[Sky ATP] How to create SNMP trap from Sky ATP syslog event

[KB34315]


Summary:

This article explains how to create an SRX configuration that produces an SNMP trap on an Advanced Anti-Malware (AAMW) syslog event.

Cause:

A customer may need SNMP traps sent to their Network Management Server so that their Network Operations team can monitor AAMW events.

Solution:

Trap Configuration

The following is an example SNMP trap configuration. For more configuration details, refer to Configuring SNMP Trap Options on a Device Running Junos OS.

snmp {
    community skytest {
        authorization read-write;
        clients {
            10.17.14.1/24;
        }
    }
    trap-group skytrap {
        destination-port 172;
        categories {
            services;
        }
        targets {
            10.17.14.222;
        }
    }
}

Event Policy Configuration

The example policy below sends SNMP traps for Sky ATP actions such as verdicts and Infected Hosts feed updates. Other events, such as the secintel and the remaining aamw event IDs, can be configured as well; use ? after the 'events' statement to list them.

event-options {
    policy Sky_ATP_Alert {
        events [ aamw_action_log aamw_host_infected_event_log aamw_action_log_ls ];
        then {
            priority-override {
                severity alert;
            }
            raise-trap;
        }
    }
}

The user can write the AAMW messages to a custom syslog file name to make them easier to manage. Alternatively, the user can rely on the standard syslog data, as long as it is configured with 'any any' so that all syslog data is written to the /var/log/messages file.

Custom AAMW Syslog Configuration

# show system syslog
syslog {
    file SKYATP {
        any any;
        match AAMW;
    }
}

Note: Ensure that 'security log mode' is configured. This works whether syslog is written locally (mode event) or sent to a syslog server (mode stream).

The following log messages are written to the new syslog file SKYATP:

# show log SKYATP
.....
Apr 23 22:56:16 jtac-sky-1 RT_AAMW: AAMW_ACTION_LOG: hostname=N/A file-category=N/A verdict-number=N/A action=BLOCK list-hit=BLACK source-address=10.100.1.50 source-port=54101 destination-address=209.124.215.105 destination-port=80 protocol-id=6 application=HTTP nested-application=MICROSOFT-UPDATE policy-name=AAM username=N/A roles=N/A session-id-32=51031472 source-zone-name=trust destination-zone-name=untrust url=N/A
.....
Apr 23 22:56:16 jtac-sky-1 RT_AAMW: AAMW_HOST_INFECTED_EVENT_LOG: timestamp=Mon Apr 23 22:56:20 2018 tenant-id=<tenant-id> client-ip=10.0.255.16 client-hostname=N/A host-status=Resolved Fixed host-policy=Manually Blocked threat-level=0 infected-host-status=present reason=manual details=Investigation status has changed to "Resolved Fixed"
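
Once these RT_AAMW records are in the SKYATP file, or carried in the trap raised by the event policy, the receiving side still has to turn the key=value text into fields before it can alert on them. The following Python parser is an added example for this article, not Juniper code: it mimics the 'match AAMW' filter of the syslog file, splits the two sample records shown above into fields (values such as "Resolved Fixed" contain spaces, so the splitter only breaks the line in front of the next key=), and applies a triage rule on the NMS side. The sample lines are the article's own; the function names and the severity rule are assumptions made for illustration.

```python
"""Parser for the RT_AAMW syslog records that end up in the SKYATP file
(and that the raise-trap policy turns into SNMP traps).

Added example for this article; it is not Juniper code.  The two sample
records are the ones the article shows in 'show log SKYATP'.  The function
names and the severity rule below are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample records copied from the article's 'show log SKYATP' output.
SAMPLE_LINES: List[str] = [
    "Apr 23 22:56:16 jtac-sky-1 RT_AAMW: AAMW_ACTION_LOG: hostname=N/A "
    "file-category=N/A verdict-number=N/A action=BLOCK list-hit=BLACK "
    "source-address=10.100.1.50 source-port=54101 "
    "destination-address=209.124.215.105 destination-port=80 protocol-id=6 "
    "application=HTTP nested-application=MICROSOFT-UPDATE policy-name=AAM "
    "username=N/A roles=N/A session-id-32=51031472 source-zone-name=trust "
    "destination-zone-name=untrust url=N/A",
    "Apr 23 22:56:16 jtac-sky-1 RT_AAMW: AAMW_HOST_INFECTED_EVENT_LOG: "
    "timestamp=Mon Apr 23 22:56:20 2018 tenant-id=<tenant-id> "
    "client-ip=10.0.255.16 client-hostname=N/A host-status=Resolved Fixed "
    "host-policy=Manually Blocked threat-level=0 infected-host-status=present "
    "reason=manual details=Investigation status has changed to \"Resolved Fixed\"",
]

# Syslog header: "<Mon DD HH:MM:SS> <hostname> RT_AAMW: <EVENT_ID>: <key=value ...>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"RT_AAMW: (?P<event>[A-Z_]+): (?P<body>.*)$"
)
# Split the body only at whitespace that is followed by another "key=",
# so values containing spaces ("Resolved Fixed", the timestamp) stay whole.
KV_SPLIT_RE = re.compile(r"\s+(?=[A-Za-z][\w-]*=)")


@dataclass
class AamwEvent:
    timestamp: str
    host: str
    event: str                       # e.g. AAMW_ACTION_LOG
    fields: Dict[str, str] = field(default_factory=dict)


def select_aamw(lines: List[str], pattern: str = "AAMW") -> List[str]:
    """Mimic the 'match AAMW' clause of the syslog file: keep only lines
    whose text matches the regular expression."""
    rx = re.compile(pattern)
    return [ln for ln in lines if rx.search(ln)]


def parse_aamw(line: str) -> Optional[AamwEvent]:
    """Turn one RT_AAMW record into an AamwEvent, or None for other syslog text."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    for token in KV_SPLIT_RE.split(m.group("body")):
        key, sep, value = token.partition("=")
        if sep:                      # ignore stray tokens without '='
            fields[key] = value
    return AamwEvent(m.group("ts"), m.group("host"), m.group("event"), fields)


def severity(ev: AamwEvent) -> str:
    """Assumed NMS-side triage rule: blocked files and hosts still marked
    infected are 'alert', everything else 'info'.  The article's policy
    instead sets severity alert on every matching event via priority-override."""
    if ev.event == "AAMW_ACTION_LOG" and ev.fields.get("action") == "BLOCK":
        return "alert"
    if (ev.event == "AAMW_HOST_INFECTED_EVENT_LOG"
            and ev.fields.get("infected-host-status") == "present"):
        return "alert"
    return "info"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count events per event ID plus the number that triage as 'alert'."""
    counts: Dict[str, int] = {"alert": 0}
    for ev in filter(None, map(parse_aamw, select_aamw(lines))):
        counts[ev.event] = counts.get(ev.event, 0) + 1
        if severity(ev) == "alert":
            counts["alert"] += 1
    return counts


if __name__ == "__main__":
    for ev in filter(None, map(parse_aamw, SAMPLE_LINES)):
        print(ev.event, severity(ev),
              ev.fields.get("source-address") or ev.fields.get("client-ip"))
    print(summarize(SAMPLE_LINES))
```

Run it as a script to see both sample records triaged, or feed it lines read from the SKYATP file. The severity rule is the part a Network Operations team would adapt; the header and key=value splitting is the piece that is easy to get wrong, because a naive split on spaces breaks the timestamp, host-status and details values of the AAMW_HOST_INFECTED_EVENT_LOG record.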