

      The path and script name must not contain any spaces.

    3. Give the script executable permissions:

      chmod +x $RTDIR/bin/ext_commands/<script_filename>

  3. In the SmartEvent GUI client Policy tab, in Automatic Reactions, select Add > External Script.

  4. In the Add Automatic Reaction window:

    1. Give the automatic reaction object a meaningful name.

    2. In Command line, enter the name of the script to run.

      Specify the name of the script that is in $RTDIR/bin/ext_commands/ directory.

      Use the relative path if needed.

      Do not specify the full path of $RTDIR/bin/ext_commands/.

    3. Select Save.

Guidelines for creating the script

  • Run the script manually and make sure it works as expected.

  • Make sure the script runs for no longer than 10 minutes, otherwise it will be terminated by the SmartEvent Server.

  • Use the event fields in the script (an event is a record of a security or network incident, based on one or more logs and on a customizable set of rules defined in the Event Policy):

    To refer to the event in the script, define this environment variable:

    EVENT=$(cat)

    and use $EVENT

    Use text-processing tools such as awk or sed to parse the event and refer to specific fields. Print $EVENT once to see its format.

    The format of the event content is a name-value set - a structured set of fields that have the form:

    (name: value ;* );

    where name is a string and value is either free text until a semicolon, or a nested name-value set.

    This is a sample event:

    (Name: Check Point administrator credential guessing; RuleID:
    {F182D6BC-A0AA-444a-9F31-C0C22ACA2114}; Uuid:
    <42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0;
    StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime:
    16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600;
    MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy: 2886735150;
    Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States;
    hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source:
    (hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United
    States) ; Severity: Critical; EventNumber: EN00000184; State: 0;
    NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;
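The script below is an added example of an External Script built on the pattern above (EVENT=$(cat), then sed to pull out fields); it is not part of the Check Point documentation or product. It flattens the event onto one line, extracts top-level fields, descends into a nested name-value set such as Origin, and appends a one-line summary to a log file. The file name ext_reaction.sh, the EXT_SCRIPT_LOG variable and its default path are assumptions, and the embedded sample event is a constructed copy of the one shown above so the functions can be tried without a running SmartEvent Server. Values in the event come from logs and are untrusted, so they are only ever passed as quoted arguments and stripped of non-printable characters before being written to the log.

```shell
#!/bin/bash
# Added example External Script for a SmartEvent Automatic Reaction.
# Install as $RTDIR/bin/ext_commands/ext_reaction.sh (name is an assumption).

# Constructed sample event, copied from the documented format, for manual runs.
SAMPLE_EVENT='(Name: Check Point administrator credential guessing; RuleID:
{F182D6BC-A0AA-444a-9F31-C0C22ACA2114}; Uuid:
<42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0;
StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime:
16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600;
MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy: 2886735150;
Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States;
hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source:
(hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United
States) ; Severity: Critical; EventNumber: EN00000184; State: 0;
NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;'

# Assumed log location; EXT_SCRIPT_LOG overrides it.
LOG_FILE=${EXT_SCRIPT_LOG:-/tmp/ext_reaction.log}

# Put the event on one line and drop non-printable bytes, so the sed patterns
# do not depend on line breaks and nothing from a log can inject control
# characters (e.g. a forged line) into our own log file.
flatten_event() {
  printf '%s' "$1" | tr '\n' ' ' | tr -cd '[:print:]' | tr -s ' '
}

# Value of a top-level field: text after "name:" up to the next ';' or
# parenthesis. A ';' is prepended so the field right after '(' matches too.
# Note: the leading .* is greedy, so a name that occurs in several nested
# sets (IP, hostname) yields the LAST one; use event_nested for those.
event_field() {
  local ev name
  ev=$(flatten_event "$1"); name=$2
  printf ';%s' "$ev" | sed -n "s/.*[(;] *$name: *\([^;()]*\).*/\1/p" | sed 's/ *$//'
}

# Contents of a nested set, e.g. event_nested "$EVENT" Origin
# -> "IP: 192.0.2.4; repetitions: 3; countryname: United States; hostname: theHost"
event_nested() {
  local ev name
  ev=$(flatten_event "$1"); name=$2
  printf ';%s' "$ev" | sed -n "s/.*[(;] *$name: *(\([^()]*\)).*/\1/p"
}

# One-line summary of the fields an operator would want to see.
summarize_event() {
  local ev origin
  ev=$1
  origin=$(event_nested "$ev" Origin)
  printf '%s | %s | severity=%s | user=%s | origin=%s (%s) | connections=%s\n' \
    "$(event_field "$ev" EventNumber)" \
    "$(event_field "$ev" Name)" \
    "$(event_field "$ev" Severity)" \
    "$(event_field "$ev" User)" \
    "$(event_field "$origin" IP)" \
    "$(event_field "$origin" countryname)" \
    "$(event_field "$ev" TotalNumOfConnections)"
}

# Reaction body: refuse an empty event, then append the summary to the log.
main() {
  if [ -z "$1" ]; then
    echo "ext_reaction.sh: no event received on stdin" >&2
    return 1
  fi
  summarize_event "$1" >> "$LOG_FILE"
}

# Entry point. SmartEvent invokes the installed script with the event on stdin
# (the documented EVENT=$(cat) pattern). The guard on $0 lets the file be
# sourced (". ./ext_reaction.sh") to try the functions against $SAMPLE_EVENT
# interactively without the shell blocking on stdin.
case "$0" in
  *ext_reaction.sh) main "$(cat)" ;;
esac
```

Run it by hand first, as the guidelines require, e.g. `printf '%s' "$SAMPLE_EVENT" | ./ext_reaction.sh` after sourcing the file, and check the line appended to the log. Everything the script does with event data is a quoted argument to printf or sed; nothing is passed to eval or unquoted to another command, which is the property to keep if you extend it to call other tools.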

If you need to add more fields to the event:

  1. In the SmartEvent GUI client, in the Policy tab, right-click the event, and select Properties > Event Format tab.

  2. In the Display column, select the Event fields to have in the Event.

  3. Install the Event Policy (the set of rules that define the behavior of SmartEvent) on the SmartEvent Correlation Unit (the SmartEvent software component on a SmartEvent Server that analyzes logs and detects events).