
[Sky ATP] How to create SNMP trap from Sky ATP syslog event

Article ID: KB34315
KB Last Updated: 23 Aug 2019
Version: 1.0
Summary:

This article explains how to create an SRX configuration to produce an SNMP trap on an Advanced-anti-malware (AAMW) syslog event.

Cause:

A customer may need to create SNMP traps to be sent to their Network Management Server for their Network Operations to monitor AAMW events.

Solution:

Trap Configuration

The following is an example SNMP trap configuration. For more configuration details, refer to Configuring SNMP Trap Options on a Device Running Junos OS.

snmp {
    community skytest {
        authorization read-write;
        clients {
            10.17.14.1/24;
        }
    }
    trap-group skytrap {
        destination-port 172;
        categories {
            services;
        }
        targets {
            10.17.14.222;
        }
    }
}

Event Policy Configuration

The following example policy sends SNMP traps for Sky ATP actions such as verdicts and Infected Hosts feed updates. Other event types, such as secintel and other aamw events, can be configured as well; use ? after the 'events' statement to list them.

event-options {
    policy Sky_ATP_Alert {
        events [ aamw_action_log aamw_host_infected_event_log aamw_action_log_ls ];
        then {
            priority-override {
                severity alert;
            }
            raise-trap;
        }
    }
}

The user can create a custom syslog file name to help with management. Alternatively, the standard syslog data can be used, as long as the file is configured with 'any any' so that all syslog data is written to the /var/log/messages file.

Custom AAMW Syslog Configuration

# show system syslog
syslog {
    file SKYATP {
        any any;
        match AAMW;
    }
}

Note: Ensure that 'security log mode' is enabled. This works both when syslog is written locally (mode event) and when it is sent to a syslog server (mode stream).

The log messages below are written to the new syslog file SKYATP:

# show log SKYATP
.....
Apr 23 22:56:16 jtac-sky-1 RT_AAMW: AAMW_ACTION_LOG: hostname=N/A file-category=N/A verdict-number=N/A action=BLOCK list-hit=BLACK source-address=10.100.1.50 source-port=54101 destination-address=209.124.215.105 destination-port=80 protocol-id=6 application=HTTP nested-application=MICROSOFT-UPDATE policy-name=AAM username=N/A roles=N/A session-id-32=51031472 source-zone-name=trust destination-zone-name=untrust url=N/A
.....
Apr 23 22:56:16 jtac-sky-1 RT_AAMW: AAMW_HOST_INFECTED_EVENT_LOG: timestamp=Mon Apr 23 22:56:20 2018 tenant-id=<tenant-id> client-ip=10.0.255.16 client-hostname=N/A host-status=Resolved Fixed host-policy=Manually Blocked threat-level=0 infected-host-status=present reason=manual details=Investigation status has changed to "Resolved Fixed"
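Once these events reach the SKYATP file (or the trap receiver), the Network Management Server side usually needs to turn the key=value payload into fields it can alert on. The Python parser below is an added example and is not part of this KB article or of any Juniper tooling; it handles the two RT_AAMW line formats shown above, including values that contain spaces such as host-status=Resolved Fixed, and assumes that the event names used in the event-options policy are simply the lower-cased syslog tags (the sshd line in the sample set is constructed for contrast).

```python
"""Parse RT_AAMW syslog lines (AAMW_ACTION_LOG / AAMW_HOST_INFECTED_EVENT_LOG)
into dictionaries so an NMS or SIEM can act on the same events that the SRX
event-options policy Sky_ATP_Alert raises traps for.

Added illustration; the two AAMW lines are copied from the KB article, the
sshd line is constructed."""
import re

# Syslog header: "<Mon DD HH:MM:SS> <hostname> RT_AAMW: <EVENT_TAG>: <key=value ...>"
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+RT_AAMW:\s+(?P<event>[A-Z_]+):\s+(?P<body>.*)$"
)

# key=value pairs. Values may contain spaces ("host-status=Resolved Fixed",
# "timestamp=Mon Apr 23 22:56:20 2018"), so a value runs until the next
# " key=" token or the end of the line rather than until the next space.
_KV = re.compile(r"([A-Za-z0-9_-]+)=(.*?)(?=\s[A-Za-z0-9_-]+=|$)")

# Events the article's Sky_ATP_Alert policy subscribes to. Assumption: the
# policy event name is the lower-cased form of the syslog tag.
POLICY_EVENTS = {"aamw_action_log", "aamw_host_infected_event_log", "aamw_action_log_ls"}

SAMPLE_LINES = [
    'Apr 23 22:56:16 jtac-sky-1 RT_AAMW: AAMW_ACTION_LOG: hostname=N/A file-category=N/A '
    'verdict-number=N/A action=BLOCK list-hit=BLACK source-address=10.100.1.50 '
    'source-port=54101 destination-address=209.124.215.105 destination-port=80 '
    'protocol-id=6 application=HTTP nested-application=MICROSOFT-UPDATE policy-name=AAM '
    'username=N/A roles=N/A session-id-32=51031472 source-zone-name=trust '
    'destination-zone-name=untrust url=N/A',
    'Apr 23 22:56:16 jtac-sky-1 RT_AAMW: AAMW_HOST_INFECTED_EVENT_LOG: '
    'timestamp=Mon Apr 23 22:56:20 2018 tenant-id=<tenant-id> client-ip=10.0.255.16 '
    'client-hostname=N/A host-status=Resolved Fixed host-policy=Manually Blocked '
    'threat-level=0 infected-host-status=present reason=manual '
    'details=Investigation status has changed to "Resolved Fixed"',
    # constructed non-AAMW line: must be ignored by the parser
    'Apr 23 22:57:01 jtac-sky-1 sshd[1234]: Accepted publickey for admin from 10.17.14.1',
]


def parse_aamw_line(line):
    """Return a dict with header fields plus one entry per key=value pair,
    or None if the line is not an RT_AAMW event."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    # The header time is stored under "syslog_time" because the infected-host
    # event carries its own "timestamp=" field in the body.
    record = {"syslog_time": m.group("ts"), "device": m.group("host"), "event": m.group("event")}
    for key, value in _KV.findall(m.group("body")):
        record[key] = value
    return record


def matches_policy(record):
    """True if the parsed event is one the Sky_ATP_Alert policy would trap on."""
    return record is not None and record["event"].lower() in POLICY_EVENTS


def summarize(record):
    """One-line description of the event, suitable for an NMS alert text."""
    g = lambda k: record.get(k, "N/A")  # missing fields show as N/A, like the SRX does
    ev = record["event"]
    if ev == "AAMW_ACTION_LOG":
        return (f"{g('action')} {g('source-address')}:{g('source-port')} -> "
                f"{g('destination-address')}:{g('destination-port')} "
                f"app={g('application')} list-hit={g('list-hit')}")
    if ev == "AAMW_HOST_INFECTED_EVENT_LOG":
        return (f"host {g('client-ip')} status={g('host-status')} "
                f"policy={g('host-policy')} threat-level={g('threat-level')}")
    return ev


def process(lines):
    """Parse every line and return summaries for the events the policy traps on."""
    out = []
    for line in lines:
        rec = parse_aamw_line(line)
        if matches_policy(rec):
            out.append(summarize(rec))
    return out


if __name__ == "__main__":
    for s in process(SAMPLE_LINES):
        print(s)
```

The parser keys on the " key=" boundary rather than on whitespace, which is what makes the free-text fields (host-status, host-policy, timestamp, details) survive intact; if the NMS only needs the trap, the same field names are what the varbinds carry, so the summaries map one-to-one onto the raised-trap text.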