Creating an External Script Automatic Reaction
To add an External Script:
1. Create the script.
2. Put the script on the SmartEvent Server (the dedicated Check Point server with the SmartEvent Software Blade enabled that hosts the events database):
   a. In $RTDIR/bin, create the folder ext_commands.
   b. Put the script in $RTDIR/bin/ext_commands/ or in a folder under that location.
   Note - The path and script name must not contain any spaces.
3. Give the script executable permissions:
   chmod +x $RTDIR/bin/ext_commands/<script_filename>
4. In the SmartEvent GUI client, on the Policy tab, under Automatic Reactions, select Add > External Script.
5. In the Add Automatic Reaction window:
   a. Give the automatic reaction object a significant name.
   b. In Command line, enter the name of the script to run. Specify the name of the script as it is stored in $RTDIR/bin/ext_commands/; if the script is in a subfolder, use the path relative to that folder. Do not specify the full path starting with $RTDIR/bin/ext_commands/.
Guidelines for creating the script
- Run the script manually and make sure it works as expected.
- Make sure the script runs for no longer than 10 minutes; otherwise the SmartEvent Server terminates it.
- Use the event fields in the script. (An event is a record of a security or network incident that is based on one or more logs and on a customizable set of rules defined in the Event Policy.)
  The event is available to the script in this environment variable: $EVENT
  Use line editor commands such as sed to parse the event and refer to specific fields. Print $EVENT once to see its format.
  The format of the event content is a name-value set, a structured set of fields of the form:
  (name: value; name: value; ...);
  where name is a string and value is either free text up to the next semicolon, or a nested name-value set in parentheses.
This is a sample event:
(Name: Check Point administrator credential guessing; RuleID:
<42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0;
StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime:
16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600;
MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy: 2886735150;
Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States;
hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source:
(hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United
States) ; Severity: Critical; EventNumber: EN00000184; State: 0;
NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;
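The following is an added example of a complete External Script in the form the procedure above calls for; it is not part of the original documentation and not Check Point's code. It shows the two guidelines above in practice: reading the event from $EVENT and parsing it with sed, separating the top-level free-text fields from the nested Source and Origin sets so that a name such as IP is resolved from the right set. It assumes the SmartEvent Server supplies the event in $EVENT in the "(name: value; ...)" format described above; the field names and the embedded test input are taken from the sample event on this page, and the printf in react() stands in for whatever action the reaction should take.

```shell
#!/bin/sh
# Added example of an External Script reaction (not Check Point's own code).
# Assumed: the SmartEvent Server runs this script with the event content in the
# environment variable $EVENT, in the "(name: value; ...)" format shown above.
# Field names (Name, Severity, EventNumber, User, Source, Origin, IP, ...) are
# taken from the sample event on this page.

# Constructed test input: the sample event from this page, with line breaks
# where the documentation wraps it. Used only when the script is run by hand.
SAMPLE_EVENT='(Name: Check Point administrator credential guessing; RuleID:
<42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0;
StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime:
16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600;
MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy: 2886735150;
Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States;
hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source:
(hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United
States) ; Severity: Critical; EventNumber: EN00000184; State: 0;
NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;'

# Join line breaks, strip the outer "( ... ) ;" wrapper and put "; " before and
# ";" after the field list so that every field, including the first and the
# last, is bounded by semicolons: "; Name: ...; ...; NumOfAcceptedConnections: 0;"
normalize_event() {
    printf '%s' "$EVENT" | tr '\n' ' ' \
        | sed -e 's/^ *( *//' -e 's/ *) *;* *$//' -e 's/^/; /' -e 's/$/;/'
}

# event_field NAME: value of a top-level free-text field. Nested sets are
# masked first so a name that also appears inside Source or Origin (such as
# "IP") is not picked up by mistake; a top-level value that is itself a nested
# set prints as "(nested set)". Prints nothing if the field is absent.
event_field() {
    normalize_event | sed 's/([^()]*)/(nested set)/g' \
        | sed -n "s/.*; *$1: *\([^;]*\);.*/\1/p" | sed 's/ *$//'
}

# nested_field SET NAME: value of NAME inside the nested set SET, for example
# "nested_field Source IP". The inner list is wrapped with "; " and ";" so the
# same field regex works for its first and last entries.
nested_field() {
    normalize_event \
        | sed -n "s/.*; *$1: *(\([^()]*\)).*/\1/p" \
        | sed -e 's/^/; /' -e 's/$/;/' \
        | sed -n "s/.*; *$2: *\([^;]*\);.*/\1/p" | sed 's/ *$//'
}

# The reaction itself. Replace the printf with the real action (open a ticket,
# page someone, push the source IP to a block list). Keep it quick: the
# SmartEvent Server terminates the script after 10 minutes.
react() {
    printf 'event=%s severity=%s name="%s" user=%s source_ip=%s country="%s"\n' \
        "$(event_field EventNumber)" "$(event_field Severity)" \
        "$(event_field Name)" "$(event_field User)" \
        "$(nested_field Source IP)" "$(nested_field Source countryname)"
}

# When run by hand with no $EVENT (the guideline says to test the script
# manually first) fall back to the sample event; in production $EVENT comes
# from the SmartEvent Server.
if [ -z "${EVENT:-}" ]; then
    EVENT=$SAMPLE_EVENT
fi
react
```

Save it under $RTDIR/bin/ext_commands/, give it executable permissions as in step 3, run it once by hand to check the output, and then enter only its file name in the Command line field of the automatic reaction. Because every added field must end with a semicolon and nested sets are delimited by parentheses, adding fields to the event through the Event Format tab needs no change to the parsing functions, only a new event_field or nested_field call.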
If you need to add more fields to the event:
1. In the SmartEvent GUI client, on the Policy tab, right-click the event and select Properties > Event Format tab.
2. In the Display column, select the event fields to include in the event.
3. Install the Event Policy (the set of rules that define the behavior of SmartEvent) on the SmartEvent Correlation Unit (the SmartEvent software component on a SmartEvent Server that analyzes logs and detects events).