Working with Queries

In This Section:

SmartEvent uses filtered event views, called queries, to identify and show relevant events. Event window information, timelines, graphs and reports are based on queries that identify potentially dangerous events and event patterns. You use this information to adjust your Security Policies and protection settings in response to detected threats.

Event Queries

SmartEvent uses filtered event views, called queries, to define the events to view. Located in the Queries Tree, these queries filter and organize event data for display in the Events, Charts and Maps tabs. Queries are defined by filter properties and charts properties. Filter properties allow you to define what type of events to display and how they should be organized. Charts properties allow you to define how the filtered event data should be displayed in chart form.

Predefined Queries

SmartEvent provides a thorough set of predefined queries, which are appropriate for many scenarios.

Queries are organized by combinations of event properties, for example:

IPS, which includes queries of IPS events
Direction, such as Incoming, Internal, and Outgoing
Direction is determined by the Internal Network settings.
IP, either the Source or Destination IP address
Ticketing, such as ticket State or Owner
Severity, such as Critical, High, and Medium

Custom Queries

SmartEvent gives you the flexibility to define custom queries that show the most relevant events and trends. Once you have defined custom queries, you can organize them into folders so that they are easy to find and use.

You can use your queries to:

Show an overview of events with specified characteristics in the Events tab
Generate reports to analyze specified events and trends in the Reports tab
Show event counts and severity trends in the Timelines tab
Show event data in easy to read charts in the Charts tab
Show events by source or destination country in the Maps tab

Customizing Query Filters

You can work with queries in the Events, Timelines, Charts and Maps windows. See the Reports section to learn about procedures for working with report queries.

To change query filter properties:

In the tree, right-click the query.
Select Properties > Events Query Properties from the options menu.

In the Query Properties window, do one or more of these tasks:

Use the Add and Remove buttons to select criteria fields to include in your query.
Selected criteria show in the In Use list. Criteria not selected show in the Ignored list. You can enter text in the Search Fields box to highlight matching text strings in criteria fields.
Click the Filter column to define filter criteria. Select or enter criteria values in the window that opens.
The window type and data entry procedures are different for each criterion type. The default value is Any.

Optional: Clear the Show option to prevent a criterion column from showing in the Event pane.

In this case, the criterion filter applies to the query, but the column does not show. By default, the Show option is selected for all criteria.

Note - If you clear the Show option for a criterion that does not have a filter applied, that criterion automatically moves to the Ignored list. This action is the same as using the Remove button.

Optional: Select a field in the In Use list and click Group.
This shows events with the same field value under a collapsible summary line. This option works best when you select only one criteria field.
Use the Up and Down buttons to change the criteria column sequence in the Event Log.

Optionally define these additional query settings:
- To require users to enter or select a filter value at run time, select the When running the query prompt for option. Select a filter criterion from the list.
  When enabled, the query shows a Filter window and the user must select or enter the filter value. This makes the query more dynamic, enabling the user to specify values each time the query is run.
- Auto refresh query every 60 seconds - The query automatically updates the Event Log at 60 second intervals. This option is cleared by default.
- Run query on OK - The query automatically updates the Event Log after you complete the definition and click OK. This option is selected by default.
- Use existing value from the toolbar - Shows only the number of events as defined in the Show up to # toolbar field. This option is selected by default.
- Return maximum of X events per query - Shows only the number of events defined it this field. SmartEvent ignores the value in the Show up to # toolbar field.

To clear filter values from a query:

In the tree, right-click the query.
Select Properties > Events Query Properties from the options menu.
In the In Use list, right-click the value in the Filter column.
Select Clear Filter. This step changes the filter to the value Any.

Creating Custom Queries

You can create a custom query from scratch in the Custom folder or based on an existing query.

To create a custom query based on the default query:

In SmartEvent, click Events.
In the Selector tree, right-click on the Custom folder and select New.
Enter a name for the custom query.

To create a custom query based on an existing query:

Right-click an existing query and select Save As.
Enter a name for the new query.
To save the query with the Time frame setting from the Events list:
1. Click More.
2. Select the Save time frame option.
Click Save.

Customizing Query Charts

To change the way your custom query will display as a chart:

Right-click the new query and select Properties > Chart Properties.
Add fields to the column on the right side of the window to make them available in the Split-By menu on the chart. Selecting a field from the Split-By menu displays the event data divided according to the selected event characteristic.
In Show top, select the number of top values to show from the chosen Split-By field.
Select to display the query by default as a Pie chart or on a Time axis.
If you want to display on a Time axis using a pre-defined Time Resolution, choose the Time Resolution you want.

Organizing Queries in Folders

You can create custom folders to organize your custom queries, as well as subfolders nested within folders.

To create a custom folder:

Right-click on Custom (or any other custom folder you have created previously) and select New Folder.
Name the folder.

When you create a new query, you can save it to this new folder by selecting it before selecting Save in the Save to Tree window.

Event Query Results

The Events tab is the heart of SmartEvent.

These are the components of the Events tab:

Query Tree
Event Statistics Pane
Event Log
Log entry detail pane
Event Preview Pane

The Events tab is an Event Log that shows events generated by a query. In addition, the Events tab contains the Query Tree, the Event Preview Pane and the Event Statistics Pane.

Double-click a query in the Query Tree to run that query. The results show in the Event Log. The top Events, Destinations, Sources and Users of the query results are displayed in the Event Statistics Pane, either as a chart or in a tallied list. The details of the selected event are displayed in the Event Preview Pane.

Event Log

The SmartEvent Event Log can display up to 100,000 events. The events displayed are the result of a query having been run on the Event Database. To run a different query, double-click on a query in the Selector tree. The Event Log will display the events that match the criteria of the query.

The Event Log is where detected events can be filtered, sorted, grouped, sent for review and exported to a file to allow you to understand your network security status. Event details, such as Start and End Time, Event Name and Severity, are displayed in a grid. In the Status bar at the bottom of the SmartEvent client window, Number of records in view displays a count of new events. Refresh retrieves the data from the database according the active query filter.

The details of an event provide important specifics about the event, including type of event, origin, service, and number of connections. You can access event details by double-clicking the event or by displaying the Event Preview Pane.

Queries are built with certain default settings that can be changed directly in the Events tab to provide more specific or more comprehensive results.

The time frame Last... selection lets you choose the period of time for which events should be displayed.
The Event number selection sets the number of events that should be displayed from the query (default is 5,000 events). Up to 30,000 events can be displayed and managed at one time.
The Group By selection is particularly useful here to quickly divide the data by specific criteria and immediately show the number of events per grouping.

Filtering Events

After you run a query, you can right-click a column and define the filter parameters to filter the event data. This temporarily includes the filter in the active query and runs the query again against the database to return the matching values.

A green filter icon at the top of a column indicates that a filter is applied to that field. To save the new set of filters as a custom query, select Save from the File menu. To discard the filters that was not saved, run the query again.

To use filters with query results:

To change the filter criteria, right-click on a column header and select Edit Filter.
To remove events that have any specific field value, right-click on the value and select Filter out.
To include only events that have a specific field value, right-click on the value and select Follow.
To remove the extra conditions you have applied, right-click the filter and select Clear Filter.

Sorting and Searching Events

Running a query can return thousands of matching events. To help you organize the events that have already been returned by the query, click a column header to sort these events

To look for events with specified values, enter values in the Search field. When you search for multiple values, with commas that separate the values, the events that contain the search values return. But the values can be in all event fields. The search can be made case-sensitive or can search data that does not show in columns.

Grouping Events

One of the most powerful ways to analyze event data is by grouping the data based on the specific columns using the Group By button on the toolbar. Here you can group the events by one or more columns and the Event Log shows the number of matching events in those groups, presented in descending order.

You can also specify the default grouping that a query should use by marking fields as Grouped in the Events Query Properties window.

The top line of each group in the Event Log shows a summary of the events that it contains. If you hover over a field in the top line, you can see details of what data that field contains in all of the events in the group.

To group events by one or more fields, perform one of the following:

Click on Group By in the toolbar and select the field to use for grouping events.
Click on Group By in the toolbar and select More Fields. Then in the Group By window select one or more field to use for grouping events.
Right-click on the column in the Event Log you want to use for grouping events and select Group By This Column.
Once you have already grouped by a column, you can add another column to use for grouping by right-clicking on the column in the Event Log you want to use for grouping events and select Add this Column to the Group.

To remove fields from the grouping, perform one of the following:

Click on Ungroup in the toolbar to remove all grouping.
Click on Group By in the toolbar and select More Fields. Then in the Group By window remove one or more field from grouping.
Right-click on the column in the Event Log you want to remove from the grouping and select Remove Column from Group.

Sending an Event

In some circumstances, event information can be used to show evidence of a security attack or vulnerability that needs to be resolved. For example, you may decide that another member of your security team should review an event as evidence of an attack. Also, reporting events to Check Point can help Check Point improve the IPS technology to detect new threats in an ever-changing security environment. From the Event Log, you can choose to send event details as an email using your default email client, or you can choose to send the event details to Check Point over a secure SSL connection.

To send an event using email:

Select the event in the Event Log.
Right-click on the event and select Send event by Email.
A new email opens using your default email client and the event information is included in the body of the email.

To report an event to Check Point:

Select the event in the Event Log.
Right-click on the event, select Report Event to Check Point and choose whether you want to include just the Event Details or to include the Packet Capture associated with the event.

Only the event information will be sent to Check Point over a secure SSL connection. The data is kept confidential and Check Point only uses the information to improve IPS.

Exporting Events to a File

The Events tab in the SmartEvent client can contain thousands of events. Export the events into a text file to review or manipulate the data with external applications. For example, a spreadsheet or text editor.

To export events to a comma-delimited (csv) file:

in the SmartEvent client, go to the Events tab.
From the File menu, select Export Events to csv File.
Save the file.

Examining Client Vulnerability

To maintain a high level of security, organizations must install the latest security patches on network computers. Many of the security patches are designed to prevent threats from exploiting known vulnerabilities. If you are consistent with implementing software patches, your network computers will not be vulnerable to some of the attacks that are identified by SmartEvent. SmartEvent ClientInfo helps you determine whether an attack related to Microsoft software is likely to affect the target machine. If the target machine is patched, you can stop the events from being generated by choosing to exclude the target machine from the event definition or from the specific IPS protection.

SmartEvent ClientInfo connects to the computer whose IP address is listed in the event. After you enter credentials with administrator privileges on the target computer, SmartEvent ClientInfo reads the list of Microsoft patches installed on the computer as well as other information about the installed hardware and software. SmartEvent ClientInfo also retrieves the Microsoft Knowledge Base article related to the vulnerability reported in the event and checks to see if the patches listed in the article are installed on the target computer. If SmartEvent ClientInfo finds that the matching patch is installed, it is likely that the attack will have no effect on the target computer and you can choose to create an exception so that IPS or SmartEvent stops recognizing the attack as a threat.

Once the computer information is loaded in SmartEvent ClientInfo, you can perform the following functions:

Icon	Action
	Save the information in the active tab to a .csv file
	Enter new credentials for accessing the computer information
	Copy the contents of the selected cell
	Run Google.com search using the contents of the selected cell
Search field	Filter the contents of the active tab for rows containing the search text
	Filter the contents of the active tab for rows containing the KB number
	Connect to the specified IP address to gather the computer information

To make sure that a computer is not vulnerable to an attack:

In the Events tab, right-click on the event you want to investigate and select SmartEvent ClientInfo.
Enter user credentials that allow administrator privileges on the target computer or select Use Windows Logon Account to login with your current credentials. You can also save your credentials to avoid having to enter them again.
SmartEvent ClientInfo retrieves the software and hardware information from the target computer, as well as the details of the Knowledge Base article associated with the vulnerability identified in the event.
Check the result. SmartEvent ClientInfo returns one of the following results:
- Installed fix / Computer is not vulnerable - In this instance, SmartEvent ClientInfo found that the patch recommended by Microsoft for protecting against the vulnerability is installed on the target computer.
  Based on this, you can decide to modify the associated IPS protection or event definitions to prevent these events from displaying in the future.
- Unfound fix / Derived fixes exist -In this instance, SmartEvent ClientInfo found that a patch is installed that is related to the Security Bulletin, but found that the main patch that is recommended by Microsoft for protecting against the vulnerability is not installed on the target computer. The installed fix may not cover all of the affected software.
  Click on the KB numbers specified to open the associated Knowledge Base articles. Review the recommended remediation steps, which may include installing a patch on the target computer.
- Missing Fix / Computer may be vulnerable - In this instance, SmartEvent ClientInfo found that the patch recommended by Microsoft for protecting against the vulnerability is not installed on the target computer.
  Click on the KB number specified to open the associated Knowledge Base article. Review the recommended remediation steps, which may include installing a patch on the target computer.

Note - If SmartEvent ClientInfo finds that the patch in the KB article is not installed on the remote computer, it may indicate one of the following:

The vulnerability does not affect or is not relevant to the target computer’s Operating System OR Service Pack version. If so, the computer is not vulnerable.
The article is relatively old and you may have installed Service Pack that includes the patch for the vulnerability. If so, you should check the installed Service Pack to see if it was released after KB article and may include the associated patch.

Event Statistics Pane

The Event Log is accompanied by charts displaying the Top Events, Top Sources, Top Destinations and Top Users for the active query. These statistics are automatically updated as filters are applied to the Event Log.

You can toggle between viewing the statistics as a chart or a list by clicking on the arrow in the top-right corner of each of the boxes and selecting Show Pie Chart.

You can filter in or out any value in the Event Statistics Pane to focus the query results on the data that is most important to you. Filtering in the Event Statistics Pane is also reflected in the Event Log, and clearing filters from the Event Statistics Pane clears all filters that have been applied to the query.

To remove events that have any specific field value, right-click on the value and select Filter out.
To include only events that have a specific field value, right-click on the value and select Follow.
To remove the extra conditions you have applied, click on the Clear Filter icon.

Event Details

See the details of an event from the Preview Pane in the Events tab or by double-clicking on the event in the Event Log. The Event Details window has two tabs with different data:

Summary tab - Shows a brief summary of the event in a user-friendly format.
Details tab - Shows the full, technical details of the event.

These options are available from the Event Details window:

Copy - Copies the event details to the Windows Clipboard.
Actions - Actions that you can do that are related to this log. They include:
- Event Raw Logs - Launches SmartView Tracker and displays the log entries upon which the event is based.
- Edit Ticket - Lets you set the state of the event, assign an owner, and add a comment.
- Add Comment - Lets you add a quick comment about the event without changing the state or owner.
- View History - Lets you view the ticket activity on the event, including changes to the state, owner, or comments.
Blade Specific Menu - For example, IPS or Application Control. This menu has different options depending on the Software Blade that is related to the event.
Previous displays the event that appears before the current event in the Event Log.
Next displays the event that appears after the current event in the Event Log.

Summary Tab

The Summary tab includes:

The source of the activity. If Identity Awareness is enabled, this can be the user name.
A brief description of the event.
The action taken on the event.
The time of the event.
Other important data related to the event.

Details Tab

The Details tab includes:

Details about the Software Blade and rule that caused the event.
Ticketing information for the event - Use this to track activity related to the event.
General Event Information - Includes the severity for the event and a unique ID.
Traffic Information - Where the event originated, its destination, and the size of the data in bytes.
Event Detection - How and when the event was detected and by which Security Gateway.
More - Additional information related to the connections involved in the event and the source.

Browse Time

The Browse Time feature keeps track of the total time that users are connected to different sites and applications. R76 and later Security Gateways calculate the cumulative connection time for each session and periodically updates this value until the session is closed.

Browse time is calculated as follows:

Total browse time is calculated for each site from the first HTTP request to the last HTTP response. Idle time of more than two minutes is not included in the browse time.
The minimum calculated time is two minutes. Any connection of less than two minutes is rounded up to two minutes. However, browse time for each user does not include time spent at more than one site simultaneously. For example, if a user connects to google.com and facebook.com at the same time, only one site is included in the browse time calculation.

Event Data Analysis

SmartEvent includes a many different tools to let you analyze events that occur in your environment. You can get access to these tools using one of the tabs in the SmartEvent GUI.

Overview Tab

The SmartEvent Overview tab shows critical security status information for your environment. Its main focus is presenting a quick view of the recent events data using the Timeline View, Recent Critical Events, and Top tables and chart. These interactive sections report on the events based on the Time Frame setting to allow you to display event data from a specific latest period of time.

Double-click on data in any of the sections in the Overview tab to open the associated list of events so that you can continue investigating issues all the way down to the individual event level.

By default, the Overview tab includes these sections:

Timeline View - Timelines let you see specified recent events in a linear format. The number of events is shown inside a circle at each defined time interval. The circle itself is color coded to show the severity of the different events. You can add, modify or remove timelines from this view just as you would in the Timeline Tab.
Events Query - This section shows events from a user-selected query. This is useful for examining important events that occurred during the specified Time Frame. To select a query to show in this pane:
1. Click the cogwheel button in the pane.
2. Select one of these options from the menu:
  - Set Query - Select a predefined query from Set Query window.
  - Show Newly Detected Applications table - Show applications seen for the first time during the specified Time Frame.
You can search, sort, filter and group events using the same methods as in the Events tab. Click the arrow to select a different query to show here.

How do I view the details of an event?
See the details of an event from the Preview Pane in the Events tab or by double-clicking on the event in the Event Log. The Event Details window has two tabs with different data:
- Summary tab - Shows a brief summary of the event in a user-friendly format.
- Details tab - Shows the full, technical details of the event.
These options are available from the Event Details window:
- Copy - Copies the event details to the Windows Clipboard.
- Actions - Actions that you can do that are related to this log. They include:
  - Event Raw Logs - Launches SmartView Tracker and displays the log entries upon which the event is based.
  - Edit Ticket - Lets you set the state of the event, assign an owner, and add a comment.
  - Add Comment - Lets you add a quick comment about the event without changing the state or owner.
  - View History - Lets you view the ticket activity on the event, including changes to the state, owner, or comments.
- Blade Specific Menu - For example, IPS or Application Control. This menu has different options depending on the Software Blade that is related to the event.
- Previous displays the event that appears before the current event in the Event Log.
- Next displays the event that appears after the current event in the Event Log.
How do I search in the query results?

The Search field at the top of the Event Log allows you to filter the query results based on criteria that you choose. The search function returns all events that contain the search term in any of the event fields. You can choose to treat the search term as case-sensitive or choose to only search in the visible columns by selecting those options in the Options menu.

To search for values in the events, enter your search terms in the Search field and press Enter or click Find. Multiple search terms can be entered by separating them by a comma (,), and partial terms can be found by entering the partial term following by an asterisk (*).

How do I filter the query results?
- To change the filter criteria, right-click on a column header and select Edit Filter.
- To remove events that have any specific field value, right-click on the value and select Filter out.
- To include only events that have a specific field value, right-click on the value and select Follow.
- To remove the extra conditions you have applied, right-click the filter and select Clear Filter.
How do I sort the query results?

The Event Log allows you to change the order in which events are displayed. By clicking on a column header, you can sort the events according to that column criteria. If you click on the same column header again, you reverse the order by which the events are listed (earliest/latest, or A-Z/Z-A).

How do I group events?
You can choose to group events together based on a particular field and display group together events that share certain specific values. Grouping also provides a quick method of counting the number of events with specific values. For example, grouping events by Event Name will display the events by name and the number of events that match each event name.

You can also group events by multiple fields. For example, grouping events by Event Name and Source Country will display the events that have matching Event Names and Source Country as well as a count of how many events are in each group. From this information you can quickly determine which country is the most common source of a particular event name.

To group events by one or more fields, perform one of the following:
- Click on Group By in the toolbar and select the field to use for grouping events.
- Click on Group By in the toolbar and select More Fields. Then in the Group By window select one or more field to use for grouping events.
- Right-click on the column in the Event Log you want to use for grouping events and select Group By This Column.
  Once you have already grouped by a column, you can add another column to use for grouping by right-clicking on the column in the Event Log you want to use for grouping events and select Add this Column to the Group.
To remove fields from the grouping, perform one of the following:
- Click on Ungroup in the toolbar to remove all grouping.
- Click on Group By in the toolbar and select More Fields. Then in the Group By window remove one or more field from grouping.
1. Right-click on the column in the Event Log you want to remove from the grouping and select Remove Column from Group.
How do I send an event to Check Point or to an email recipient?
In some circumstances, event information can be used to show evidence of a security attack or vulnerability that needs to be resolved. For example, you may decide that another member of your security team should review an event as evidence of an attack. Also, reporting events to Check Point can help Check Point improve the IPS technology to detect new threats in an ever-changing security environment. From the Event Log, you can choose to send event details as an email using your default email client, or you can choose to send the event details to Check Point over a secure SSL connection.

To send an event using email:
1. Select the event in the Event Log.
2. Right-click on the event and select Send event by Email.
  A new email opens using your default email client and the event information is included in the body of the email.
To report an event to Check Point:
1. Select the event in the Event Log.
2. Right-click on the event, select Report Event to Check Point and choose whether you want to include just the Event Details or to include the Packet Capture associated with the event.
  Only the event information will be sent to Check Point over a secure SSL connection. The data is kept confidential and Check Point only uses the information to improve IPS.
How do I export a list of events to a tab-delimited (csv) file?
The Events tab in the SmartEvent client can contain thousands of events. Export the events into a text file to review or manipulate the data with external applications. For example, a spreadsheet or text editor.
To export events to a comma-delimited (csv) file:
1. in the SmartEvent client, go to the Events tab.
2. From the File menu, select Export Events to csv File.
3. Save the file.
'Top' Panes - The Top Application and Top Events panes show the most frequent occurrences during the specified Time Frame according to user-selected categories. You can show events according to traffic volume or the quantity of events. To show the top events:
1. Click the cogwheel button in the pane.
2. Select one of these criteria:
  - Sources
  - Users
  - Destinations
  - Malwares
  - Malware involved hosts
  - Malicious activities
  - Application / Site
  - Application Categories
3. Select a metric:
  - Show Data by Event Count - Quantity of events during the specified Time Frame
  - Show Data by Traffic - Traffic volume in MBs
SmartEvent Status - The Status section contains system information including:
- Status - This indicator reports the current status of the Event Analysis system, including problems connectivity to Correlation Units and Log servers and when the allocated disk space is full. Click on the link for more information.
- Object Sync - This indicator reports on the synchronization of objects between the management servers (either Security Management Server or Domain Management Server) and the SmartEvent server. Click on the link for more information.
- Config - This indicator will appear if components are not configured, including Internal Network settings and Correlation Units. Click on the link for more information.
- Events received in the - These statistics show the number of events received by the SmartEvent server in the last minute, hour and 24-hour period. This information gives a quick glance at the traffic load on the SmartEvent server. Unusual data in these fields may indicate connectivity problems between the components of the Event Analysis system.

Timeline Tab

Timelines let you see specified recent events in a linear format. The number of events is shown inside a circle at each defined time interval. The circle itself is color coded to show the severity of the different events.

Note - Because timeline circles use colors to show event severity, timelines for queries without filters (such as a query by source IP address) are identical to those of the All Events query.

You can modify these timelines or add new timelines for predefined and custom queries. You can also rename timelines and move them up or down the in the window.

To add a new timeline:

Select Manage > Add Line.
In the Add Line window, do one of the following:
1. Use a Predefined Query: Select an existing query and click OK.
2. Modify a Predefined Query:
  1. Select an existing query and click Configure.
  2. In the Events Query properties window, configure the query to filter for the events that you want to track and click OK.
  3. Enter a name for the new custom query. You can choose to save the time frame for the query.
  4. Click Save.
3. Create a new Custom Query:
  1. Click New to create a custom query which you can use for the new timeline.
  2. In the Events Query properties window, configure the query to filter for the events that you want to track and click OK.
  3. In the Add Line window, enter a name for the custom query.
In the Add Line window, click OK.

You can now see the configured timelines and you can modify the Time Frame and Time Line Resolution to help you analyze the event data.

To modify an existing timeline:

Select a timeline and select Manage > Configure.
In the Events Query properties window, configure the query to filter for the events that you want to track.
Click OK.

The selected timeline now displays the event data based on the modified query.

Charts Tab

Charts display query results in a graphical format which you can configure to divide the events data based in any event characteristic. You can then drill down into any segment of the chart to display a list of those events in a new Events window.

Event queries can be shown with a Time Axis or as a Pie Chart. The query’s chart properties define which type of chart will be shown by default but you can change the chart type to display at any time by selecting from the options in the upper-left corner.

The Time Axis display shows the query results over time based on a configured Time Resolution. This method focuses attention on how the event data differs over time.

The Pie Chart is the best way to show Top N data such as By Source (top sources), By Destination (top destinations), and By Service (top services). This method focuses attention on the number of events with specific properties.

Event Data Options

The following are settings that can be set from the Toolbar to change the event data that is displayed in the chart:

Time frame - Select a specific time frame for which events are displayed. For example, you can choose to show only events during the last 24 hours, the last 30 days, or a custom time frame.
Time Resolution - This field determines how events are grouped in charts and timelines. For example, when the time frame is set to one hour, all events that match the query filter properties and occurred within the period of one hour will be displayed together. The colors of the time wheel indicate the breakdown of events by category within the selected period of time.
Split By - This field determines which dimension will be used to analyze the events. In the query Chart Properties, you can choose which dimensions to make available for displaying in the charts.
Show Top - This field determines how many of dimensions results will be displayed in the chart. In the query Chart Properties, you can set the default number.

You can also set a particular chart to be displayed by default in the Charts tab by right-clicking on the query and selecting Run on Start.

Manage Options

The following are options that can be changed from the Toolbar to present the chart data in a more informative and appealing manner:

Fixed Scale - By default, the scale of the number of events will change based on the results displayed in the chart. By selecting Fixed Scale, you can choose for the scale of the number of events to remain constant as you scroll through the chart.
Data Grid - You can choose to show a data grid next to the chart. The data grid provides a table which shows a summary of all of the data points in the query. When you move the cursor over any part of the chart or grid, the associated data will be highlighted in the other area.
Copy to Clipboard - Select the option to access the options for copying the event statistics to your computer Clipboard for external use. You can copy the image itself, or you can the copy raw event counts represented by the image that is currently displayed and then paste that data into another application.
- As a Bitmap - To copy the image that is currently displayed.
- As Text (data only) - To copy the raw event counts represented by the image that is currently displayed.
Print - Select to print the image that is currently displayed.
3D/2D Display - Select to choose if to display the chart as flat (2D) or with depth (3D).
Gallery - Select to show the pie chart as a bar, doughnut, or pie chart.

The following are elements of the chart display that can be changed by right-clicking on the chart to customize the presentation of the chart:

Data Grid - You can choose to show a data grid next to the chart. The data grid provides a table which shows a summary of all of the data points in the query. When you move the cursor over any part of the chart or grid, the associated data will be highlighted in the other area.
Legend Box - You can choose to show or hide the Legend Box. The Legend Box is a key which indicates what the colors of the chart represent. Change the location and font of the Legend Box by right-clicking on it.
Background Color - You can select a background color for the chart.

You can modify the display options for the data grid, legend box, axis labels or axis scales. Right-clicking any of the elements allows you to change the font, text color, display location and other graphical options.

To view a chart:

Run a query by double-clicking the query in the Query Tree.
You can also open your chart in a new window by right-clicking the query and selecting Run in New Window. This allows you to keep multiple charts open at the same time.
Decide whether you want the chart to be based on time (Time Axis) or based on other event properties (Pie Chart).
- When using Time Axis, choose a Chart Time Resolution to group the events by a specific time range.
The chart will display all events. You can choose to show only a number of the top query results by selecting a number from the Show Top menu.

Maps Tab

Source and Destination information are frequently critical when determining the potential threat of traffic. Some companies need to block traffic from certain countries based on security, political, or legal reasons whereas other companies may see identifying traffic by country of origin or destination simply as a way to limit the traffic passing through the network.

In the Maps tab, SmartEvent presents source and destination countries for the active query on an interactive world map. Countries are color-coded to indicate levels of event activity. You can define the number of countries to include in the top tier of countries (Top N) and in the second tier of countries (Next Top N) to change how countries are grouped in the map.

By double-clicking on a country, you can drill-down to see a detailed list of events for that country. By default the map shows the results of the All Events query; however, you can populate the map with information from any of the available queries by double-clicking on a query in the Query Tree. You can also choose to view continents individually in order to see countries more clearly.

Statistics information about the active query is displayed below the interactive map. The five countries with the highest number of events matching the query filter are shown with the number of events for each, as well as the total number of countries matching the query.

Interact with the map using the following actions:

To see the number of events that correspond to a country, move the mouse over that country.
To view query results for a country in an Events window, double-click on the country.
To change between viewing the entire world map and viewing maps for individual continents, choose from the Map menu.
Activity Level - In the bottom right corner of the map is the Activity Level key. Countries are colored according to four tiers:
- Top - By default, the Top 3 countries are colored Red. Choose the number of countries to include in the top tier by changing this setting.
- Next Top - By default, the Next Top 5 countries are colored Yellow. Choose the number of countries to include in the second tier by changing this setting.
- Others - All countries with events, but are not included in the Top or Next Top tiers, are colored Blue.
- No Activity - All countries without events are colored White.
Moving the mouse over a tier in the Activity Level key will highlight the Countries in that tier.

In addition, in the bottom left corner of the map is a summary of event statistics which includes the number of events for the top 5 countries and the total number of countries with events.

Reports Tab

Use the Reports tab to see, manage and generate reports that show a summary of events identified by SmartEvent. You can generate report for these supported blades:

Application Control and URL Filtering events
Data Loss Prevention events
IPS events
Anti-Bot and Anti-Virus events
All - Tabular list of all events, including events not related to these supported blades
Each supported blade has its own filter criteria and format that for presenting the information.

Policy Tab

Most configuration steps occur in the Policy tab. System components, such as SmartEvent Correlation Unit, are defined here, as well as lists of blocked IP addresses and other general settings.

But the main attraction of the Policy tab is the configuration of each type of event. Each type of event that SmartEvent can detect is listed here, and sorted into a number of main categories. Each event can be customized by altering the default thresholds and setting Automated Responses. Events can also be disabled by removing the check mark. The settings made here are what determine the SmartEvent Event Policy.

The Policy tab is composed of three sections:

Selector Tree - The navigation pane on the left.
Detail pane - Contains the settings of each item in the Selector Tree.
Description pane - Shows a description of the selected item.

Once the SmartEvent client begins displaying events, the following tasks should be performed:

Modifications to the Event Policy do not take effect until saved on the SmartEvent server and installed to the SmartEvent Correlation Unit.

To enable changes made to the Event Policy:

Click File > Save.
Click Actions > Install Event Policy.

You can undo changes to the Event Policy, if they were not saved.

To undo changes: click File > Revert Changes.