Configuring Sentinel to send Emails when a Correlation Rule fires

Version: 7.0.2.0_664

Sentinel 7 ships with a correlation rule named "Example: Bad Logins Any User". In this article I will show how to configure that rule (Bad Logins Any User) to send an email when it fires.

In a nutshell, we have to perform the following steps to achieve this:

  1. SMTP Integrator configuration (SMTP server settings)

  2. Creation of an Action that sends emails

  3. Configuration of the Correlation Rule to use that Action

  4. Deployment of the Correlation Rule



a. First we have to configure the SMTP Integrator


In Sentinel Control Center (SCC), click on "Configuration" to enable the Configuration menu, as shown in the screenshot below:

[Screenshot 28081-1]


Once the Configuration menu is enabled, click on 'Configuration > Integrator Manager > Integrator Manager' as shown in the screenshot below:

[Screenshot 28081-2]


Select "Mail" under the Integrators column:

[Screenshot 28081-4]


Then click on the Connection tab in the right column to configure the SMTP settings:

[Screenshot 28081-3]


Now click on the "Integrator Properties" tab:

[Screenshot 28081-5]


Click on the property "DefaultEMailServer", change its value to "SentinelDefaultEMailServer", then click on the Save button:

[Screenshot 28081-6]


Click on the Test button to verify the settings:

[Screenshot 28081-7]


Once the SMTP Integrator configuration is complete, we have to add an Action that defines to whom the email is sent (To) and what its subject is.


b. Creation of Action to send emails


In Sentinel Control Center (SCC), click on "Configuration" to enable the Configuration menu, as shown in the screenshot below:

[Screenshot 28081-8]


Once the Configuration menu is enabled, click on 'Action Manager > Add' as shown in the screenshots below:

[Screenshot 28081-9]


[Screenshot 28081-10]


[Screenshot 28081-11]


Select "Send Email" from the Action drop-down, then provide the Action name, the email addresses (To and From), the Subject, etc., as shown in the following screenshot:

[Screenshot 28081-12]


Click on the Save button:

[Screenshot 28081-13]


We now have all the ingredients ready to use in our correlation rule "Bad Logins Any User" (one of the rules that ships with Sentinel by default).

In the following steps I will configure the rule to use the Action (EmailAuthDeniedEvents) we just created, and then deploy the rule.


c. Configuration of Correlation Rule to use the Action for sending emails


To configure and enable the correlation rule "Bad Logins Any User", open the Sentinel Web UI and click on Correlation to expand it:

[Screenshot 28081-14]


[Screenshot 28081-15]


Select "Example: Bad Logins Any User" > Edit Rule:

[Screenshot 28081-16]


Click on the wrench icon to associate actions with the rule:

[Screenshot 28081-17]


Select the action we created (EmailAuthDeniedEvents), then click on the OK button:

[Screenshot 28081-18]


Click on the Save Rule button:

[Screenshot 28081-19]



d. Deploying the Correlation Rule


Once the action is associated, click on "Example: Bad Logins Any User", select the Correlation Engine and click on Deploy, as shown in the screenshot below:

[Screenshot 28081-20]


All Done 😉

Now try to log in to this Sentinel server from any SSH client with wrong credentials to fire the correlation rule "Bad Logins Any User":

[Screenshot 28081-21]


The "Bad Logins Any User" rule fired 😉

[Screenshot 28081-22]


Now check the mailbox of the account provided in the To: field of our Action "EmailAuthDeniedEvents".
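To make the end-to-end behaviour configured above concrete (failed logins are correlated, and when the rule fires a "Send Email" action dispatches a notification), here is an added Python illustration. It is not Sentinel's own rule logic or code from this article: the real definition of "Example: Bad Logins Any User" is not shown on the page, so the threshold of 3 failures within a 5-minute window, the per-source-IP grouping, the SMTP host and the email addresses are all assumptions, and the sshd log lines are constructed sample input.

```python
"""Added illustration: correlate failed SSH logins and build the alert email.
Not Sentinel's rule logic. Threshold, window, grouping key, SMTP host and
addresses are assumptions; the log lines below are constructed samples."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from email.message import EmailMessage
import re
import smtplib

# Assumed rule parameters (the article does not show the real rule definition).
THRESHOLD = 3                 # failed logins that trigger the rule
WINDOW = timedelta(minutes=5)  # sliding window over which they are counted

# Constructed sample events in a syslog-like sshd format (not real captures).
SAMPLE_LOG = """\
2013-05-20 22:10:01 sentinel sshd[1201]: Failed password for root from 10.0.0.7 port 51022 ssh2
2013-05-20 22:10:04 sentinel sshd[1201]: Failed password for root from 10.0.0.7 port 51023 ssh2
2013-05-20 22:10:09 sentinel sshd[1202]: Accepted password for admin from 10.0.0.9 port 51030 ssh2
2013-05-20 22:10:12 sentinel sshd[1203]: Failed password for root from 10.0.0.7 port 51024 ssh2
2013-05-20 22:10:15 sentinel sshd[1204]: Failed password for invalid user test from 10.0.0.8 port 51040 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failed_logins(text):
    """Yield (timestamp, user, source_ip) for each failed-login line; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["src"]


def correlate(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed logins per source IP. "Any User" means the
    account name is not part of the grouping key. Returns (fire_time, src, count) alerts."""
    buckets = defaultdict(deque)
    alerts = []
    for ts, _user, src in events:
        q = buckets[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, src, len(q)))
            q.clear()                      # one alert per burst: reset after firing
    return alerts


def build_alert_email(alert, to_addr, from_addr):
    """Compose the message a Send Email action would deliver (addresses are placeholders)."""
    ts, src, count = alert
    msg = EmailMessage()
    msg["Subject"] = f"[Sentinel] Bad Logins Any User fired: {count} failures from {src}"
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg.set_content(
        f"Correlation rule 'Example: Bad Logins Any User' fired at {ts:%Y-%m-%d %H:%M:%S}.\n"
        f"{count} failed SSH logins from {src} within {int(WINDOW.total_seconds() // 60)} minutes.\n"
    )
    return msg


def send_alert(msg, smtp_host="smtp.example.invalid", smtp_port=25):
    """Deliver over SMTP. The host is a placeholder for the server set in the Mail integrator."""
    with smtplib.SMTP(smtp_host, smtp_port, timeout=10) as smtp:
        smtp.send_message(msg)


def run(log_text=SAMPLE_LOG, to_addr="soc@example.invalid", from_addr="sentinel@example.invalid"):
    """Parse, correlate and return the alert emails (without sending them)."""
    alerts = correlate(parse_failed_logins(log_text))
    return [build_alert_email(a, to_addr, from_addr) for a in alerts]


if __name__ == "__main__":
    for message in run():
        print(message)   # dry run; call send_alert(message) to deliver for real
```

On the constructed sample, three failures from 10.0.0.7 land inside the window, so exactly one alert and one email are produced; the single failure from 10.0.0.8 and the successful login are ignored. Running the script as-is only prints the message, which mirrors the Test button on the integrator: verify what would be sent before wiring it to a live SMTP server.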

Comments
Excellent write-up! I especially like the attention to detail, with annotated screendumps!!
Last update: 2013-05-20 22:28