Investigating Events

In This Section:

Once you have arranged the events as you like in the Event Log, you can begin to investigate their details and evaluate whether they represent a threat.

Tracking Event Resolution using Tickets

Events can be categorized and assigned to administrators to track their path through the workflow of resolving threats. Once administrators review an event, they can assign it a status, such as Investigation in Progress, Resolved, or False Alarm; add comments that detail the actions that have been taken with respect to the event; and assign an administrator as the owner of the event. This process is called Ticketing.

After editing the ticket, administrators can use queries to track the actions taken to mitigate security threats and produce statistics based on those actions.

To edit an Event Ticket, open the event and click Edit Ticket.
To add a quick comment about the event without changing the state or owner, open the event and click Add Comment.
To view the history of actions that have been taken on an event, open the event and click View History.

Editing IPS Protection Details

When you review events generated from the IPS blade, review the IPS protections and profiles to understand why an event was generated or attempt to change the way the traffic is handled by the IPS blade.

The IPS menu presents actions that are specific to IPS events. These actions include:

Go to Protection - opens the SmartDashboard to the IPS protection which triggered the event.
Go to Advisory - opens the Check Point Advisory article which provides background information about the IPS protection.
Protection description - opens a detailed description of the IPS protection.

Displaying Original Event Log Information

To see log entries for an event, right-click the event and select Additional Information > View Event Raw Logs. SmartView Tracker displays the log entries that comprise the event.

Note - If the log data for a certain event exceeds 100Kb, the data is discarded.

Packet Capture

If any logs have related packet captures, you can open a packet viewer to see the contents of the captured packet. You can also save the packet capture to a file for further investigation.

To use the Packet Capture feature, you must activate these blades and plug-ins:

In a Security Management Server deployment, you must activate the Logging & Status Software Blade on the Security Management Server.
In a Multi-Domain Security Management deployment, you must activate the SmartEvent plug-in the specified Domain Management Server.

To view a packet capture:

In the SmartEvent Events tab, right-click the event in the Event Log pane.
Select Additional Information > View packet capture from the options menu. The Packet Capture Viewer Output window opens.
Optionally, click Save to save the packet capture data as a text file.

You can select Actions > Packet Capture Configuration to define an application in which to view packet capture information. The options are:

The SmartEvent Internal Viewer
Any windows program associated with this file type
Select a program by entering the program executable file name and any required arguments.

Using Custom Commands

The SmartEvent client provides a convenient way to run common command line executables that can assist you in investigating events. By right-clicking on cells in the Event Log that refer to an IP address, the default list of commands appears in the context-sensitive menu.

The following commands are available by default: ping, whois, nslookup and Telnet. They appear by design only on cells that refer to IP addresses, because the IP address of the active cell is used as the destination of the command when run.

For example, if you right-click a cell containing an IP address and select the default ping command, a window opens and three ICMP packets are sent to that address. This behavior is configurable, and other commands can be added as well. To add your own custom commands, see Configuring Custom Commands.