Contents/Index/Search Download Complete PDF Send Feedback Print This Page

Previous

Next

Investigating Events

Once you have arranged the events as you like in the Event Log, you can begin to investigate their details and evaluate whether they represent a threat.

Related Topics

Tracking Event Resolution using Tickets

Editing IPS Protection Details

Displaying Original Event Log Information

Using Custom Commands

Tracking Event Resolution using Tickets

Events can be categorized and assigned to administrators to track their path through the workflow of resolving threats. Once administrators review an event, they can assign it a status, such as Investigation in Progress, Resolved, or False Alarm; add comments that detail the actions that have been taken with respect to the event; and assign an administrator as the owner of the event. This process is called Ticketing.

After editing the ticket, administrators can use queries to track the actions taken to mitigate security threats and produce statistics based on those actions.

  • To edit an Event Ticket, open the event and click Edit Ticket.
  • To add a quick comment about the event without changing the state or owner, open the event and click Add Comment.
  • To view the history of actions that have been taken on an event, open the event and click View History.

Editing IPS Protection Details

When reviewing events generated from the IPS blade, you may want to review the IPS protections and profiles to understand why an event was generated or attempt to change the way the traffic is handled by the IPS blade.

The IPS menu presents actions that are specific to IPS events. These actions include:

  • Go to Protection which opens the SmartDashboard to the IPS protection which triggered the event.
  • Go to Advisory which opens the Check Point Advisory article which provides background information about the IPS protection.
  • Protection description which opens a detailed description of the IPS protection.

Displaying Original Event Log Information

To see log entries for an event, right-click the event and select Additional Information > View Event Raw Logs. SmartView Tracker displays the log entries that comprise the event.

Note - If the log data for a certain event exceeds 100Kb, the data is discarded.

Using Custom Commands

The SmartEvent client provides a convenient way to run common command line executables that can assist you in investigating events. By right-clicking on cells in the Event Log that refer to an IP address, the default list of commands appears in the context-sensitive menu.

The following commands are available by default: ping, whois, nslookup and Telnet. They appear by design only on cells that refer to IP addresses, because the IP address of the active cell is used as the destination of the command when run.

For example, if you right-click a cell containing an IP address and select the default ping command, a window opens and three ICMP packets are sent to that address. This behavior is configurable, and other commands can be added as well. To add your own custom commands, see Configuring Custom Commands.

 
Top of Page ©2013 Check Point Software Technologies Ltd. All rights reserved. Download Complete PDF Send Feedback Print