Severity

To modify the severity of an event, select a severity level from the drop-down list.

If the event is based on Threat Prevention logs, the event gets the severity from the protection type, not from the severity configured here.

To overwrite the severity:

1. Go to SmartEvent > Policy.
2. Select an event and right click > Select Properties.

   The Edit Event Definition window opens.

3. In the Event Format tab, select Determine event's display name and severity from event logs.

Automatic Reactions

When detected, an event can activate an Automatic Reaction. The SmartEvent administrator can create and configure one Automatic Reaction, or many, according to the needs of the system.

For example: A Mail Reaction can be defined to tell the administrator of events to which it is applied. Multiple Automatic Mail Reactions can be created to tell a different responsible party for each type of event.

To create an automatic reaction:

1. Create an automatic reaction object in the Event definition, or from General Settings > Objects > Automatic Reactions.
2. Assign the Automatic Reaction to an event (or to an exception to the event).
3. To save the Event Policy, click File > Save
4. To install the Event Policy on the SmartEvent Correlation Unit, click Actions > Install Event Policy.

These are the types of Automatic Reactions:

• Mail - tell an administrator by email that the event occurred. See Create a Mail Reaction.
• Block Source - instruct the Security Gateway to block the source IP address from which this event was detected for a configurable period of time . Select a period of time from one minute to more than three weeks. See Create a Block Source Reaction
• Block Event activity - instruct the Security Gateway to block a distributed attack that emanates from multiple sources, or attacks multiple destinations for a configurable period of time. Select a period of time from one minute to more than three weeks). See Create a Block Event Activity Reaction.
• External Script - run a script that you provide. See Creating an External Script Automatic Reaction to write a script that can exploit SmartEvent data.
• SNMP Trap - generate an SNMP Trap. See Create an SNMP Trap Reaction.

  You can send event fields in the SNMP Trap message. The format for such an event field is [seam_event_table_field]. This list represents the possible seam_event table fields:

  AdditionalInfo varchar(1024)

  AutoReactionStatus varchar(1024)

  Category varchar(1024)

  DetectedBy integer

  DetectionTime integer

  Direction integer

  DueDate integer

  EndTime integer

  EventNumber integer

  FollowUp integer

  IsLast integer

  LastUpdateTime integer

  MaxNumOfConnections integer

  Name varchar(1024), NumOfAcceptedConnections integer

  NumOfRejectedConnections integer

  NumOfUpdates integer

  ProductCategory varchar(1024)

  ProductName varchar(1024)

  Remarks varchar(1024)

  RuleID varchar(48)

  Severity integer

  StartTime integer

  State integer

  TimeInterval integer

  TotalNumOfConnections varchar(20)

  User varchar(1024)

  Uuid varchar(48)

  aba_customer varchar(1024)

  jobID varchar(48)

  policyRuleID varchar(48)

These sections tell how to add an Automatic Reaction to an event:

Creating Automatic Reactions

You can create Automatic reaction from:

• The Policy tab: Select General Settings> Object > Automatic Reactions
• In an Event Definition: Select the icon […] and click Add New.

The first step for each of the next procedures assumes that you are at one of the starting points above.