
Juniper Networks, Inc.

1194 North Mathilda Avenue

Sunnyvale, CA 94089

USA

408-745-2000

www.juniper.net

Security Threat Response Manager

Custom E-mail Notifications


Copyright Notice

Copyright © 2013 Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc.

The following terms are trademarks or registered trademarks of other companies:

Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Juniper Networks’ installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Consult the dealer or an experienced radio/TV technician for help.
- Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT, SUBJECT TO THE MODIFICATIONS SET FORTH BELOW ON THIS PAGE, ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

Custom E-mail Notifications

Release 2013.2

Copyright © 2013, Juniper Networks, Inc. All rights reserved. Printed in USA.

Revision History

July 2013—Custom E-mail Notifications

The information in this document is current as of the date listed in the revision history.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html, as modified by the following text, which shall be treated under the EULA as an Entitlement Document taking precedence over any conflicting provisions of such EULA as regards such software:

As regards software accompanying the STRM products (the “Program”), such software contains software licensed by Q1 Labs and is further accompanied by third-party software that is described in the applicable documentation or materials provided by Juniper Networks.

For the convenience of Licensee, the Program may be accompanied by a third party operating system. The operating system is not part of the Program, and is licensed directly by the operating system provider (e.g., Red Hat Inc., Novell Inc., etc.) to Licensee. Neither Juniper Networks nor Q1 Labs is a party to the license between Licensee and the third party operating system provider, and the Program includes the third party operating system “AS IS”, without representation or warranty, express or implied, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement. For an installed Red Hat operating system, see the license file: /usr/share/doc/redhat-release-server-6Server/EULA. By downloading, installing or using such software, you agree to the terms and conditions of that EULA as so modified.

CONTENTS

1 CUSTOM E-MAIL NOTIFICATIONS

    Customizing E-mail Notifications
    Using Custom Parameters
1 CUSTOM E-MAIL NOTIFICATIONS

You can customize content in e-mail notifications to meet the requirements of your organization.

When you create rules using STRM, the responses can be configured to generate emails. These notifications can be sent to recipients to provide useful information such as event or flow properties. These properties are specified in the alert-config.xml file, which is the default template.

Unless otherwise noted, all references to STRM refer to STRM, STRM Log Manager, and STRM Network Anomaly Detection. References to flows do not apply to STRM Log Manager.

Customizing E-mail Notifications

You can edit and customize the STRM file, alert-config.xml, which is used to generate e-mail notifications.

About this task

When you upgrade from STRM 2013.1 to STRM 2013.2, the default alert-config.xml file displays the 2013.1 configuration.

Use the following parameters to access STRM and edit the custom email file:

Table 1-1 Custom E-mail Notification Parameters

| Parameter | Description |
|---|---|
| Username | The username used to access the STRM console using SSH. |
| Password | The password used to access the STRM console using SSH. |
| directory name | The temporary directory used to store the custom email files. |

Procedure

Step 1

Using SSH, log in to the STRM Console as the root user.

    Username: root
    Password: <password>

Step 2

To create a new temporary directory, type the following command:

    mkdir <directory_name>

Where <directory_name> is the name of the temporary directory you use to edit copies of the default files.

Step 3

To copy the files stored in the custom_alerts directory to the temporary directory, type the following command:

    cp /store/configservices/staging/globalconfig/templates/custom_alerts/*.* <directory_name>

Where <directory_name> is the name of the directory you created in Step 2.

Step 4

Confirm the files were copied successfully:

a  To list the files in the directory, type the following command:

    ls -lah

b  Verify the following file is listed:

    alert-config.xml

Step 5

Open the alert-config.xml file.

Step 6

Optional. If you want to create multiple templates, copy the <template></template> property, including tags and the contents, and then paste it below the existing <template></template> property.

NOTE: You can add multiple templates; however, STRM only supports one event and one flow template type to be set to True in the Active property.

Step 7

Edit the contents of the <template></template> property:

a  Specify the template type using the following XML property:

    <templatetype></templatetype>

   Where possible values include event or flow. This field is mandatory.

b  Specify the template name using the following XML property:

    <templatename></templatename>

c  Set the Active property to true:

    <active>true</active>

d  Edit the Subject property, if required.

e  Add or remove parameters from the Body property. For more information on accepted parameters, see Using Custom Parameters.

f  Repeat these steps for each template you want to add.

Step 8

Save and close the file.

Step 9

To validate your changes, type the following command:

    /opt/qradar/bin/runCustAlertValidator.sh <directory_name>

If the script validates the changes successfully, the following message is displayed:

Step 10

Log in to the STRM user interface.

Step 11

Click the Admin tab.

Step 12

Select Advanced > Deploy Full Configuration.

Your custom email notifications are now complete. Rules that have an email notification set as the rule response will generate emails using the custom parameters you specified.
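The two constraints stated in Steps 6 and 7 (a mandatory <templatetype> of event or flow, and at most one active template per type) can be checked on the edited copy before running the validator in Step 9. The script below is an added example, not part of the Juniper guide or the STRM product; the sample XML, its root element name and the template names are constructed, and treating "True" and "true" alike is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

VALID_TYPES = {"event", "flow"}  # values the guide allows in <templatetype>

# Constructed sample: the <templates> root name and template names are made up.
SAMPLE = """<templates>
  <template>
    <templatename>Default event</templatename>
    <templatetype>event</templatetype>
    <active>true</active>
  </template>
  <template>
    <templatename>SOC event</templatename>
    <templatetype>event</templatetype>
    <active>true</active>
  </template>
  <template>
    <templatename>Flow summary</templatename>
    <active>false</active>
  </template>
</templates>"""

def _text(tmpl, tag):
    """Stripped text of a child element, or '' when it is absent or empty."""
    return (tmpl.findtext(tag) or "").strip()

def lint_templates(xml_text):
    """Return a list of problems found in the <template> blocks."""
    problems = []
    active = defaultdict(list)  # template type -> names of active templates
    for n, tmpl in enumerate(ET.fromstring(xml_text).iter("template"), 1):
        name = _text(tmpl, "templatename") or f"#{n}"
        ttype = _text(tmpl, "templatetype")
        if ttype not in VALID_TYPES:
            problems.append(f"{name}: <templatetype> must be event or flow, got {ttype!r}")
            continue
        # Assumption: 'True' and 'true' both mark a template as active.
        if _text(tmpl, "active").lower() == "true":
            active[ttype].append(name)
    for ttype in sorted(active):
        if len(active[ttype]) > 1:
            problems.append(f"{ttype}: more than one active template: {', '.join(active[ttype])}")
    return problems

if __name__ == "__main__":
    for problem in lint_templates(SAMPLE) or ["no problems found"]:
        print(problem)
```

To check a real copy, pass the contents of alert-config.xml from the temporary directory to lint_templates(); an empty list means both constraints hold.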

Using Custom Parameters

You can use several parameters to customize your email notifications.

About this task

To use the body.CustomProperty and body.CalculatedProperty parameters, create a custom event or custom property. For more information, see the user guide for your STRM Product. The accepted email notification parameters are listed below.

Table 1-2 Accepted Custom Parameters

| Common Parameters | Event Parameters | Flow Parameters |
|---|---|---|
| AppName | EventCollectorID | Type |
| RuleName | DeviceId | CompoundAppID |
| RuleDescription | DeviceName | FlowSourceIDs |
| EventName | DeviceTime | SourceASNList |
| EventDescription | DstPostNATPort | DestinationASNList |
| EventProcessorId | SrcPostNATPort | InputIFIndexList |
| Qid | DstMACAddress | OutputIFIndexList |
| Category | DstPostNATIPAddress | AppId |
| RemoteDestinationIP | DstPreNATIPAddress | Host |
| Payload | SrcMACAddress | Port |
| Credibility | SrcPostNATIPAddress | SourceBytes |
| Relevance | SrcPreNATIPAddress | SourcePackets |
| Source | SrcPreNATPort | Direction |
| SourcePort | DstPreNATPort | SourceTOS |
| SourceIP | | SourceDSCP |
| Destination | | SourcePrecedence |
| DestinationPort | | DestinationTOS |
| DestinationIP | | DestinationDSCP |
| DestinationUserName | | SourceASN |
| Protocol | | DestinationASN |
| StartTime | | InputIFIndex |
| Duration | | OutputIFIndex |
| StopTime | | FirstPacketTime |
| EventCount | | LastPacketTime |
| SourceV6 | | TotalSourceBytes |
| DestinationV6 | | TotalDestinationBytes |
| UserName | | TotalSourcePackets |
| DestinationNetwork | | TotalDestinationPackets |
| SourceNetwork | | SourceQOS |
| Severity | | DestinationQOS |
| CustomPropertiesList | | SourcePayload |
| body.CustomProperty("<Property Name>") | | DestinationPayload |
| body.CalculatedProperty("<Property Name>") | | |

Procedure

Step 1

Open the alert-config.xml file for editing. For more information, see Customizing E-mail Notifications.

Step 2

Add one or both of the following lines to the alert-config.xml file:

    body.CustomProperty <Property Name>
    body.CalculatedProperty <Property Name>

Where <Property Name> is the name used to create the custom property.

If you configured custom properties and included custom parameters in your template, then STRM generates emails using the custom parameters you specified.
