
Event Operations

This function lets you perform various operations on received events and execute actions for them.

Event operations include:

  • Automatically Execute Security Policy
    A service control policy can be executed automatically or manually. If the events match a policy with the execute type of Auto, the system will automatically take the actions in the policy.

  • Manually Execute Security Policy
    A security policy can be executed automatically or manually. If the events match a policy with the execute type of Manual, you must manually execute the actions in the policy.

    Operation Procedure

    1. Click the Manual execution required link for an event. The link appears only when the event matches a policy with the execute type of Manual and the policy has not yet been executed for the event.
    2. Click Execute.

  • Manually Execute Action
    If an event matches no policy, you can click the No machining policy link to configure actions for the event and then click Execute to make the actions take effect.

    Operation Procedure

    1. Click the No machining policy link for an event. The link appears only when the event does not match any policy.
    2. Select the actions to be executed and the execution sequence.
    3. Configure action execution and action target parameters.
    4. Click Execute.

  • View Result Report
    After the policy that matches an event has been executed, or the actions for an event that matches no policy have been executed, you can view the policy or action execution results.

    Click the Success link for an event. The result report page displays the following information:

    • Started at: Time when the matched policy started to be executed. An event that matches no policy will match a default policy when you execute actions for the event manually.
    • Ended at: Time when the execution of the matched policy ended.
    • Execution Result List: Lists all actions and their execution results.

    Precautions

    • Click Refresh to view the latest execution results of policies or actions.

  • Perform Reversing Action
    Some of the actions can be reversed after they are executed.

    Operation Procedure

    1. Click the Success link for an event.
    2. Click the Recover link for an action in the action list.

    Precautions

    • The reversing operation can only be performed manually.
    • The Recover link is available only for an action that has been executed successfully.

  • Delete Events
    Perform this task to delete events from the event list.

    Operation Procedure

    1. In the event list, select one or more events.
    2. Click Delete. In the confirmation dialog box, click OK.

  • RESTful Action
    The RESTful action uses a third-party API to implement specific functions.

    In Intelligent Policy Center, configure a policy to associate the Execute RESTful Action option with a periodic event.

    Then, the system periodically calls the third-party API according to the RESTful action configuration.

    Use the following configuration to test the RESTful action:

    HOST IP: 127.0.0.1 (IP address of the system server)
    PROTOCAL(http/https): http (Protocol used to access the system)
    PORT: 8080 (HTTP port used by the system)
    USER NAME: admin (Login username)
    PASSWORD: admin (Login password)
    URL: /imcrs/scc/testAction (Path of the action script on the system server)

    Structure of Request and Response Messages

    1. The RESTful action always uses the PUT method.
    2. Structure of the request message sent by the RESTful action:
    3. Structure of the response message returned by the third-party API:
    4. After the request and response messages are configured, the system stores the parameters returned by the action in returnMap(key,value).

  • Jython Script Action Execution Description
    The system provides the following parameters that can be used directly in the Jython script. A parameter value is empty when it does not exist.

    • eventName: Name of the event
    • eventOID: OID of the event
    • eventIp: IP address of the event
    • srcIp: Source IP address of the attack
    • srcMAC: Source MAC address of the attack
    • srcPort: Source port number of the attack
    • destIp: Destination IP address of the attack
    • destMAC: Destination MAC address of the attack
    • destPort: Destination port number of the attack
    • inputDeviceIp: IP address of the source access device of the attack
    • inputDeviceIfDesc: Interface description of the source access device of the attack
    • inputDestDeviceIp: IP address of the destination access device of the attack
    • inputDestDeviceIfDesc: Interface description of the destination access device of the attack
    • targetIpList: List of action target IP addresses that are configured in the policy.

    The system also provides the jythonErrorMsg parameter that returns execution failure information to the system. You can customize the execution failure information.
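
    The following is an added example, not code from the product or its documentation: a Jython-compatible action script that validates the event parameters listed above before acting on them, since values such as srcIp and srcPort originate from the reported event. It assumes the parameters arrive as plain strings, that targetIpList is an iterable of strings, and that assigning a string to jythonErrorMsg reports the failure; the helper names, the PROTECTED list, and the sample values are constructed.

```python
# Added example: validate event fields before an action script acts on them.
# Runs under Jython 2.7 and CPython 3 (avoids the Python 3 ipaddress module).

# Hypothetical addresses the script must never act against (constructed values).
PROTECTED = ("127.0.0.1", "192.0.2.10")
DIGITS = "0123456789"


def is_number(text):
    return len(text) > 0 and all(c in DIGITS for c in text)


def parse_ipv4(text):
    """Return the four octets as a tuple, or None if not dotted-quad IPv4."""
    parts = (text or "").strip().split(".")
    if len(parts) != 4:
        return None
    for p in parts:
        # ASCII digits only, at most 3, no leading zero (octal ambiguity).
        if not is_number(p) or len(p) > 3 or (len(p) > 1 and p[0] == "0"):
            return None
    octets = tuple(int(p) for p in parts)
    return octets if max(octets) <= 255 else None


def check_event(src_ip, src_port, target_ip_list):
    """Return (ok, message); message is the text for jythonErrorMsg."""
    octets = parse_ipv4(src_ip)
    if octets is None:
        return False, "srcIp is empty or not valid IPv4: %r" % (src_ip,)
    canonical = ".".join(str(o) for o in octets)
    if canonical in PROTECTED or octets[0] in (0, 127) or octets[0] >= 224:
        return False, "refusing to act on protected srcIp %s" % canonical
    if src_port and not (is_number(src_port) and 0 < int(src_port) <= 65535):
        return False, "srcPort out of range: %r" % (src_port,)
    bad = [t for t in target_ip_list if parse_ipv4(t) is None]
    if bad:
        return False, "invalid targetIpList entries: %r" % (bad,)
    return True, ""


# The system supplies these names in the product; constructed here so the
# example runs stand-alone.
srcIp, srcPort, targetIpList = "203.0.113.7", "4444", ["198.51.100.20"]
ok, message = check_event(srcIp, srcPort, targetIpList)
if not ok:
    # Assumption: assigning to jythonErrorMsg reports the failure to the system.
    jythonErrorMsg = message
```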
