Monitoring Threat Prevention with SmartEvent
Event Analysis in SmartEvent or SmartEvent Intro
SmartEvent and SmartEvent Intro supply advanced analysis tools, with filtering, charts, reporting, statistics, and more, for all events that travel through enabled Security Gateways.
You can filter the information from the Threat Prevention Software Blades for fast monitoring and useful reporting on the connection incidents related to those blades.
- Real-time and historical graphs and reports of Anti-Bot, Threat Emulation and Anti-Virus incidents
- Graphical incident timelines for fast data retrieval
- Easily configured custom views to quickly view specified queries
- Incident management workflow
- Reports to data owners on a scheduled basis
SmartEvent shows information for all Software Blades in the environment. SmartEvent Intro shows information for one SmartEvent Intro mode. If you select Threat Prevention as the SmartEvent Intro Mode, it shows the Threat Prevention information.
To use SmartEvent or SmartEvent Intro, you must enable it on the Security Management Server or on a dedicated machine. See either:
Viewing Information in SmartEvent
To open SmartEvent do one of these:
- Click > > .
- From the tab > Navigation Tree > link.
- From the tab > > > link.
- From the SmartDashboard toolbar of any SmartConsole application, select Window > SmartEvent or press Control+Shift+A.
When SmartEvent opens, go to Events > Predefined > Threat Prevention to use the predefined queries for the Software Blades.
- - Shows Threat Prevention events that are severity
- - Shows all Threat Prevention events grouped by source, includes all prevented and detected events
- - Shows all Threat Prevention events grouped by malware activity
- - Shows the Anti-Bot events that are severity
- - Shows the Anti-Virus events that are severity
- - Shows the Threat Emulation events that are severity
- > - Shows all Threat Prevention events grouped by protection name
- > - Shows all Threat Prevention events grouped by protection type
- > - Shows all Threat Prevention blocked incidents
- > - Shows all Threat Emulation events
Updating the Anti-Bot and Anti-Virus Rule Base
In some cases, after evaluating an event, it may be necessary to update a rule or rule exception in the SmartDashboard Rule Base. You can do this directly from within SmartEvent.
To update a rule in the Anti-Bot and Anti-Virus Rule Base:
- Right-click the event or from within event details select the or menu.
- Select .
SmartDashboard opens showing the related rule in the Anti-Bot and Anti-Virus Rule Base.
- Make related changes.
- Click to install the Anti-Bot, Threat Emulation, and Anti-Virus policy.
The Anti-Bot, Threat Emulation and Anti-Virus Software Blades have a dedicated policy. You can install this policy separately from the policy installation of the other Software Blades.
You can update the Anti-Bot, Threat Emulation and Anti-Virus Rule Base to give immediate coverage for new malware threats. Install only the Threat Prevention policy to minimize the impact on the Security Gateways.
To install the Anti-Bot and Anti-Virus policy:
- From the tab > pane, click .
- Select the relevant options:
- Installs the policy on all Security Gateways that have Anti-Bot, Threat Emulation, and Anti-Virus enabled.
- - Select the applicable Security Gateways.
- - Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway does not affect policy installation on other gateways.
If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them.
- - Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version.
- Click .
To update a rule exception in the Anti-Bot and Anti-Virus Rule Base:
- Right-click the event or from within the event details, select the or menu.
- Select .
SmartDashboard opens and shows an window in the Threat Prevention Rule Base. These details are shown:
- - The name of the protection. Details are taken from the ThreatCloud repository or, if there is no connectivity, from the log.
- - The scope is taken from the log. If there is no related host object, an object is created automatically after you click . Click the plus sign to add additional objects.
- - Shows by default. You can use the plus sign to add gateways.
- Select an option:
- - If you want the to apply only to the related rule.
- - If you want the to apply to all rules. The exception is added to the > pane.
- Click .
The exception is added to the Rule Base. The is set to by default. Change if necessary.
- Click to install the Anti-Bot, Threat Emulation, and Anti-Virus policy.
The Anti-Bot, Threat Emulation and Anti-Virus Software Blades have a dedicated policy. You can install this policy separately from the policy installation of the other Software Blades.
You can update the Anti-Bot, Threat Emulation and Anti-Virus Rule Base to give immediate coverage for new malware threats. Install only the Threat Prevention policy to minimize the impact on the Security Gateways.
To install the Anti-Bot and Anti-Virus policy:
- From the tab > pane, click .
- Select the relevant options:
- Installs the policy on all Security Gateways that have Anti-Bot, Threat Emulation, and Anti-Virus enabled.
- - Select the applicable Security Gateways.
- - Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway does not affect policy installation on other gateways.
If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them.
- - Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version.
- Click .
Accessing the Threat Wiki
You can open the Threat Wiki from within SmartEvent to get more information about a specified protection.
To open the Threat Wiki do one of these:
- Right-click an event and select Go to Threat Wiki.
- Click the malware protection link in the event log.
- Select Go to Threat Wiki from the Anti-Virus or Anti-Bot tab in the event log.
Anti-Bot and Anti-Virus Reports
Daily, weekly, and monthly reports of the events recorded by SmartEvent are configured and stored on the tab. These reports show a high-level summary of the event patterns occurring on your network.
Upon creation, reports can be automatically emailed to predefined addresses, eliminating the need to open SmartEvent to learn of the system's status. You can also choose to save them as PDFs or view them in a browser.
Viewing Information in SmartEvent Intro
To open SmartEvent Intro:
- From the SmartDashboard menu bar, select > or press Control+Shift+E.
- From , select .
All of the information in SmartEvent Intro is based on Anti-Bot, Threat Emulation and Anti-Virus events. See the different tabs for detailed information.
The SmartEvent Intro Overview Page
The Overview page shows a quick, easily understood overview of the Anti-Bot and Anti-Virus traffic in your environment. Double-click on data in any of the sections in the Overview tab to open the associated list of events and investigate issues down to the individual event level.
The Overview page includes these panes:
- Timeline View
- Anti-Bot & Anti-Virus
- Top Source/Destination Countries of Anti-Bot & Anti-Virus
- Top Malwares by Event Count
- Top Malicious Activities by Event Count
- Status
Anti-Bot and Anti-Virus Event Queries
See detailed event queries in the tab.
- - Shows Threat Prevention events that are severity
- - Shows all Threat Prevention events grouped by source, includes all prevented and detected events
- - Shows all Threat Prevention events grouped by malware activity
- - Shows the Anti-Bot events that are severity
- - Shows the Anti-Virus events that are severity
- - Shows the Threat Emulation events that are severity
- > - Shows all Threat Prevention events grouped by protection name
- > - Shows all Threat Prevention events grouped by protection type
- > - Shows all Threat Prevention blocked incidents
- > - Shows all Threat Emulation events
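As an added example (not from the R77 guide or the product), the predefined Threat Prevention query set listed here and in the SmartEvent section above is re-created over a constructed set of Anti-Bot, Anti-Virus and Threat Emulation log records, so the filter or grouping each query performs is explicit. The log field names (product, severity, src, action, protection_name, protection_type, malware_action) are assumed for illustration, and an action of "Prevent" is assumed to mark a blocked incident.

```python
"""Replays the SmartEvent predefined Threat Prevention queries over a constructed
sample of Anti-Bot, Anti-Virus and Threat Emulation log records (added example;
field names are assumed for illustration, not taken from the product)."""
from collections import defaultdict

# Constructed sample records, not real Security Gateway logs.
SAMPLE_LOGS = [
    {"product": "Anti-Bot", "severity": "Critical", "src": "10.1.1.5", "action": "Prevent",
     "protection_name": "Zeus.C2", "protection_type": "Reputation", "malware_action": "C&C communication"},
    {"product": "Anti-Bot", "severity": "High", "src": "10.1.1.5", "action": "Detect",
     "protection_name": "Conficker", "protection_type": "Signature", "malware_action": "C&C communication"},
    {"product": "Anti-Virus", "severity": "Critical", "src": "10.1.2.9", "action": "Prevent",
     "protection_name": "Trojan.Generic", "protection_type": "Signature", "malware_action": "Malicious file download"},
    {"product": "Anti-Virus", "severity": "Medium", "src": "10.1.2.9", "action": "Detect",
     "protection_name": "Adware.Foo", "protection_type": "Reputation", "malware_action": "Malicious site access"},
    {"product": "Threat Emulation", "severity": "Critical", "src": "10.1.3.2", "action": "Prevent",
     "protection_name": "Exploited pdf document", "protection_type": "Emulation", "malware_action": "Malicious file download"},
    {"product": "Threat Emulation", "severity": "High", "src": "10.1.1.5", "action": "Detect",
     "protection_name": "Exploited docx document", "protection_type": "Emulation", "malware_action": "Malicious file download"},
]

def by_severity(logs, severity="Critical", product=None):
    """The 'events that are <severity>' queries: one severity, optionally one blade only."""
    return [r for r in logs
            if r["severity"] == severity and (product is None or r["product"] == product)]

def grouped(logs, field):
    """The 'grouped by ...' queries: bucket records by source, malware activity, protection name or type."""
    groups = defaultdict(list)
    for r in logs:
        groups[r[field]].append(r)
    return dict(groups)

def blocked_incidents(logs):
    """The 'blocked incidents' query; assumes action 'Prevent' marks a block (Detect is not a block)."""
    return [r for r in logs if r["action"] == "Prevent"]

def predefined_queries(logs):
    """Event counts for each predefined Threat Prevention query over the given records."""
    return {
        "critical_threat_prevention": len(by_severity(logs)),
        "critical_anti_bot": len(by_severity(logs, product="Anti-Bot")),
        "critical_anti_virus": len(by_severity(logs, product="Anti-Virus")),
        "critical_threat_emulation": len(by_severity(logs, product="Threat Emulation")),
        "by_malware_activity": {k: len(v) for k, v in grouped(logs, "malware_action").items()},
        "by_protection_type": {k: len(v) for k, v in grouped(logs, "protection_type").items()},
        "blocked_incidents": len(blocked_incidents(logs)),
        "threat_emulation_events": sum(r["product"] == "Threat Emulation" for r in logs),
    }
```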
See the R77 SmartEvent Intro Administration Guide.