Anti-Bot and Anti-Virus in SmartEvent
Event Analysis in SmartEvent or SmartEvent Intro
SmartEvent and SmartEvent Intro supply advanced analysis tools (filtering, charts, reporting, statistics, and more) for all events that travel through enabled Security Gateways.
You can filter the Anti-Bot and Anti-Virus information for fast monitoring and useful reporting on connection incidents related to them.
- Real-time and historical graphs and reports of Anti-Bot and Anti-Virus incidents.
- Graphical incident timelines for fast data retrieval.
- Easily configured custom views to quickly view specified queries.
- Incident management workflow.
- Reports to data owners on a scheduled basis.
SmartEvent shows information for all Software Blades in the environment. SmartEvent Intro shows information for one SmartEvent Intro mode. If you select Anti-Bot and Anti-Virus as the SmartEvent Intro Mode, it shows the Anti-Bot and Anti-Virus information.
To use SmartEvent or SmartEvent Intro, you must enable it on the Security Management Server or on a dedicated machine. See either:
Viewing Information in SmartEvent
To open SmartEvent do one of these:
- Click > > .
- From the tab > Navigation Tree > link.
- From the tab > > > link.
- From the SmartDashboard toolbar of any SmartConsole application, select Window > SmartEvent or press Control+Shift+A.
When SmartEvent opens, go to Events > Predefined > Anti-Bot and Anti-Virus to use the predefined queries for Anti-Bot and Anti-Virus.
- - Shows all Anti-Bot and Anti-Virus events grouped by source, includes all prevented and detected events.
- - Shows all Anti-Bot and Anti-Virus events grouped by protection name.
- - Shows all Anti-Bot and Anti-Virus events grouped by protection name.
- - Shows all Anti-Bot and Anti-Virus events grouped by malware activity.
- > - Shows all Anti-Bot events.
- > - Shows all Anti-Virus events.
- > - Shows all Anti-Bot and Anti-Virus blocked incidents.
Updating the Anti-Bot and Anti-Virus Rule Base
In some cases, after evaluating an event, it may be necessary to update a rule or rule exception in the SmartDashboard Rule Base. You can do this directly from within SmartEvent.
To update a rule in the Anti-Bot and Anti-Virus Rule Base:
- Right-click the event or from within event details select the or menu.
- Select .
SmartDashboard opens showing the related rule in the Anti-Bot and Anti-Virus Rule Base.
- Make related changes.
- Click to install the dedicated Anti-Bot and Anti-Virus policy.
To update a rule exception in the Anti-Bot and Anti-Virus Rule Base:
- Right-click the event or from within the event details, select the or menu.
- Select .
SmartDashboard opens and shows an window in the Anti-Bot and Anti-Virus Rule Base. These details are shown:
- - The name of the protection. Details are taken from the ThreatCloud repository or, if there is no connectivity, from the log.
- - The scope is taken from the log. If there is no related host object, an object is created automatically after you click OK. Click the plus sign to add additional objects.
- - Shows by default. You can use the plus sign to add gateways.
- Select an option:
- - If you want the to apply only to the related rule.
- - If you want the to apply to all rules. The exception is added to the > pane.
- Click .
The exception is added to the Rule Base. The is set to by default. Change if necessary.
- Click to install the dedicated Anti-Bot and Anti-Virus policy.
Accessing the Threat Wiki
You can open the Threat Wiki from within SmartEvent to get more information about a specified protection.
To open the Threat Wiki do one of these:
- Right-click an event and select Go to Threat Wiki.
- Click the malware protection link in the event log.
- Select Go to Threat Wiki from the Anti-Virus or Anti-Bot tab in the event log.
Anti-Bot and Anti-Virus Reports
Daily, weekly, and monthly reports of the events recorded by SmartEvent are configured and stored on the tab. These reports show a high-level summary of the event patterns occurring on your network.
Upon creation, reports can be automatically emailed to predefined addresses, eliminating the need to open SmartEvent to learn of the system's status. You can also choose to save them as PDFs or view them in a browser.
Viewing Information in SmartEvent Intro
To open SmartEvent Intro:
- From the SmartDashboard toolbar, select Window > SmartEvent Intro or press Control+Shift+E.
- Select .
All of the information in SmartEvent Intro is based on Anti-Bot and Anti-Virus events. See the different tabs for detailed information.
The SmartEvent Intro Overview Page
The Overview page shows a quick, easy-to-understand overview of the Anti-Bot and Anti-Virus traffic in your environment. Double-click data in any section of the Overview tab to open the associated list of events and investigate issues down to the individual event level.
The Overview page includes these panes:
- Timeline View
- Anti-Bot & Anti-Virus
- Top Source/Destination Countries of Anti-Bot & Anti-Virus
- Top Malwares by Event Count
- Top Malicious Activities by Event Count
- Status
Anti-Bot and Anti-Virus Event Queries
See detailed event queries in the tab.
- - Shows all Anti-Bot and Anti-Virus events grouped by source, includes all prevented and detected events.
- - Shows all Anti-Bot and Anti-Virus events grouped by protection name.
- - Shows all Anti-Bot and Anti-Virus events grouped by protection name.
- - Shows all Anti-Bot and Anti-Virus events grouped by malware activity.
- > - Shows all Anti-Bot events.
- > - Shows all Anti-Virus events.
- > - Shows all Anti-Bot and Anti-Virus blocked incidents.
See the R76 SmartEvent Intro Administration Guide.