Event Analysis

In This Section:

Event Analysis with SmartEvent

The SmartEvent Software Blade is a unified security event management and analysis solution that delivers real-time, graphical threat management information. SmartConsole, SmartView Web Application, and the SmartEvent GUI client consolidate billions of logs and show them as prioritized security events so you can immediately respond to security incidents, and do the necessary actions to prevent more attacks. You can customize the views to monitor the events that are most important to you. You can move from a high level view to detailed forensic analysis in a few clicks. With the free-text search and suggestions, you can quickly run data analysis and identify critical security events.

What is an Event?

An event is a record of a security incident. It is based on one or more logs, and on rules that are defined in the Event Policy.

An example of an event that is based on one log: A High Severity Anti-Bot event. One Anti-Bot log with a Severity of High causes the event to be recorded.

An example of an event that is based on more than one log: A Certificate Sharing event. Two login logs with the same certificate and a different user cause the event to be recorded.

How Are Logs Converted to Events?

SmartEvent automatically defines logs that are not Firewall, VPN, or HTTPS Inspection logs, as events.

Events that are based on a suspicious pattern of two or more logs, are created by the SmartEvent Correlation Unit. These correlated events are defined in the SmartEvent client GUI, in the Policy tab.

Most logs are Firewall, VPN and HTTPS inspection logs. Therefore, SmartEvent does not define them as events by default to avoid a performance impact on the SmartEvent Server. For logs from R77.xx Gateways and lower: To create events for Firewall, in the SmartEvent Policy tab, enable Consolidated Sessions > Firewall Session.

Sample Application & URL Filtering Event Analysis

To show an Internet browsing event:

In the Logs & Monitor view of SmartConsole or the SmartView Web Application, open the General Overview.
In the Query search bar, select the time period. For example: Past 24 Hours
The events of this time period show.
In Timeline View, click a circle below High Risk Attacks.

This is an example log of a High Risk event.

uTorrent is classified as a High risk application. It is a freeware closed source BitTorrent client.

The SmartEvent Architecture

SmartEvent has some components that work together to help track down security threats and make your network more secure.

This is how they work together. The numbers refer to the diagram:

SmartEvent Correlation Unit (3) analyzes log entries on Log Servers (2).
SmartEvent Server (4) contains the Events Database (5).
The SmartEvent and SmartConsole clients (6) manage the SmartEvent Server.

SmartEvent Traffic Architecture

Item	Description	Purpose
		Log data flow
		Event data flow
1	Check Point Security Gateway	Sends logs to the Log Server.
2	Log Server	Stores logs.
3	SmartEvent Correlation Unit	Identifies events: Analyzes each log entry from a Log Server, and looks for patterns according to the installed Event Policy. The logs contain data from Check Point products and certain third-party devices. When a threat pattern is identified, the SmartEvent Correlation Unit forwards the event to the SmartEvent Server.
4	SmartEvent Server	Receives the items that are identified as events by the SmartEvent Correlation Unit. The SmartEvent Server does further analysis to determine the severity level of the event and what action to do. The event is stored in the system database.
5	Events database	Stores events. Located on the SmartEvent Server.
6	SmartEvent client	Shows the received events. Uses the clients to manage events (for example: to filter and close events), fine-tunes, and installs the Event Policy. The clients are: SmartConsole SmartView Web Application SmartEvent GUI

The SmartEvent components can be installed on one computer (that is, a standalone deployment) or multiple computers and sites (a distributed deployment). To handle higher volumes of logging activity, we recommend a distributed deployment. You can install more than one SmartEvent Correlation Unit. Each SmartEvent Correlation Unit can analyze logs from more than one Log Server or Domain Log Server.

SmartEvent Correlation Unit

The SmartEvent Correlation Unit analyzes the log entries and identifies events from them. During analysis, the SmartEvent Correlation Unit does one of these actions:

Marks log entries that are not stand-alone events, but can be part of a larger pattern to be identified later.
Takes a log entry that meets one of the criteria set in the Events Policy, and generates an event.
Takes a new log entry that is part of a group of items. Together, all these items make up a security event. The SmartEvent Correlation Unit adds it to an ongoing event.
Discards log entries that do not meet event criteria.

The SmartView Web Application

The SmartView Web Application is one of the SmartEvent clients that you can use to analyze events that occur in your environment. Use the SmartView Web Application to see an overview of the security information for your environment. It has the same real-time event monitoring and analysis views as SmartConsole. The convenience is that you do not have to install a client.

To log in to SmartEvent using SmartView Web Application:

Browse to
https://<Security Management Server IP Address>/smartview/
or
https://<Security Management Server host name>/smartview/

Note - The URL is case sensitive.

Configuring SmartEvent Policy and Settings

In This Section:

Opening the SmartEvent GUI Client

Policy Tab

Modifying Event Definitions

Event Definitions and General Settings

Event Definition Parameters

Creating Event Definitions (User Defined Events)

High Level Overview of Event Identification

Creating a User-Defined Event

Eliminating False Positives

System Administration

Opening the SmartEvent GUI Client

Use the Policy tab of the SmartEvent GUI client to configure and customize the events that define the SmartEvent Event Policy.

To open the SmartEvent GUI client:

Open SmartConsole > Logs & Monitor.
Click (+) for a new Catalog tab.
Click SmartEvent Settings & Policy.

Policy Tab

Define the Event Policy in the Event Policy tab. Most configuration steps occur in the Policy tab. You define system components, such as SmartEvent Correlation Unit, lists of blocked IP addresses and other general settings.

The types of events that SmartEvent can detect are listed here, and sorted into a number of categories. To change each event, change the default thresholds and set Automated Responses. You can also disable events.

The Policy tab has these sections:

Selector Tree - The navigation pane.
Detail pane - The settings of each item in the Selector Tree.
Description pane - A description of the selected item.

After the SmartEvent client starts to show events, do these procedures:

Fine-tune the Event Policy
Change the existing Event Definition to see the events that interest you
Create new Event Definitions to see the events that are not included in the existing definitions

Save Event Policy

Modifications to the Event Policy do not take effect until saved on the SmartEvent server and installed to the SmartEvent Correlation Unit.

To enable changes made to the Event Policy:

Click File > Save.
Click Actions > Install Event Policy.

Revert Changes

You can undo changes to the Event Policy, if they were not saved.

To undo changes: click File > Revert Changes.

Modifying Event Definitions

SmartEvent constantly takes data from your Log Servers, and searches for patterns in all the network chatter that enters your system.

Depending on the levels set in each Event Definition, the number of events detected can be high. But only a portion of those events can be meaningful. You can change the thresholds and other criteria of an event, to reduce the number of false alarms.

To change Event Definitions:

Select a type of event from one of the Event Policy categories.
Adjust the Event Definitions. The elements that can be modified vary per event definition. Some event types include all; others have just one or two of these configurable elements.
To save the Event Policy, click File > Save.
From the Actions menu, click Install Event Policy.

Event Definitions and General Settings

The Selector tree is divided into two branches: Event Policy and General Settings. The events detectable by SmartEvent are organized by category in the Event Policy branch. Select an event definition to show its configurable properties in the Detail pane, and a description of the event in the Description pane. Clear the property to remove this event type from the Event Policy the next time the Event Policy is installed.

The General Settings branch contains Initial Settings. For example: To define SmartEvent Correlation Unit, which is typically used for the initial configuration. Click a General Settings item to show its configurable properties in the Detail pane.

For details on specified attacks or events, refer to the Event Definition Detail pane.

Event Definition Parameters

When an event definition is selected, its configurable elements appear in the Detail pane, and a description of the event is displayed in the Description pane. These are the usual types of configurable elements:

Thresholds, such as Detect the event when more than x connections were detected over y seconds
Severity, such as Critical, Medium, Informational, etc.
Automatic Reactions, such as Block Source or run External Script
Exceptions, such as Apply the following exceptions
Time Object, such as to issue an event if the following occurs outside the following Working Hours

Not all of these elements appear for every Event Definition. After you install and run SmartEvent for a short time, you will discover which of these elements need to be fine-tuned per Event Definition.

For configuration information regarding most objects in General Settings, see System Administration.

Event Threshold

The Event Threshold allows you to modify the limits that, when exceeded, indicate that an event occurred. Limits include the number of connections, logs, or failures, and the period of time in which they occurred:

Detect the event when more than x connections/logs/failures (etc.) were detected over a period of y seconds.

To decrease the number of false alarms based on a particular event, increase the number of connections, logs or failures and/or the period of time for them to occur.

Severity

An event severity affects in which queries (among those that filter for severity) this type of event appears.

To modify the severity of an event, select a severity level from the drop-down list.

Automatic Reactions

When detected, an event can activate an Automatic Reaction. The SmartEvent administrator can create and configure one Automatic Reaction, or many, according to the needs of the system.

For example: A Mail Reaction can be defined to tell the administrator of events to which it is applied. Multiple Automatic Mail Reactions can be created to tell a different responsible party for each type of event.

To create an automatic reaction:

Create an automatic reaction object in the Event definition, or from General Settings > Objects > Automatic Reactions.
Assign the Automatic Reaction to an event (or to an exception to the event).
To save the Event Policy, click File > Save
To install the Event Policy on the SmartEvent Correlation Unit, click Actions > Install Event Policy.

These are the types of Automatic Reactions:

Mail - tell an administrator by email that the event occurred. See Create a Mail Reaction.
Block Source - instruct the Security Gateway to block the source IP address from which this event was detected for a configurable period of time . Select a period of time from one minute to more than three weeks. See Create a Block Source Reaction
Block Event activity - instruct the Security Gateway to block a distributed attack that emanates from multiple sources, or attacks multiple destinations for a configurable period of time. Select a period of time from one minute to more than three weeks). See Create a Block Event Activity Reaction.
External Script - run a script that you provide. See Creating an External Script Automatic Reaction to write a script that can exploit SmartEvent data.
SNMP Trap - generate an SNMP Trap. See Create an SNMP Trap Reaction.
You can send event fields in the SNMP Trap message. The format for such an event field is [seam_event_table_field]. This list represents the possible seam_event table fields:

AdditionalInfo varchar(1024)

AutoReactionStatus varchar(1024)

Category varchar(1024)

DetectedBy integer

DetectionTime integer

Direction integer

DueDate integer

EndTime integer

EventNumber integer

FollowUp integer

IsLast integer

LastUpdateTime integer

MaxNumOfConnections integer

Name varchar(1024), NumOfAcceptedConnections integer

NumOfRejectedConnections integer

NumOfUpdates integer

ProductCategory varchar(1024)

ProductName varchar(1024)

Remarks varchar(1024)

RuleID varchar(48)

Severity integer

StartTime integer

State integer

TimeInterval integer

TotalNumOfConnections varchar(20)

User varchar(1024)

Uuid varchar(48)

aba_customer varchar(1024)

jobID varchar(48)

policyRuleID varchar(48)

These sections tell how to add an Automatic Reaction to an event:

Creating Automatic Reactions

You can create Automatic reaction from:

The Policy tab: Select General Settings> Object > Automatic Reactions
In an Event Definition: Select the icon […] and click Add New.

The first step for each of the next procedures assumes that you are at one of the starting points above.

Creating a Mail Reaction

Select Add > Mail.
Give the automatic reaction a significant name.
Fill out the Mail Parameters of From, To and cc.
To add multiple recipients, separate each email address with a semi-colon.
Note - the Subject field has the default variables of [EventNumber] - [Severity] - [Name]. These variables automatically adds to the mail subject the event number, severity and name of the event that triggered this reaction. These variables can be removed at your discretion.
Optional: Include your own standard text for each mail reaction.
Enter the domain name of the SMTP server.
Select Save.

Creating an SNMP Trap Reaction

Select Add > SNMP Trap.
Give the automatic reaction a significant name.
Fill out the SNMP Trap parameters of Host, Message, OID and Community name.
The command send_snmp uses values that are found in the file chkpnnt.mib, in the directory $CPDIR/lib/snmp/. An OID value used in the SNMP Trap parameters window must be defined in chkpnnt.mib, or in a file that refers it. If the OID field is left blank, the value is determined from iso.org.dod.internet.private.enterprises.checkpoint.products.fw.fwEvent = 1.3.6.1.4.1.2620.1.1.11.

When the automatic reaction occurs, the SNMP Trap is sent as a 256 byte DisplayString text. But, if the OID type is not text, the message is not sent.
Select Save.

Creating a Block Source Reaction

Select Add > Block Source.
Give the automatic reaction a significant name.
From the drop-down list, select the number of minutes to block this source.
Select Save.

Creating a Block Event Activity Reaction

Select Add > Block Event Activity.
Give the automatic reaction a significant name.
From the drop-down list, select the number of minutes to block this source.
Select Save.

Creating an External Script Automatic Reaction

To add an External Script:

Create the script. See the Guidelines for creating the script below.
Put the script on the SmartEvent Server:
1. In $RTDIR/bin, create the folder ext_commands. Run:
  mkdir $RTDIR/bin/ext_commands
2. Put the script in $RTDIR/bin/ext_commands/ or in a folder under that location. The path and script name must not contain any spaces.
3. Give the script executable permissions. Run:
  chmod +x <script_filename>
In the SmartEvent GUI client Policy tab, in Automatic Reactions, Select Add > External Script.
In the Add Automatic Reaction window:
1. Give the automatic reaction object a significant Name.
2. In Command line, enter the name of the script to run. Specify the name of the script that is in $RTDIR/bin/ext_commands/ directory. Use the relative path if needed. Do not specify the full path of $RTDIR/bin/ext_commands/.
3. Select Save.

Guidelines for creating the script

Run the script manually and make sure it works as expected
Make sure the script runs for no longer than 10 minutes, otherwise it will be terminated by the SmartEvent Server.
Use the event fields in the script:
To refer to the event in the script, define this environment variable:

EVENT=$(cat)

and use $EVENT

Use line editor commands like awk or sed to parse the event and refer to specific fields. You can print the $EVENT one time to see its format.

--------------------------------------------------------------------------------------------------

The format of the event content is a name-value set – a structured set of fields that have the form:

(name: value ;* );

where name is a string and value is either free text until a semicolon, or a nested name-value set.

The following is a sample event:

(Name: Check Point administrator credential guessing; RuleID:
{F182D6BC-A0AA-444a-9F31-C0C22ACA2114}; Uuid:
<42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0;
StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime:
16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600;
MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy: 2886735150;
Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States;
hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source:
(hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United
States) ; Severity: Critical; EventNumber: EN00000184; State: 0;
NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;

--------------------------------------------------------------------------------------------------

If you need to refer to more fields, you can add them to the event:
1. In the SmartEvent GUI client, in the Policy tab, right click the event, and select Properties > Event Format tab
2. In the Display column, select the Event fields to have in the Event.
3. Install the Event Policy on the SmartEvent Correlation Unit.

Assigning an Automatic Reaction to an Event

You can add an Automatic Reaction for SmartEvent to run when this type of event is detected.

Select the icon [...].
Select an Automatic Reaction that you created from the list, or select Add new…. For details on how to create each type of Automatic Reaction, see section below.
Configure the Automatic Reaction.
Select Save.
Click OK.

Working Hours

Working Hours are used to detect unauthorized attempts to access protected systems and other forbidden operations after-hours. To set the Regular Working Hours for an event, select a Time Object that you have configured from the drop-down list.

To create a Time Object:

From the Policy tab, select General Settings > Objects > Time Objects.
Click Add.
Enter a Name and Description.
Select the days and times that are considered Regular Working Hours.
Click OK.

To assign a Time Object to an event:

From the Policy tab, select an event that requires a Time Object (for example, User Login at irregular hours in the Unauthorized Entry event category).
Select the Time Object you created from the drop-down list.
Select File > Save.

Exceptions

Exceptions allow an event to be independently configured for the sources or destinations that appear. For example, if the event Port Scan from Internal Network is set to detect an event when 30 port scans occur within 60 seconds, you can also define that two port scans detected from host A within 10 seconds of each other is also an event.

To manually add an exception:

Under Apply the following exceptions, click Add.
Select the Source and/or Destination of the object to apply different criteria for this event.

Note - If you do not see the host object listed, you may need to create it in SmartEvent.

To modify or delete existing exceptions:

Select Edit or Remove.

Creating Event Definitions (User Defined Events)

To create a user-defined event you must have knowledge of the method by which SmartEvent identifies events. This section starts with a high level overview of how logs are analyzed to conclude if an event occurs or occurred.

High Level Overview of Event Identification

Events are detected by the SmartEvent Correlation Unit. The SmartEvent Correlation Unit scans logs for criteria that match an Event Definition.

SmartEvent uses these procedures to identify these events:

Matching a Log Against Global Exclusions

When the SmartEvent Correlation Unit reads a log, it first checks if the log matches all defined Global Exclusions. Global Exclusions (defined on the Policy tab > Event Policy > Global Exclusions) direct SmartEvent to ignore logs that are not expected to contribute to an event.

If the log matches a Global Exclusion, it is discarded by the system. If not, the SmartEvent Correlation Unit starts to match it against each Event Definition.

Matching a Log Against Each Event Definition

Each Event Definition contains a filter which is comprised of a number of criteria that must be found in all matching logs. The criteria are divided by product: The Event Definition can include a number of different products, but each product has its own criterion.

To match the Event Definition "A", a log from Endpoint Security must match the Action, Event Type, Port, and Protocol values listed in the Endpoint Security column. A log from a Security Gateway must match the values listed in its column.

SmartEvent divides this procedure into two steps. The SmartEvent Correlation Unit first checks if the Product value in the log matches one of the permitted Product values of an Event Definition.

If Log 1 did not contain a permitted Product value, the SmartEvent Correlation Unit compares the log against Event Definition "B", and so on. If the log fails to match against an Event Definition, it is discarded.

The SmartEvent Correlation Unit checks if the log contains the Product-specific criteria to match the Event Definition. For example: The product Endpoint Security generates logs that involve the Firewall, Spyware, Malicious Code Protection, and others. The log contains this information in the field Event Type. If an event is defined to match on Endpoint Security logs with the event type Firewall, an Endpoint Security log with Event Type "Spyware" fails against the Event Definition filter. Other criteria can be specified to the Product.

In our example, Log 1 matched Event Definition "A" with a permitted product value. The SmartEvent Correlation Unit examines if the log contains the necessary criteria for an Endpoint Security log to match.

If the criteria do not match, the SmartEvent Correlation Unit continues to compare the log criteria to other event definitions.

Creating an Event Candidate

When a log matches the criteria, it is added to an Event Candidate. Event candidates let SmartEvent track logs until an event threshold is crossed, at which point an event is generated.

Notes -

The Event Candidate can track logs from multiple products
The logs must be from the same source
The Event Candidate tracks logs before all of the criteria were matched

Each Event Definition can have multiple event candidates, each of which keeps track of logs grouped by equivalent properties. In the figure above the logs that create the event candidate have a common source value. They are dropped, blocked or rejected by a Firewall. They are grouped together because the Event Definition is designed to detect this type of activity, that originates from one source.

When a log matches the event definition, but has properties different than those of the existing event candidates, a new event candidate is created. This event candidate is added to what can be thought of as the Event Candidate Pool.

Note - SmartEvent creates a new event candidate for a log with a different source.

To illustrate more, an event defined detects a high rate of blocked connections. SmartEvent tracks the number of blocked connections for each Firewall, and the logs of the blocked traffic at each Firewall forms an event candidate. When the threshold of blocked connection logs from a Firewall is surpassed, that Firewall event candidate becomes an event. While this Event Definition creates one event candidate for each Firewall monitored, other Event Definitions can create many more.

The Event Candidate Pool is a dynamic environment, with new logs added and older logs discarded when they have exceeded an Event Definition time threshold.

When a Candidate Becomes an Event

When a candidate becomes an event, the SmartEvent Correlation Unit forwards the event to the Event Database. But to discover an event does not mean that SmartEvent stops to track logs related to it. The SmartEvent Correlation Unit adds matching logs to the event as long as they continue to arrive during the event threshold. To keep the event open condenses what can appear as many instances of the same event to one, and provides accurate, up-to-date information as to the start and end time of the event.

Creating a User-Defined Event

To create New Event Definitions, right-click an existing Event Definition, or use the Actions menu:

Right Click	Actions Menu	Description
New	New Custom Event	Launches the Event Definition Wizard, which allows you to select how to base the event: on an existing Event Definition, or from scratch.
Save As	Save Event As	Creates an Event Definition based on the properties of the highlighted Event Definition. When you select Save As, the system prompts you to save the selected Event Definition with a new name for later editing. Save As can also be accessed from the Properties window.

All User Defined Events are saved at Policy tab > Event Policy > User Defined Events. When an Event Definition exists it can be modified through the Properties window, available by right-click and from the Actions menu.

Creating a New Event Definition

To create a User Defined Event based on an existing event:

From the Actions menu, select New Custom Event.
The Event Definition Wizard opens.
For Create an event
1. Select that is based on an existing event.
2. Select an event that has equivalent properties to the event you want to create.
3. Click Next.
Name the Event Definition.
Enter a Description.
Select a Severity level.
Click Next.
Set which of these options generates the event:
- A single log — Frequently depicts an event, such as a log from a virus scanner that reports that a virus has been found.
- Multiple logs — Required if the event can only be identified as a result of a combination of multiple logs, such as a High Connection Rate.
Click Next.
Examine the products that can cause this event.
Select Next.
Optional: Edit the product filters:
- If you added a product you can edit the filters for each product (Edit all product filters), or those of new products you added (Edit only newly selected product filters).
- If you did not add other products, edit the filters of existing products (Yes) or skip this step (No, Leave the original files).
Click Next.
Edit or add product filters for each log necessary in the Event Definition filter:
1. Select the Log field from the available Log Field list.
2. Click Add to edit the filter.
3. Make sure that the filter matches on All Conditions or Any Conditions.
4. Double-click the Log field and select the values to use in the filter.
Click Next.
When you defined the filters for each product, select values for these options to define how to process logs:
- Detect the event when at least __ logs occurred over a period of __ seconds contains the event thresholds that define the event. You can modify the event thresholds by altering the number of logs and/or the period of time that define the event.
- Each event definition may have multiple Event Candidates existing simultaneously allows you to set whether SmartEvent creates distinct Event Candidates based on a field (or set of fields) that you select below.
  Select the field(s) by which distinct Event Candidates will be created allows you to set the field (or set of fields) that are used to differentiate between Event Candidates.
- Use unique values of the __ field when counting logs directs SmartEvent to count unique values of the specified field when determining whether the Event Threshold has been surpassed. When this property is not selected, SmartEvent counts the total number of logs received.
Click Finish.

To edit a user-defined event:

From the Policy tab > Event Policy > User Defined Events, right-click a User-Defined Event and select Properties.
In the tabs provided, make the necessary changes:
- Name - Name the Event Definition, enter a Description and select a Severity level. The text you enter in the Description field shows in the Event Description area (below the event configurable properties).
- Filter - To edit a product filter:
  1. Select the product.
  2. Select the Log field from the available Log Fields list.
  3. If the necessary field does not show select Show more fields... to add a field to the Log Fields list.
  4. Click Add to edit the filter.
  5. Select if the filter matches on All Conditions or Any Conditions.
- Count logs
  This screen defines how SmartEvent counts logs related to this event.
  - A Single log — Frequently depicts an event, such as a log from a virus scanner that reports that a virus is found.
  - With this option you can set the fields that are used to group events into Event Candidates. Logs with matching values for these fields are added to the same event. For example: Multiple logs that report a virus detected on the same source with the same virus name are combined into the same event.
  - Multiple logs — Required for events that identify an activity level, such as a High Connection Rate.
  - When the event is triggered by multiple logs, set the behavior of Event Candidates:
  - Detect the event when at least... — Set the Event Threshold that, when exceeded, indicates that an event has occurred.
  - Select the field(s) by which distinct event candidates will be created — An event is generated by logs with the same values in the fields specified here. To define how logs are grouped into Event Candidates, select the related fields here.
  - Use unique values of the ...— Only logs with unique values for the fields specified here are counted in the event candidate. For example: A port scan event counts logs that include unique ports scanned. Also, the logs do not increment the log count for logs that contain ports already encountered in the event candidate.
  - Advanced — Define the keep=alive time for the event, and how often the SmartEvent Correlation Unit updates the SmartEvent server with new logs for the created event.
- Event Format
  When an event is generated, information about the event is presented in the Event Detail pane.
  
  This screen lets you specify if the information will be added to the detailed pane and from which Log Field the information is taken.
  
  You can clear it in the Display column. The Event Field will not be populated.
- GUI representation
  All events can be configured. This screen lets you select the configuration parameters that show.
  - The Threshold section shows the number of logs that must matched to create the event. This is usually not shown for one log events and shown for multiple log events.
  - The Exclude section lets you specify the log fields that show when you add an event exclusion.
  - The Exception section lets you specify the log fields that show when you add an event exception.
Click OK to save your changes.

Eliminating False Positives

This section shows you how to reduce false positives.

Services that Generate Events

Some types of services are characterized by a high quantity of traffic that can be misidentified as events. These are examples of services and protocols that can potentially generate events:

Software that does a routine scan of the network to make sure that everything runs correctly. Configuration of SmartEvent to exclude this source from a scan event eliminates a source of false positive events.
High connection rate on a web server. Set SmartEvent to allow a higher connection rate for each minute on a busy web server, or to exclude this source from a scan event.

Common Events by Service

The information in this table provides a list of server types where high activity is frequently used. To change the Event Policy, adjust event thresholds and add Exclusions for servers and services . You can decrease more the quantity of false positives detected.

Common events by service

Server Type	Category	Event Name	Source	Dest	Service	Reason
SNMP	Scans	IP sweep from internal network	Any	Any	SNMP-read	Hosts that query other hosts
DNS Servers	Scans	IP sweep from internal network	DNS servers	-	DNS	Inter-DNS servers updates
	Denial of Service (DoS)	High connection rate on internal host on service	Any	DNS servers	DNS	DNS requests and inter-DNS servers updates
	Anomalies	High connection rate from internal network	Any	Any	DNS	DNS requests and inter-DNS servers updates
	Anomalies	High connection rate from internal network on service	Any	Any	DNS	DNS requests and inter-DNS servers updates
	Anomalies	Abnormal activity on service	Any	Any	DNS	DNS requests and inter-DNS servers updates
NIS Servers	Scans	Port scan from internal network	NIS servers	Any	-	Multiple NIS queries
	Denial of Service (DoS)	High connection rate on internal host on service	Any	NIS servers	NIS	NIS queries
	Anomalies	High connection rate from internal network	Any	Any	NIS	NIS queries
	Anomalies	High connection rate from internal network on service	Any	Any	NIS	NIS queries
	Anomalies	Abnormal activity on service	Any	Any	NIS	NIS queries
LDAP Servers	Denial of Service (DoS)	High connection rate on internal host on service	Any	LDAP servers	LDAP	LDAP requests
	Anomalies	High connection rate from internal network	Any	LDAP servers	LDAP	LDAP requests
	Anomalies	High connection rate from internal network on service	Any	LDAP servers	LDAP	LDAP requests
	Anomalies	Abnormal activity on service	Any	LDAP servers	LDAP	LDAP requests
HTTP Proxy Servers - Hosts To Proxy Server	Denial of Service (DoS)	High connection rate on internal host on service	Any	Proxy servers	HTTP:8080	Hosts connections to Proxy servers
	Anomalies	High connection rate from internal network	Any	Proxy servers	HTTP:8080	Hosts connections to Proxy servers
	Anomalies	High connection rate from internal hosts on service	Any	Proxy servers	HTTP:8080	Hosts connections to Proxy servers
	Anomalies	Abnormal activity on service	Any	Proxy servers	HTTP:8080	Hosts connections to Proxy servers
HTTP Proxy Servers - Out to the Web	Scans	IP sweep from internal network	Proxy servers	Any	HTTP/ HTTPS	Proxy servers connections out to various sites
	Denial of Service (DoS)	High connection rate on internal host on service	Proxy servers	Any	HTTP/ HTTPS	Proxy servers connections out to various sites
	Anomalies	High connection rate from internal network	Proxy servers	Any	HTTP/ HTTPS	Proxy servers connections out to various sites
		High connection rate from internal hosts on service	Proxy servers	Any	HTTP/ HTTPS	Proxy servers connections out to various sites
	Anomalies	Abnormal activity on service	Proxy servers	Any	HTTP/ HTTPS	Proxy servers connections out to various sites
UFP Servers	Denial of Service (DoS)	High connection rate on internal host on service	Any	UFP servers	Any/UFP by vendor	Firewall connections to UFP servers
	Anomalies	High connection rate from internal network	Any	UFP servers	Any/UFP by vendor	Firewall connections to UFP servers
	Anomalies	High connection rate from internal hosts on service	Any	UFP servers	Any/UFP by vendor	Firewall connections to UFP servers
	Anomalies	Abnormal activity on service	Any	UFP servers	Any/UFP by vendor	Firewall connections to UFP servers
CVP Servers Request	Denial of Service (DoS)	High connection rate on internal host on service	Any	CVP servers	Any/CVP by vendor	Firewall connections to CVP servers
	Anomalies	High connection rate from internal network	Any	CVP servers	Any/CVP by vendor	Firewall connections to CVP servers
	Anomalies	High connection rate from internal hosts on service	Any	CVP servers	Any/CVP by vendor	Firewall connections to CVP servers
	Anomalies	Abnormal activity on service	Any	CVP servers	Any/CVP by vendor	Firewall connections to CVP servers
CVP Servers Replies	Scans	Port scans from internal network	CVP servers	Any	-	Multiple CVP replies to same GW
	Scans	IP sweep from internal network	CVP servers	-	CVP	CVP replies to multiple GWs
	Denial of Service (DoS)	High connection rate on internal host on service	CVP servers	Any	Any/CVP by vendor	CVP replies
	Anomalies	High connection rate from internal network	CVP servers	Any	Any/CVP by vendor	CVP replies
	Anomalies	High connection rate from internal hosts on service	CVP servers	Any	Any/CVP by vendor	CVP replies
	Anomalies	Abnormal activity on service	CVP servers	Any	Any/CVP by vendor	CVP replies
UA Server Request	Denial of Service (DoS)	High connection rate on internal host on service	Any	UA servers	uas-port (TCP:19191 TCP:19194)	Connections to UA servers
	Anomalies	High connection rate from internal network	Any	UA servers	(TCP:19191 TCP:19194)	Connections to UA servers
	Anomalies	High connection rate from internal hosts on service	Any	UA servers	uas-port (TCP:19191 TCP:19194)	Connections to UA servers
	Anomalies	Abnormal activity on service	Any	UA servers	uas-port (TCP:19191 TCP:19194)	Connections to UA servers
UA Servers Replies	Scans	Port scans from internal network	UA servers	Any	-	Multiple UA replies to the same computer
	Scans	IP sweep from internal network	UA servers	Any	uas-port (TCP:19191 TCP:19194)	Multiple UA replies to multiple computers
	Denial of Service (DoS)	High connection rate on internal host on service	UA servers	Any	uas-port (TCP:19191 TCP:19194)	UA replies
	Anomalies	High connection rate from internal network	UA servers	Any	uas-port (TCP:19191 TCP:19194)	UA replies
	Anomalies	High connection rate from internal hosts on service	UA servers	Any	uas-port (TCP:19191 TCP:19194)	UA replies
	Anomalies	Abnormal activity on service	UA servers	Any	uas-port (TCP:19191TCP:19194)	UA replies
SMTP Servers	Scans	IP sweep from internal network	SMTP servers	-	SMTP	SMTP servers connections out to various SMTP servers
	Denial of Service (DoS)	High connection rate on internal host on service	SMTP servers	Any	SMTP	SMTP servers connections out to various SMTP servers
	Anomalies	High connection rate from internal network	SMTP servers	Any	SMTP	SMTP servers connections out to various SMTP servers
	Anomalies	High connection rate from internal hosts on service	SMTP servers	Any	SMTP	SMTP servers connections out to various SMTP servers
	Anomalies	Abnormal activity on service	SMTP servers	Any	SMTP	SMTP servers connections out to various SMTP servers
Anti-Virus Definition Servers	Scans	IP sweep from internal network	AV_Defs servers	-	Any/AV by vendor	Anti-Virus definitions updates deployment
	Denial of Service (DoS)	High connection rate on internal host on service	AV_Defs servers	-	Any/AV by vendor	Anti-Virus definitions updates deployment
	Anomalies	High connection rate from internal network	AV_Defs servers	-	Any/AV by vendor	Anti-Virus definitions updates deployment
	Anomalies	High connection rate from internal hosts on service	AV_Defs servers	-	Any/AV by vendor	Anti-Virus definitions updates deployment
	Anomalies	Abnormal activity on service	AV_Defs servers	-	Any/AV by vendor	Anti-Virus definitions updates deployment

System Administration

To maintain your SmartEvent system, you can do these tasks from the General Settings section of the Policy tab:

Adding a SmartEvent Correlation Unit and Log Servers
Create offline jobs analyze historical log files
Adding objects to the Internal Network
Creating scripts to run as Automatic Reactions for certain events
Creating objects for use in filters

Save Event Policy

Modifications to the Event Policy do not take effect until saved on the SmartEvent server and installed to the SmartEvent Correlation Unit.

To enable changes made to the Event Policy:

Click File > Save.
Click Actions > Install Event Policy.

Revert Changes

You can undo changes to the Event Policy, if they were not saved.

To undo changes: click File > Revert Changes.

Adding Network and Host Objects

Certain objects from the Management server are added during the initial sync with the SmartEvent server and updated at a set interval. But it is useful (or necessary) to add other Network or Host objects, for these reasons:

If some devices or networks are not represented on the Management server, and are important to define your internal network.
When you add sources or destinations to exclusions or exceptions in Event Definitions.
When you select sources or destinations in a filter.

These screens are locked until initial sync is complete:

Network Objects
Internal Network
SmartEvent Correlation Unit

You can make a device available to use in SmartEvent.

To make a device that is a host object available in SmartEvent:

From the Policy tab, select General Settings > Objects > Network Objects > Add > Host.
Give the device a significant name.
Enter its IP Address or select Get Address.
Select OK.

To make a device that is a network object available in SmartEvent:

From the Policy tab, select General Settings > Objects > Network Objects > Add > Network.
Give the network a significant name.
Enter the Network Address and Net Mask.
Select OK.

See Defining the Internal Network for information about how to add objects to the Internal Network definition.

Defining the Internal Network

To help SmartEvent conclude if events originated internally or externally, you must define the Internal Network. These are the options to calculate the traffic direction:

Incoming – all the sources are external to the network and all destinations are inner
Outgoing – all sources are in the network and all destinations external
Internal – sources and destinations are all in the network
Other – a mixture of and internal and external values makes the result indeterminate

To define the Internal Network:

From the Policy tab, select General Settings > Initial Settings > Internal Network.
Add internal objects.
We recommend you add all internal Network objects, and not Host objects.

Some network objects are copied from the Management server to the SmartEvent Server during the initial sync and updated afterwards.

These screens are locked until initial sync is complete:

Network Objects
Internal Network
Correlation Units

SmartEvent with Management High Availability

The SmartEvent database keeps a synchronized copy of management objects locally on the SmartEvent Server. This process, dbsync, allows SmartEvent to work independently of different management versions and different management servers in a High Availability environment.

Management High Availability capability exists for Security Management Servers, and in a Multi-Domain Security Management environment, dbsync supports High Availability for the Multi-Domain Servers and the Domain Servers.

How it works

Dbsync initially connects to the management server with which SIC is established. It retrieves all the objects. After the initial synchronization it gets updates when an object is saved. Dbsync registers all the High Availability management machines and periodically tests the connectivity with the newest management server. If connectivity is lost, it attempts to connect to the other High Availability management servers until it finds an active one and connects to it.

If two management servers are active concurrently, dbsync stays connected to one management server. Dbsync does not get changes made on the other management server until a synchronization operation is done.

Log Server High Availability

In SmartConsole, you can configure a Security Gateway, that when it fails to send its logs to one Log Server, it will send its logs to a secondary Log Server. To support this configuration, you can add Log Servers to a single SmartEvent Correlation Unit. In this way, the SmartEvent Correlation Unit gets an uninterrupted stream of logs from both servers and continues to correlate all logs.

SmartEvent Correlation Unit High Availability

Multiple correlation units can read logs from the same Log Servers. That way, the units provide redundancy if one of them fails. The events that the Correlation Units detect are duplicated in the SmartEvent database. But these events can be disambiguated if you filter them with the Detected By field in the Event Query definition. The Detected By field specifies which SmartEvent Correlation Unit detected the event.

If the SmartEvent Server becomes unavailable, the Correlation Units keep the events until it can reconnect with the SmartEvent Server and forward the events.