
Event Analysis

In This Section:

Event Analysis with SmartEvent

What is an Event?

Sample Application & URL Filtering Event Analysis

The SmartEvent Solution

Working with SmartEvent

Event Analysis with SmartEvent

The SmartEvent Software Blade is a unified security event management and analysis solution that delivers real-time, graphical threat management information. SmartConsole, the SmartView Web Application, and the SmartEvent GUI client consolidate billions of logs and show them as prioritized security events, so you can immediately respond to security incidents and take the necessary actions to prevent further attacks. You can customize the views to monitor the events that are most important to you. You can move from a high-level view to detailed forensic analysis in a few clicks. With the free-text search and suggestions, you can quickly run data analysis and identify critical security events.

What is an Event?

An event is a record of a security incident. It is based on one or more logs, and on rules that are defined in the Event Policy.

An example of an event that is based on one log: A High Severity Anti-Bot event. One Anti-Bot log with a Severity of High causes the event to be recorded.

An example of an event that is based on more than one log: A Certificate Sharing event. Two login logs with the same certificate and a different user cause the event to be recorded.

How Are Logs Converted to Events?

SmartEvent automatically defines logs that are not Firewall, VPN, or HTTPS Inspection logs as events.

Events that are based on a suspicious pattern of two or more logs are created by the SmartEvent Correlation Unit. These correlated events are defined in the SmartEvent client GUI, in the Policy tab.

Most logs are Firewall, VPN and HTTPS Inspection logs. Therefore, SmartEvent does not define them as events by default, to avoid a performance impact on the SmartEvent Server. However, enabling consolidated events for Firewall saves disk space and makes it possible to keep a longer event history. To create events for Firewall, in the SmartEvent Policy tab, enable Consolidated Sessions > Firewall Session.

Sample Application & URL Filtering Event Analysis

To show an Internet browsing event:

  1. In the Logs & Monitor view of SmartConsole or the SmartView Web Application, open the General Overview.
  2. In the Query search bar, select the time period. For example: Past 24 Hours.

    The events for this time period are shown.

  3. In Timeline View, click a circle below High Risk Attacks.

This is an example log of a High Risk event.

Information about the event:

The SmartEvent Solution

In This Section:

The SmartEvent Architecture

SmartEvent Correlation Unit

The SmartEvent GUI

The SmartView Web Application

The SmartEvent Architecture

SmartEvent has several components that work together to help track down security threats and make your network more secure.

This is how they work together. The numbers refer to the diagram (SmartEvent Traffic Architecture; legend: Log data flow, Event data flow):

  1. Check Point Security Gateway - Sends logs to the Log Server.
  2. Log Server - Stores logs.
  3. SmartEvent Correlation Unit - Identifies events: analyzes each log entry from a Log Server and looks for patterns according to the installed Event Policy. The logs contain data from Check Point products and certain third-party devices. When a threat pattern is identified, the SmartEvent Correlation Unit forwards the event to the SmartEvent Server.
  4. SmartEvent Server - Receives the items that the SmartEvent Correlation Unit identified as events, does further analysis to determine the severity level of the event and what action to take, and stores the event in the system database.
  5. Events database - Stores events. Located on the SmartEvent Server.
  6. SmartEvent client - Shows the received events. Use the clients to manage events (for example, to filter and close events), and to fine-tune and install the Event Policy. The clients are:
    • SmartConsole
    • SmartEvent GUI
    • SmartView Web Application

The SmartEvent components can be installed on one computer (that is, a standalone deployment) or multiple computers and sites (a distributed deployment). To handle higher volumes of logging activity, we recommend a distributed deployment. You can install more than one SmartEvent Correlation Unit. Each SmartEvent Correlation Unit can analyze logs from more than one Log Server or Domain Log Server.

SmartEvent Correlation Unit

The SmartEvent Correlation Unit analyzes the log entries and identifies events from them. During analysis, the SmartEvent Correlation Unit does one of these actions:

The SmartEvent GUI

The SmartEvent GUI is one of the SmartEvent clients that you can use to analyze events that occur in your environment.

Overviews:

The Overview tab shows top events of all types. When you work with a protection type, you can go directly to the data for that area.

Click the tab for events filtered by Software Blade:

Drill down forensics:

Double-click a result in a pane (such as an IP address or a user name). The other Overview panes are filtered for the selection. The search bar shows the filter applied to the events. For example, if you click one of the Top Sources, the search bar shows: src:"<ip_address>".

Quickly search the database of logs and events:

Use Search Suggestions and Recent Searches. Click in the search bar to see the search suggestions and your recent searches. The search is fast, and the results are from the event database.

For example, to see only important events from 192.168.2.15:

  1. Click the Search bar.
  2. Select Severity in the Suggestions list.
  3. In the list of valid values that shows, click Critical.
  4. Click in the Search bar.
  5. Select Source in the Suggestions list.
  6. If the required IP address is not in the list, enter it in the search bar.

    The data in all the panes is updated to match your search.

Filter for standard results:

Click Filters to select a standard filter option. For example, in Application and URL Filtering, you can filter to see only events of Application Control or only events of URL Filtering. You can filter for Action, to see events for Blocked or Allowed traffic.

Free-text search using the log search syntax:

For more sophisticated searching, you can do AND/OR searches with the Query Syntax.

The SmartView Web Application

The SmartView Web Application is one of the SmartEvent clients that you can use to analyze events that occur in your environment. Use the SmartView Web Application to see an overview of the security information for your environment. It has the same real-time event monitoring and analysis views as SmartConsole. The convenience is that you do not have to install a client.

To log in to SmartEvent using SmartView Web Application:

Browse to
https://<Security Management Server IP Address>/smartview/
or
https://<Security Management Server host name>/smartview/

Note - The URL is case sensitive.

Working with SmartEvent

In This Section:

Opening the SmartEvent GUI Client

Working with Queries

Investigating Events

Configuring Event Definitions in the SmartEvent Policy Tab

System Administration

SmartEvent High Availability Environment

Opening the SmartEvent GUI Client

To open the SmartEvent GUI client:

  1. Open SmartConsole > Logs & Monitor.
  2. Click (+) for a new Catalog tab.
  3. Click SmartEvent Settings & Policy.

Working with Queries

SmartEvent uses filtered event views, called queries, to identify and show relevant events. Event window information, timelines, graphs, and reports are based on queries that identify potentially dangerous events and event patterns. You use this information to adjust your Security Policies and protection settings in response to detected threats.

Event Queries in SmartEvent

SmartEvent uses filtered event views, called queries, to define the events to view. Located in the Queries Tree, these queries filter and organize event data for display in the Events, Charts and Maps tabs. Queries are defined by filter properties and chart properties. Filter properties let you define what type of events to display and how they should be organized. Chart properties let you define how the filtered event data should be displayed in chart form.

Predefined Queries

SmartEvent provides a thorough set of predefined queries, which are appropriate for many scenarios.

Queries are organized by combinations of event properties, for example:

Custom Queries

SmartEvent gives you the flexibility to define custom queries that show the most related events and trends. After you define custom queries, you can organize them into folders. That way, they are easy to find and use.

Use your queries to:

Customizing Query Filters

You can work with queries in the Events windows. To learn about procedures and to work with report queries, see the Reports section.

To change query filter properties:

  1. In SmartEvent, click Events.
  2. In the tree, right-click the query and select Options > Properties > Event Query Properties.
  3. In the Query Properties window, configure the query.

To clear filter values from a query:

  1. In the tree, right-click the query and select Options > Properties > Events Query Properties.
  2. In the In Use list, right-click the value in the Filter column and select Clear Filter.

    The filter value changes to Any.

Event Query Properties window - Actions

Optional: Define these additional query settings:

Creating Custom Queries

You can create a custom query from scratch in the Custom folder or based on an existing query.

To create a custom query based on the default query:

  1. In SmartEvent, click Events.
  2. In the Selector tree, right-click on the Custom folder and select New.
  3. Enter a name for the custom query.

To create a custom query based on an existing query:

  1. Right-click an existing query and select Save As.
  2. Enter a name for the new query.
  3. To save the query with the Time frame setting from the Events list:
    1. Click More.
    2. Select the Save time frame option.
  4. Click Save.

Event Query Results in SmartEvent

The Events tab is the primary part of SmartEvent.

These are the components of the Events tab:

  1. Query Tree - Double-click a query to run it. The results show in the Event List.
  2. Event Statistics pane - Shows the top events, destinations, sources and users of the query results, either as a chart or in a tallied list.
  3. Event List - Shows the events generated by a query.
  4. Event Preview Pane - Shows the details of the selected event.

Event List

The SmartEvent Event List in SmartConsole and in the SmartEvent GUI can show up to 100,000 events. The events shown are the result of a query that ran on the Event Database. To run a different query, double-click a query in the Selector tree. The Event List shows the events that match the criteria of the query.

The Event List is where detected events can be filtered, sorted, grouped, sent for review, and exported to a file. This helps you understand your network security status. Event details, such as Start and End Time, Event Name and Severity, are shown in a grid. In the Status bar at the bottom of the SmartConsole and SmartEvent client window, Number of records in view shows a count of new events. Refresh retrieves the data from the database according to the active query filter.

The details of an event provide important specifics about the event: Type of event, origin, service, and number of connections. To access event details, double-click the event or show the Event Preview Pane.

Queries are built with default settings that can be changed directly in the Events tab to provide more specified or more comprehensive results.

Filtering Events

After you run a query, you can right-click a column and define the filter parameters to filter the event data. This temporarily includes the filter in the active query and runs the query again against the database to return the matching values.

A green filter icon at the top of a column indicates that a filter is applied to that field. To save the new set of filters as a custom query, select Save from the File menu. To discard filters that were not saved, run the query again.

To use filters with query results:

Sorting and Searching Events

Running a query can return thousands of matching events. To help you organize the events that the query has already returned, click a column header to sort them.

To look for events with specific values, enter the values in the Search field. When you search for multiple values separated by commas, the events that contain the search values are returned; the values can be in any event field. The search can be made case-sensitive, and it can search data that does not show in columns.

Grouping Events

One of the most powerful ways to analyze event data is to group it by specified columns with the Group By button on the toolbar. Group the events by one or more columns. The Event List shows the number of matching events in each group, in descending order.

To specify the default grouping that a query uses, mark fields as Grouped in the Events Query Properties window.

The top line of each group in the Event List shows a summary of the events that it contains. Hover over a field in the top line to see details of what data that field contains in the events of this group.

To group events by one or more fields:

To remove fields from the grouping:

Sending an Event

Event information can show a sign of a security attack or vulnerability that needs to be resolved. For example, another member of your security team can review an event as a sign of an attack. When you report events to Check Point, it helps Check Point improve the IPS technology to detect new threats in an ever-changing security environment. From the Event List, you can send event details as an email with your default email client, or send the event details to Check Point over a secure SSL connection.

To send an event with an email:

  1. Select the event in the Event List.
  2. Right-click on the event and select Send event by Email.

    A new email opens with your default email client. The event information is included in the body of the email.

To report an event to Check Point:

  1. Select the event in the Event List.
  2. Right-click on the event and select Report Event to Check Point.
  3. Include the Event Details only, or include the Packet Capture related to the event.

    Only the event information is sent to Check Point over a secure SSL connection. The data is kept confidential. Check Point uses the information only to improve IPS.

Exporting Events to a File

The Event tab in the SmartEvent GUI can contain thousands of events. Export the events into a text file to review or manipulate the data with external applications. For example: A spreadsheet or text editor.

To export events to a comma-delimited (csv) file:

  1. Open SmartConsole > Logs & Monitor.
  2. Click (+) for a Catalog (new tab).
  3. Click SmartEvent Settings & Policy.
  4. Go to the Events tab.
  5. From the File menu, select Export to a CSV File.
  6. Save the file.

Event Statistics pane

The Event List in the Events tab is accompanied by charts displaying the Top Events, Top Sources, Top Destinations and Top Users for the active query. These statistics are automatically updated as filters are applied to the Event List.

You can filter in or out any value in the Event Statistics Pane to focus the query results on the data that is most important to you. Filtering in the Event Statistics pane is also reflected in the Event List, and clearing filters from the Event Statistics Pane clears all filters that have been applied to the query.

To remove the extra conditions you have applied, click on the Clear Filter icon.

Event Details

See the details of an event from the Preview Pane in the Events tab or by double-clicking on the event in the Event List. The Event Details window has two tabs with different data:

These options are available from the Event Details window:

Details Tab

The Details tab includes:

Summary Tab

The Summary tab includes:

Browse Time

The Browse Time feature keeps track of the total time that users are connected to different sites and applications. R76 and later Security Gateways calculate the cumulative connection time for each session and periodically update this value until the session is closed.

Browse time is calculated as follows:

Investigating Events

After you arrange the events as you like in the Event List, you can investigate their details and evaluate if they represent a threat.

Tracking Event Resolution using Tickets

Events can be categorized and assigned to administrators to track their path through the workflow of resolving threats. When administrators review an event, they can assign it a status, such as Investigation in Progress, Resolved, or False Alarm, and add comments that detail the actions that have been taken with respect to the event. This process is called Ticketing.

After administrators edit the ticket, they can use queries to track the actions taken to mitigate security threats and produce statistics based on those actions.

Editing IPS Protection Details

When you review events generated from the IPS blade, review the IPS protections and profiles to understand why an event was generated or attempt to change the way the traffic is handled by the IPS blade.

The IPS menu presents actions that are specific to IPS events. These actions include:

Packet Capture

If a log has related packet captures, you can open a packet viewer to see the contents of the captured packet. To examine this more, save the packet capture to a file.

To use the Packet Capture feature, you must activate blades.

To activate blades:

  1. In a Security Management Server deployment, activate the Logging & Status Software Blade on the Security Management Server.
  2. In a Multi-Domain Security Management deployment:
    1. Connect to SmartConsole for the Domain Server.
    2. In the Gateways & Servers tab, double-click the Domain Server object.
    3. In the General pane, select SmartEvent.

To see a packet capture:

  1. In the SmartEvent Events tab, right-click the event in the Event List pane.
  2. Select Additional Information > View packet capture from the Options menu.

    The Packet Capture Viewer Output window opens.

  3. Optional: Click Save to save the packet capture data as a text file.
  4. Optional: Select Actions > Packet Capture Configuration to define an application in which to see packet capture information.

    The options are:

    • The SmartEvent Internal Viewer.
    • A Windows program associated with this file type.
    • To select a program, enter the program executable file name, and required arguments.

Using Custom Commands

The SmartEvent client provides a convenient way to run frequently used command line executables that help you to examine events. Right-click cells in the Event List that refer to an IP address to show the default list of commands in the context-sensitive menu.

These commands are available by default: ping, whois, nslookup and Telnet. The IP address of the active cell is used as the destination of the command when run. Therefore, the commands show by design only on cells that refer to IP addresses, because t

For example: Right-click a cell with an IP address and select the default ping command. A window opens and three ICMP packets are sent to that address. This behavior is configurable. You can add your own custom commands.

To add (or edit) custom commands:

  1. In the SmartEvent GUI, select Actions > Configure Custom Commands.
  2. To add a command, select Add...
  3. Optional: To edit a command, highlight the command and select Edit.
  4. Enter the text to appear in the right-click context menu.
  5. Enter the command to run, and any arguments.
  6. Configure the command to run in a SmartEvent window or in a separate Windows command window.
  7. Select if the command will appear in the context menu only when you right-click in cells with IP address data.
  8. Click OK.

Configuring Event Definitions in the SmartEvent Policy Tab

Use the Policy tab of the SmartEvent GUI client to configure and customize the events that define the SmartEvent Event Policy.

Policy Tab

Define the Event Policy in the Event Policy tab. Most configuration steps occur in the Policy tab. You define system components, such as SmartEvent Correlation Unit, lists of blocked IP addresses and other general settings.

The types of events that SmartEvent can detect are listed here, and sorted into a number of categories. To change each event, change the default thresholds and set Automated Responses. You can also disable events.

The Policy tab has these sections:

After the SmartEvent client starts to show events, do these procedures:

Save Event Policy

Modifications to the Event Policy do not take effect until saved on the SmartEvent server and installed to the SmartEvent Correlation Unit.

To enable changes made to the Event Policy:

  1. Click File > Save.
  2. Click Actions > Install Event Policy.

Revert Changes

You can undo changes to the Event Policy, if they were not saved.

To undo changes: click File > Revert Changes.

Modifying Event Definitions

SmartEvent constantly takes data from your Log Servers, and searches for patterns in all the network chatter that enters your system.

Depending on the levels set in each Event Definition, the number of events detected can be high. But only a portion of those events can be meaningful. You can change the thresholds and other criteria of an event, to reduce the number of false alarms.

To change Event Definitions:

  1. Select a type of event from one of the Event Policy categories.
  2. Adjust the Event Definitions. The elements that can be modified vary per event definition. Some event types include all; others have just one or two of these configurable elements.
  3. To save the Event Policy, click File > Save.
  4. From the Actions menu, click Install Event Policy.

Event Definitions and General Settings

The Selector tree is divided into two branches: Event Policy and General Settings. The events detectable by SmartEvent are organized by category in the Event Policy branch. Select an event definition to show its configurable properties in the Detail pane, and a description of the event in the Description pane. Clear the property to remove this event type from the Event Policy the next time the Event Policy is installed.

The General Settings branch contains initial settings, such as the definition of the SmartEvent Correlation Unit, which are typically used for the initial configuration. Click a General Settings item to show its configurable properties in the Detail pane.

For details on specified attacks or events, refer to the Event Definition Detail pane.

Event Definition Parameters

When an event definition is selected, its configurable elements appear in the Detail pane, and a description of the event is displayed in the Description pane. These are the usual types of configurable elements:

Not all of these elements appear for every Event Definition. After you install and run SmartEvent for a short time, you will discover which of these elements need to be fine-tuned per Event Definition.

For configuration information regarding most objects in General Settings, see System Administration.

Event Threshold

The Event Threshold allows you to modify the limits that, when exceeded, indicate that an event has occurred. The limits are typically the number of connections, logs, or failures, and the period of time in which they occurred. It appears as:

Detect the event when more than x connections/logs/failures (etc.) were detected over a period of y seconds.

To decrease the number of false alarms for a particular event, increase the number of connections, logs or failures and/or the period of time in which they must occur.

Severity

An event's severity determines in which queries (among those that filter for severity) this type of event appears.

To modify the severity of an event, select a severity level from the drop-down list.

Automatic Reactions

When detected, an event can activate an Automatic Reaction. The SmartEvent administrator can create and configure one Automatic Reaction, or many, according to the needs of the system.

For example: A Mail Reaction can be defined to notify the administrator of the events to which it is applied. Multiple Automatic Mail Reactions can be created to notify a different responsible party for each type of event.

To create an automatic reaction:

  1. Create an automatic reaction object in the Event definition, or from General Settings > Objects > Automatic Reactions.
  2. Assign the Automatic Reaction to an event (or to an exception to the event).
  3. To save the Event Policy, click File > Save
  4. To install the Event Policy on the SmartEvent Correlation Unit, click Actions > Install Event Policy.

These are the types of Automatic Reactions:

These sections tell how to add an Automatic Reaction to an event:

Creating Automatic Reactions

You can create Automatic reaction from:

The first step for each of the next procedures assumes that you are at one of the starting points above.

Creating a Mail Reaction

  1. Select Add > Mail.
  2. Give the automatic reaction a significant name.
  3. Fill out the Mail Parameters of From, To and cc.
  4. To add multiple recipients, separate each email address with a semi-colon.

    Note - The Subject field has the default variables [EventNumber] - [Severity] - [Name]. These variables automatically add the event number, severity and name of the event that triggered this reaction to the mail subject. You can remove these variables at your discretion.

  5. Optional: Include your own standard text for each mail reaction.
  6. Enter the domain name of the SMTP server.
  7. Select Save.

Creating an SNMP Trap Reaction

  1. Select Add > SNMP Trap.
  2. Give the automatic reaction a significant name.
  3. Fill out the SNMP Trap parameters of Host, Message, OID and Community name.

    The command send_snmp uses values that are found in the file chkpnnt.mib, in the directory $CPDIR/lib/snmp/. An OID value used in the SNMP Trap parameters window must be defined in chkpnnt.mib, or in a file that refers to it. If the OID field is left blank, the value is determined from iso.org.dod.internet.private.enterprises.checkpoint.products.fw.fwEvent = 1.3.6.1.4.1.2620.1.1.11.

    When the automatic reaction occurs, the SNMP Trap is sent as a 256-byte DisplayString text. If the OID type is not text, the message is not sent.

  4. Select Save.

Creating a Block Source Reaction

  1. Select Add > Block Source.
  2. Give the automatic reaction a significant name.
  3. From the drop-down list, select the number of minutes to block this source.
  4. Select Save.

Creating a Block Event Activity Reaction

  1. Select Add > Block Event Activity.
  2. Give the automatic reaction a significant name.
  3. From the drop-down list, select the number of minutes to block this source.
  4. Select Save.

Creating an External Script Automatic Reaction

To add an External Script:

  1. Create the script. See the Guidelines for creating the script below.
  2. Put the script on the SmartEvent Server:
    1. In $RTDIR/bin, create the folder ext_commands. Run:
      mkdir $RTDIR/bin/ext_commands
    2. Put the script in $RTDIR/bin/ext_commands/ or in a folder under that location. The path and script name must not contain any spaces.
    3. Give the script executable permissions. Run:
      chmod +x <script_filename>
  3. In the SmartEvent GUI client Policy tab, in Automatic Reactions, Select Add > External Script.
  4. In the Add Automatic Reaction window:
    1. Give the automatic reaction object a significant Name.
    2. In Command line, enter the name of the script to run. Specify the name of the script that is in $RTDIR/bin/ext_commands/ directory. Use the relative path if needed. Do not specify the full path of $RTDIR/bin/ext_commands/.
    3. Select Save.
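
The following script is an added example of an External Script reaction; it is not Check Point's code, and the Guidelines for the script are not reproduced on this page, so it assumes that SmartEvent starts the script with the event details as command-line arguments (adapt it to the Guidelines for your release). The file name log_event.sh and the REACTION_LOG variable are hypothetical. The script only records what it receives: because the reaction runs on the SmartEvent Server with the server's privileges, event content such as a URL or a user name taken from a log is treated strictly as data and is never passed to eval or to another command line.

```sh
#!/bin/sh
# log_event.sh - illustrative External Script reaction (added example, not
# Check Point code). ASSUMPTION: SmartEvent starts the script with the event
# details as command-line arguments; adapt to the Guidelines for your release.
#
# Deployment follows the procedure above (run on the SmartEvent Server):
#   mkdir -p $RTDIR/bin/ext_commands
#   cp log_event.sh $RTDIR/bin/ext_commands/
#   chmod +x $RTDIR/bin/ext_commands/log_event.sh
# then enter  log_event.sh  in the reaction's Command line field.

# Where records go; REACTION_LOG is a hypothetical override used for testing.
REACTION_LOG="${REACTION_LOG:-${TMPDIR:-/tmp}/smartevent_reactions.log}"

# Remove control characters so event content cannot carry a newline that
# would forge an extra record in the log file.
sanitize() {
    printf '%s' "$1" | tr -d '\000-\037\177'
}

# Build one record: the argument count, then each argument in brackets.
# Arguments are only ever data here; they are never passed to eval, a
# sub-shell or another command line, so "$(id)" or ";" inside a log field
# stays inert text.
format_record() {
    out=""
    for arg in "$@"; do
        out="${out} [$(sanitize "$arg")]"
    done
    printf 'args=%s%s\n' "$#" "$out"
}

# Append a UTC-timestamped record to REACTION_LOG.
record_event() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(format_record "$@")" \
        >> "$REACTION_LOG"
}

record_event "$@"
```

Keep the script's path and name free of spaces, as the procedure requires, and review the log file rather than letting the script act on the event content; if a reaction must do more (for example, open a ticket), pass the sanitized values to that tool as separate arguments, never by building a command string.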

Guidelines for creating the script

Assigning an Automatic Reaction to an Event

You can add an Automatic Reaction for SmartEvent to run when this type of event is detected.

  1. Select the icon [...].
  2. Select an Automatic Reaction that you created from the list, or select Add new…. For details on how to create each type of Automatic Reaction, see Creating Automatic Reactions.
  3. Configure the Automatic Reaction.
  4. Select Save.
  5. Click OK.

Working Hours

Working Hours are used to detect unauthorized attempts to access protected systems and other forbidden operations after-hours. To set the Regular Working Hours for an event, select a Time Object that you have configured from the drop-down list.

To create a Time Object:

  1. From the Policy tab, select General Settings > Objects > Time Objects.
  2. Click Add.
  3. Enter a Name and Description.
  4. Select the days and times that are considered Regular Working Hours.
  5. Click OK.

To assign a Time Object to an event:

  1. From the Policy tab, select an event that requires a Time Object (for example, User Login at irregular hours in the Unauthorized Entry event category).
  2. Select the Time Object you created from the drop-down list.
  3. Select File > Save.

Exceptions

Exceptions allow an event to be configured independently for specific sources or destinations. For example, if the event Port Scan from Internal Network is set to detect an event when 30 port scans have occurred within 60 seconds, you can also define that two port scans detected from host A within 10 seconds of each other are also an event.

To manually add an exception, under the heading Apply the following exceptions, click Add and select the Source and/or Destination of the object to apply different criteria for this event.

Note - If you do not see the host object listed, you may need to create it in SmartEvent.

To modify or delete existing exceptions, select Edit or Remove, respectively.

Creating Event Definitions (User Defined Events)

To create a user-defined event you must have knowledge of the method by which SmartEvent identifies events. This section starts with a high level overview of how logs are analyzed to conclude if an event occurs or occurred.

High Level Overview of Event Identification

Events are detected by the SmartEvent Correlation Unit. The SmartEvent Correlation Unit scans logs for criteria that match an Event Definition.

SmartEvent uses these procedures to identify these events:

Matching a Log Against Global Exclusions

When the SmartEvent Correlation Unit reads a log, it first checks the log against all defined Global Exclusions. Global Exclusions (defined in Policy tab > Event Policy > Global Exclusions) direct SmartEvent to ignore logs that are not expected to contribute to an event.

If the log matches a Global Exclusion, it is discarded by the system. If not, the SmartEvent Correlation Unit starts to match it against each Event Definition.

Matching a Log Against Each Event Definition

Each Event Definition contains a filter which is comprised of a number of criteria that must be found in all matching logs. The criteria are divided by product: The Event Definition can include a number of different products, but each product has its own criterion.

Event Definition Criteria

To match the Event Definition "A", a log from Endpoint Security must match the Action, Event Type, Port, and Protocol values listed in the Endpoint Security column. A log from a Security Gateway must match the values listed in its column.

SmartEvent divides this procedure into two steps. The SmartEvent Correlation Unit first checks whether the Product value in the log matches one of the permitted Product values of an Event Definition.

If Log 1 does not contain a permitted Product value, the SmartEvent Correlation Unit compares the log against Event Definition "B", and so on. If the log matches no Event Definition, it is discarded.

Next, the SmartEvent Correlation Unit checks whether the log contains the product-specific criteria needed to match the Event Definition. For example: the product Endpoint Security generates logs that involve the Firewall, Spyware, Malicious Code Protection, and other components. The log carries this information in the Event Type field. If an event is defined to match Endpoint Security logs with the event type Firewall, an Endpoint Security log with Event Type "Spyware" fails the Event Definition filter. Other criteria can also be specified for the product.

In our example, Log 1 matched Event Definition "A" with a permitted Product value. The SmartEvent Correlation Unit then checks whether the log contains the criteria necessary for an Endpoint Security log to match.

Comparing Log Details with Event Definition

If the criteria do not match, the SmartEvent Correlation Unit continues to compare the log criteria to other event definitions.

Creating an Event Candidate

When a log matches the criteria, it is added to an Event Candidate. Event candidates let SmartEvent track logs until an event threshold is crossed, at which point an event is generated.

Event Candidate

Notes -

Each Event Definition can have multiple event candidates, each of which keeps track of logs grouped by equivalent properties. In the figure above, the logs that create the event candidate have a common Source value: they were dropped, blocked or rejected by a Firewall. They are grouped together because the Event Definition is designed to detect this type of activity originating from one source.

When a log matches the Event Definition but has properties different from those of the existing event candidates, a new event candidate is created and added to what can be thought of as the Event Candidate Pool.

New Event Candidate Added to the Pool

Note - SmartEvent creates a new event candidate for a log with a different source.

To illustrate further, consider an Event Definition that detects a high rate of blocked connections. SmartEvent tracks the number of blocked connections for each Firewall, and the logs of the blocked traffic at each Firewall form an event candidate. When the threshold of blocked-connection logs from a Firewall is surpassed, that Firewall's event candidate becomes an event. While this Event Definition creates one event candidate for each monitored Firewall, other Event Definitions can create many more.

A log joins an Event Candidate

The Event Candidate Pool is a dynamic environment: new logs are added, and older logs are discarded once they exceed an Event Definition's time threshold.

When a Candidate Becomes an Event

When a candidate becomes an event, the SmartEvent Correlation Unit forwards the event to the Event Database. Discovering an event does not mean that SmartEvent stops tracking the logs related to it. The SmartEvent Correlation Unit keeps adding matching logs to the event as long as they continue to arrive within the event threshold. Keeping the event open condenses what could appear as many instances of the same event into one, and provides accurate, up-to-date start and end times for the event.

Creating a User-Defined Event

To create New Event Definitions, right-click an existing Event Definition, or use the Actions menu:

Right Click | Actions Menu | Description
--- | --- | ---
New | New Custom Event | Launches the Event Definition Wizard, which lets you choose how to base the event: on an existing Event Definition, or from scratch.
Save As | Save Event As | Creates an Event Definition based on the properties of the highlighted Event Definition. When you select Save As, the system prompts you to save the selected Event Definition with a new name for later editing. Save As can also be accessed from the Properties window.

All User Defined Events are saved under Policy tab > Event Policy > User Defined Events. After an Event Definition exists, it can be modified through the Properties window, available by right-click and from the Actions menu.

Creating a New Event Definition

To create a User Defined Event based on an existing event:

  1. From the Actions menu, select New Custom Event.

    The Event Definition Wizard opens.

  2. Under Create an event:
    1. Select that is based on an existing event.
    2. Select an event that has properties equivalent to the event you want to create.
    3. Click Next.
  3. Name the Event Definition.
  4. Enter a Description.
  5. Select a Severity level.
  6. Click Next.
  7. Set which of these options generates the event:
    • A single log — Often sufficient to identify an event, such as a log from a virus scanner that reports that a virus was found.
    • Multiple logs — Required if the event can only be identified from a combination of logs, such as a High Connection Rate.

    Click Next.

  8. Examine the products that can cause this event.
  9. Select Next.
  10. Optional: Edit the product filters:
    • If you added a product, you can edit the filters for each product (Edit all product filters), or only those of the products you added (Edit only newly selected product filters).
    • If you did not add other products, edit the filters of the existing products (Yes) or skip this step (No, Leave the original files).

    Click Next.

  11. Edit or add the product filters for each product required by the Event Definition filter:
    1. Select the Log field from the available Log Field list.
    2. Click Add to edit the filter.
    3. Select whether the filter matches on All Conditions or Any Conditions.
    4. Double-click the Log field and select the values to use in the filter.

    Click Next.

  12. After you have defined the filters for each product, select values for these options to define how logs are processed:
    • Detect the event when at least __ logs occurred over a period of __ seconds contains the event thresholds that define the event. You can modify the event thresholds by altering the number of logs and/or the period of time that define the event.
    • Each event definition may have multiple Event Candidates existing simultaneously allows you to set whether SmartEvent creates distinct Event Candidates based on a field (or set of fields) that you select below.

      Select the field(s) by which distinct Event Candidates will be created allows you to set the field (or set of fields) that are used to differentiate between Event Candidates.

    • Use unique values of the __ field when counting logs directs SmartEvent to count unique values of the specified field when determining whether the Event Threshold has been surpassed. When this property is not selected, SmartEvent counts the total number of logs received.
  13. Click Finish.
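To make the matching pipeline described under High Level Overview of Event Identification and the Count logs settings of the wizard concrete, here is an added example, not Check Point code, that models a Correlation Unit in Python: Global Exclusions, per-product filters with All/Any Conditions, Event Candidates grouped by selected fields, a threshold over a time window, unique-value counting, and an event that stays open while matching logs keep arriving. All class names, field names and sample logs are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class EventDefinition:
    name: str
    product_filters: dict      # product -> [(log field, set of allowed values), ...]
    match_all: bool = True     # All Conditions (True) or Any Conditions (False)
    threshold: int = 1         # "Detect the event when at least __ logs occurred ..."
    window: int = 60           # "... over a period of __ seconds"
    group_by: tuple = ()       # fields by which distinct Event Candidates are created
    unique_field: str = None   # "Use unique values of the __ field when counting logs"

def excluded(log, global_exclusions):
    # A log matching any Global Exclusion is discarded before definitions are checked.
    return any(all(log.get(k) == v for k, v in ex.items()) for ex in global_exclusions)

def matches_definition(log, d):
    # Product must be permitted (an unlisted product yields no criteria), then the
    # product-specific criteria must match on All Conditions or Any Conditions.
    hits = [log.get(f) in ok for f, ok in d.product_filters.get(log.get("product"), [])]
    return bool(hits) and (all(hits) if d.match_all else any(hits))

class CorrelationUnit:
    def __init__(self, definitions, global_exclusions=()):
        self.definitions, self.exclusions = definitions, list(global_exclusions)
        # Event Candidate Pool: (definition, grouping values) -> its logs and open event
        self.pool = defaultdict(lambda: {"logs": [], "event": None})
        self.events = []

    def feed(self, log):
        """Process one log; return the events it created or extended (often none)."""
        touched = []
        if excluded(log, self.exclusions):
            return touched
        for d in self.definitions:
            if not matches_definition(log, d):
                continue
            key = (d.name, tuple(log.get(f) for f in d.group_by))
            cand = self.pool[key]
            cutoff = log["time"] - d.window   # logs older than the window leave the pool
            cand["logs"] = [x for x in cand["logs"] if x["time"] >= cutoff] + [log]
            if cand["event"] and cand["event"]["end"] < cutoff:
                cand["event"] = None          # the old event has closed; start afresh
            count = len({x[d.unique_field] for x in cand["logs"]} if d.unique_field else cand["logs"])
            if count < d.threshold:
                continue                      # candidate is tracked, threshold not crossed
            if cand["event"] is None:         # the candidate becomes an event
                cand["event"] = {"event": d.name, "key": key[1], "count": count,
                                 "start": cand["logs"][0]["time"], "end": log["time"]}
                self.events.append(cand["event"])
            else:                             # event stays open: one event, not many
                cand["event"].update(count=count, end=log["time"])
            touched.append(cand["event"])
        return touched

def run_demo():
    port_scan = EventDefinition("Port scan from internal network",
                                {"Firewall": [("action", {"drop", "reject"})]},
                                threshold=3, group_by=("src",), unique_field="dst_port")
    virus = EventDefinition("Virus found", {"Anti-Virus": [("action", {"detected"})]},
                            group_by=("src", "virus_name"))
    # Global Exclusion: the authorised vulnerability scanner never contributes to events
    cu = CorrelationUnit([port_scan, virus], global_exclusions=[{"src": "10.0.0.5"}])
    fw = lambda t, src, port: {"time": t, "product": "Firewall", "action": "drop",
                               "src": src, "dst_port": port}
    av = lambda t: {"time": t, "product": "Anti-Virus", "action": "detected",
                    "src": "10.0.0.9", "virus_name": "Sample.Worm.A"}
    for log in [fw(0, "10.0.0.5", 21), fw(1, "10.0.0.5", 22),   # constructed sample logs
                fw(10, "10.0.0.7", 22), fw(11, "10.0.0.7", 22),   # same port counts once
                fw(12, "10.0.0.7", 80), fw(13, "10.0.0.7", 443),  # 3rd unique port: event
                fw(14, "10.0.0.7", 8080),                         # joins the open event
                av(20), av(21),                                   # same src+name: one event
                fw(200, "10.0.0.7", 25)]:                         # window expired: no event
        cu.feed(log)
    return cu.events
```

Running run_demo() yields two events: one port scan from 10.0.0.7 (4 unique ports, open from time 10 to 14) and one virus event grouped by source and virus name; the scanner's logs and the late log outside the window produce none.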

To edit a user-defined event:

  1. From the Policy tab > Event Policy > User Defined Events, right-click a User-Defined Event and select Properties.
  2. In the tabs provided, make the necessary changes:
    • Name - Name the Event Definition, enter a Description and select a Severity level. The text you enter in the Description field shows in the Event Description area (below the event configurable properties).
    • Filter - To edit a product filter:
      1. Select the product.
      2. Select the Log field from the available Log Fields list.
      3. If the necessary field does not show, select Show more fields... to add a field to the Log Fields list.
      4. Click Add to edit the filter.
      5. Select if the filter matches on All Conditions or Any Conditions.
    • Count logs

      This screen defines how SmartEvent counts logs related to this event.

      • A single log — Often sufficient to identify an event, such as a log from a virus scanner that reports that a virus was found.

        With this option you can set the fields that are used to group logs into Event Candidates. Logs with matching values for these fields are added to the same event. For example: multiple logs that report a virus detected on the same source with the same virus name are combined into the same event.

      • Multiple logs — Required for events that identify an activity level, such as a High Connection Rate.

        When the event is triggered by multiple logs, set the behavior of Event Candidates:

        • Detect the event when at least... — Set the Event Threshold that, when exceeded, indicates that an event has occurred.
        • Select the field(s) by which distinct event candidates will be created — An event is generated by logs with the same values in the fields specified here. To define how logs are grouped into Event Candidates, select the related fields here.
        • Use unique values of the ... — Only logs with unique values for the fields specified here are counted in the event candidate. For example: a port scan event counts logs that include unique ports scanned; logs that contain ports already encountered in the event candidate do not increment the log count.
        • Advanced — Define the keep-alive time for the event, and how often the SmartEvent Correlation Unit updates the SmartEvent server with new logs for the created event.
    • Event Format

      When an event is generated, information about the event is presented in the Event Detail pane.

      This screen lets you specify whether each item of information is added to the Event Detail pane, and from which Log Field it is taken.

      To omit an item, clear it in the Display column; that Event Field is then not populated.

    • GUI representation

      All events can be configured. This screen lets you select which configuration parameters are shown.

      • The Threshold section shows the number of logs that must match to create the event. This is usually hidden for single-log events and shown for multiple-log events.
      • The Exclude section lets you specify the log fields that are shown when you add an event exclusion.
      • The Exception section lets you specify the log fields that are shown when you add an event exception.
  3. Click OK to save your changes.

Eliminating False Positives

This section shows you how to reduce false positives.

Services that Generate Events

Some types of services are characterized by a high quantity of traffic that can be misidentified as events. These are examples of services and protocols that can potentially generate events:

Common Events by Service

This table lists server types that commonly see high activity. To change the Event Policy, adjust the event thresholds and add Exclusions for these servers and services; this further reduces the number of false positives detected.

Common events by service

Server Type | Category | Event Name | Source | Dest | Service | Reason
--- | --- | --- | --- | --- | --- | ---
SNMP | Scans | IP sweep from internal network | Any | Any | SNMP-read | Hosts that query other hosts
DNS Servers | Scans | IP sweep from internal network | DNS servers | - | DNS | Inter-DNS servers updates
 | Denial of Service (DoS) | High connection rate on internal host on service | Any | DNS servers | DNS | DNS requests and inter-DNS servers updates
 | Anomalies | High connection rate from internal network | Any | Any | DNS | DNS requests and inter-DNS servers updates
 | Anomalies | High connection rate from internal network on service | Any | Any | DNS | DNS requests and inter-DNS servers updates
 | Anomalies | Abnormal activity on service | Any | Any | DNS | DNS requests and inter-DNS servers updates
NIS Servers | Scans | Port scan from internal network | NIS servers | Any | - | Multiple NIS queries
 | Denial of Service (DoS) | High connection rate on internal host on service | Any | NIS servers | NIS | NIS queries
 | Anomalies | High connection rate from internal network | Any | Any | NIS | NIS queries
 | Anomalies | High connection rate from internal network on service | Any | Any | NIS | NIS queries
 | Anomalies | Abnormal activity on service | Any | Any | NIS | NIS queries
LDAP Servers | Denial of Service (DoS) | High connection rate on internal host on service | Any | LDAP servers | LDAP | LDAP requests
 | Anomalies | High connection rate from internal network | Any | LDAP servers | LDAP | LDAP requests
 | Anomalies | High connection rate from internal network on service | Any | LDAP servers | LDAP | LDAP requests
 | Anomalies | Abnormal activity on service | Any | LDAP servers | LDAP | LDAP requests
HTTP Proxy Servers - Hosts To Proxy Server | Denial of Service (DoS) | High connection rate on internal host on service | Any | Proxy servers | HTTP:8080 | Hosts connections to Proxy servers
 | Anomalies | High connection rate from internal network | Any | Proxy servers | HTTP:8080 | Hosts connections to Proxy servers
 | Anomalies | High connection rate from internal hosts on service | Any | Proxy servers | HTTP:8080 | Hosts connections to Proxy servers
 | Anomalies | Abnormal activity on service | Any | Proxy servers | HTTP:8080 | Hosts connections to Proxy servers
HTTP Proxy Servers - Out to the Web | Scans | IP sweep from internal network | Proxy servers | Any | HTTP/ HTTPS | Proxy servers connections out to various sites
 | Denial of Service (DoS) | High connection rate on internal host on service | Proxy servers | Any | HTTP/ HTTPS | Proxy servers connections out to various sites
 | Anomalies | High connection rate from internal network | Proxy servers | Any | HTTP/ HTTPS | Proxy servers connections out to various sites
 | Anomalies | High connection rate from internal hosts on service | Proxy servers | Any | HTTP/ HTTPS | Proxy servers connections out to various sites
 | Anomalies | Abnormal activity on service | Proxy servers | Any | HTTP/ HTTPS | Proxy servers connections out to various sites
UFP Servers | Denial of Service (DoS) | High connection rate on internal host on service | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers
 | Anomalies | High connection rate from internal network | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers
 | Anomalies | High connection rate from internal hosts on service | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers
 | Anomalies | Abnormal activity on service | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers
CVP Servers Request | Denial of Service (DoS) | High connection rate on internal host on service | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers
 | Anomalies | High connection rate from internal network | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers
 | Anomalies | High connection rate from internal hosts on service | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers
 | Anomalies | Abnormal activity on service | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers
CVP Servers Replies | Scans | Port scans from internal network | CVP servers | Any | - | Multiple CVP replies to same GW
 | Scans | IP sweep from internal network | CVP servers | - | CVP | CVP replies to multiple GWs
 | Denial of Service (DoS) | High connection rate on internal host on service | CVP servers | Any | Any/CVP by vendor | CVP replies
 | Anomalies | High connection rate from internal network | CVP servers | Any | Any/CVP by vendor | CVP replies
 | Anomalies | High connection rate from internal hosts on service | CVP servers | Any | Any/CVP by vendor | CVP replies
 | Anomalies | Abnormal activity on service | CVP servers | Any | Any/CVP by vendor | CVP replies
UA Server Request | Denial of Service (DoS) | High connection rate on internal host on service | Any | UA servers | uas-port (TCP:19191 TCP:19194) | Connections to UA servers
 | Anomalies | High connection rate from internal network | Any | UA servers | (TCP:19191 TCP:19194) | Connections to UA servers
 | Anomalies | High connection rate from internal hosts on service | Any | UA servers | uas-port (TCP:19191 TCP:19194) | Connections to UA servers
 | Anomalies | Abnormal activity on service | Any | UA servers | uas-port (TCP:19191 TCP:19194) | Connections to UA servers
UA Servers Replies | Scans | Port scans from internal network | UA servers | Any | - | Multiple UA replies to the same computer
 | Scans | IP sweep from internal network | UA servers | Any | uas-port (TCP:19191 TCP:19194) | Multiple UA replies to multiple computers
 | Denial of Service (DoS) | High connection rate on internal host on service | UA servers | Any | uas-port (TCP:19191 TCP:19194) | UA replies
 | Anomalies | High connection rate from internal network | UA servers | Any | uas-port (TCP:19191 TCP:19194) | UA replies
 | Anomalies | High connection rate from internal hosts on service | UA servers | Any | uas-port (TCP:19191 TCP:19194) | UA replies
 | Anomalies | Abnormal activity on service | UA servers | Any | uas-port (TCP:19191 TCP:19194) | UA replies
SMTP Servers | Scans | IP sweep from internal network | SMTP servers | - | SMTP | SMTP servers connections out to various SMTP servers
 | Denial of Service (DoS) | High connection rate on internal host on service | SMTP servers | Any | SMTP | SMTP servers connections out to various SMTP servers
 | Anomalies | High connection rate from internal network | SMTP servers | Any | SMTP | SMTP servers connections out to various SMTP servers
 | Anomalies | High connection rate from internal hosts on service | SMTP servers | Any | SMTP | SMTP servers connections out to various SMTP servers
 | Anomalies | Abnormal activity on service | SMTP servers | Any | SMTP | SMTP servers connections out to various SMTP servers
Anti-Virus Definition Servers | Scans | IP sweep from internal network | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definitions updates deployment
 | Denial of Service (DoS) | High connection rate on internal host on service | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definitions updates deployment
 | Anomalies | High connection rate from internal network | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definitions updates deployment
 | Anomalies | High connection rate from internal hosts on service | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definitions updates deployment
 | Anomalies | Abnormal activity on service | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definitions updates deployment

System Administration

To maintain your SmartEvent system, you can do these tasks from the General Settings section of the Policy tab:

Save Event Policy

Modifications to the Event Policy do not take effect until saved on the SmartEvent server and installed to the SmartEvent Correlation Unit.

To enable changes made to the Event Policy:

  1. Click File > Save.
  2. Click Actions > Install Event Policy.

Revert Changes

You can undo changes to the Event Policy, if they were not saved.

To undo changes: click File > Revert Changes.

Adding Network and Host Objects

Certain objects from the Management server are added during the initial sync with the SmartEvent server and updated at a set interval. But it is useful (or necessary) to add other Network or Host objects, for these reasons:

These screens are locked until initial sync is complete:

You can make a device available to use in SmartEvent.

To make a device that is a host object available in SmartEvent:

  1. From the Policy tab, select General Settings > Objects > Network Objects > Add > Host.
  2. Give the device a significant name.
  3. Enter its IP Address or select Get Address.
  4. Select OK.

To make a device that is a network object available in SmartEvent:

  1. From the Policy tab, select General Settings > Objects > Network Objects > Add > Network.
  2. Give the network a significant name.
  3. Enter the Network Address and Net Mask.
  4. Select OK.

See Defining the Internal Network for information about how to add objects to the Internal Network definition.

Defining the Internal Network

To help SmartEvent conclude if events originated internally or externally, you must define the Internal Network. These are the options to calculate the traffic direction:

To define the Internal Network:

  1. From the Policy tab, select General Settings > Initial Settings > Internal Network.
  2. Add internal objects.

    We recommend you add all internal Network objects, and not Host objects.

Some network objects are copied from the Management server to the SmartEvent Server during the initial sync and updated afterwards.

These screens are locked until initial sync is complete:

SmartEvent High Availability Environment

The SmartEvent database keeps a synchronized copy of management objects locally on the SmartEvent Server. This process, dbsync, allows SmartEvent to work independently of different management versions and different management servers in a High Availability environment.

Management High Availability capability exists for Security Management Servers, and in a Multi-Domain Security Management environment, dbsync supports High Availability for the Multi-Domain Servers and the Domain Servers.

How it works

Dbsync initially connects to the management server with which SIC is established. It retrieves all the objects. After the initial synchronization it gets updates when an object is saved. Dbsync registers all the High Availability management machines and periodically tests the connectivity with the newest management server. If connectivity is lost, it attempts to connect to the other High Availability management servers until it finds an active one and connects to it.

If two management servers are active concurrently, dbsync stays connected to one management server. Dbsync does not get changes made on the other management server until a synchronization operation is done.

Log Server High Availability

In SmartConsole, you can configure a Security Gateway so that, when it fails to send its logs to one Log Server, it sends them to a secondary Log Server. To support this configuration, you can add both Log Servers to a single SmartEvent Correlation Unit. In this way, the SmartEvent Correlation Unit gets an uninterrupted stream of logs from both servers and continues to correlate all logs.

SmartEvent Correlation Unit High Availability

Multiple correlation units can read logs from the same Log Servers, so that the units provide redundancy if one of them fails. The events that the correlation units detect are duplicated in the SmartEvent database, but these duplicates can be disambiguated by filtering on the Detected By field in the Event Query definition. The Detected By field specifies which SmartEvent Correlation Unit detected the event.

If the SmartEvent Server becomes unavailable, the correlation units keep the events until it can reconnect with the SmartEvent Server and forward the events.