Print Download PDF Send Feedback

Previous

Next

Customizing a User-Defined Event

Customizing a user-defined event:

  1. From the Policy tab > Event Policy > User Defined Events, right-click a User-Defined Event and select Properties.
  2. In the tabs provided, make the necessary changes:
    • Name - Name the Event Definition, enter a Description and select a Severity level. The text you enter in the Description field shows in the Event Description area (below the event configurable properties).
    • Filter - To edit a product filter:
      1. Select the product.
      2. Select the Log field from the available Log Fields list.
      3. If the necessary field does not show select Show more fields... to add a field to the Log Fields list.
      4. Click Add to edit the filter.
      5. Select if the filter matches on All Conditions or Any Conditions.
    • Count logs

      This screen defines how SmartEvent counts logs related to this event.

      • A Single log — Frequently depicts an event, such as a log from a virus scanner that reports that a virus is found.
      • With this option you can set the fields that are used to group events into Event Candidates. Logs with matching values for these fields are added to the same event. For example: Multiple logs that report a virus detected on the same source with the same virus name are combined into the same event.
      • Multiple logs — Required for events that identify an activity level, such as a High Connection Rate.
      • When the event is triggered by multiple logs, set the behavior of Event Candidates:
      • Detect the event when at least... — Set the Event Threshold that, when exceeded, indicates that an event has occurred.
      • Select the field(s) by which distinct event candidates will be created — An event is generated by logs with the same values in the fields specified here. To define how logs are grouped into Event Candidates, select the related fields here.
      • Use unique values of the ...— Only logs with unique values for the fields specified here are counted in the event candidate. For example: A port scan event counts logs that include unique ports scanned. Also, the logs do not increment the log count for logs that contain ports already encountered in the event candidate.
      • Advanced — Define the keep=alive time for the event, and how often the SmartEvent Correlation Unit updates the SmartEvent server with new logs for the created event.
    • Event Format

      When an event is generated, information about the event is presented in the Event Detail pane.

      This screen lets you specify if the information will be added to the detailed pane and from which Log Field the information is taken.

      You can clear it in the Display column. The Event Field will not be populated.

    • GUI representation

      All events can be configured. This screen lets you select the configuration parameters that show.

      • The Threshold section shows the number of logs that must matched to create the event. This is usually not shown for one log events and shown for multiple log events.
      • The Exclude section lets you specify the log fields that show when you add an event exclusion.
      • The Exception section lets you specify the log fields that show when you add an event exception.
  3. Click OK to save your changes.
02 March 2022
Was this helpful?
Incorrect information Not what I'm looking for Too much information Confusing information
© 2021 Check Point Software Technologies Ltd. All rights reserved.