Security Event Management: Real-time Alerts and Instant Remediation

You may come across a situation where there has been a virus attack on your IT network. In another situation, some corporate users may be accessing streaming sites that drain the Internet bandwidth. First, you should be notified instantly, and Firewall Analyzer does this promptly. Will the alerts alone be sufficient to mitigate the effects of the attack or rectify the cause of the bandwidth drain? No. You need to take swift and automatic action to tackle the situation. If you depend on manual remediation measures, which are inherently slow, the virus will spread and bring the whole network to a grinding halt, or the business will be crippled because bandwidth is not available for critical business activity. The method of taking action should also be flexible enough to address different security scenarios such as those given above. You may want to run a program or script to kill a process, block a port, block a user, and so on. Firewall Analyzer addresses this requirement with a feature called ‘Run Script’ (Program), which allows instant remediation of threats to your network.

How do firewall alerts and program execution help mitigate threats?

Firewall Analyzer comes with a real-time alerting feature that offers three notification methods:

  • Email
  • SMS
  • Run Script

Email and SMS notifications are self-explanatory. ‘Run Script’ (Program) is a powerful and flexible feature: it allows you to write a custom program that is executed automatically when an alert is triggered. Make sure the program you write carries out remedial action appropriate to the alert condition, as discussed above.

Setting up ‘Run Script’ (Program)

For the sake of demonstration, let us assume that you would like to be notified of any BitTorrent process in your organization’s network and immediately kill that process.

Create an executable program file that kills the bandwidth-consuming processes (for the demo we have created a file named bit.exe). The sample code is shown below:
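The post’s own sample program survives only as a screenshot, so here is an added example (not the bit.exe from the original post) of a handler that ‘Run Script’ could launch. It assumes the alert profile passes the $SRC data variable as the first argument; the internal address ranges, the placeholder program block-host.cmd, the cooldown and the state file name are all constructed for the demo.

```python
import ipaddress
import json
import subprocess
import sys
import time

# Constructed for the demo: internal ranges, remediation program (placeholder), cooldown.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ACTION = ["block-host.cmd"]      # the validated host is appended as its only argument
COOLDOWN_SECONDS = 300           # profile fires every 20 events/minute; act once per host

def validate_source(raw):
    """$SRC comes from firewall logs (untrusted); return it as an IPv4 string if internal, else None."""
    try:
        ip = ipaddress.ip_address(str(raw).strip())
    except ValueError:
        return None
    if ip.version != 4 or not any(ip in net for net in INTERNAL_NETS):
        return None
    return str(ip)

def build_command(host):
    """argv list for the remediation program; no shell, so $SRC cannot inject commands."""
    return ACTION + [host]

def remediate(argv, state, now=time.time, run=subprocess.run):
    """Return 'rejected', 'skipped' (inside the cooldown) or 'acted'; state maps host -> last action time."""
    if len(argv) < 2:
        return "rejected"
    host = validate_source(argv[1])
    if host is None:
        print(json.dumps({"event": "rejected", "src": argv[1]}), file=sys.stderr)
        return "rejected"
    if now() - state.get(host, 0) < COOLDOWN_SECONDS:
        return "skipped"
    run(build_command(host), check=True)   # raises if the program fails
    state[host] = now()
    print(json.dumps({"event": "acted", "src": host, "t": state[host]}))
    return "acted"

if __name__ == "__main__":   # one fresh process per alert, so persist the state on disk
    try:
        with open("remediation-state.json") as f:
            state = json.load(f)
    except FileNotFoundError:
        state = {}
    result = remediate(sys.argv, state)
    with open("remediation-state.json", "w") as f:
        json.dump(state, f)
    sys.exit(0 if result != "rejected" else 1)
```

Because the threshold fires every 20 events per minute, the cooldown keeps a single chatty host from launching the remediation program over and over.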

[Figure: Script to block BitTorrent-like processes]

In Firewall Analyzer, create an alert profile with the following configuration:

  • Enter a profile name of your choice (for the demo we have used ‘bittorrent-blog’)
  • Select Profile Type as ‘Normal Alert’
  • Select the Device(s) of your choice (for the demo we have selected ‘FGT_TEST2’)
  • Under Criteria, select ‘Match all of the following’, then select ‘Attack’, condition ‘contains’, and enter the text ‘BitTorrent’

In the Threshold section

  • Select the Priority of your choice (for the demo we have selected ‘High’)
  • Enter values in ‘Alert for every __ events generated in __ minutes’ (for the demo we have entered ‘20’ and ‘1’)
  • Select the Assign owner of your choice (for the demo we have selected ‘guest’)
  • Select Apply threshold to as ‘All selected devices’

In the Notification section

  • Leave the ‘Send the notifications once and do not send for: This day, This week, This month, Custom period’ option unselected
  • Select the Send Email Notification option
    • Enter the email ID to which the alert notification is to be sent in the ‘Mail To:’ text box. Separate multiple e-mail addresses with a comma (‘,’)
    • Enter the subject of the alert email notification in the ‘Subject:’ text box. Use the ‘Data Variables’ drop-down list to select a variable to add to the email subject line
    • Optionally, enter a message for the email in the ‘Note:’ text box
  • Select the Run Script option
  • In the Enter Script Location section,
    • Click the Browse button and select the location of the file to be executed (for the demo, the bit.exe file) on the client machine
    • Click the Add link to add arguments (for the demo, the $SRC field) in the Arguments text box; these are passed to the program on execution
  • Click the Save Profile button to save the alert profile

[Figure: Create Alert Profile]

[Figure: Alerts generated for BitTorrent]

[Figure: Details of the Alert – BitTorrent]

[Figure: Alert details – 2]

[Figure: Email notification of the Alert – BitTorrent]

You may also be interested in some of the alert profiles discussed in the Firewall Analyzer forum post below. The post also contains an alert profile that can be imported.

https://forums.manageengine.com/topic/importing-of-alert-profile

With such a powerful feature in Firewall Analyzer, correlating events and taking immediate action becomes easy for a network administrator. Explore the possibilities!


The original article/video can be found at Security Event Management: Real-time Alerts and Instant Remediation