Re: SmartEvent IPS alert example

ChrisMartel · ‎2020-07-02

Hey guys,

I'm trying to set up an email alert for every IPS log with action prevent and severity critical. I'm not having any luck. Can someone provide an example of an IPS alert that they have set up through SmartEvent? I'm currently on R80.40 latest ongoing.

I've had a little bit of luck getting emails with some correlated logs but they don't show any valuable information (no attack name, action etc..) even after enabling the column in "Event Format" and lumping them into the same event in the "Count logs" section. I have been testing by just using IPS action = Prevent for right now. Also note that the single log events wont trigger an email only the correlated. Is there something I'm missing? Pictures below. Thanks!!

Amir_Senn · ‎2020-07-05

Hey,

To avoid misconfiguration of events I recommend using the existing event for "Generic IPS Event" under "Legacy" folder.

The correlated event information displayed is already defined and supposed to contain relevant information.

Try not to add too many conditions at once, change it one by one and see that the last event definitions worked as expected.

a) First try to only change action to "Prevent" from "Control"

b) Add email reaction and see that it contains all relevant information that you require.

c) Add severity by clicking show more fields -> Existing fields -> Severity -> Critical

d) Add "Accumulate additional logs..."

Tell me if that helps you.

Amir Senn

Kind regards, Amir Senn

ChrisMartel · ‎2020-07-07

Hi Amir,

Thanks for the reply. I tried out what you said and used the default IPS legacy event with only changing default Filter of "Type Not Equal {Control}" to "Action Equal {Prevent}" and it provides similar results to my previous testing.

It generates a correlated event and lets me know via email but the correlated event does not have any information associated with it as you can see in the screenshot. I tried 3 separate times to add an additional "Group By field" in the "Count logs" section with "attack" "Attack Information" and "Protection Name" Each time only adding one of them to make sure to accurately test and in all 3 test situations a correlated log failed to generate and thus no email alert. I also tried to remove Source and Destination and only leave one of those filters but that didn't work either. You can see below the results of my testing and the lack of any more correlated logs after the first one generated by the base legacy IPS alert with only control to prevent. Any more ideas? Thank you!

Amir_Senn · ‎2020-07-08

It looks like it accumulates. Did you try to remove all the fields from "Accumulate additional logs.." ?

Kind regards, Amir Senn

ChrisMartel · ‎2020-07-13

Hi Amir,

I removed everything from accumulate logs and received the same behavior of no email alert with no logs being correlated.

Anything else I can try?

Thanks,

christian_konne · ‎2020-07-13

👍

Amir_Senn · ‎2020-07-14

I wasn't expecting that at all.

I'll try to look into it more on my lab environment.

Kind regards, Amir Senn

ChrisMartel · ‎2020-07-14

Hi Amir,

My apologies, on the last test, I had IPS in detect mode. I set it back to prevent and tried removing all the fields from accumulate different logs and I did get a correlated log generated with an email alert but there was still no information on the event, similar to the earlier test attempts. These screenshots show the configuration and results.

Amir_Senn · ‎2020-07-29

Hey,

2 things you could try:

1) Change action equals prevent to not equal detect. If other event are generated than maybe filter them out with type not equals control.

2) Clear accumulate by values and put Log UUID instead.

Hope that helps.

Kind regards, Amir Senn

Are you a member of CheckMates?

SmartEvent IPS alert example