Automatic Reactions

When detected, an event Record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy. can activate an Automatic Reaction. The SmartEvent administrator can create and configure one Automatic Reaction, or many, according to the needs of the system.

For example: A Mail Reaction can be defined to tell the administrator of events to which it is applied. Multiple Automatic Mail Reactions can be created to tell a different responsible party for each type of event.

To create an automatic reaction:

1. Create an automatic reaction object in the Event definition, or from General Settings > Objects > Automatic Reactions.

2. Assign the Automatic Reaction to an event (or to an exception to the event).

3. To save the Event Policy Set of rules that define the behavior of SmartEvent., click File > Save

4. To install the Event Policy on the SmartEvent Correlation Unit SmartEvent software component on a SmartEvent Server that analyzes logs and detects events., click Actions > Install Event Policy.

These are the types of Automatic Reactions:

• Mail - Tell an administrator by email that the event occurred. See Creating a Mail Reaction.

• Block Source - Instruct the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. to block the source IP address from which this event was detected for a configurable timeframe . Select a timeframe from one minute to more than three weeks. See Creating a Block Source Reaction.

• Block Event activity - Instruct the Security Gateway to block a distributed attack that emanates from multiple sources, or attacks multiple destinations for a configurable timeframe. Select a timeframe from one minute to more than three weeks). See Creating a Block Event Activity Reaction.

• External Script - Run a script that you provide. See Creating an External Script Automatic Reaction to write a script that can exploit SmartEvent data.

• SNMP Trap - Generate an SNMP Trap. See Creating an SNMP Trap Reaction.

  You can send event fields in the SNMP Trap message.

  The format for such an event field is [seam_event_table_field].

  This list represents the possible seam_event table fields:

  AdditionalInfo varchar(1024)

  AutoReactionStatus varchar(1024)

  Category varchar(1024)

  DetectedBy integer

  DetectionTime integer

  Direction integer

  DueDate integer

  EndTime integer

  EventNumber integer

  FollowUp integer

  IsLast integer

  LastUpdateTime integer

  MaxNumOfConnections integer

  Name varchar(1024), NumOfAcceptedConnections integer

  NumOfRejectedConnections integer

  NumOfUpdates integer

  ProductCategory varchar(1024)

  ProductName varchar(1024)

  Remarks varchar(1024)

  RuleID varchar(48)

  Severity integer

  StartTime integer

  State integer

  TimeInterval integer

  TotalNumOfConnections varchar(20)

  User varchar(1024)

  Uuid varchar(48)

  aba_customer varchar(1024)

  jobID varchar(48)

  policyRuleID varchar(48)

Creating a Mail Reaction

1. Select Add > Mail.

2. Give the automatic reaction a significant name.

3. Fill out the Mail Parameters of From, To and cc.

4. To add multiple recipients, separate each email address with a semi-colon.

   Note - The Subject field has the default variables of [EventNumber] - [Severity] - [Name]. These variables automatically adds to the mail subject the event number, severity and name of the event that triggered this reaction. These variables can be removed at your discretion.

5. Optional: Include your own standard text for each mail reaction.

6. Enter the domain name of the SMTP server.

7. Select Save.

Creating an SNMP Trap Reaction

1. Select Add > SNMP Trap.

2. Give the automatic reaction a significant name.

3. Fill out the SNMP Trap parameters of Host, Message, OID and Community name.

   The command send_snmp uses values that are found in the file chkpnnt.mib, in the directory $CPDIR/lib/snmp/. An OID value used in the SNMP Trap parameters window must be defined in chkpnnt.mib, or in a file that refers it. If the OID field is left blank, the value is determined from iso.org.dod.internet.private.enterprises.checkpoint.products.fw.fwEvent = 1.3.6.1.4.1.2620.1.1.11.

   When the automatic reaction occurs, the SNMP Trap is sent as a 256 byte DisplayString text. But, if the OID type is not text, the message is not sent.

4. Select Save.

Creating a Block Source Reaction

1. Select Add > Block Source.

2. Give the automatic reaction a significant name.

3. From the drop-down list, select the number of minutes to block this source.

4. Select Save.

Creating a Block Event Activity Reaction

1. Select Add > Block Event Activity.

2. Give the automatic reaction a significant name.

3. From the drop-down list, select the number of minutes to block this source.

4. Select Save.

Creating an External Script Automatic Reaction

To add an External Script:

1. Create the script.

2. Put the script on the SmartEvent Server Dedicated Check Point server with the enabled SmartEvent Software Blade that hosts the events database.

   1. In $RTDIR/bin, create the folder ext_commands:

      mkdir $RTDIR/bin/ext_commands

   2. Put the script in $RTDIR/bin/ext_commands/ or in a folder under that location.

      The path and script name must not contain any spaces.

   3. Give the script executable permissions:

      chmod +x <script_filename>

3. In the SmartEvent GUI client Policy tab, in Automatic Reactions, Select Add > External Script.

4. In the Add Automatic Reaction window

   1. Give the automatic reaction object a significant Name.

   2. In Command line, enter the name of the script to run. Specify the name of the script that is in $RTDIR/bin/ext_commands/ directory. Use the relative path if needed. Do not specify the full path of $RTDIR/bin/ext_commands/.

   3. Select Save.

Guidelines for creating the script

• Run the script manually and make sure it works as expected

• Make sure the script runs for no longer than 10 minutes, otherwise it will be terminated by the SmartEvent Server.

• Use the event fields in the script:

  To refer to the event in the script, define this environment variable:

  EVENT=$(cat)

  and use $EVENT

  Use line editor commands like awk or sed to parse the event and refer to specific fields. You can print the $EVENT one time to see its format.

  The format of the event content is a name-value set - a structured set of fields that have the form:

  (name: value ;* );

  where name is a string and value is either free text until a semicolon, or a nested name-value set.

  This is a sample event:

  (Name: Check Pointadministrator credential guessing; RuleID: {F182D6BC-A0AA-444a-9F31-C0C22ACA2114}; Uuid: <42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0; StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime: 16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600; MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy: 2886735150; Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States; hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source: (hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United States) ; Severity: Critical; EventNumber: EN00000184; State: 0; NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;

If you need to add more fields to the event:

1. In the SmartEvent GUI client, in the Policy tab, right-click the event, and select Properties > Event Format tab

2. In the Display column, select the Event fields to have in the Event.

3. Install the Event Policy on the SmartEvent Correlation Unit.

Assigning an Automatic Reaction to an Event

You can add an Automatic Reaction for SmartEvent to run when this type of event is detected.

1. Select the icon [...].

2. Select an Automatic Reaction that you created from the list, or select Add new?. For details on how to create each type of Automatic Reaction, see above section.

3. Configure the Automatic Reaction.

4. Select Save.

5. Click OK.