Jeroen_Deckers
Participant

Mail alert with variable

Hi there,

I know how to create an email alert when a rule is hit.
Now I want to add a variable in the script so I know which rule has been hit.


Is this possible?

[screenshot attached: 2023-03-03 12_04_49-Window.png]

6 Replies
Danny
Champion

If it's only three different rules you could define three different UserDefined 1,2,3 mail alerts and assign these to the different rules.

Jeroen_Deckers
Participant

No, the thing is, I want to add, for example, the rule name as a variable in the mail alert.

PhoneBoy
Admin

The log entry should be passed as input to the script.
It should contain this information.

Jeroen_Deckers
Participant

Hi PhoneBoy,
Thanks for your answer.
How can I pass the log entry as input in the script?

PhoneBoy
Admin

It's already being passed via stdin.
I confirmed this by writing a very simple script that merely echoes the input received to an output file.
You should get a line that looks something like this:

HeaderDateHour: 6Mar2023 11:08:28; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x64061e0b,0x10000,0xe5624173,0xcec9fff8}; SequenceNum: -1; Action: accept; Origin: MyGateway; IfDir: >; InterfaceName: eth0; Alert: alert; OriginSicName: cn=cp_mgmt,o=MyGateway..3o8s6z; inzone: External; outzone: Local; service_id: https; src: x.y.z.w; dst: MyGateway; proto: tcp; security_inzone: ExternalZone; security_outzone: ; user: ; src_user_name: ; src_machine_name: ; src_user_dn: ; snid: ; dst_user_name: ; dst_machine_name: ; dst_user_dn: ; UP_match_table: TABLE_START; ROW_START: 0; match_id: 1; layer_uuid: 6a5b4108-a94e-4f5d-974b-8d8c431fdd5f; layer_name: Network; rule_uid: eda54453-4aee-4358-9f2c-0da5c29dc16d; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_alert_table: TABLE_START; ROW_START: 0; alert: alert; ROW_END: 0; UP_alert_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: https; sport_svc: 51585; ProductFamily: Network

Note: the actual data received will depend on the log entry in question.

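Putting PhoneBoy's answer to work, here is an added example (not from this thread, and not a Check Point script) of a user-defined alert script that reads the log line from stdin, parses the flat "key: value;" fields and the UP_match_table / UP_alert_table rows, and builds the mail subject and body from the matched layer and rule. It falls back to rule_uid when rule_name is empty, as it is in the line above. The sample line in the block is constructed from the one above (documentation addresses instead of real ones); the field names come from that line, while the mail layout and the function names are my own choices.

```python
import sys

# Constructed sample modelled on the log line shown above; 192.0.2.10 is a
# documentation address, not a real host.
SAMPLE_LOG = (
    "HeaderDateHour: 6Mar2023 11:08:28; Action: accept; Origin: MyGateway; IfDir: >; "
    "InterfaceName: eth0; Alert: alert; src: 192.0.2.10; dst: MyGateway; proto: tcp; "
    "service_id: https; "
    "UP_match_table: TABLE_START; ROW_START: 0; match_id: 1; layer_name: Network; "
    "rule_uid: eda54453-4aee-4358-9f2c-0da5c29dc16d; rule_name: ; ROW_END: 0; "
    "UP_match_table: TABLE_END; "
    "UP_alert_table: TABLE_START; ROW_START: 0; alert: alert; ROW_END: 0; "
    "UP_alert_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: https"
)


def parse_alert(line):
    """Split a 'key: value; key: value; ...' alert line into flat fields and tables.

    Keys repeat inside TABLE_START/TABLE_END blocks (UP_match_table appears twice,
    'alert' appears both at top level and in a row), so rows are collected as a
    list of dicts per table instead of being folded into the flat dict, where the
    second occurrence would silently overwrite the first.
    Assumes ';' never occurs inside a value, which holds for the line above.
    """
    fields, tables = {}, {}
    current_table, current_row = None, None
    for item in line.split(";"):
        key, sep, value = item.partition(":")
        if not sep:
            continue  # empty trailing piece or malformed item
        key, value = key.strip(), value.strip()
        if value == "TABLE_START":
            current_table = key
            tables.setdefault(key, [])
        elif value == "TABLE_END":
            current_table = None
        elif key == "ROW_START":
            current_row = {}
        elif key == "ROW_END":
            if current_table is not None and current_row is not None:
                tables[current_table].append(current_row)
            current_row = None
        elif current_row is not None:
            current_row[key] = value
        else:
            fields[key] = value
    return fields, tables


def matched_rule(tables):
    """Return layer/rule info for the first UP_match_table row, or None if absent."""
    rows = tables.get("UP_match_table", [])
    if not rows:
        return None
    row = rows[0]
    uid = row.get("rule_uid", "")
    # rule_name can be empty (it is in the sample), so fall back to the uid.
    return {
        "layer": row.get("layer_name", ""),
        "rule": row.get("rule_name") or f"uid {uid}",
        "uid": uid,
    }


def build_mail(fields, tables):
    """Compose (subject, body) for the alert mail from the parsed log entry."""
    rule = matched_rule(tables)
    label = f"{rule['layer']}/{rule['rule']}" if rule else "unknown rule"
    subject = f"[CP alert] {fields.get('Action', '?')} on {fields.get('Origin', '?')}: {label}"
    body = "\n".join([
        f"Time:    {fields.get('HeaderDateHour', '')}",
        f"Gateway: {fields.get('Origin', '')}",
        f"Rule:    {label}",
        f"Traffic: {fields.get('src', '')} -> {fields.get('dst', '')} "
        f"{fields.get('proto', '')}/{fields.get('service_id', '')}",
    ])
    return subject, body


if __name__ == "__main__":
    # As a user-defined alert script the log line arrives on stdin; when started
    # from a terminal with nothing piped in, the constructed sample is used instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    subject, body = build_mail(*parse_alert(raw))
    print("Subject:", subject)
    print(body)
```

The script only prints the subject and body; handing them to whatever mail command the existing alert already uses is the one remaining step, and it keeps the parsing separate from the sending so the parser can be tested with a saved log line.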
guilhermevi
Explorer

Hello,

I know you can do this via Python and the Check Point API, but I do not know how to perform this via SmartConsole.

I will share it below; it may be helpful for you, friend.

import requests
import json

from requests.packages.urllib3.exceptions import InsecureRequestWarning

# The management server usually presents a self-signed certificate, so checking is
# disabled below (verify=False); point verify= at the CA file in production instead.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

base_url = 'https://XXX.XXX.XXX.XXX/web_api/'
headers = {"Content-Type": "application/json"}

# Log in with an API key ("api-key"); "user" and "password" are the alternative.
credentials = {"api-key": 'APIKEY'}
response = requests.post(url=base_url + 'login', headers=headers, data=json.dumps(credentials), verify=False)
response.raise_for_status()
sid = response.json()['sid']
#print("\nThe ID of session is: ", sid)

# Every following call has to carry the session id in the X-chkp-sid header.
headers = {"Content-Type": "application/json", "X-chkp-sid": sid}

package = {'name' : 'Standard'}
response = requests.post(url=base_url + 'show-package', headers=headers, data=json.dumps(package), verify=False)
response.raise_for_status()
json_response = response.json()

# This keeps the last access layer of the package; pick a specific one if there are several.
for layer in json_response["access-layers"]:
    layer_name = layer['name']
    layer_uid = layer['uid']

print("\nThe name of the access layer is: ", layer_name)
print("The UID of the access layer is: ", layer_uid, "\n")

# show-hits adds a 'hits' object to each rule; limit raises the page size from the default 50 (500 is the maximum).
query = {'uid' : layer_uid, 'show-hits' : True, 'limit' : 500}
response = requests.post(url=base_url + 'show-access-rulebase', headers=headers, data=json.dumps(query), verify=False)
response.raise_for_status()
json_response = response.json()


def rules_in(rulebase):
    """Yield rules, descending into sections (which carry their own nested 'rulebase' list and no 'hits')."""
    for entry in rulebase:
        if entry.get('type') == 'access-section':
            yield from rules_in(entry.get('rulebase', []))
        elif 'hits' in entry:
            yield entry


for rule in rules_in(json_response["rulebase"]):

    name_rule = rule.get("name", rule["uid"])
    hits = rule['hits']

    if hits['value'] > 740000:

        hitsNumber = hits['value']

        email_subject = "Alert: Rule violated in Check Point policy"
        email_message = "The '{0}' rule was hit with {1} hits.".format(name_rule, hitsNumber)

        print(email_subject)
        print(email_message, "\n")

# Close the session so it does not linger on the management server.
requests.post(url=base_url + 'logout', headers=headers, data='{}', verify=False)

It is worth remembering that it is necessary to change some information, such as the IP, user, password, names of policies, etc.
