Automatic Reactions

When detected, an event can activate an Automatic Reaction. The SmartEvent administrator can create and configure one Automatic Reaction, or many, according to the needs of the system.

For example: A Mail Reaction can be defined to tell the administrator of events to which it is applied. Multiple Automatic Mail Reactions can be created to tell a different responsible party for each type of event.

To create an automatic reaction:

  1. Create an automatic reaction object in the Event definition, or from General Settings > Objects > Automatic Reactions.

  2. Assign the Automatic Reaction to an event (or to an exception to the event).

  3. To save the Event Policy, click File > Save

  4. To install the Event Policy on the SmartEvent Correlation Unit, click Actions > Install Event Policy.

These are the types of Automatic Reactions:

  • Mail - Tell an administrator by email that the event occurred. See Creating a Mail Reaction.

  • Block Source - Instruct the Security Gateway to block the source IP address from which this event was detected for a configurable timeframe . Select a timeframe from one minute to more than three weeks. See Creating a Block Source Reaction.

  • Block Event activity - Instruct the Security Gateway to block a distributed attack that emanates from multiple sources, or attacks multiple destinations for a configurable timeframe. Select a timeframe from one minute to more than three weeks). See Creating a Block Event Activity Reaction.

  • External Script - Run a script that you provide. See Creating an External Script Automatic Reaction to write a script that can exploit SmartEvent data.

  • SNMP Trap - Generate an SNMP Trap. See Creating an SNMP Trap Reaction.

    You can send event fields in the SNMP Trap message. The format for such an event field is [seam_event_table_field]. This list represents the possible seam_event table fields:

    AdditionalInfo varchar(1024)

    AutoReactionStatus varchar(1024)

    Category varchar(1024)

    DetectedBy integer

    DetectionTime integer

    Direction integer

    DueDate integer

    EndTime integer

    EventNumber integer

    FollowUp integer

    IsLast integer

    LastUpdateTime integer

    MaxNumOfConnections integer

    Name varchar(1024), NumOfAcceptedConnections integer

    NumOfRejectedConnections integer

    NumOfUpdates integer

    ProductCategory varchar(1024)

    ProductName varchar(1024)

    Remarks varchar(1024)

    RuleID varchar(48)

    Severity integer

    StartTime integer

    State integer

    TimeInterval integer

    TotalNumOfConnections varchar(20)

    User varchar(1024)

    Uuid varchar(48)

    aba_customer varchar(1024)

    jobID varchar(48)

    policyRuleID varchar(48)

Creating a Mail Reaction

  1. Select Add > Mail.

  2. Give the automatic reaction a significant name.

  3. Fill out the Mail Parameters of From, To and cc.

  4. To add multiple recipients, separate each email address with a semi-colon.

    Note - the Subject field has the default variables of [EventNumber] - [Severity] - [Name]. These variables automatically adds to the mail subject the event number, severity and name of the event that triggered this reaction. These variables can be removed at your discretion.

  5. Optional: Include your own standard text for each mail reaction.

  6. Enter the domain name of the SMTP server.

  7. Select Save.

Creating an SNMP Trap Reaction

  1. Select Add > SNMP Trap.

  2. Give the automatic reaction a significant name.

  3. Fill out the SNMP Trap parameters of Host, Message, OID and Community name.

    The command send_snmp uses values that are found in the file chkpnnt.mib, in the directory $CPDIR/lib/snmp/. An OID value used in the SNMP Trap parameters window must be defined in chkpnnt.mib, or in a file that refers it. If the OID field is left blank, the value is determined from iso.org.dod.internet.private.enterprises.checkpoint.products.fw.fwEvent = 1.3.6.1.4.1.2620.1.1.11.

    When the automatic reaction occurs, the SNMP Trap is sent as a 256 byte DisplayString text. But, if the OID type is not text, the message is not sent.

  4. Select Save.

Creating a Block Source Reaction

  1. Select Add > Block Source.

  2. Give the automatic reaction a significant name.

  3. From the drop-down list, select the number of minutes to block this source.

  4. Select Save.

Creating a Block Event Activity Reaction

  1. Select Add > Block Event Activity.

  2. Give the automatic reaction a significant name.

  3. From the drop-down list, select the number of minutes to block this source.

  4. Select Save.

Creating an External Script Automatic Reaction

To add an External Script:

  1. Create the script.

  2. In the SmartEvent GUI client Policy tab, in Automatic Reactions, Select Add > External Script.

Guidelines for creating the script

  • Run the script manually and make sure it works as expected

  • Make sure the script runs for no longer than 10 minutes, otherwise it will be terminated by the SmartEvent Server.

  • Use the event fields in the script:

    To refer to the event in the script, define this environment variable:

    EVENT=$(cat)

    and use $EVENT

    Use line editor commands like awk or sed to parse the event and refer to specific fields. You can print the $EVENT one time to see its format.

    The format of the event content is a name-value set - a structured set of fields that have the form:

    (name: value ;* );

    where name is a string and value is either free text until a semicolon, or a nested name-value set.

    This is a sample event:

(Name: Check Pointadministrator credential guessing; RuleID:
{F182D6BC-A0AA-444a-9F31-C0C22ACA2114}; Uuid:
<42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0;
StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime:
16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600;
MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy: 2886735150;
Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States;
hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source:
(hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United
States) ; Severity: Critical; EventNumber: EN00000184; State: 0;
NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;

If you need to add more fields to the event:

  1. In the SmartEvent GUI client, in the Policy tab, right-click the event, and select Properties > Event Format tab

  2. In the Display column, select the Event fields to have in the Event.

  3. Install the Event Policy on the SmartEvent Correlation Unit.

Assigning an Automatic Reaction to an Event

You can add an Automatic Reaction for SmartEvent to run when this type of event is detected.

  1. Select the icon [...].

  2. Select an Automatic Reaction that you created from the list, or select Add new?. For details on how to create each type of Automatic Reaction, see above section.

  3. Configure the Automatic Reaction.

  4. Select Save.

  5. Click OK.