Configuring Event Definitions

In This Section:

Use the Policy tab to configure and customize the events that define the SmartEvent Event Policy.

Modifying Event Definitions

SmartEvent is constantly taking data from your Log Servers, and searching for patterns within all the network chatter that enters your system.

Depending on the levels set within each Event Definition, the number of events detected can be quite high. Yet only a portion of those events may be meaningful. By modifying the thresholds and other criteria that make up an event, you can reduce the number of false alarms.

These modifications are done in the Event Definitions. A high-level view of the process of modifying Event Definitions is as follows:

Select a type of event from one of the Event Policy categories.
Adjust the Event Definitions as desired. The elements that can be modified vary per Event Definition. Some event types will include all; others will have just one or two of these configurable elements.
When you have finished making changes to the Event Definitions, save the Event Policy by selecting File > Save.
From the Actions menu, select Install Event Policy.

Event Definitions and General Settings

The Selector tree is divided into two branches: Event Policy and General Settings. The events detectable by SmartEvent are organized by category in the Event Policy branch. Select an event definition to show its configurable properties in the Detail pane, and a description of the event in the Description pane. Clear the property to remove this event type from the Event Policy the next time the Event Policy is installed.

The General Settings branch contains Initial Settings. For example: To define SmartEvent Correlation Unit, which is typically used for the initial configuration. Click a General Settings item to show its configurable properties in the Detail pane.

For details on specified attacks or events, refer to the Event Definition Detail pane.

Event Definition Parameters

When an event definition is selected, its configurable elements appear in the Detail pane, and a description of the event is displayed in the Description pane. There are generally six types of configurable elements:

Thresholds, such as Detect the event when more than x connections were detected over y seconds
Severity, such as Critical, Medium, Informational, etc.
Automatic Reactions, such as Block Source or run External Script
Exclusions, such as Exclude the following sources and destinations
Exceptions, such as Apply the following exceptions
Time Object, such as to issue an event if the following occurs outside the following Working Hours

Not all of these elements appear for every Event Definition. After installing and running SmartEvent for a short time, you will discover which of these elements need to be fine-tuned per Event Definition. For more about fine-tuning Event Definitions, see Configurable Elements of Event Definitions.

The configurable settings are straight-forward for the General Settings items. Adding a Time Object opens a window to set the appropriate hours and days of the week. For configuration information regarding most objects in General Settings, see System Administration.

Event Threshold

The Event Threshold allows you to modify the limits that, when exceeded, indicates that an event has occurred. The limits typically are the number of connections, logs, or failures, and the period of time in which they occurred. It appears thus:

Detect the event when more than x connections/logs/failures (etc.) were detected over a period of y seconds.

To decreasing the number of false alarms based on a particular event, increase the number of connections, logs or failures and/or the period of time for them to occur.

Severity

An event severity affects in which queries (among those that filter for severity) this type of event will appear.

To modify the severity of an event, select a severity level from the drop-down list.

Automatic Reactions

When detected, an event can activate an Automatic Reaction. The SmartEvent administrator can create and configure one Automatic Reaction, or many, according to the needs of the system.

For example: A Mail Reaction can be defined to tell the administrator of events to which it is applied. Multiple Automatic Mail Reactions can be created to tell a different responsible party for each type of event.

To create an automatic reaction:

Create an automatic reaction object in the Event definition, or from General Settings > Objects > Automatic Reactions.
Assign the Automatic Reaction to an event (or to an exception to the event).
To save the Event Policy, click File > Save
To install the Event Policy on the SmartEvent Correlation Unit, click Actions > Install Event Policy.

These are the types of Automatic Reactions:

Mail - tell an administrator by email that the event occurred. See Create a Mail Reaction.
Block Source - instruct the Security Gateway to block the source IP address from which this event was detected for a configurable period of time . Select a period of time from one minute to more than three weeks. See Create a Block Source Reaction
Block Event activity - instruct the Security Gateway to block a distributed attack that emanates from multiple sources, or attacks multiple destinations for a configurable period of time. Select a period of time from one minute to more than three weeks). See Create a Block Event Activity Reaction.
External Script - run a script that you provide. See Creating an External Script Automatic Reaction to write a script that can exploit SmartEvent data.
SNMP Trap - generate an SNMP Trap. See Create an SNMP Trap Reaction.
You can send event fields in the SNMP Trap message. The format for such an event field is [seam_event_table_field]. This list represents the possible seam_event table fields:

AdditionalInfo varchar(1024)

AutoReactionStatus varchar(1024)

Category varchar(1024)

DetectedBy integer

DetectionTime integer

Direction integer

DueDate integer

EndTime integer

EventNumber integer

FollowUp integer

IsLast integer

LastUpdateTime integer

MaxNumOfConnections integer

Name varchar(1024) ,NumOfAcceptedConnections integer

NumOfRejectedConnections integer

NumOfUpdates integer

ProductCategory varchar(1024)

ProductName varchar(1024)

Remarks varchar(1024)

RuleID varchar(48)

Severity integer

StartTime integer

State integer

TimeInterval integer

TotalNumOfConnections varchar(20)

User varchar(1024)

Uuid varchar(48)

aba_customer varchar(1024)

jobID varchar(48)

policyRuleID varchar(48)

These sections tell how to add an Automatic Reaction to an event:

Creating Automatic Reactions

You can create Automatic reaction from:

The Policy tab: Select General Settings> Object > Automatic Reactions
In an Event Definition: Select the icon […] and click Add New.

The first step for each of the next procedures assumes that you are at one of the starting points above.

Creating a Mail Reaction

Select Add > Mail.
Give the automatic reaction a significant name.
Fill out the Mail Parameters of From, To and cc.
To add multiple recipients, separate each email address with a semi-colon.
Note - the Subject field has the default variables of [EventNumber] - [Severity] - [Name]. These variables automatically adds to the mail subject the event number, severity and name of the event that triggered this reaction. These variables can be removed at your discretion.
Optional: Include your own standard text for each mail reaction.
Enter the domain name of the SMTP server.
Select Save.

Creating an SNMP Trap Reaction

Select Add > SNMP Trap.
Give the automatic reaction a significant name.
Fill out the SNMP Trap parameters of Host, Message, OID and Community name.
The command send_snmp uses values that are found in the file chkpnnt.mib, in the directory $CPDIR/lib/snmp/. An OID value used in the SNMP Trap parameters window must be defined in chkpnnt.mib, or in a file that refers it. If the OID field is left blank, the value is determined from iso.org.dod.internet.private.enterprises.checkpoint.products.fw.fwEvent = 1.3.6.1.4.1.2620.1.1.11.

When the automatic reaction occurs, the SNMP Trap is sent as a 256 byte DisplayString text. But, if the OID type is not text, the message is not sent.
Select Save.

Creating a Block Source Reaction

Select Add > Block Source.
Give the automatic reaction a significant name.
From the drop-down list, select the number of minutes to block this source.
Select Save.

Creating a Block Event Activity Reaction

Select Add > Block Event Activity.
Give the automatic reaction a significant name.
From the drop-down list, select the number of minutes to block this source.
Select Save.

Creating an External Script Automatic Reaction

To add an External Script:

Create the script. See the Guidelines for creating the script below.
Put the script on the SmartEvent Server:
1. In $RTDIR/bin, create the folder ext_commands. Run:
  mkdir $RTDIR/bin/ext_commands
2. Put the script in $RTDIR/bin/ext_commands/ or in a folder under that location. The path and script name must not contain any spaces.
3. Give the script executable permissions. Run:
  chmod +x <script_filename>
In the SmartEvent GUI client Policy tab, in Automatic Reactions, Select Add > External Script.
In the Add Automatic Reaction window:
1. Give the automatic reaction object a significant Name.
2. In Command line, enter the name of the script to run. Specify the name of the script that is in $RTDIR/bin/ext_commands/ directory. Use the relative path if needed. Do not specify the full path of $RTDIR/bin/ext_commands/.
3. Select Save.

Guidelines for creating the script

Run the script manually and make sure it works as expected
Make sure the script runs for no longer than 10 minutes, otherwise it will be terminated by the SmartEvent Server.
Use the event fields in the script:
To refer to the event in the script, define this environment variable:

EVENT=$(cat)

and use $EVENT

Use line editor commands like awk or sed to parse the event and refer to specific fields. You can print the $EVENT one time to see its format.

--------------------------------------------------------------------------------------------------

The format of the event content is a name-value set – a structured set of fields that have the form:

(name: value ;* );

where name is a string and value is either free text until a semicolon, or a nested name-value set.

The following is a sample event:

(Name: Check Point administrator credential guessing; RuleID:
{F182D6BC-A0AA-444a-9F31-C0C22ACA2114}; Uuid:
<42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0;
StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime:
16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600;
MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy: 2886735150;
Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States;
hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source:
(hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United
States) ; Severity: Critical; EventNumber: EN00000184; State: 0;
NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;

--------------------------------------------------------------------------------------------------

If you need to refer to more fields, you can add them to the event:
1. In the SmartEvent GUI client, in the Policy tab, right click the event, and select Properties > Event Format tab
2. In the Display column, select the Event fields to have in the Event.
3. Install the Event Policy on the SmartEvent Correlation Unit.

Assigning an Automatic Reaction to an Event

You can add an Automatic Reaction for SmartEvent to run when this type of event is detected.

Select the icon [...].
Select an Automatic Reaction that you created from the list, or select Add new…. For details on how to create each type of Automatic Reaction, see section below.
Configure the Automatic Reaction.
Select Save.
Click OK.

Working Hours

Working Hours are used to detect unauthorized attempts to access protected systems and other forbidden operations after-hours. To set the Regular Working Hours for an event, select a Time Object that you have configured from the drop-down list.

To create a Time Object:

From the Policy tab, select General Settings > Objects > Time Objects.
Click Add.
Enter a Name and Description.
Select the days and times that are considered Regular Working Hours.
Click OK.

To assign a Time Object to an event:

From the Policy tab, select an event that requires a Time Object (for example, User Login at irregular hours in the Unauthorized Entry event category).
Select the Time Object you created from the drop-down list.
Select File > Save.

Adding Exclusions

Exclusions remove log entries from query results according to defined criteria (query properties). For example, if source 10.10.10.1 is defined as an exclusion for an event, all events with source 10.10.10.1 do not show in the query result. Global Exclusions work in the same way, except they apply to all events.

You can add exclusions in one of these ways:

Manually using this window
By right-clicking an event and selecting Exclude from event definition.

To manually add an exclusion:

Click Add.
In the Exclusion window, select the Source and/or destination Server object you want to exclude from the query results.
Configure any other filter criteria that are available for the specified event.
Optionally, click Apply and delete existing events to remove the excluded events from the existing query results.
If you do not see the host object listed, you may need to create it in SmartEvent.

You can change or delete existing exclusions by selecting Edit or Remove, respectively.

Exceptions

Exceptions allow an event to be independently configured for the sources or destinations that appear. For example, if the event Port Scan from Internal Network is set to detect an event when 30 port scans have occurred within 60 seconds, you can also define that two port scans detected from host A in 10 seconds of each other is also an event.

To manually add an exception, under the heading Apply the following exceptions, click Add and select the Source and/or Destination of the object to apply different criteria for this event.

Note - If you do not see the host object listed, you may need to create it in SmartEvent.

To modify or delete existing exceptions, select Edit or Remove, respectively.

Creating Event Definitions (User Defined Events)

To create a user-defined event you must have knowledge of the method by which SmartEvent identifies events. This section starts with a high level overview of how logs are analyzed to conclude if an event occurs or occurred.

High Level Overview of Event Identification

Events are detected by the SmartEvent Correlation Unit. The SmartEvent Correlation Unit scans logs for criteria that match an Event Definition.

SmartEvent uses these procedures to identify these events:

Matching a Log Against Global Exclusions

When the SmartEvent Correlation Unit reads a log, it first checks if the log matches all defined Global Exclusions. Global Exclusions (defined on the Policy tab > Event Policy > Global Exclusions) direct SmartEvent to ignore logs that are not expected to contribute to an event.

If the log matches a Global Exclusion, it is discarded by the system. If not, the SmartEvent Correlation Unit starts to match it against each Event Definition.

Matching a Log Against Each Event Definition

Each Event Definition contains a filter which is comprised of a number of criteria that must be found in all matching logs. The criteria are divided by product: The Event Definition can include a number of different products, but each product has its own criterion.

To match the Event Definition "A", a log from Endpoint Security must match the Action, Event Type, Port, and Protocol values listed in the Endpoint Security column. A log from a Security Gateway must match the values listed in its column.

SmartEvent divides this procedure into two steps. The SmartEvent Correlation Unit first checks if the Product value in the log matches one of the permitted Product values of an Event Definition.

If Log 1 did not contain a permitted Product value, the SmartEvent Correlation Unit compares the log against Event Definition "B", and so on. If the log fails to match against an Event Definition, it is discarded.

The SmartEvent Correlation Unit checks if the log contains the Product-specific criteria to match the Event Definition. For example: The product Endpoint Security generates logs that involve the Firewall, Spyware, Malicious Code Protection, and others. The log contains this information in the field Event Type. If an event is defined to match on Endpoint Security logs with the event type Firewall, an Endpoint Security log with Event Type "Spyware" fails against the Event Definition filter. Other criteria can be specified to the Product.

In our example, Log 1 matched Event Definition "A" with a permitted product value. The SmartEvent Correlation Unit examines if the log contains the necessary criteria for an Endpoint Security log to match.

If the criteria do not match, the SmartEvent Correlation Unit continues to compare the log criteria to other event definitions.

Creating an Event Candidate

When a log matches the criteria, it is added to an Event Candidate. Event candidates let SmartEvent track logs until an event threshold is crossed, at which point an event is generated.

Notes -

The Event Candidate can track logs from multiple products
The logs must be from the same source
The Event Candidate tracks logs before all of the criteria were matched

Each Event Definition can have multiple event candidates, each of which keeps track of logs grouped by equivalent properties. In the figure above the logs that create the event candidate have a common source value. They were dropped, blocked or rejected by a Firewall. They are grouped together because the Event Definition is designed to detect this type of activity, that originates from one source.

When a log matches the event definition, but has properties different than those of the existing event candidates, a new event candidate is created. This event candidate is added to what can be thought of as the Event Candidate Pool.

Note - SmartEvent creates a new event candidate for a log with a different source.

To illustrate more, an event defined detects a high rate of blocked connections. SmartEvent tracks the number of blocked connections for each Firewall, and the logs of the blocked traffic at each Firewall forms an event candidate. When the threshold of blocked connection logs from a Firewall is surpassed, that Firewall event candidate becomes an event. While this Event Definition creates one event candidate for each Firewall monitored, other Event Definitions can create many more.

The Event Candidate Pool is a dynamic environment, with new logs added and older logs discarded when they have exceeded an Event Definition time threshold.

When a Candidate Becomes an Event

When a candidate becomes an event, the SmartEvent Correlation Unit forwards the event to the Event Database. But to discover an event does not mean that SmartEvent stops to track logs related to it. The SmartEvent Correlation Unit adds matching logs to the event as long as they continue to arrive during the event threshold. To keep the event open condenses what can appear as many instances of the same event to one, and provides accurate, up-to-date information as to the start and end time of the event.

Creating a User-Defined Event

To create New Event Definitions, right-click an existing Event Definition, or use the Actions menu:

Right Click	Actions Menu	Description
New	New Custom Event	Launches the Event Definition Wizard, which allows you to select how to base the event: on an existing Event Definition, or from scratch.
Save As	Save Event As	Creates an Event Definition based on the properties of the highlighted Event Definition. When you select Save As, the system prompts you to save the selected Event Definition with a new name for later editing. Save As can also be accessed from the Properties window.

All User Defined Events are saved at Policy tab > Event Policy > User Defined Events. When an Event Definition exists it can be modified through the Properties window, available by right-click and from the Actions menu.

Creating a New Event Definition

To create a User Defined Event based on an existing event:

From the Actions menu, select New Custom Event.
The Event Definition Wizard opens.
For Create an event
1. Select that is based on an existing event.
2. Select an event that has equivalent properties to the event you want to create.
3. Click Next.
Name the Event Definition.
Enter a Description.
Select a Severity level.
Click Next.
Set which of these options generates the event:
- A single log — Frequently depicts an event, such as a log from a virus scanner that reports that a virus has been found.
- Multiple logs — Required if the event can only be identified as a result of a combination of multiple logs, such as a High Connection Rate.
Click Next.
Examine the products that can cause this event.
Select Next.
Optional: Edit the product filters:
- If you added a product you can edit the filters for each product (Edit all product filters), or those of new products you added (Edit only newly selected product filters).
- If you did not add other products, edit the filters of existing products (Yes) or skip this step (No, Leave the original files).
Click Next.
Edit or add product filters for each log necessary in the Event Definition filter:
1. Select the Log field from the available Log Field list.
2. Click Add to edit the filter.
3. Make sure that the filter matches on All Conditions or Any Conditions.
4. Double-click the Log field and select the values to use in the filter.
Click Next.
When you defined the filters for each product, select values for these options to define how to process logs:
- Detect the event when at least __ logs occurred over a period of __ seconds contains the event thresholds that define the event. You can modify the event thresholds by altering the number of logs and/or the period of time that define the event.
- Each event definition may have multiple Event Candidates existing simultaneously allows you to set whether SmartEvent creates distinct Event Candidates based on a field (or set of fields) that you select below.
  Select the field(s) by which distinct Event Candidates will be created allows you to set the field (or set of fields) that are used to differentiate between Event Candidates.
- Use unique values of the __ field when counting logs directs SmartEvent to count unique values of the specified field when determining whether the Event Threshold has been surpassed. When this property is not selected, SmartEvent counts the total number of logs received.
Click Finish.

To edit a user-defined event:

From the Policy tab > Event Policy > User Defined Events, right-click a User-Defined Event and select Properties.
In the tabs provided, make the necessary changes:
- Name - Name the Event Definition, enter a Description and select a Severity level. The text you enter in the Description field shows in the Event Description area (below the event configurable properties).
- Filter - To edit a product filter:
  1. Select the product.
  2. Select the Log field from the available Log Fields list.
  3. If the necessary field does not show select Show more fields... to add a field to the Log Fields list.
  4. Click Add to edit the filter.
  5. Select if the filter matches on All Conditions or Any Conditions.
- Count logs
  This screen defines how SmartEvent counts logs related to this event.
  - A Single log — Frequently depicts an event, such as a log from a virus scanner that reports that a virus is found.
  - With this option you can set the fields that are used to group events into Event Candidates. Logs with matching values for these fields are added to the same event. For example: Multiple logs that report a virus detected on the same source with the same virus name are combined into the same event.
  - Multiple logs — Required for events that identify an activity level, such as a High Connection Rate.
  - When the event is triggered by multiple logs, set the behavior of Event Candidates:
  - Detect the event when at least... — Set the Event Threshold that, when exceeded, indicates that an event has occurred.
  - Select the field(s) by which distinct event candidates will be created — An event is generated by logs with the same values in the fields specified here. To define how logs are grouped into Event Candidates, select the related fields here.
  - Use unique values of the ...— Only logs with unique values for the fields specified here are counted in the event candidate. For example: A port scan event counts logs that include unique ports scanned. Also, the logs do not increment the log count for logs that contain ports already encountered in the event candidate.
  - Advanced — Define the keep=alive time for the event, and how often the SmartEvent Correlation Unit updates the SmartEvent server with new logs for the created event.
- Event Format
  When an event is generated, information about the event is presented in the Event Detail pane.
  
  This screen lets you specify if the information will be added to the detailed pane and from which Log Field the information is taken.
  
  You can clear it in the Display column. The Event Field will not be populated.
- GUI representation
  All events can be configured. This screen lets you select the configuration parameters that show.
  - The Threshold section shows the number of logs that must matched to create the event. This is usually not shown for one log events and shown for multiple log events.
  - The Exclude section lets you specify the log fields that show when you add an event exclusion.
  - The Exception section lets you specify the log fields that show when you add an event exception.
Click OK to save your changes.

Eliminating False Positives

The purpose of this chapter is to provide additional assistance in reducing false positives.

Services that Generate Events

Some types of services are characterized by a high quantity of traffic that can be misidentified as events. These are examples of services and protocols that can potentially generate events:

Software that does a routine scan of the network to make sure that everything runs correctly. Configuration of SmartEvent to exclude this source from a scan event eliminates a source of false positive events.
High connection rate on a web server. Set SmartEvent to allow a higher connection rate for each minute on a busy web server, or to exclude this source from a scan event.

Common Events by Service

The information in this table provides a list of server types where high activity is frequently used. To change the Event Policy, adjust event thresholds and add Exclusions for servers and services . You can decrease more the quantity of false positives detected.

Common events by service

Server Type	Category	Event Name	Source	Dest	Service	Reason
SNMP	Scans	IP sweep from internal network	Any	Any	SNMP-read	Hosts that query other hosts
DNS Servers	Scans	IP sweep from internal network	DNS servers	-	DNS	Inter-DNS servers updates
	Denial of Service (DoS)	High connection rate on internal host on service	Any	DNS servers	DNS	DNS requests and inter-DNS servers updates
	Anomalies	High connection rate from internal network	Any	Any	DNS	DNS requests and inter-DNS servers updates
	Anomalies	High connection rate from internal network on service	Any	Any	DNS	DNS requests and inter-DNS servers updates
	Anomalies	Abnormal activity on service	Any	Any	DNS	DNS requests and inter-DNS servers updates
NIS Servers	Scans	Port scan from internal network	NIS servers	Any	-	Multiple NIS queries
	Denial of Service (DoS)	High connection rate on internal host on service	Any	NIS servers	NIS	NIS queries
	Anomalies	High connection rate from internal network	Any	Any	NIS	NIS queries
	Anomalies	High connection rate from internal network on service	Any	Any	NIS	NIS queries
	Anomalies	Abnormal activity on service	Any	Any	NIS	NIS queries
LDAP Servers	Denial of Service (DoS)	High connection rate on internal host on service	Any	LDAP servers	LDAP	LDAP requests
	Anomalies	High connection rate from internal network	Any	LDAP servers	LDAP	LDAP requests
	Anomalies	High connection rate from internal network on service	Any	LDAP servers	LDAP	LDAP requests
	Anomalies	Abnormal activity on service	Any	LDAP servers	LDAP	LDAP requests
HTTP Proxy Servers - Hosts To Proxy Server	Denial of Service (DoS)	High connection rate on internal host on service	Any	Proxy servers	HTTP:8080	Hosts connections to Proxy servers
	Anomalies	High connection rate from internal network	Any	Proxy servers	HTTP:8080	Hosts connections to Proxy servers
	Anomalies	High connection rate from internal hosts on service	Any	Proxy servers	HTTP:8080	Hosts connections to Proxy servers
	Anomalies	Abnormal activity on service	Any	Proxy servers	HTTP:8080	Hosts connections to Proxy servers
HTTP Proxy Servers - Out to the Web	Scans	IP sweep from internal network	Proxy servers	Any	HTTP/ HTTPS	Proxy servers connections out to various sites
	Denial of Service (DoS)	High connection rate on internal host on service	Proxy servers	Any	HTTP/ HTTPS	Proxy servers connections out to various sites
	Anomalies	High connection rate from internal network	Proxy servers	Any	HTTP/ HTTPS	Proxy servers connections out to various sites
		High connection rate from internal hosts on service	Proxy servers	Any	HTTP/ HTTPS	Proxy servers connections out to various sites
	Anomalies	Abnormal activity on service	Proxy servers	Any	HTTP/ HTTPS	Proxy servers connections out to various sites
UFP Servers	Denial of Service (DoS)	High connection rate on internal host on service	Any	UFP servers	Any/UFP by vendor	Firewall connections to UFP servers
	Anomalies	High connection rate from internal network	Any	UFP servers	Any/UFP by vendor	Firewall connections to UFP servers
	Anomalies	High connection rate from internal hosts on service	Any	UFP servers	Any/UFP by vendor	Firewall connections to UFP servers
	Anomalies	Abnormal activity on service	Any	UFP servers	Any/UFP by vendor	Firewall connections to UFP servers
CVP Servers Request	Denial of Service (DoS)	High connection rate on internal host on service	Any	CVP servers	Any/CVP by vendor	Firewall connections to CVP servers
	Anomalies	High connection rate from internal network	Any	CVP servers	Any/CVP by vendor	Firewall connections to CVP servers
	Anomalies	High connection rate from internal hosts on service	Any	CVP servers	Any/CVP by vendor	Firewall connections to CVP servers
	Anomalies	Abnormal activity on service	Any	CVP servers	Any/CVP by vendor	Firewall connections to CVP servers
CVP Servers Replies	Scans	Port scans from internal network	CVP servers	Any	-	Multiple CVP replies to same GW
	Scans	IP sweep from internal network	CVP servers	-	CVP	CVP replies to multiple GWs
	Denial of Service (DoS)	High connection rate on internal host on service	CVP servers	Any	Any/CVP by vendor	CVP replies
	Anomalies	High connection rate from internal network	CVP servers	Any	Any/CVP by vendor	CVP replies
	Anomalies	High connection rate from internal hosts on service	CVP servers	Any	Any/CVP by vendor	CVP replies
	Anomalies	Abnormal activity on service	CVP servers	Any	Any/CVP by vendor	CVP replies
UA Server Request	Denial of Service (DoS)	High connection rate on internal host on service	Any	UA servers	uas-port (TCP:19191 TCP:19194)	Connections to UA servers
	Anomalies	High connection rate from internal network	Any	UA servers	(TCP:19191 TCP:19194)	Connections to UA servers
	Anomalies	High connection rate from internal hosts on service	Any	UA servers	uas-port (TCP:19191 TCP:19194)	Connections to UA servers
	Anomalies	Abnormal activity on service	Any	UA servers	uas-port (TCP:19191 TCP:19194)	Connections to UA servers
UA Servers Replies	Scans	Port scans from internal network	UA servers	Any	-	Multiple UA replies to the same computer
	Scans	IP sweep from internal network	UA servers	Any	uas-port (TCP:19191 TCP:19194)	Multiple UA replies to multiple computers
	Denial of Service (DoS)	High connection rate on internal host on service	UA servers	Any	uas-port (TCP:19191 TCP:19194)	UA replies
	Anomalies	High connection rate from internal network	UA servers	Any	uas-port (TCP:19191 TCP:19194)	UA replies
	Anomalies	High connection rate from internal hosts on service	UA servers	Any	uas-port (TCP:19191 TCP:19194)	UA replies
	Anomalies	Abnormal activity on service	UA servers	Any	uas-port (TCP:19191TCP:19194)	UA replies
SMTP Servers	Scans	IP sweep from internal network	SMTP servers	-	SMTP	SMTP servers connections out to various SMTP servers
	Denial of Service (DoS)	High connection rate on internal host on service	SMTP servers	Any	SMTP	SMTP servers connections out to various SMTP servers
	Anomalies	High connection rate from internal network	SMTP servers	Any	SMTP	SMTP servers connections out to various SMTP servers
	Anomalies	High connection rate from internal hosts on service	SMTP servers	Any	SMTP	SMTP servers connections out to various SMTP servers
	Anomalies	Abnormal activity on service	SMTP servers	Any	SMTP	SMTP servers connections out to various SMTP servers
Anti-Virus Definition Servers	Scans	IP sweep from internal network	AV_Defs servers	-	Any/AV by vendor	Anti-Virus definitions updates deployment
	Denial of Service (DoS)	High connection rate on internal host on service	AV_Defs servers	-	Any/AV by vendor	Anti-Virus definitions updates deployment
	Anomalies	High connection rate from internal network	AV_Defs servers	-	Any/AV by vendor	Anti-Virus definitions updates deployment
	Anomalies	High connection rate from internal hosts on service	AV_Defs servers	-	Any/AV by vendor	Anti-Virus definitions updates deployment
	Anomalies	Abnormal activity on service	AV_Defs servers	-	Any/AV by vendor	Anti-Virus definitions updates deployment