This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_Herselman
Advisor
‎2022-12-20 07:16 AM
Jump to solution

How to unhide 'user_name: ******;' when calling custom script as a SmartEvent correlation rule?

I'm just not finding references to unhiding additional fields when calling a custom correlation rule, as detailed here:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/To...

 

I essentially have a script which will simply log all input passed to it:

[Expert@checkpoint-management:0]# cat $RTDIR/bin/ext_commands/block_on_clearpass
#!/bin/bash
EVENT=$(cat)
echo $EVENT >> /tmp/block_on_clearpass

This in turn yields the following data being collected:

[Expert@checkpoint-management:0]# tail -n 1 /tmp/block_on_clearpass
(StartTime: 20Dec2022 11:10:26; Uuid: deadbeef-dead-beef-dead-beef00000000; rowid: ENdeadbeef-dead-beef-dead-beef00000000; id_generated_by_indexer: false; first: true; sequencenum: 1; log_id: 2000; DisplayName: IP_Block_from_DNS_Trap; Category: User Defined Events; cu_rule_id: DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF; is_correlated: 1; num_of_updates: 0; is_last: 0; event_start_time: 1671534625; detection_time: 2022-12-20T09:10:26Z; time_interval: 60; max_num_count_detected: 2; cu_log_count: 2; cu_detected_by_hostname: checkpoint-management; cu_detected_by: 172.254.254.23; users_repetitions: 2; aba_customer: SMC User; source_repetitions: 2; origin_repetitions: 2; destination_repetitions: 2; service_repetitions: 2; Severity: High; type: Correlated; ProductName: VPN-1 & FireWall-1; product_family: Access; Destination: (hostname: ******; countryname: Israel; IP: 62.0.58.94; repetitions: 1) ; Origin: (IP: 0; hostname: redacted-fw01; repetitions: 1) ; Service: (port: 443; protocol: 6; servicename: https; repetitions: 1) ; Source: (user_name: ******; IP: 172.254.254.23; machine_name: ******; repetitions: 1) ; logid: 392281947) ;

PS: I understand the importance of sanitising input variables, is this possibly simply a safety mechanism so that people can be warned about the dangers?

 

The logs themselves do contain user identities:

 

cp_correlation_rule.png

 

SmartEvent is configured as follows:

cp_correlation_rule_detail_1.png

cp_correlation_rule_detail_2.png

 

We did add the 'Users' event field with the 'src_user_name' field:

cp_correlation_rule_detail_3.png

 

This then has two actions, the first to drop traffic from that source:

cp_correlation_rule_action_1.png

 

And the 2nd to stop the device being able to communicate with other devices in the same subnet. For now I'm simply calling the custom script detailed above:

cp_correlation_rule_action_2.png

 

Regards

David Herselman

1 Solution

Accepted Solutions
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-12-20 07:44 AM
Jump to solution

An old known issue: sk68020: In E-mail alerts sent by SmartEvent, the user name field contains '*** Confidential ***' in...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

3 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-12-20 07:44 AM
Jump to solution

An old known issue: sk68020: In E-mail alerts sent by SmartEvent, the user name field contains '*** Confidential ***' in...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
David_Herselman
Advisor
‎2022-12-20 09:27 AM
In response to G_W_Albrecht
Jump to solution

Thank you!

0 Kudos
David_Herselman
Advisor
‎2022-12-21 04:11 AM
Jump to solution

Hope the following saves someone else time in future, it should hopefully:

  • Sanitise input
  • Extract the username who's devices we wish to drop off the network
  • Call an API
  • Log debug information

 

 

[Expert@checkpoint-management:0]# cat $RTDIR/bin/ext_commands/block_on_clearpass
#!/bin/bash
INPUT=$(cat);
CURL_OUTPUT='';
EVENT="${INPUT//[^a-zA-Z0-9 ().,:;+_-]}";
USERID=`echo "$EVENT" | sed -r "/user_name/ s/.*user_name: ([[:alnum:]_-]+).*/\1/"`;

[ ${#USERID} -ge 4 ] && [ ${#USERID} -le 20 ] && CURL_OUTPUT=`curl_cli -kX POST -H 'Content-type: application/json' --data '{"text":"Hello, World!"}' https://hooks.slack.com/services/RANDOMSTRINGPROVIDEDBYSLACK --fail --silent --show-error 2>&1`;

if [ ${#CURL_OUTPUT} -gt 0 ]; then
  echo -e "User: $USERID\nCurl debug data: \n$CURL_OUTPUT" >> /tmp/block_on_clearpass;
else
  echo -e "User: $USERID - Curl return code: $? - Sanitised event data:\n$EVENT" >> /tmp/block_on_clearpass;
fi

 

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events