jfelix
Participant

Real Time Alerting - Smart 1 Cloud

Hi there,

I have been tasked to configure real-time alerts on an Azure-based CloudGuard gateway managed via Smart-1 Cloud.

The unit is licensed for both SmartEvent and Compliance, with the appliance running R81.20.

The process is required to adhere to a security framework; the relevant item is "real-time alerts for attempted intrusions."

A little ambitious, but all previous research pointed at using SmartEvent Reactions; however, I have just found that the S1C admin guide lists SmartEvent policies as not supported.


I know I can configure an email alert within the threat protection policy, but my understanding is that it will then not log the event.

Has anyone got any advice on how I can achieve the request?

Cheers!

14 Replies
G_W_Albrecht
Legend

jfelix
Participant

Sorry, I think I have used the wrong terminology. I have a standalone Security Gateway managed by Smart-1 Cloud, not the SaaS application suite that the admin guide you linked references.
the_rock
Legend

The term standalone means gateway AND management in one appliance, but I think you mean a single gateway? As in only one, not a cluster?

Andy

jfelix
Participant

Sorry, yeah, you are correct. Single gateway.

PhoneBoy
Admin

Smart-1 Cloud does not support the legacy SmartEvent client, which is necessary to configure SmartEvent Reactions.
You should be able to configure the action for Track type of Mail in Global Properties:

image.png

These commands execute on the gateway itself.

jfelix
Participant

Yeah, I have identified info around this config. But my understanding is, if I were to change the threat protection rule tracking option from log to mail, then the events/actions from this rule, while being emailed, would no longer be logged.
Tomer_Noy
Employee

Setting the email option is "on top" of the logging. The event should still be logged if the Track option is "Mail".

Tomer_Noy
Employee

The easiest way to achieve this is to leverage the new PlayBlocks application (under Horizon) in the Infinity Portal.

PlayBlocks Menu.png

This application allows you to define triggers and actions on events that happen in your security systems. It has integrations to notify you via email, SMS and even Teams or Slack. It can also open a ticket for you in ServiceNow if you'd like (although I wouldn't recommend that for every IPS attack).

Beyond notifications, it can also take remediation actions such as blocking the IP of the attacker at the Firewall level so that they can't continue to attack you. Here's an example:

PlayBlocks IPS Attack.png

It's a relatively new offering, so if you are missing something or have additional requirements, we're eager for feedback 😉

BTW, both Smart-1 Cloud and on-premise customers can use PlayBlocks. If you are on-prem, you just need to connect to the Infinity Portal first, using the Infinity Services tab in SmartConsole (R81.10 and up).

jfelix
Participant

Any idea when this will be rolled out to the Australian Infinity Portal?

I don't have it available in Australia, but can see it on the EU portal.

What can you tell me about licensing for this feature? Is it included in the Smart-1 Cloud subscription?
_Val_
Admin

@jfelix you are looking at Horizon, which is a different product. The post is about Smart-1 Cloud.

Screenshot 2023-09-18 at 08.53.03.png

jfelix
Participant

Hi Val, there is a post above from Tomer referencing Horizon PlayBlocks as a possible solution.
_Val_
Admin

I guess you mean @Tomer_Noy . Tomer, can you please advise?

the_rock
Legend

If it's not there, you may want to check with your local SE person; maybe it's a licensing issue. I see it in the North American and EU portals. My colleague and I worked on it; it is relatively new and it needs lots of improvements, for sure, but so far it seems pretty robust.

Andy

Tomer_Noy
Employee

Our current focus is on the EU and US regions, but we have plans for early next year to support PlayBlocks on AP (Australia) as well.

With regards to licensing/cost, it's free to use as long as we are in "Preview" mode. We hope to have attractive pricing for this service and will share more info as soon as it's available.
