Hi there,
I know how to create an email alert when a rule is hit.
Now I want to add a variable in the script so I know which rule has been hit.
Is this possible?
If it's only three different rules you could define three different UserDefined 1,2,3 mail alerts and assign these to the different rules.
No, the thing is, I want to add for example the rule name as a variable in the mail alert.
The log entry should be passed as input to the script.
It should contain this information.
Hi PhoneBoy,
Thanks for your answer.
How can I pass the log entry as input in the script?
It's already being passed via stdin.
I confirmed this by writing a very simple script that merely echoes the input received to an output file.
You should get a line that looks something like this:
HeaderDateHour: 6Mar2023 11:08:28; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x64061e0b,0x10000,0xe5624173,0xcec9fff8}; SequenceNum: -1; Action: accept; Origin: MyGateway; IfDir: >; InterfaceName: eth0; Alert: alert; OriginSicName: cn=cp_mgmt,o=MyGateway..3o8s6z; inzone: External; outzone: Local; service_id: https; src: x.y.z.w; dst: MyGateway; proto: tcp; security_inzone: ExternalZone; security_outzone: ; user: ; src_user_name: ; src_machine_name: ; src_user_dn: ; snid: ; dst_user_name: ; dst_machine_name: ; dst_user_dn: ; UP_match_table: TABLE_START; ROW_START: 0; match_id: 1; layer_uuid: 6a5b4108-a94e-4f5d-974b-8d8c431fdd5f; layer_name: Network; rule_uid: eda54453-4aee-4358-9f2c-0da5c29dc16d; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_alert_table: TABLE_START; ROW_START: 0; alert: alert; ROW_END: 0; UP_alert_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: https; sport_svc: 51585; ProductFamily: Network
Note: the actual data received will depend on the log entry in question.
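An added example (not from the thread or from Check Point) of a user-defined alert script that reads the log entry from stdin and puts the matched rule into the mail subject. The function names and the example.com addresses are assumptions, as are the premises that field values contain no semicolons and that UP_match_table may carry more than one row.

```python
import sys
from email.message import EmailMessage

# Constructed sample, shortened from the line quoted in the post above.
SAMPLE = (
    "HeaderDateHour: 6Mar2023 11:08:28; Action: accept; Origin: MyGateway; "
    "service_id: https; src: x.y.z.w; dst: MyGateway; proto: tcp; "
    "UP_match_table: TABLE_START; ROW_START: 0; match_id: 1; layer_name: Network; "
    "rule_uid: eda54453-4aee-4358-9f2c-0da5c29dc16d; rule_name: ; ROW_END: 0; "
    "UP_match_table: TABLE_END; ProductName: VPN-1 & FireWall-1"
)

def parse_fields(line):
    """Return the 'key: value' pairs of one log line, in order."""
    pairs = []
    for part in line.strip().split(";"):
        key, sep, value = part.partition(":")  # split on the first colon only
        if sep and key.strip():
            pairs.append((key.strip(), value.strip()))
    return pairs

def matched_rules(pairs):
    """Return one dict per ROW_START..ROW_END row inside UP_match_table."""
    rows, row, in_table = [], None, False
    for key, value in pairs:
        if key == "UP_match_table":
            in_table, row = (value == "TABLE_START"), None
        elif in_table and key == "ROW_START":
            row = {}
        elif in_table and key == "ROW_END" and row is not None:
            rows.append(row)
            row = None
        elif row is not None:
            row[key] = value
    return rows

def clean(text):
    """Log values are untrusted: drop control characters before they reach a header."""
    return "".join(c for c in text if c.isprintable())

def build_alert(line, sender="fw-alerts@example.com", recipient="soc@example.com"):
    pairs = parse_fields(line)
    # rule_name is empty for unnamed rules (as in the sample), so fall back to rule_uid.
    labels = [r.get("rule_name") or r.get("rule_uid", "unknown") for r in matched_rules(pairs)]
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = clean("Rule hit: " + ", ".join(labels or ["unknown"]))
    msg.set_content("\n".join(f"{k}: {clean(v)}" for k, v in pairs))
    return msg

if __name__ == "__main__":
    # The alert mechanism passes the log entry on stdin; delivery is left to your mailer.
    print(build_alert(sys.stdin.readline()))
```

Because the fields are handled as data and never interpolated into a shell command, a hostile value in a log field cannot run anything on the management server.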
Hello,
I know you can do this via Python and CheckPoint API, but I do not know how to perform this via SmartConsole.
I will share it below; it may be helpful for you, friend.
```python
import json

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Certificate checks are disabled throughout (verify=False) and the warning is silenced;
# against a production management server, pass its CA bundle via verify= instead.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Log in and obtain a session ID.
url = 'https://XXX.XXX.XXX.XXX/web_api/login'
headers = {"Content-Type": "application/json"}
# Placeholder as posted: replace with the login fields for your own account.
credentials = {"apiuser": 'APIKEY'}
data = json.dumps(credentials)
payload = requests.post(url=url, headers=headers, data=data, verify=False)
json_response = json.loads(payload.text)
sid = json_response['sid']
# print("\nThe ID of session is: ", sid)

# Look up the access layers of the policy package.
url = 'https://XXX.XXX.XXX.XXX/web_api/show-package'
headers = {"Content-Type": "application/json", "X-chkp-sid": sid}
package = {'name': 'Standard'}
data = json.dumps(package)
payload = requests.post(url=url, headers=headers, data=data, verify=False)
json_response = json.loads(payload.text)
for package in json_response["access-layers"]:
    package_name = package['name']
    package_uid = package['uid']
    print("\nThe name of the packet show-package is: ", package_name)
    print("The UID of package show-package is: ", package_uid, "\n")

# Fetch the rulebase with hit counts; package_uid now holds the last access layer listed.
url = 'https://XXX.XXX.XXX.XXX/web_api/show-access-rulebase'
headers = {"Content-Type": "application/json", "X-chkp-sid": sid}
rule_filter = {'uid': package_uid, 'show-hits': 'true'}
data = json.dumps(rule_filter)
payload = requests.post(url=url, headers=headers, data=data, verify=False)
json_response = json.loads(payload.text)
for policy in json_response["rulebase"]:
    name_policy = policy.get("name")
    hits = policy.get('hits')
    # Skip entries that carry no hit count.
    if hits and hits['value'] > 740000:
        hitsNumber = hits['value']
        email_subject = "Alert: Rule violated in Check Point policy"
        email_message = "The '{0}' rule was hit with {1} hits.".format(name_policy, hitsNumber)
        print(email_subject)
        print(email_message, "\n")
```
It is worth remembering that it is necessary to change some information, such as IP, user, password, name of policies, etc.