
System Administration and Modifying Event Policy

The following tasks help you maintain your SmartEvent system properly.

These tasks are performed from the Policy tab. The Policy tab is hidden by default.

To show the Policy tab: from the View menu, select Policy Tab.

Modifications to the Event Policy do not take effect until saved on the SmartEvent server and installed to the Correlation Units.

To enable changes made to the Event Policy, proceed as follows:

  1. Select File > Save.
  2. Select Actions > Install Event Policy.

Changes made to the Event Policy can be undone if the changes have not been saved first. To undo changes made to the policy, select File > Revert Changes.

Related Topics

Adding Exclusions

Modifying the System General Settings

Managing the Event Database

Administrator Permissions Profile - Policy

Adding Exclusions

Exclusions remove log entries from query results according to defined criteria (query properties). For example, if source 10.10.10.1 is defined as an exclusion for an event, all events with source 10.10.10.1 do not show in the query result. Global Exclusions work in the same way, except they apply to all events.

You can add exclusions in one of these ways:

  • Manually using this window
  • By accepting Learning Mode recommendations
  • By right-clicking an event and selecting Exclude from event definition.

To manually add an exclusion:

  1. Click Add.
  2. In the Exclusion window, select the Source and/or destination Server object you want to exclude from the query results.
  3. Configure any other filter criteria that are available for the specified event.
  4. Optionally, click Apply and delete existing events to remove the excluded events from the existing query results.

    If you do not see the host object listed, you may need to create it in SmartEvent.

You can change or delete existing exclusions by selecting Edit or Remove, respectively.

Modifying the System General Settings

The following tasks help you maintain your SmartEvent system.

These tasks are performed from the Policy tab. The Policy tab is hidden by default, but can be revealed by selecting Policy Tab from the View menu.

Adding Network and Host Objects

Certain objects from the Management server are added during the initial sync with the SmartEvent server and updated at a set interval. However, it may be necessary or useful to add other Network or Host objects, for the following reasons:

  • If you have devices or networks not represented on the Management server that are important for the purpose of defining your internal network
  • When adding sources or destinations to exclusions or exceptions in Event Definitions
  • When selecting sources or destinations in a filter

The following screens are locked until initial sync is complete:

  • Network Objects
  • Internal Network
  • Correlation Units

To make these devices available for use in SmartEvent, proceed as follows:

For a Host object:

  1. From the Policy tab, select General Settings > Objects > Network Objects > Add > Host.
  2. Give the device a significant Name.
  3. Enter its IP Address or select Get Address.
  4. Select OK.

For a Network object:

  1. From the Policy tab, select General Settings > Objects > Network Objects > Add > Network.
  2. Give the network a significant Name.
  3. Enter the Network Address and Net Mask.
  4. Select OK.

See Defining the Internal Network for information on adding objects to the Internal Network definition.

Defining Correlation Units and Log Servers

The SmartEvent system works with correlation units that compile event information from log servers. Additional Correlation Units and their corresponding Log servers should be configured during the initial system setup.

To define Correlation Units or Log servers in SmartEvent:

  1. From the Policy tab, select General Settings > Initial Settings > Correlation Units.
  2. Select Add.
  3. Select the […] symbol and select a Correlation Unit from the pop-up window.
  4. Select OK.
  5. Select Add and select a Log server available to the Correlation Unit from the pop-up window.
  6. Select Save.
  7. From the Actions menu, select Install Event Policy.

    Note - The following screens are locked until sync is complete:

    • Network Objects
    • Internal Network
    • Correlation Units

To define Correlation Units in SmartEvent Intro:

  • In a Security Management Server environment: correlation is defined automatically.
  • In a Multi-Domain Security Management environment: do the previous procedure on the Multi-Domain Server.

Defining the Internal Network

To help SmartEvent determine whether events have originated internally or externally, the Internal Network must be defined. The direction is calculated as follows:

  1. Incoming – all sources are outside the network and all destinations are inside
  2. Outgoing – all sources are inside the network and all destinations are outside
  3. Internal – sources and destinations are all inside the network
  4. Other – a mixture of internal and external values makes the result indeterminate

To define the Internal Network:

  1. From the Policy tab, select General Settings > Initial Settings > Internal Network.
  2. Add internal objects.

Note - It is recommended to add all internal Network objects, and not Host objects.

Certain network objects are copied from the Management server to the SmartEvent server during the initial sync and updated afterwards periodically.

The following screens are locked until initial sync is complete:

  • Network Objects
  • Internal Network
  • Correlation Units

Offline Log Files

SmartEvent enables an administrator to view existing logs from a previously generated log file. This feature is designed to enable an administrator to review security threats and pattern anomalies that appeared in the past. As a result, an administrator can investigate threats (for example, unauthorized scans targeting vulnerable hosts, unauthorized logins, denial of service attacks, network anomalies, and other host-based activity) that occurred before SmartEvent was installed.

Similarly, an administrator can review logs from a specific time period in the past and focus resources on threats that have been active for a period of time but may have been missed (for example, new event definitions that have since been dynamically updated can now be processed over the previous period).

Offline log processing is configured in the SmartEvent > Policy tab > General Settings > Initial Settings > Offline Jobs, connected to the Security Management Server or Multi-Domain Server, with the following options:

  • Add enables you to configure an Offline Log File process.
    • Name acts as a label that enables you to recognize the specific Offline log file for future processing. For example, you can create a query according to the Offline Job name. This name is used in Events tab queries to search for events that have been generated by this job.
    • Comment contains a description of the Offline Job.
    • Offline Job Parameters:

      Correlation Unit – the machine that reads and processes the Offline Logs.

      Log Server – the machine that contains the Offline Log files. SmartEvent queries this log server to see which log files are available.

      Log File – a list of the available log files found on the selected Log server to be processed by the correlation unit. In this window you select the log file from which you would like to retrieve historical information.

  • Edit enables you to modify the parameters of an Offline Log File process.
  • Remove enables you to delete an Offline Log File process.

    Once you Start an Offline Log File process you cannot remove it.

  • Start runs the Offline Log File process.

    The results of this process appear in the Events tab and are accessible by the By Job Name query or filter.

  • Stop ends the Offline Log File process. Stop does not delete the entire process; it only stops the process at the specific point at which it is selected. The information collected up until the process is stopped appears in the Events tab.

In the SmartEvent Events tab you can query the events generated by offline jobs. To do this, perform the following:

  1. Select the Events Tab.
  2. Go to Predefined > By Job Name.
  3. Double-click By Job Name.

    Every job that appears in this window is an offline job except for All online jobs.

  4. Select the job you want the By Job Name to query.
  5. Click OK.

Configuring Custom Commands

To add (or edit) custom commands:

  1. Select Actions > Configure Custom Commands.
  2. To add a command, select Add…. (To edit an existing command, highlight the command and select Edit.)
  3. Enter the text to appear in the right-click context menu.
  4. Enter the command to run, and any arguments.
  5. Configure the command to run in a SmartEvent window or in a separate Windows command window.
  6. Select whether the command should appear in the context menu only when right-clicking in cells with IP address data.
  7. Select OK.

Creating an External Script

An external script can be written to receive an Event Definition via standard input. The format of the event content is a name-value set – a structured set of fields that have the form:

(name: value ;* );

where name is a string and value is either free text that extends up to the next semicolon, or a nested name-value set (itself enclosed in parentheses). The script is reported as successful if it completes within 10 minutes and its exit status is zero.

The following is a sample event as it is received by an external script:

(Name: Check Point administrator credential guessing; RuleID: {F182D6BC-A0AA-444a-9F31-C0C22ACA2114}; Uuid: <42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0; StartTime: 16Feb2005 16:45:45; EndTime: Not Completed; DetectionTime: 16Feb2005 16:45:48; LastUpdateTime: 0; TimeInterval: 600; MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy: 2886735150; Origin: (IP: 1.2.3.4; repetitions: 3; countryname: United States; hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source: (hostname: theHost; repetitions: 3; IP: 1.2.3.4; countryname: United States) ; Severity: Critical; EventNumber: EN00000184; State: 0; NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;
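A parser for the name-value set format, as an added example (not Check Point's code) of what an external script placed in $RTDIR/bin/ext_commands could do with the event it receives on standard input. It handles nested sets such as Origin and Source and is exercised against the sample event shown above; running it as a script, and exiting with status zero, is an assumption about how such a script is invoked.

```python
import sys

# The sample event from this page, embedded so the parser can be run offline.
SAMPLE_EVENT = (
    "(Name: Check Point administrator credential guessing; RuleID: {F182D6BC-A0AA-444a-9F31-C0C22ACA2114};"
    " Uuid: <42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0; StartTime: 16Feb2005 16:45:45;"
    " EndTime: Not Completed; DetectionTime: 16Feb2005 16:45:48; LastUpdateTime: 0; TimeInterval: 600;"
    " MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy: 2886735150;"
    " Origin: (IP: 1.2.3.4; repetitions: 3; countryname: United States; hostname: theHost) ;"
    " ProductName: SmartDashboard; User: XYZ;"
    " Source: (hostname: theHost; repetitions: 3; IP: 1.2.3.4; countryname: United States) ;"
    " Severity: Critical; EventNumber: EN00000184; State: 0; NumOfRejectedConnections: 0;"
    " NumOfAcceptedConnections: 0) ;"
)


def _skip_ws(text, i):
    while i < len(text) and text[i].isspace():
        i += 1
    return i


def _parse_set(text, i):
    """Parse one '( name: value ; ... )' set starting at offset i.

    Returns (fields, offset just past the closing parenthesis). A value is free
    text up to the next ';' or ')' unless it starts with '(', in which case it
    is a nested set parsed recursively (nested sets may be followed by ' ;').
    """
    i = _skip_ws(text, i)
    if i >= len(text) or text[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i, fields = i + 1, {}
    while True:
        i = _skip_ws(text, i)
        if i >= len(text):
            raise ValueError("unterminated name-value set")
        if text[i] == ")":
            return fields, i + 1
        colon = text.find(":", i)
        if colon == -1:
            raise ValueError("missing ':' after offset %d" % i)
        name = text[i:colon].strip()
        i = _skip_ws(text, colon + 1)
        if i < len(text) and text[i] == "(":
            value, i = _parse_set(text, i)
        else:
            end = i
            while end < len(text) and text[end] not in ";)":
                end += 1
            value, i = text[i:end].strip(), end
        i = _skip_ws(text, i)
        if i < len(text) and text[i] == ";":
            i += 1
        fields[name] = value


def parse_event(text):
    """Return the top-level event as a dict; nested sets become nested dicts."""
    return _parse_set(text, 0)[0]


if __name__ == "__main__":
    event = parse_event(sys.stdin.read())
    print("%s severity=%s source=%s" % (event.get("Name"), event.get("Severity"),
                                        event.get("Source", {}).get("IP")))
    sys.exit(0)
```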

To add an External Script, proceed as follows:

  1. From the Policy tab, select General Settings > Initial Settings > Automatic Reactions > Add > External Script.
  2. Give the script a name.
  3. In the field Action, enter the name of the file containing the script. The script must be placed in the directory $RTDIR/bin/ext_commands, and must have execute privileges.

Managing the Event Database

SmartEvent uses an optimization algorithm to manage disk space and other system resources. When the SmartEvent database becomes too large, the oldest events are automatically deleted to save space. In addition, events that are more than one year old are also automatically deleted.

For instructions on changing the maximum retention period and the maximum database size for past events in the SmartEvent database, see sk69706.

Backup and Restore of the Database

The evs_backup utility backs up the SmartEvent configuration files and places them in a compressed tar file. In addition, it backs up data files based upon the options selected. The files can be restored using the evs_backup_extractor script. Enclosed are two script versions, one for Windows that has a .bat suffix and one for Solaris, Linux and SecurePlatform that does not have a suffix but should have the executable permissions set.

Usage:

evs_backup [-filename file.tgz] [-EvaDb] [-EvrDb] [-Results] [-Logs] [-LogoAndScripts] [-All] [-export] 

The options are:

  Option             Description
  -EvaDb             Copy the SmartEvent events database
  -EvrDb             Copy the SmartReporter consolidation database
  -Results           Copy the SmartReporter results
  -Logs              Copy the SmartEvent error logs
  -LogoAndScripts    Copy the logo file and the distribution script
  -export            Runs evr_addon_export; to use a different file name, use -filename
  -All               Select all options

Administrator Permissions Profile - Policy

SmartEvent lets you assign a Profile to an administrator for the SmartEvent database. When an administrator logs into SmartEvent, the user name and password are verified by the SmartEvent server. If the administrator is not defined on the SmartEvent server, the server attempts the login with the credentials defined on the Security Management Server or Multi-Domain Server connected with SIC to the SmartEvent server.

The Permission Profile types for the SmartEvent Policy tab are set in SmartDashboard or the SmartDomain Manager (SmartDashboard > Manage > Permissions Profiles > New / Edit) connected to the Security Management Server or Multi-Domain Server.

The following are the four types of Permission Profiles:

  • None indicates that the administrator cannot view the SmartEvent Policy tab.
  • Read Only enables the administrator to view SmartEvent Policy tab.
  • Read/Write enables the administrator to perform Install Policy and modify the SmartEvent Policy tab.

    With Read/Write permissions the administrator can also configure one or both of the following from within the Events tab:

    • Exclude from Event Definition
    • Add Exception to Event Definition
  • Customized allows user-defined access to the selected Check Point products and selected permissions per application.

Multi-Domain Security Management

When using Multi-Domain Security Management, SmartEvent works with specified Domains. In the Policy tab, an administrator can see events, exceptions and exclusions for Domains according to that administrator's permissions.

A Multi-Domain Security Management Policy administrator can be one of the following:

  • Locally defined administrator on the SmartEvent Server
  • Multi-Domain Server Super User defined on the Multi-Domain Server.
  • An administrator with permissions to all Domains selected in SmartEvent (Policy > General Settings > Objects > Domains). Unlike the two above, this type of administrator can install a Policy and can view events that are cross-Domain (an event created from logs that come from multiple Domains).
©2013 Check Point Software Technologies Ltd. All rights reserved.