topic Re: Mail alert with variable in Firewall and Security Management

Mail alert with variable

Jeroen_Deckers — Fri, 03 Mar 2023 11:05:55 GMT

Hi there,

I know how to create an email alert when a rule is hit.
Now I want to add a variable in the script so I know which rule has been hit.

Is this possible?

Re: Mail alert with variable

Danny — Fri, 03 Mar 2023 11:46:20 GMT

If it's only three different rules you could define three different UserDefined 1,2,3 mail alerts and assign these to the different rules.

Re: Mail alert with variable

Jeroen_Deckers — Fri, 03 Mar 2023 12:17:28 GMT

No, the thing is, I want to add for example the rule name as varialbe in the mail alert.

Re: Mail alert with variable

PhoneBoy — Sat, 04 Mar 2023 00:23:44 GMT

The log entry should be passed as input to the script.
It should contain this information.

Re: Mail alert with variable

Jeroen_Deckers — Sat, 04 Mar 2023 12:41:52 GMT

Hi PhoneBoy,
Thanks for your answer.
How can I pass the log entry as input in the script?

Re: Mail alert with variable

PhoneBoy — Mon, 06 Mar 2023 17:14:49 GMT

It's already being passed via stdin.
I confirmed this by writing a very simple script that merely echoes the input received to an output file.
You should get a line that looks something like this:

HeaderDateHour: 6Mar2023 11:08:28; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x64061e0b,0x10000,0xe5624173,0xcec9fff8}; SequenceNum: -1; Action: accept; Origin: MyGateway; IfDir: >; InterfaceName: eth0; Alert: alert; OriginSicName: cn=cp_mgmt,o=MyGateway..3o8s6z; inzone: External; outzone: Local; service_id: https; src: x.y.z.w; dst: MyGateway; proto: tcp; security_inzone: ExternalZone; security_outzone: ; user: ; src_user_name: ; src_machine_name: ; src_user_dn: ; snid: ; dst_user_name: ; dst_machine_name: ; dst_user_dn: ; UP_match_table: TABLE_START; ROW_START: 0; match_id: 1; layer_uuid: 6a5b4108-a94e-4f5d-974b-8d8c431fdd5f; layer_name: Network; rule_uid: eda54453-4aee-4358-9f2c-0da5c29dc16d; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_alert_table: TABLE_START; ROW_START: 0; alert: alert; ROW_END: 0; UP_alert_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: https; sport_svc: 51585; ProductFamily: Network

Note: the actual data received will depend on the log entry in question.

Re: Mail alert with variable

guilhermevi — Mon, 06 Mar 2023 20:25:32 GMT

Hello,

I know you can do this via Python and CheckPoint API, But I do not know how to perform this via SmartConsole.

I will share it below, it may be helpful for you friend.

import requests import json import time from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) url = 'https://XXX.XXX.XXX.XXX/web_api/login' headers = {"Content-Type": "application/json"} credentials = {"apiuser" : 'APIKEY'} data = json.dumps(credentials) payload = requests.post(url=url, headers=headers, data=data, verify=False) json_response = json.loads(payload.text) sid = json_response['sid'] #print("\nThe ID of session is: ", sid) url = 'https://XXX.XXX.XXX.XXX/web_api/show-package' headers = {"Content-Type": "application/json", "X-chkp-sid": sid} package = {'name' : 'Standard'} data = json.dumps(package) payload = requests.post(url=url, headers=headers, data=data, verify=False) json_response = json.loads(payload.text) for package in json_response["access-layers"]: package_name = package['name'] package_uid = package['uid'] print("\nThe name of the packet show-package is: ", package_name) print("The UID of package show-package is: ", package_uid, "\n") url = 'https://XXX.XXX.XXX.XXX/web_api/show-access-rulebase' headers = {"Content-Type": "application/json", "X-chkp-sid": sid} filter = {'uid' : package_uid, 'show-hits' : 'true',} data = json.dumps(filter) payload = requests.post(url=url, headers=headers, data=data, verify=False) json_response = json.loads(payload.text) for policy in json_response["rulebase"]: name_policy = policy["name"] hits = policy['hits'] if hits['value'] > 740000: hitsNumber = hits['value'] email_subject = "Alert: Rule violated in Check Point policy" email_message = "The '{0}' rule was hit with {1} hits.".format(name_policy,hitsNumber) print(email_subject) print(email_message,"\n")

It is worth remembering that it is necessary to change some information, such as IP, user, password, name of policies and etc.