David_Herselman
Advisor

How to unhide 'user_name: ******;' when calling custom script as a SmartEvent correlation rule?

I'm just not finding references to unhiding additional fields when calling a custom correlation rule, as detailed here:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/To...

 

I essentially have a script which will simply log all input passed to it:

[Expert@checkpoint-management:0]# cat $RTDIR/bin/ext_commands/block_on_clearpass
#!/bin/bash
# Log the raw correlated event that SmartEvent pipes to this script on stdin.
EVENT=$(cat)
# Quote the variable so whitespace is preserved and the '******' placeholders are not glob-expanded.
echo "$EVENT" >> /tmp/block_on_clearpass

This in turn yields the following data being collected:

[Expert@checkpoint-management:0]# tail -n 1 /tmp/block_on_clearpass
(StartTime: 20Dec2022 11:10:26; Uuid: deadbeef-dead-beef-dead-beef00000000; rowid: ENdeadbeef-dead-beef-dead-beef00000000; id_generated_by_indexer: false; first: true; sequencenum: 1; log_id: 2000; DisplayName: IP_Block_from_DNS_Trap; Category: User Defined Events; cu_rule_id: DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF; is_correlated: 1; num_of_updates: 0; is_last: 0; event_start_time: 1671534625; detection_time: 2022-12-20T09:10:26Z; time_interval: 60; max_num_count_detected: 2; cu_log_count: 2; cu_detected_by_hostname: checkpoint-management; cu_detected_by: 172.254.254.23; users_repetitions: 2; aba_customer: SMC User; source_repetitions: 2; origin_repetitions: 2; destination_repetitions: 2; service_repetitions: 2; Severity: High; type: Correlated; ProductName: VPN-1 & FireWall-1; product_family: Access; Destination: (hostname: ******; countryname: Israel; IP: 62.0.58.94; repetitions: 1) ; Origin: (IP: 0; hostname: redacted-fw01; repetitions: 1) ; Service: (port: 443; protocol: 6; servicename: https; repetitions: 1) ; Source: (user_name: ******; IP: 172.254.254.23; machine_name: ******; repetitions: 1) ; logid: 392281947) ;

PS: I understand the importance of sanitising input variables; is this possibly simply a safety mechanism so that people can be warned about the dangers?

 

The logs themselves do contain user identities:

 

cp_correlation_rule.png

 

SmartEvent is configured as follows:

cp_correlation_rule_detail_1.png

cp_correlation_rule_detail_2.png

 

We did add the 'Users' event field with the 'src_user_name' field:

cp_correlation_rule_detail_3.png

 

This then has two actions, the first to drop traffic from that source:

cp_correlation_rule_action_1.png

 

And the 2nd to stop the device being able to communicate with other devices in the same subnet. For now I'm simply calling the custom script detailed above:

cp_correlation_rule_action_2.png

 

Regards

David Herselman

Accepted Solution

G_W_Albrecht
Legend

3 Replies

G_W_Albrecht
Legend
David_Herselman
Advisor

Thank you!

David_Herselman
Advisor

Hope the following saves someone else time in future; it should:

  • Sanitise input
  • Extract the username whose devices we wish to drop off the network
  • Call an API
  • Log debug information

 

 

[Expert@checkpoint-management:0]# cat $RTDIR/bin/ext_commands/block_on_clearpass
#!/bin/bash
# Called by SmartEvent with the correlated event on stdin.
INPUT=$(cat)
CURL_OUTPUT=''
CURL_RC=0

# Drop every character not on a conservative whitelist before the event is used anywhere.
EVENT="${INPUT//[^a-zA-Z0-9 ().,:;+_-]}"

# Pull out the value of the 'user_name:' field. A line without one passes through unchanged,
# which the length check below then rejects.
USERID=$(echo "$EVENT" | sed -r "/user_name/ s/.*user_name: ([[:alnum:]_-]+).*/\1/")

# Only act on a plausible username (4-20 characters) and record curl's own exit status,
# rather than reading $? later after other commands have overwritten it.
# Note: -k disables certificate verification for the webhook connection.
if [ ${#USERID} -ge 4 ] && [ ${#USERID} -le 20 ]; then
  CURL_OUTPUT=$(curl_cli -kX POST -H 'Content-type: application/json' --data '{"text":"Hello, World!"}' https://hooks.slack.com/services/RANDOMSTRINGPROVIDEDBYSLACK --fail --silent --show-error 2>&1)
  CURL_RC=$?
fi

if [ ${#CURL_OUTPUT} -gt 0 ]; then
  echo -e "User: $USERID\nCurl debug data: \n$CURL_OUTPUT" >> /tmp/block_on_clearpass
else
  echo -e "User: $USERID - Curl return code: $CURL_RC - Sanitised event data:\n$EVENT" >> /tmp/block_on_clearpass
fi
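The four steps in the reply above (sanitise, extract the user, call an API, log) as a slightly more general added example, not code from the original post or from Check Point: instead of grepping for the first 'user_name:' anywhere in the record, it parses the nested 'Source: (...)' group of the SmartEvent record format shown in the question, validates both the username and the IP before they go near a command line, and shows what happens with the masked '******' values the question started with. The two sample records, the 'payload' message format and the driver loop are constructed for the example; a real hook would read the event with RAW=$(cat) and hand the payload to curl_cli.

```shell
#!/bin/bash
# Added example, not code from the original post: parse the SmartEvent record that an
# ext_commands script receives on stdin, whitelist-sanitise it, read fields out of the
# nested "Source: (...)" group, and only build the outbound request from validated values.

# Constructed sample records modelled on the one in the question; the masked one carries
# the "******" placeholders SmartEvent emitted before the Users field was exposed.
UNMASKED_EVENT='(StartTime: 20Dec2022 11:10:26; DisplayName: IP_Block_from_DNS_Trap; Severity: High; Destination: (hostname: ******; IP: 192.0.2.10; repetitions: 1) ; Origin: (IP: 0; hostname: fw01; repetitions: 1) ; Source: (user_name: jdoe; IP: 172.254.254.23; machine_name: pc-jdoe; repetitions: 1) ; logid: 392281947) ;'
MASKED_EVENT='(StartTime: 20Dec2022 11:10:26; DisplayName: IP_Block_from_DNS_Trap; Severity: High; Source: (user_name: ******; IP: 172.254.254.23; machine_name: ******; repetitions: 1) ; logid: 392281947) ;'

# Keep only characters a Check Point record legitimately contains; quotes, backticks,
# '$', '|', '/', newlines and anything else an attacker-controlled field could carry are dropped.
sanitise() {
  printf '%s' "$1" | tr -cd 'a-zA-Z0-9 ().,:;+_-'
}

# Body of a named parenthesised group, e.g. group "$ev" Source -> "user_name: jdoe; IP: ...".
group() {
  printf '%s' "$1" | sed -E -n "s/.*$2: \(([^()]*)\).*/\1/p"
}

# Value of "name: value" inside a group body. The leading space lets the delimiter class
# match a field at the very start of the body and stops "user_name" matching inside
# "src_user_name"; a masked (emptied) value yields an empty string.
field() {
  printf ' %s' "$1" | sed -E -n "s/.*[;( ]$2: ([^;)]*).*/\1/p"
}

# Accept only plausible account names and dotted-quad addresses.
valid_user() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]{4,20}$'; }
valid_ip()   { printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; }

# Print "user ip" for the Source group of a raw event, or nothing (exit 1) when either
# field is missing, masked or malformed.
source_identity() {
  local ev src user ip
  ev=$(sanitise "$1")
  src=$(group "$ev" Source)
  user=$(field "$src" user_name)
  ip=$(field "$src" IP)
  valid_user "$user" && valid_ip "$ip" || return 1
  printf '%s %s\n' "$user" "$ip"
}

# Webhook body assembled only from validated fields (hypothetical message format); the
# raw event text is never interpolated into a command line or into the JSON.
payload() {
  printf '{"text":"Blocking %s (%s) via ClearPass"}' "$1" "$2"
}

# Hypothetical driver: show the decision for both constructed events.
for raw in "$UNMASKED_EVENT" "$MASKED_EVENT"; do
  if id=$(source_identity "$raw"); then
    set -- $id
    echo "would send: $(payload "$1" "$2")"
  else
    echo "no usable user_name/IP in event; nothing done"
  fi
done
```

Running it prints one "would send" line for the unmasked record and "nothing done" for the masked one, because the emptied user_name fails validation rather than silently producing a request with no user in it.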

 

 
