
Monitoring Threat Prevention with SmartEvent

In This Section:

Event Analysis in SmartEvent or SmartEvent Intro

Viewing Information in SmartEvent

Anti-Bot and Anti-Virus Reports

Viewing Information in SmartEvent Intro

Event Analysis in SmartEvent or SmartEvent Intro

SmartEvent and SmartEvent Intro supply advanced analysis tools with filtering, charts, reporting, statistics, and more, of all events that travel through enabled Security Gateways.

You can filter the Threat Prevention Software Blade information for fast monitoring and useful reporting on connection incidents related to those blades.

  • Real-time and historical graphs and reports of Anti-Bot, Threat Emulation and Anti-Virus incidents
  • Graphical incident timelines for fast data retrieval
  • Easily configured custom views to quickly view specified queries
  • Incident management workflow
  • Reports to data owners on a scheduled basis

SmartEvent shows information for all Software Blades in the environment. SmartEvent Intro shows information for one SmartEvent Intro mode. If you select Threat Prevention as the SmartEvent Intro Mode, it shows the Threat Prevention information.

To use SmartEvent or SmartEvent Intro, you must enable it on the Security Management Server or on a dedicated machine. See either:

Viewing Information in SmartEvent

To open SmartEvent do one of these:

  • Click Start > Check Point > SmartEvent.
  • From the Threat Prevention tab > Navigation Tree > Analyze & Report link.
  • From the Threat Prevention tab > Overview > Statistics > Graphs link.
  • From the SmartDashboard toolbar of any SmartConsole application, select Window > SmartEvent or press Control+Shift+A.

When SmartEvent opens, go to Events > Predefined > Threat Prevention to use the predefined queries for the Software Blades.

  • Most Important - Shows Threat Prevention events that are Critical and High severity
  • All Events - Shows all Threat Prevention events grouped by source, includes all prevented and detected events
  • By Activity - Shows all Threat Prevention events grouped by malware activity
  • Important Anti-Bot - Shows the Anti-Bot events that are Critical and High severity
  • Important Anti-Virus - Shows the Anti-Virus events that are Critical and High severity
  • Important Threat Emulation - Shows the Threat Emulation events that are Critical and High severity
  • More > By Protection Name - Shows all Threat Prevention events grouped by protection name
  • More > By Protection Type - Shows all Threat Prevention events grouped by protection type
  • More > Blocked Incidents - Shows all Threat Prevention blocked incidents
  • More > All Threat Emulation - Shows all Threat Emulation events
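To make the predefined queries concrete, here is an added example (not Check Point's code) that implements each query above as a filter or grouping over a handful of constructed Threat Prevention events. The "key=value; key=value" log layout and the field names (blade, severity, action, src, malware_action, protection_name, protection_type) are assumptions chosen for this illustration, not the product's log schema.

```python
from collections import defaultdict

# Constructed sample log lines (illustration only, assumed layout).
SAMPLE_LOG = """\
blade=Anti-Bot; severity=Critical; action=Prevent; src=10.0.0.5; malware_action=Communication with C&C; protection_name=Example.Bot.A; protection_type=Bot
blade=Anti-Virus; severity=High; action=Detect; src=10.0.0.7; malware_action=Malicious file download; protection_name=Example.Virus.B; protection_type=Virus
blade=Anti-Virus; severity=Low; action=Detect; src=10.0.0.5; malware_action=Malicious file download; protection_name=Example.Virus.C; protection_type=Virus
blade=Threat Emulation; severity=High; action=Prevent; src=10.0.0.9; malware_action=Exploited document; protection_name=Example.Exploit.D; protection_type=Exploit
blade=Anti-Bot; severity=Medium; action=Detect; src=10.0.0.7; malware_action=Communication with C&C; protection_name=Example.Bot.A; protection_type=Bot
blade=Threat Emulation; severity=Critical; action=Prevent; src=10.0.0.5; malware_action=Exploited document; protection_name=Example.Exploit.E; protection_type=Exploit
"""

# "Important" in the predefined queries means Critical or High severity.
SEVERE = {"Critical", "High"}


def parse_log(text):
    """Parse the assumed 'key=value; key=value' lines into one dict per event."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = {}
        for pair in line.split(";"):
            key, _, value = pair.strip().partition("=")
            fields[key] = value
        events.append(fields)
    return events


def group_by(events, key):
    """Group events by one field, preserving event order inside each group."""
    groups = defaultdict(list)
    for event in events:
        groups[event[key]].append(event)
    return dict(groups)


def most_important(events):
    """Most Important: Critical and High severity Threat Prevention events."""
    return [e for e in events if e["severity"] in SEVERE]


def all_events_by_source(events):
    """All Events: every prevented and detected event, grouped by source."""
    return group_by(events, "src")


def by_activity(events):
    """By Activity: all events grouped by malware activity."""
    return group_by(events, "malware_action")


def important_for_blade(events, blade):
    """Important Anti-Bot / Anti-Virus / Threat Emulation: severe events of one blade."""
    return [e for e in most_important(events) if e["blade"] == blade]


def by_protection_name(events):
    """More > By Protection Name."""
    return group_by(events, "protection_name")


def by_protection_type(events):
    """More > By Protection Type."""
    return group_by(events, "protection_type")


def blocked_incidents(events):
    """More > Blocked Incidents: only events whose action was Prevent."""
    return [e for e in events if e["action"] == "Prevent"]


def all_threat_emulation(events):
    """More > All Threat Emulation: every Threat Emulation event, any severity."""
    return [e for e in events if e["blade"] == "Threat Emulation"]


def query_counts(events):
    """Event count per predefined query, the numbers a triage view would show."""
    return {
        "Most Important": len(most_important(events)),
        "Important Anti-Bot": len(important_for_blade(events, "Anti-Bot")),
        "Important Anti-Virus": len(important_for_blade(events, "Anti-Virus")),
        "Important Threat Emulation": len(important_for_blade(events, "Threat Emulation")),
        "Blocked Incidents": len(blocked_incidents(events)),
        "All Threat Emulation": len(all_threat_emulation(events)),
    }


if __name__ == "__main__":
    sample = parse_log(SAMPLE_LOG)
    for name, count in query_counts(sample).items():
        print(f"{name}: {count}")
    for src, group in all_events_by_source(sample).items():
        print(f"source {src}: {len(group)} event(s)")
```

Grouping by source is the view to start from when the same host appears under several blades, as 10.0.0.5 does in the sample: a low-severity Anti-Virus detection and a critical Threat Emulation prevention from one source tell a different story than either event alone.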

Updating the Anti-Bot and Anti-Virus Rule Base

In some cases, after evaluating an event, it may be necessary to update a rule or rule exception in the SmartDashboard Rule Base. You can do this directly from within SmartEvent.

To update a rule in the Anti-Bot and Anti-Virus Rule Base:

  1. Right-click the event, or from within the event details select the Anti-Virus or Anti-Bot menu.
  2. Select Go to Rule.

    SmartDashboard opens showing the related rule in the Anti-Bot and Anti-Virus Rule Base.

  3. Make related changes.
  4. Click Install Policy to install the Anti-Bot, Threat Emulation, and Anti-Virus policy.

To update a rule exception in the Anti-Bot and Anti-Virus Rule Base:

  1. Right-click the event or from within the event details, select the Anti-Virus or Anti-Bot menu.
  2. Select Add Exception to the Rule.

    SmartDashboard opens and shows an Add Exception window in the Threat Prevention Rule Base. These details are shown:

    • Protection - The name of the protection. Details are taken from the ThreatCloud repository or, if there is no connectivity, from the log.
    • Scope - The scope is taken from the log. If there is no related host object, an object is created automatically after you click OK. Click the plus sign to add additional objects.
    • Install On - Shows All by default. You can use the plus sign to add gateways.
  3. Select an Exception Scope option:
    • Apply Exception to rule number X - If you want the exception to apply only to the related rule.
    • Apply Exception to all rules - If you want the exception to apply to all rules. The exception is added to the Exception Groups > Global Exceptions pane.
  4. Click OK.

    The exception is added to the Rule Base. The Action is set to Detect by default. Change if necessary.

  5. Click Install Policy to install the Anti-Bot, Threat Emulation, and Anti-Virus policy.

Accessing the Threat Wiki

You can open the Threat Wiki from within SmartEvent to get more information about a specified protection.

To open the Threat Wiki do one of these:

  • Right-click an event and select Go to Threat Wiki.
  • Click the malware protection link in the event log.
  • Select Go to Threat Wiki from the Anti-Virus or Anti-Bot tab in the event log.

Anti-Bot and Anti-Virus Reports

Daily, weekly, and monthly reports of the events recorded by SmartEvent are configured and stored on the Reports tab. These reports show a high-level summary of the event patterns occurring on your network.

Upon creation, reports can be automatically emailed to predefined addresses, eliminating the need to open SmartEvent to learn of the system's status. You can also choose to save them as PDFs or view them in a browser.

Viewing Information in SmartEvent Intro

To open SmartEvent Intro:

  1. From the SmartDashboard menu bar, select SmartConsole > SmartEvent Intro or press Control+Shift+E.
  2. From SmartEvent Intro Mode, select Threat Prevention.

All of the information in SmartEvent Intro is based on Anti-Bot, Threat Emulation and Anti-Virus events. See the different tabs for detailed information.

The SmartEvent Intro Overview Page

The Overview page shows a quick, easy-to-understand overview of the Anti-Bot and Anti-Virus traffic in your environment. Double-click data in any section of the Overview tab to open the associated list of events and investigate issues down to the individual event level.

The Overview page includes these panes:

  • Timeline View
  • Anti-Bot & Anti-Virus
  • Top Source/Destination Countries of Anti-Bot & Anti-Virus
  • Top Malwares by Event Count
  • Top Malicious Activities by Event Count
  • Status

Anti-Bot and Anti-Virus Event Queries

See detailed event queries in the Events tab.

  • Most Important - Shows Threat Prevention events that are Critical and High severity
  • All Events - Shows all Threat Prevention events grouped by source, includes all prevented and detected events
  • By Activity - Shows all Threat Prevention events grouped by malware activity
  • Important Anti-Bot - Shows the Anti-Bot events that are Critical and High severity
  • Important Anti-Virus - Shows the Anti-Virus events that are Critical and High severity
  • Important Threat Emulation - Shows the Threat Emulation events that are Critical and High severity
  • More > By Protection Name - Shows all Threat Prevention events grouped by protection name
  • More > By Protection Type - Shows all Threat Prevention events grouped by protection type
  • More > Blocked Incidents - Shows all Threat Prevention blocked incidents
  • More > All Threat Emulation - Shows all Threat Emulation events

See the R77 SmartEvent Intro Administration Guide.

 
Top of Page ©2015 Check Point Software Technologies Ltd. All rights reserved. Download PDF Send Feedback Print