Event Analysis

In This Section: Event Analysis with SmartEvent What is an Event? Sample Application & URL Filtering Event Analysis The SmartEvent Solution Working with SmartEvent

Event Analysis with SmartEvent

The SmartEvent Software Blade is a unified security event management and analysis solution that delivers real-time, graphical threat management information. SmartConsole, SmartView Web Application, and the SmartEvent GUI client consolidate billions of logs and show them as prioritized security events so you can immediately respond to security incidents, and do the necessary actions to prevent more attacks. You can customize the views to monitor the events that are most important to you. You can move from a high level view to detailed forensic analysis in a few clicks. With the free-text search and suggestions, you can quickly run data analysis and identify critical security events.

What is an Event?

An event is a record of a security incident. It is based on one or more logs, and on rules that are defined in the Event Policy.

An example of an event that is based on one log: A High Severity Anti-Bot event. One Anti-Bot log with a Severity of High causes the event to be recorded.

An example of an event that is based on more than one log: A Certificate Sharing event. Two login logs with the same certificate and a different user cause the event to be recorded.

How Are Logs Converted to Events?

SmartEvent automatically defines logs that are not Firewall, VPN, or HTTPS Inspection logs, as events.

Events that are based on a suspicious pattern of two or more logs, are created by the SmartEvent Correlation Unit. These correlated events are defined in the SmartEvent client GUI, in the Policy tab.

Most logs are Firewall, VPN and HTTPS inspection logs. Therefore, SmartEvent does not define them as events by default to avoid a performance impact on the SmartEvent Server. However, enabling consolidated events for Firewall saves disk space so and makes it possible to keep a longer event history. To create events for Firewall, in the SmartEvent Policy tab, enable Consolidated Sessions > Firewall Session.

Sample Application & URL Filtering Event Analysis

To show an Internet browsing event:

1. In the Logs & Monitor view of SmartConsole or the SmartView Web Application, open the General Overview.
2. In the Query search bar, select the time period. For example: Past 24 Hours

   The events of this time period show.

3. In Timeline View, click a circle below High Risk Attacks.

This is an example log of a High Risk event.

Information about the event:

• In the User column, five users tried to access the VTunnel web proxy.
• VTunnel is classified as a High security risk. It is a Web proxy site that lets users go to websites anonymously.
• The names of the five users that tried to go to the VTunnel website are shown.

The SmartEvent Solution

In This Section: The SmartEvent Architecture SmartEvent Correlation Unit The SmartEvent GUI The SmartView Web Application

The SmartEvent Architecture

SmartEvent has some components that work together to help track down security threats and make your network more secure.

This is how they work together. The numbers refer to the diagram:

• SmartEvent Correlation Unit (3) analyzes log entries on Log Servers (2).
• SmartEvent Server (4) contains the Events Database (5).
• The SmartEvent and SmartConsole clients (6) manage the SmartEvent Server.

Item	Description	Purpose
		Log data flow
		Event data flow
1	Check Point Security Gateway	Sends logs to the Log Server.
2	Log Server	Stores logs.
3	SmartEvent Correlation Unit	Identifies events: Analyzes each log entry from a Log Server, and looks for patterns according to the installed Event Policy. The logs contain data from Check Point products and certain third-party devices. When a threat pattern is identified, the SmartEvent Correlation Unit forwards the event to the SmartEvent Server.
4	SmartEvent Server	Receives the items that are identified as events by the SmartEvent Correlation Unit. The SmartEvent Server does further analysis to determine the severity level of the event and what action to do. The event is stored in the system database.
5	Events database	Stores events. Located on the SmartEvent Server.
6	SmartEvent client	Shows the received events. Uses the clients to manage events (for example: to filter and close events), fine-tunes, and installs the Event Policy. The clients are: SmartConsole SmartEvent GUI SmartView Web Application

The SmartEvent components can be installed on one computer (that is, a standalone deployment) or multiple computers and sites (a distributed deployment). To handle higher volumes of logging activity, we recommend a distributed deployment. You can install more than one SmartEvent Correlation Unit. Each SmartEvent Correlation Unit can analyze logs from more than one Log Server or Domain Log Server.

SmartEvent Correlation Unit

The SmartEvent Correlation Unit analyzes the log entries and identifies events from them. During analysis, the SmartEvent Correlation Unit does one of these actions:

• Marks log entries that are not stand-alone events, but can be part of a larger pattern to be identified later.
• Takes a log entry that meets one of the criteria set in the Events Policy, and generates an event.
• Takes a new log entry that is part of a group of items. Together, all these items make up a security event. The SmartEvent Correlation Unit adds it to an ongoing event.
• Discards log entries that do not meet event criteria.

The SmartEvent GUI

The SmartEvent GUI is one of the SmartEvent clients that you can use to analyze events that occur in your environment.

Overviews:

The Overview tab shows top events of all types. When you work with a protection type, you can go directly to the data for that area.

Click the tab for events filtered by Software Blade:

• Application and URL Filtering
• Threat Prevention (IPS, Anti-Bot, Anti-Virus, and Threat Emulation)
• DLP (Data Loss Prevention)

Drill down forensics:

Double-click a result in a pane (such as an IP address or a user name). The other Overview panes are filtered for the selection. The search bar shows the filter applied to the events. For example, if you click one of the Top Sources, the search bar shows: src:"<ip_address>".

Quickly search the database of logs and events:

Use Search Suggestions and Recent Searches. Click in the search bar to see the search suggestions and your recent searches. The search is fast, and the results are from the event database.

For example, to see only important events from 192.168.2.15:

1. Click the Search bar.
2. Select Severity in the Suggestions list.
3. In the list of valid values that shows, click Critical.
4. Click in the Search bar.
5. Select Source in the Suggestions list.
6. If the required IP address not in the list, enter it in the search bar.

   The data in all the panes is updated to match your search.

Filter for standard results:

Click Filters to select a standard filter option. For example, in Application and URL Filtering, you can filter to see only events of Application Control or only events of URL Filtering. You can filter for Action, to see events for Blocked or Allowed traffic.

Free-text search using the log search syntax:

For more sophisticated searching, you can do AND/OR searches with the Query Syntax.

The SmartView Web Application

The SmartView Web Application is one of the SmartEvent clients that you can use to analyze events that occur in your environment. Use the SmartView Web Application to see an overview of the security information for your environment. It has the same real-time event monitoring and analysis views as SmartConsole. The convenience is that you do not have to install a client.

To log in to SmartEvent using SmartView Web Application:

Browse to
https://<Security Management Server IP Address>/smartview/
or
https://<Security Management Server host name>/smartview/

Note - The URL is case sensitive.

Working with SmartEvent

In This Section: Opening the SmartEvent GUI Client Working with Queries Investigating Events Configuring Event Definitions in the SmartEvent Policy Tab System Administration SmartEvent High Availability Environment

Opening the SmartEvent GUI Client

To open the SmartEvent GUI client:

1. Open SmartConsole > Logs & Monitor.
2. Click (+) for a new Catalog tab.
3. Click SmartEvent Settings & Policy.

Working with Queries

SmartEvent uses filtered event views, called queries, to identify and show relevant events. Event window information, timelines, graphs, and reports are based on queries that identify potentially dangerous events and event patterns. You use this information to adjust your Security Policies and protection settings in response to detected threats.

Event Queries in SmartEvent

SmartEvent uses filtered event views, called queries, to define the events to view. Located in the Queries Tree, these queries filter and organize event data for display in the Events, Charts and Maps tabs. Queries are defined by filter properties and charts properties. Filter properties allow you to define what type of events to display and how they should be organized. Charts properties allow you to define how the filtered event data should be displayed in chart form.

Predefined Queries

SmartEvent provides a thorough set of predefined queries, which are appropriate for many scenarios.

Queries are organized by combinations of event properties, for example:

• Threat Prevention, which includes queries of Threat Prevention events, including IPS events.
• Ticketing, such as ticket State.
• More > By IP, either the Source or Destination IP address.
• More > By Severity, such as Critical, High, and Medium.

Custom Queries

SmartEvent gives you the flexibility to define custom queries that show the most related events and trends. After you define custom queries, you can organize them into folders. That way, they are easy to find and use.

Use your queries to:

• Show an overview of events with specified characteristics in the Events tab.
• Generate reports to analyze specified events and trends in the Reports tab.

Customizing Query Filters

You can work with queries in the Events windows. To learn about procedures and to work with report queries, see the Reports section.

To change query filter properties:

1. In SmartEvent, click Events.
2. In the tree, right-click the query and select Options > Properties > Event Query Properties.
3. In the Query Properties window, configure the query.

To clear filter values from a query:

1. In the tree, right-click the query and select Options > Properties > Events Query Properties.
2. In the In Use list, right-click the value in the Filter column and select Clear Filter.

   This filter value changes into Any.

Event Query Properties window - Actions

• Use the Add and Remove buttons to select criteria fields to include in your query.
• Selected criteria show in the In Use list. Deselected criteria show in the Ignored list. You can enter text in the Search Fields box to highlight matching text strings in criteria fields.
• Click the Filter column to define filter criteria. Select or enter criteria values in the window that opens.
• The window type and data entry procedures are different for each criterion type. The default value is Any.
• Optional: Clear the Show option. The criterion column does not show in the Event pane.
• In this case, the criterion filter applies to the query, but the column does not show. By default, the Show option is selected for all criteria.

  Note - If you clear the Show option for a criterion that does not have a filter applied, that criterion automatically moves to the Ignored list. This action is equivalent to the use of the Remove button.

• Optional: Select a field in the In Use list and click Group.
• This shows events with the same field value below a collapsible summary line. This option works best when you select only one criteria field.
• Use the Up and Down buttons to change the criteria column sequence in the Event List.

Optional: Define these additional query settings:

• When running the query prompt for - Select this option to require users to enter, or select a filter value at run time. Select a filter criterion from the list. When enabled, the query shows a Filter window and the user must select or enter the filter value. This makes the query more dynamic, and lets the user to specify values each time the query is run.
• Auto refresh query every 60 seconds - The query automatically updates the Event List at 60 second intervals. This option is cleared by default.
• Run query on OK - The query automatically updates the Event List after you complete the definition and click OK. This option is selected by default.
• Use existing value from the toolbar - Shows only the number of events as defined in the Show up to # toolbar field. This option is selected by default.
• Return maximum of X events per query - Shows only the number of events defined it this field. SmartEvent ignores the value in the Show up to # toolbar field.

Creating Custom Queries

You can create a custom query from scratch in the Custom folder or based on an existing query.

To create a custom query based on the default query:

1. In SmartEvent, click Events.
2. In the Selector tree, right-click on the Custom folder and select New.
3. Enter a name for the custom query.

To create a custom query based on an existing query:

1. Right-click an existing query and select Save As.
2. Enter a name for the new query.
3. To save the query with the Time frame setting from the Events list:
   1. Click More.
   2. Select the Save time frame option.
4. Click Save.

Event Query Results in SmartEvent

The Events tab is the primary part of SmartEvent.

These are the components of the Events tab:

Item	Description
1	Query Tree - Double-click a query to run the query. The results show in the event List.
2	Event Statistics pane - Shows the top events, destinations, sources and users of the query results, either as a chart or in a tallied list.
3	Event List - Shows events generated by a query.
4	Event Preview Pane - Shows the details of the selected event

Event List

The SmartEvent Event List in SmartConsole and in the SmartEvent GUI can show up to 100,000 events. The events shown are the result of a query that ran on the Event Database. To run a different query, double-click a query in the Selector tree. The Event List show the events that match the criteria of the query.

The Event List is where detected events can be filtered, sorted, grouped, sent for review, and exported to a file. This helps to understand your network security status. Event details, such as Start and End Time, Event Name and Severity, are shown in a grid. In the Status bar at the bottom of the SmartConsole and SmartEvent client window, Number of records in view shows a count of new events. Refresh retrieves the data from the database according the active query filter.

The details of an event provide important specifics about the event: Type of event, origin, service, and number of connections. To access event details, double-click the event or show the Event Preview Pane.

Queries are built with default settings that can be changed directly in the Events tab to provide more specified or more comprehensive results.

• The time frame Last... selection lets you select the period of time for which events are shown.
• The Event number selection sets the number of events that show from the query (default is 5,000 events). Up to 100,000 events can be shown and managed at one time.
• The Group By selection is useful to:
  • Divide data by specified criteria.
  • Immediately show the number of events for each grouping.

Filtering Events

After you run a query, you can right-click a column and define the filter parameters to filter the event data. This temporarily includes the filter in the active query and runs the query again against the database to return the matching values.

A green filter icon at the top of a column indicates that a filter is applied to that field. To save the new set of filters as a custom query, select Save from the File menu. To discard the filters that was not saved, run the query again.

To use filters with query results:

• To change the filter criteria, right-click on a column header and select Edit Filter.
• To remove events that have any specific field value, right-click on the value and select Filter out.
• To include only events that have a specific field value, right-click on the value and select Follow.
• To remove the extra conditions you have applied, right-click the filter and select Clear Filter.

Sorting and Searching Events

Running a query can return thousands of matching events. To help you organize the events that have already been returned by the query, click a column header to sort these events

To look for events with specified values, enter values in the Search field. When you search for multiple values, with commas that separate the values, the events that contain the search values return. But the values can be in all event fields. The search can be made case-sensitive or can search data that does not show in columns.

Grouping Events

One of the most powerful ways to analyze event data: To group the data based on the specified columns, and use the Group By button on the toolbar. Group the events by one or more columns. The Event List shows the number of matching events in those groups, presented in descending sequence.

To specify the default grouping that a query uses, mark fields as Grouped in the Events Query Properties window.

The top line of each group in the Event List shows a summary of the events that it contains. Hover over a field in the top line to see details of what data that field contains in this group events.

To group events by one or more fields:

• Click Group By in the toolbar and select the field to group events.
• Click Group By in the toolbar and select More Fields. In the Group By window select one or more field to use to group events.
• Right-click the column in the Event List to use to group events and select Group By This Column.

  To add a column for grouping: In the Event List, right-click the column to use to group events and select Add this Column to the Group.

To remove fields from the grouping:

• Click Ungroup in the toolbar to remove all grouping.
• Click Group By in the toolbar and select More Fields. In the Group By window, remove one or more field from grouping.
• Right-click on the column in the Event List to remove from the grouping and select Remove Column from Group.

Sending an Event

Use event information to show a sign of a security attack or vulnerability that needs to be resolved. For example, another member of your security team can review an event as a sign of an attack. When you report events to Check Point it helps Check Point to improve the IPS technology to detect new threats in an ever-changing security environment. From the Event List: Send event details as an email with your default email client, or send the event details to Check Point over a secure SSL connection.

To send an event with an email:

1. Select the event in the Event List.
2. Right-click on the event and select Send event by Email.

   A new email opens with your default email client. The event information is included in the body of the email.

To report an event to Check Point:

1. Select the event in the Event List.
2. Right-click on the event and select Report Event to Check Point.
3. Include the Event Details only, or include the Packet Capture related to the event.

   Only the event information is sent to Check Point over a secure SSL connection. The data is kept confidential. Check Point uses the information only to improve IPS.

Exporting Events to a File

The Event tab in the SmartEvent GUI can contain thousands of events. Export the events into a text file to review or manipulate the data with external applications. For example: A spreadsheet or text editor.

To export events to a comma-delimited (csv) file:

1. Open SmartConsole > Logs & Monitor.
2. Click (+) for a Catalog (new tab).
3. Click SmartEvent Settings & Policy.
4. Go to the Events tab.
5. From the File menu, select Export to a CSV File.
6. Save the file.

Event Statistics pane

The Event List in the Events tab is accompanied by charts displaying the Top Events, Top Sources, Top Destinations and Top Users for the active query. These statistics are automatically updated as filters are applied to the Event List.

You can filter in or out any value in the Event Statistics Pane to focus the query results on the data that is most important to you. Filtering in the Event Statistics pane is also reflected in the Event List, and clearing filters from the Event Statistics Pane clears all filters that have been applied to the query.

• To remove events that have any specific field value, right-click on the value and select Filter out.
• To include only events that have a specific field value, right-click on the value and select Follow.

To remove the extra conditions you have applied, click on the Clear Filter icon.

Event Details

See the details of an event from the Preview Pane in the Events tab or by double-clicking on the event in the Event List. The Event Details window has two tabs with different data:

• Summary tab - Shows a brief summary of the event in a user-friendly format.
• Details tab - Shows the full, technical details of the event.

These options are available from the Event Details window:

• Copy - Copies the event details to the Windows Clipboard.
• Actions - Actions that you can do that are related to this log. They include:
  • Edit Ticket - Lets you set the state of the event and add a comment.
  • Add Comment - Lets you add a quick comment about the event without changing the state or owner.
• Blade Specific Menu - For example, IPS or Application Control. This menu has different options depending on the Software Blade that is related to the event.
• Previous displays the event that appears before the current event in the Event List.
• Next displays the event that appears after the current event in the Event List.

Details Tab

The Details tab includes:

• Details about the Software Blade and rule that caused the event.
• Ticketing information for the event - Use this to track activity related to the event.
• General Event Information - Includes the severity for the event and a unique ID.
• Traffic Information - Where the event originated, its destination, and the size of the data in bytes.
• Event Detection - How and when the event was detected and by which Security Gateway.
• More - Additional information related to the connections involved in the event and the source.

Summary Tab

The Summary tab includes:

• The source of the activity. If Identity Awareness is enabled, this can be the user name.
• A brief description of the event.
• The action taken on the event.
• The time of the event.
• Other important data related to the event.

Browse Time

The Browse Time feature keeps track of the total time that users are connected to different sites and applications. R76 and later Security Gateways calculate the cumulative connection time for each session and periodically updates this value until the session is closed.

Browse time is calculated as follows:

• Total browse time is calculated for each site from the first HTTP request to the last HTTP response. Idle time of more than two minutes is not included in the browse time.
• The minimum calculated time is two minutes. Any connection of less than two minutes is rounded up to two minutes. However, browse time for each user does not include time spent at more than one site simultaneously. For example, if a user connects to google.com and facebook.com at the same time, only one site is included in the browse time calculation.

Investigating Events

After you arrange the events as you like in the Event List, you can investigate their details and evaluate if they represent a threat.

Tracking Event Resolution using Tickets

Events can be categorized and assigned to administrators to track their path through the workflow of resolving threats. When administrators review an event, they can assign it a status, such as Investigation in Progress, Resolved, or False Alarm; add comments that detail the actions that have been taken with respect to the event. This process is called Ticketing.

After administrators edit the ticket, they can use queries to track the actions taken to mitigate security threats and produce statistics based on those actions.

• To edit an Event Ticket, open the event and click Edit Ticket.

Editing IPS Protection Details

When you review events generated from the IPS blade, review the IPS protections and profiles to understand why an event was generated or attempt to change the way the traffic is handled by the IPS blade.

The IPS menu presents actions that are specific to IPS events. These actions include:

• Go to Protection - opens the SmartConsole to the IPS protection which triggered the event.
• Go to Advisory - opens the Check Point Advisory article which provides background information about the IPS protection.
• Protection description - opens a detailed description of the IPS protection.

Packet Capture

If a log has related packet captures, you can open a packet viewer to see the contents of the captured packet. To examine this more, save the packet capture to a file.

To use the Packet Capture feature, you must activate blades.

To activate blades:

1. In a Security Management Server deployment, activate the Logging & Status Software Blade on the Security Management Server.
2. In a Multi-Domain Security Management deployment:
   1. Connect to SmartConsole for the Domain Server.
   2. In the Gateways & Servers tab, double-click the Domain Server object.
   3. In the General pane, select SmartEvent.

To see a packet capture:

1. In the SmartEvent Events tab, right-click the event in the Event List pane.
2. Select Additional Information > View packet capture from the Options menu.

   The Packet Capture Viewer Output window opens.

3. Optional: Click Save to save the packet capture data as a text file.
4. Optional: Select Actions > Packet Capture Configuration to define an application in which to see packet capture information.

   The options are:

   • The SmartEvent Internal Viewer.
   • A windows program related to this file type.
   • To select a program, enter the program executable file name, and required arguments.

Using Custom Commands

The SmartEvent client provides a convenient way to run frequently used command line executables that help you to examine events. Right-click cells in the Event List that refer to an IP address to show the default list of commands in the context-sensitive menu.

These commands are available by default: ping, whois, nslookup and Telnet. The IP address of the active cell is used as the destination of the command when run. Therefore, the commands show by design only on cells that refer to IP addresses, because t

For example: Right-click a cell with an IP address and select the default ping command. A window opens and three ICMP packets are sent to that address. This behavior is configurable. You can add your own custom commands.

To add (or edit) custom commands:

1. In the SmartEvent GUI, select Actions > Configure Custom Commands.
2. To add a command, select Add...
3. Optional: To edit a command, highlight the command and select Edit.
4. Enter the text to appear in the right-click context menu.
5. Enter the command to run, and any arguments.
6. Configure the command to run in a SmartEvent window or in a separate Windows command window.
7. Select if the command will appear in the context menu only when you right-click in cells with IP address data.
8. Click OK.

Configuring Event Definitions in the SmartEvent Policy Tab

Use the Policy tab of the SmartEvent GUI client to configure and customize the events that define the SmartEvent Event Policy.

Policy Tab

Define the Event Policy in the Event Policy tab. Most configuration steps occur in the Policy tab. You define system components, such as SmartEvent Correlation Unit, lists of blocked IP addresses and other general settings.

The types of events that SmartEvent can detect are listed here, and sorted into a number of categories. To change each event, change the default thresholds and set Automated Responses. You can also disable events.

The Policy tab has these sections:

• Selector Tree - The navigation pane.
• Detail pane - The settings of each item in the Selector Tree.
• Description pane - A description of the selected item.

After the SmartEvent client starts to show events, do these procedures:

• Fine-tune the Event Policy
• Change the existing Event Definition to see the events that interest you
• Create new Event Definitions to see the events that are not included in the existing definitions

Save Event Policy

Modifications to the Event Policy do not take effect until saved on the SmartEvent server and installed to the SmartEvent Correlation Unit.

To enable changes made to the Event Policy:

1. Click File > Save.
2. Click Actions > Install Event Policy.

Revert Changes

You can undo changes to the Event Policy, if they were not saved.

To undo changes: click File > Revert Changes.

Modifying Event Definitions

SmartEvent constantly takes data from your Log Servers, and searches for patterns in all the network chatter that enters your system.

Depending on the levels set in each Event Definition, the number of events detected can be high. But only a portion of those events can be meaningful. You can change the thresholds and other criteria of an event, to reduce the number of false alarms.

To change Event Definitions:

1. Select a type of event from one of the Event Policy categories.
2. Adjust the Event Definitions. The elements that can be modified vary per event definition. Some event types include all; others have just one or two of these configurable elements.
3. To save the Event Policy, click File > Save.
4. From the Actions menu, click Install Event Policy.

Event Definitions and General Settings

The Selector tree is divided into two branches: Event Policy and General Settings. The events detectable by SmartEvent are organized by category in the Event Policy branch. Select an event definition to show its configurable properties in the Detail pane, and a description of the event in the Description pane. Clear the property to remove this event type from the Event Policy the next time the Event Policy is installed.

The General Settings branch contains Initial Settings. For example: To define SmartEvent Correlation Unit, which is typically used for the initial configuration. Click a General Settings item to show its configurable properties in the Detail pane.

For details on specified attacks or events, refer to the Event Definition Detail pane.

Event Definition Parameters

When an event definition is selected, its configurable elements appear in the Detail pane, and a description of the event is displayed in the Description pane. These are the usual types of configurable elements:

• Thresholds, such as Detect the event when more than x connections were detected over y seconds
• Severity, such as Critical, Medium, Informational, etc.
• Automatic Reactions, such as Block Source or run External Script
• Exceptions, such as Apply the following exceptions
• Time Object, such as to issue an event if the following occurs outside the following Working Hours

Not all of these elements appear for every Event Definition. After you install and run SmartEvent for a short time, you will discover which of these elements need to be fine-tuned per Event Definition.

For configuration information regarding most objects in General Settings, see System Administration.

Event Threshold

The Event Threshold allows you to modify the limits that, when exceeded, indicates that an event has occurred. The limits typically are the number of connections, logs, or failures, and the period of time in which they occurred. It appears thus:

Detect the event when more than x connections/logs/failures (etc.) were detected over a period of y seconds.

To decreasing the number of false alarms based on a particular event, increase the number of connections, logs or failures and/or the period of time for them to occur.

Severity

An event severity affects in which queries (among those that filter for severity) this type of event will appear.

To modify the severity of an event, select a severity level from the drop-down list.

Automatic Reactions

When detected, an event can activate an Automatic Reaction. The SmartEvent administrator can create and configure one Automatic Reaction, or many, according to the needs of the system.

For example: A Mail Reaction can be defined to tell the administrator of events to which it is applied. Multiple Automatic Mail Reactions can be created to tell a different responsible party for each type of event.

To create an automatic reaction:

1. Create an automatic reaction object in the Event definition, or from General Settings > Objects > Automatic Reactions.
2. Assign the Automatic Reaction to an event (or to an exception to the event).
3. To save the Event Policy, click File > Save
4. To install the Event Policy on the SmartEvent Correlation Unit, click Actions > Install Event Policy.

These are the types of Automatic Reactions:

• Mail - tell an administrator by email that the event occurred. See Create a Mail Reaction.
• Block Source - instruct the Security Gateway to block the source IP address from which this event was detected for a configurable period of time . Select a period of time from one minute to more than three weeks. See Create a Block Source Reaction
• Block Event activity - instruct the Security Gateway to block a distributed attack that emanates from multiple sources, or attacks multiple destinations for a configurable period of time. Select a period of time from one minute to more than three weeks). See Create a Block Event Activity Reaction.
• External Script - run a script that you provide. See Creating an External Script Automatic Reaction to write a script that can exploit SmartEvent data.
• SNMP Trap - generate an SNMP Trap. See Create an SNMP Trap Reaction.

  You can send event fields in the SNMP Trap message. The format for such an event field is [seam_event_table_field]. This list represents the possible seam_event table fields:

  AdditionalInfo varchar(1024)

  AutoReactionStatus varchar(1024)

  Category varchar(1024)

  DetectedBy integer

  DetectionTime integer

  Direction integer

  DueDate integer

  EndTime integer

  EventNumber integer

  FollowUp integer

  IsLast integer

  LastUpdateTime integer

  MaxNumOfConnections integer

  Name varchar(1024) ,NumOfAcceptedConnections integer

  NumOfRejectedConnections integer

  NumOfUpdates integer

  ProductCategory varchar(1024)

  ProductName varchar(1024)

  Remarks varchar(1024)

  RuleID varchar(48)

  Severity integer

  StartTime integer

  State integer

  TimeInterval integer

  TotalNumOfConnections varchar(20)

  User varchar(1024)

  Uuid varchar(48)

  aba_customer varchar(1024)

  jobID varchar(48)

  policyRuleID varchar(48)

These sections tell how to add an Automatic Reaction to an event:

Creating Automatic Reactions

You can create Automatic reaction from:

• The Policy tab: Select General Settings> Object > Automatic Reactions
• In an Event Definition: Select the icon […] and click Add New.

The first step for each of the next procedures assumes that you are at one of the starting points above.

Creating a Mail Reaction

1. Select Add > Mail.
2. Give the automatic reaction a significant name.
3. Fill out the Mail Parameters of From, To and cc.
4. To add multiple recipients, separate each email address with a semi-colon.

   Note - the Subject field has the default variables of [EventNumber] - [Severity] - [Name]. These variables automatically adds to the mail subject the event number, severity and name of the event that triggered this reaction. These variables can be removed at your discretion.

5. Optional: Include your own standard text for each mail reaction.
6. Enter the domain name of the SMTP server.
7. Select Save.

Creating an SNMP Trap Reaction

1. Select Add > SNMP Trap.
2. Give the automatic reaction a significant name.
3. Fill out the SNMP Trap parameters of Host, Message, OID and Community name.

   The command send_snmp uses values that are found in the file chkpnnt.mib, in the directory $CPDIR/lib/snmp/. An OID value used in the SNMP Trap parameters window must be defined in chkpnnt.mib, or in a file that refers it. If the OID field is left blank, the value is determined from iso.org.dod.internet.private.enterprises.checkpoint.products.fw.fwEvent = 1.3.6.1.4.1.2620.1.1.11.

   When the automatic reaction occurs, the SNMP Trap is sent as a 256 byte DisplayString text. But, if the OID type is not text, the message is not sent.

4. Select Save.

Creating a Block Source Reaction

1. Select Add > Block Source.
2. Give the automatic reaction a significant name.
3. From the drop-down list, select the number of minutes to block this source.
4. Select Save.

Creating a Block Event Activity Reaction

1. Select Add > Block Event Activity.
2. Give the automatic reaction a significant name.
3. From the drop-down list, select the number of minutes to block this source.
4. Select Save.

Creating an External Script Automatic Reaction

To add an External Script:

1. Create the script. See the Guidelines for creating the script below.
2. Put the script on the SmartEvent Server:
   1. In $RTDIR/bin, create the folder ext_commands. Run:
      mkdir $RTDIR/bin/ext_commands
   2. Put the script in $RTDIR/bin/ext_commands/ or in a folder under that location. The path and script name must not contain any spaces.
   3. Give the script executable permissions. Run:
      chmod +x <script_filename>
3. In the SmartEvent GUI client Policy tab, in Automatic Reactions, Select Add > External Script.
4. In the Add Automatic Reaction window:
   1. Give the automatic reaction object a significant Name.
   2. In Command line, enter the name of the script to run. Specify the name of the script that is in $RTDIR/bin/ext_commands/ directory. Use the relative path if needed. Do not specify the full path of $RTDIR/bin/ext_commands/.
   3. Select Save.

Guidelines for creating the script

• Run the script manually and make sure it works as expected
• Make sure the script runs for no longer than 10 minutes, otherwise it will be terminated by the SmartEvent Server.
• Use the event fields in the script:

  To refer to the event in the script, define this environment variable:

  EVENT=$(cat)

  and use $EVENT

  Use line editor commands like awk or sed to parse the event and refer to specific fields. You can print the $EVENT one time to see its format.

  --------------------------------------------------------------------------------------------------

  The format of the event content is a name-value set – a structured set of fields that have the form:

  (name: value ;* );

  where name is a string and value is either free text until a semicolon, or a nested name-value set.

  The following is a sample event:

  (Name: Check Point administrator credential guessing; RuleID:
{F182D6BC-A0AA-444a-9F31-C0C22ACA2114}; Uuid:
<42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0;
StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime:
16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600;
MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy: 2886735150;
Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States;
hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source:
(hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United
States) ; Severity: Critical; EventNumber: EN00000184; State: 0;
NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;

  --------------------------------------------------------------------------------------------------

  If you need to refer to more fields, you can add them to the event:

  1. In the SmartEvent GUI client, in the Policy tab, right click the event, and select Properties > Event Format tab
  2. In the Display column, select the Event fields to have in the Event.
  3. Install the Event Policy on the SmartEvent Correlation Unit.

Assigning an Automatic Reaction to an Event

You can add an Automatic Reaction for SmartEvent to run when this type of event is detected.

1. Select the icon [...].
2. Select an Automatic Reaction that you created from the list, or select Add new…. For details on how to create each type of Automatic Reaction, see section below.
3. Configure the Automatic Reaction.
4. Select Save.
5. Click OK.

Working Hours

Working Hours are used to detect unauthorized attempts to access protected systems and other forbidden operations after-hours. To set the Regular Working Hours for an event, select a Time Object that you have configured from the drop-down list.

To create a Time Object:

1. From the Policy tab, select General Settings > Objects > Time Objects.
2. Click Add.
3. Enter a Name and Description.
4. Select the days and times that are considered Regular Working Hours.
5. Click OK.

To assign a Time Object to an event:

1. From the Policy tab, select an event that requires a Time Object (for example, User Login at irregular hours in the Unauthorized Entry event category).
2. Select the Time Object you created from the drop-down list.
3. Select File > Save.

Exceptions

Exceptions allow an event to be independently configured for the sources or destinations that appear. For example, if the event Port Scan from Internal Network is set to detect an event when 30 port scans have occurred within 60 seconds, you can also define that two port scans detected from host A in 10 seconds of each other is also an event.

To manually add an exception, under the heading Apply the following exceptions, click Add and select the Source and/or Destination of the object to apply different criteria for this event.

Note - If you do not see the host object listed, you may need to create it in SmartEvent.

To modify or delete existing exceptions, select Edit or Remove, respectively.

Creating Event Definitions (User Defined Events)

To create a user-defined event you must have knowledge of the method by which SmartEvent identifies events. This section starts with a high level overview of how logs are analyzed to conclude if an event occurs or occurred.

High Level Overview of Event Identification

Events are detected by the SmartEvent Correlation Unit. The SmartEvent Correlation Unit scans logs for criteria that match an Event Definition.

SmartEvent uses these procedures to identify these events:

• Matching a Log Against Global Exclusions
• Matching a Log Against Each Event Definition
• Creating an Event Candidate
• When a Candidate Becomes an Event

Matching a Log Against Global Exclusions

When the SmartEvent Correlation Unit reads a log, it first checks if the log matches all defined Global Exclusions. Global Exclusions (defined on the Policy tab > Event Policy > Global Exclusions) direct SmartEvent to ignore logs that are not expected to contribute to an event.

If the log matches a Global Exclusion, it is discarded by the system. If not, the SmartEvent Correlation Unit starts to match it against each Event Definition.

Matching a Log Against Each Event Definition

Each Event Definition contains a filter which is comprised of a number of criteria that must be found in all matching logs. The criteria are divided by product: The Event Definition can include a number of different products, but each product has its own criterion.

To match the Event Definition "A", a log from Endpoint Security must match the Action, Event Type, Port, and Protocol values listed in the Endpoint Security column. A log from a Security Gateway must match the values listed in its column.

SmartEvent divides this procedure into two steps. The SmartEvent Correlation Unit first checks if the Product value in the log matches one of the permitted Product values of an Event Definition.

If Log 1 did not contain a permitted Product value, the SmartEvent Correlation Unit compares the log against Event Definition "B", and so on. If the log fails to match against an Event Definition, it is discarded.

The SmartEvent Correlation Unit checks if the log contains the Product-specific criteria to match the Event Definition. For example: The product Endpoint Security generates logs that involve the Firewall, Spyware, Malicious Code Protection, and others. The log contains this information in the field Event Type. If an event is defined to match on Endpoint Security logs with the event type Firewall, an Endpoint Security log with Event Type "Spyware" fails against the Event Definition filter. Other criteria can be specified to the Product.

In our example, Log 1 matched Event Definition "A" with a permitted product value. The SmartEvent Correlation Unit examines if the log contains the necessary criteria for an Endpoint Security log to match.

If the criteria do not match, the SmartEvent Correlation Unit continues to compare the log criteria to other event definitions.

Creating an Event Candidate

When a log matches the criteria, it is added to an Event Candidate. Event candidates let SmartEvent track logs until an event threshold is crossed, at which point an event is generated.

Notes -

• The Event Candidate can track logs from multiple products
• The logs must be from the same source
• The Event Candidate tracks logs before all of the criteria were matched

Each Event Definition can have multiple event candidates, each of which keeps track of logs grouped by equivalent properties. In the figure above the logs that create the event candidate have a common source value. They were dropped, blocked or rejected by a Firewall. They are grouped together because the Event Definition is designed to detect this type of activity, that originates from one source.

When a log matches the event definition, but has properties different than those of the existing event candidates, a new event candidate is created. This event candidate is added to what can be thought of as the Event Candidate Pool.

Note - SmartEvent creates a new event candidate for a log with a different source.

To illustrate more, an event defined detects a high rate of blocked connections. SmartEvent tracks the number of blocked connections for each Firewall, and the logs of the blocked traffic at each Firewall forms an event candidate. When the threshold of blocked connection logs from a Firewall is surpassed, that Firewall event candidate becomes an event. While this Event Definition creates one event candidate for each Firewall monitored, other Event Definitions can create many more.

The Event Candidate Pool is a dynamic environment, with new logs added and older logs discarded when they have exceeded an Event Definition time threshold.

When a Candidate Becomes an Event

When a candidate becomes an event, the SmartEvent Correlation Unit forwards the event to the Event Database. But to discover an event does not mean that SmartEvent stops to track logs related to it. The SmartEvent Correlation Unit adds matching logs to the event as long as they continue to arrive during the event threshold. To keep the event open condenses what can appear as many instances of the same event to one, and provides accurate, up-to-date information as to the start and end time of the event.

Creating a User-Defined Event

To create New Event Definitions, right-click an existing Event Definition, or use the Actions menu:

Right Click	Actions Menu	Description
New	New Custom Event	Launches the Event Definition Wizard, which allows you to select how to base the event: on an existing Event Definition, or from scratch.
Save As	Save Event As	Creates an Event Definition based on the properties of the highlighted Event Definition. When you select Save As, the system prompts you to save the selected Event Definition with a new name for later editing. Save As can also be accessed from the Properties window.

All User Defined Events are saved at Policy tab > Event Policy > User Defined Events. When an Event Definition exists it can be modified through the Properties window, available by right-click and from the Actions menu.

Creating a New Event Definition

To create a User Defined Event based on an existing event:

1. From the Actions menu, select New Custom Event.

   The Event Definition Wizard opens.

2. For Create an event
   1. Select that is based on an existing event.
   2. Select an event that has equivalent properties to the event you want to create.
   3. Click Next.
3. Name the Event Definition.
4. Enter a Description.
5. Select a Severity level.
6. Click Next.
7. Set which of these options generates the event:
   • A single log — Frequently depicts an event, such as a log from a virus scanner that reports that a virus has been found.
   • Multiple logs — Required if the event can only be identified as a result of a combination of multiple logs, such as a High Connection Rate.

   Click Next.

8. Examine the products that can cause this event.
9. Select Next.
10. Optional: Edit the product filters:
    • If you added a product you can edit the filters for each product (Edit all product filters), or those of new products you added (Edit only newly selected product filters).
    • If you did not add other products, edit the filters of existing products (Yes) or skip this step (No, Leave the original files).

    Click Next.

11. Edit or add product filters for each log necessary in the Event Definition filter:
    1. Select the Log field from the available Log Field list.
    2. Click Add to edit the filter.
    3. Make sure that the filter matches on All Conditions or Any Conditions.
    4. Double-click the Log field and select the values to use in the filter.

    Click Next.

12. When you defined the filters for each product, select values for these options to define how to process logs:
    • Detect the event when at least __ logs occurred over a period of __ seconds contains the event thresholds that define the event. You can modify the event thresholds by altering the number of logs and/or the period of time that define the event.
    • Each event definition may have multiple Event Candidates existing simultaneously allows you to set whether SmartEvent creates distinct Event Candidates based on a field (or set of fields) that you select below.

      Select the field(s) by which distinct Event Candidates will be created allows you to set the field (or set of fields) that are used to differentiate between Event Candidates.

    • Use unique values of the __ field when counting logs directs SmartEvent to count unique values of the specified field when determining whether the Event Threshold has been surpassed. When this property is not selected, SmartEvent counts the total number of logs received.
13. Click Finish.

To edit a user-defined event:

1. From the Policy tab > Event Policy > User Defined Events, right-click a User-Defined Event and select Properties.
2. In the tabs provided, make the necessary changes:
   • Name - Name the Event Definition, enter a Description and select a Severity level. The text you enter in the Description field shows in the Event Description area (below the event configurable properties).
   • Filter - To edit a product filter:
     1. Select the product.
     2. Select the Log field from the available Log Fields list.
     3. If the necessary field does not show select Show more fields... to add a field to the Log Fields list.
     4. Click Add to edit the filter.
     5. Select if the filter matches on All Conditions or Any Conditions.
   • Count logs

     This screen defines how SmartEvent counts logs related to this event.

     • A Single log — Frequently depicts an event, such as a log from a virus scanner that reports that a virus is found.
     • With this option you can set the fields that are used to group events into Event Candidates. Logs with matching values for these fields are added to the same event. For example: Multiple logs that report a virus detected on the same source with the same virus name are combined into the same event.
     • Multiple logs — Required for events that identify an activity level, such as a High Connection Rate.
     • When the event is triggered by multiple logs, set the behavior of Event Candidates:
     • Detect the event when at least... — Set the Event Threshold that, when exceeded, indicates that an event has occurred.
     • Select the field(s) by which distinct event candidates will be created — An event is generated by logs with the same values in the fields specified here. To define how logs are grouped into Event Candidates, select the related fields here.
     • Use unique values of the ...— Only logs with unique values for the fields specified here are counted in the event candidate. For example: A port scan event counts logs that include unique ports scanned. Also, the logs do not increment the log count for logs that contain ports already encountered in the event candidate.
     • Advanced — Define the keep=alive time for the event, and how often the SmartEvent Correlation Unit updates the SmartEvent server with new logs for the created event.
   • Event Format

     When an event is generated, information about the event is presented in the Event Detail pane.

     This screen lets you specify if the information will be added to the detailed pane and from which Log Field the information is taken.

     You can clear it in the Display column. The Event Field will not be populated.

   • GUI representation

     All events can be configured. This screen lets you select the configuration parameters that show.

     • The Threshold section shows the number of logs that must matched to create the event. This is usually not shown for one log events and shown for multiple log events.
     • The Exclude section lets you specify the log fields that show when you add an event exclusion.
     • The Exception section lets you specify the log fields that show when you add an event exception.
3. Click OK to save your changes.

Eliminating False Positives

This section shows you how to reduce false positives.

Services that Generate Events

Some types of services are characterized by a high quantity of traffic that can be misidentified as events. These are examples of services and protocols that can potentially generate events:

• Software that does a routine scan of the network to make sure that everything runs correctly. Configuration of SmartEvent to exclude this source from a scan event eliminates a source of false positive events.
• High connection rate on a web server. Set SmartEvent to allow a higher connection rate for each minute on a busy web server, or to exclude this source from a scan event.

Common Events by Service

The information in this table provides a list of server types where high activity is frequently used. To change the Event Policy, adjust event thresholds and add Exclusions for servers and services . You can decrease more the quantity of false positives detected.

Common events by service

Server Type	Category	Event Name	Source	Dest	Service	Reason
SNMP	Scans	IP sweep from internal network	Any	Any	SNMP-read	Hosts that query other hosts
DNS Servers	Scans	IP sweep from internal network	DNS servers	-	DNS	Inter-DNS servers updates
	Denial of Service (DoS)	High connection rate on internal host on service	Any	DNS servers	DNS	DNS requests and inter-DNS servers updates
	Anomalies	High connection rate from internal network	Any	Any	DNS	DNS requests and inter-DNS servers updates
	Anomalies	High connection rate from internal network on service	Any	Any	DNS	DNS requests and inter-DNS servers updates
	Anomalies	Abnormal activity on service	Any	Any	DNS	DNS requests and inter-DNS servers updates
NIS Servers	Scans	Port scan from internal network	NIS servers	Any	-	Multiple NIS queries
	Denial of Service (DoS)	High connection rate on internal host on service	Any	NIS servers	NIS	NIS queries
	Anomalies	High connection rate from internal network	Any	Any	NIS	NIS queries
	Anomalies	High connection rate from internal network on service	Any	Any	NIS	NIS queries
	Anomalies	Abnormal activity on service	Any	Any	NIS	NIS queries
LDAP Servers	Denial of Service (DoS)	High connection rate on internal host on service	Any	LDAP servers	LDAP	LDAP requests
	Anomalies	High connection rate from internal network	Any	LDAP servers	LDAP	LDAP requests
	Anomalies	High connection rate from internal network on service	Any	LDAP servers	LDAP	LDAP requests
	Anomalies	Abnormal activity on service	Any	LDAP servers	LDAP	LDAP requests
HTTP Proxy Servers - Hosts To Proxy Server	Denial of Service (DoS)	High connection rate on internal host on service	Any	Proxy servers	HTTP:8080	Hosts connections to Proxy servers
	Anomalies	High connection rate from internal network	Any	Proxy servers	HTTP:8080	Hosts connections to Proxy servers
	Anomalies	High connection rate from internal hosts on service	Any	Proxy servers	HTTP:8080	Hosts connections to Proxy servers
	Anomalies	Abnormal activity on service	Any	Proxy servers	HTTP:8080	Hosts connections to Proxy servers
HTTP Proxy Servers - Out to the Web	Scans	IP sweep from internal network	Proxy servers	Any	HTTP/ HTTPS	Proxy servers connections out to various sites
	Denial of Service (DoS)	High connection rate on internal host on service	Proxy servers	Any	HTTP/ HTTPS	Proxy servers connections out to various sites
	Anomalies	High connection rate from internal network	Proxy servers	Any	HTTP/ HTTPS	Proxy servers connections out to various sites
		High connection rate from internal hosts on service	Proxy servers	Any	HTTP/ HTTPS	Proxy servers connections out to various sites
	Anomalies	Abnormal activity on service	Proxy servers	Any	HTTP/ HTTPS	Proxy servers connections out to various sites
UFP Servers	Denial of Service (DoS)	High connection rate on internal host on service	Any	UFP servers	Any/UFP by vendor	Firewall connections to UFP servers
	Anomalies	High connection rate from internal network	Any	UFP servers	Any/UFP by vendor	Firewall connections to UFP servers
	Anomalies	High connection rate from internal hosts on service	Any	UFP servers	Any/UFP by vendor	Firewall connections to UFP servers
	Anomalies	Abnormal activity on service	Any	UFP servers	Any/UFP by vendor	Firewall connections to UFP servers
CVP Servers Request	Denial of Service (DoS)	High connection rate on internal host on service	Any	CVP servers	Any/CVP by vendor	Firewall connections to CVP servers
	Anomalies	High connection rate from internal network	Any	CVP servers	Any/CVP by vendor	Firewall connections to CVP servers
	Anomalies	High connection rate from internal hosts on service	Any	CVP servers	Any/CVP by vendor	Firewall connections to CVP servers
	Anomalies	Abnormal activity on service	Any	CVP servers	Any/CVP by vendor	Firewall connections to CVP servers
CVP Servers Replies	Scans	Port scans from internal network	CVP servers	Any	-	Multiple CVP replies to same GW
	Scans	IP sweep from internal network	CVP servers	-	CVP	CVP replies to multiple GWs
	Denial of Service (DoS)	High connection rate on internal host on service	CVP servers	Any	Any/CVP by vendor	CVP replies
	Anomalies	High connection rate from internal network	CVP servers	Any	Any/CVP by vendor	CVP replies
	Anomalies	High connection rate from internal hosts on service	CVP servers	Any	Any/CVP by vendor	CVP replies
	Anomalies	Abnormal activity on service	CVP servers	Any	Any/CVP by vendor	CVP replies
UA Server Request	Denial of Service (DoS)	High connection rate on internal host on service	Any	UA servers	uas-port (TCP:19191 TCP:19194)	Connections to UA servers
	Anomalies	High connection rate from internal network	Any	UA servers	(TCP:19191 TCP:19194)	Connections to UA servers
	Anomalies	High connection rate from internal hosts on service	Any	UA servers	uas-port (TCP:19191 TCP:19194)	Connections to UA servers
	Anomalies	Abnormal activity on service	Any	UA servers	uas-port (TCP:19191 TCP:19194)	Connections to UA servers
UA Servers Replies	Scans	Port scans from internal network	UA servers	Any	-	Multiple UA replies to the same computer
	Scans	IP sweep from internal network	UA servers	Any	uas-port (TCP:19191 TCP:19194)	Multiple UA replies to multiple computers
	Denial of Service (DoS)	High connection rate on internal host on service	UA servers	Any	uas-port (TCP:19191 TCP:19194)	UA replies
	Anomalies	High connection rate from internal network	UA servers	Any	uas-port (TCP:19191 TCP:19194)	UA replies
	Anomalies	High connection rate from internal hosts on service	UA servers	Any	uas-port (TCP:19191 TCP:19194)	UA replies
	Anomalies	Abnormal activity on service	UA servers	Any	uas-port (TCP:19191TCP:19194)	UA replies
SMTP Servers	Scans	IP sweep from internal network	SMTP servers	-	SMTP	SMTP servers connections out to various SMTP servers
	Denial of Service (DoS)	High connection rate on internal host on service	SMTP servers	Any	SMTP	SMTP servers connections out to various SMTP servers
	Anomalies	High connection rate from internal network	SMTP servers	Any	SMTP	SMTP servers connections out to various SMTP servers
	Anomalies	High connection rate from internal hosts on service	SMTP servers	Any	SMTP	SMTP servers connections out to various SMTP servers
	Anomalies	Abnormal activity on service	SMTP servers	Any	SMTP	SMTP servers connections out to various SMTP servers
Anti-Virus Definition Servers	Scans	IP sweep from internal network	AV_Defs servers	-	Any/AV by vendor	Anti-Virus definitions updates deployment
	Denial of Service (DoS)	High connection rate on internal host on service	AV_Defs servers	-	Any/AV by vendor	Anti-Virus definitions updates deployment
	Anomalies	High connection rate from internal network	AV_Defs servers	-	Any/AV by vendor	Anti-Virus definitions updates deployment
	Anomalies	High connection rate from internal hosts on service	AV_Defs servers	-	Any/AV by vendor	Anti-Virus definitions updates deployment
	Anomalies	Abnormal activity on service	AV_Defs servers	-	Any/AV by vendor	Anti-Virus definitions updates deployment

System Administration

To maintain your SmartEvent system, you can do these tasks from the General Settings section of the Policy tab:

• Adding a SmartEvent Correlation Unit and Log Servers
• Create offline jobs analyze historical log files
• Adding objects to the Internal Network
• Creating scripts to run as Automatic Reactions for certain events
• Creating objects for use in filters

Save Event Policy

Modifications to the Event Policy do not take effect until saved on the SmartEvent server and installed to the SmartEvent Correlation Unit.

To enable changes made to the Event Policy:

1. Click File > Save.
2. Click Actions > Install Event Policy.

Revert Changes

You can undo changes to the Event Policy, if they were not saved.

To undo changes: click File > Revert Changes.

Adding Network and Host Objects

Certain objects from the Management server are added during the initial sync with the SmartEvent server and updated at a set interval. But it is useful (or necessary) to add other Network or Host objects, for these reasons:

• If some devices or networks are not represented on the Management server, and are important to define your internal network.
• When you add sources or destinations to exclusions or exceptions in Event Definitions.
• When you select sources or destinations in a filter.

These screens are locked until initial sync is complete:

• Network Objects
• Internal Network
• SmartEvent Correlation Unit

You can make a device available to use in SmartEvent.

To make a device that is a host object available in SmartEvent:

1. From the Policy tab, select General Settings > Objects > Network Objects > Add > Host.
2. Give the device a significant name.
3. Enter its IP Address or select Get Address.
4. Select OK.

To make a device that is a network object available in SmartEvent:

1. From the Policy tab, select General Settings > Objects > Network Objects > Add > Network.
2. Give the network a significant name.
3. Enter the Network Address and Net Mask.
4. Select OK.

See Defining the Internal Network for information about how to add objects to the Internal Network definition.

Defining the Internal Network

To help SmartEvent conclude if events originated internally or externally, you must define the Internal Network. These are the options to calculate the traffic direction:

• Incoming – all the sources are external to the network and all destinations are inner
• Outgoing – all sources are in the network and all destinations external
• Internal – sources and destinations are all in the network
• Other – a mixture of and internal and external values makes the result indeterminate

To define the Internal Network:

1. From the Policy tab, select General Settings > Initial Settings > Internal Network.
2. Add internal objects.

   We recommend you add all internal Network objects, and not Host objects.

Some network objects are copied from the Management server to the SmartEvent Server during the initial sync and updated afterwards.

These screens are locked until initial sync is complete:

• Network Objects
• Internal Network
• Correlation Units

SmartEvent High Availability Environment

The SmartEvent database keeps a synchronized copy of management objects locally on the SmartEvent Server. This process, dbsync, allows SmartEvent to work independently of different management versions and different management servers in a High Availability environment.

Management High Availability capability exists for Security Management Servers, and in a Multi-Domain Security Management environment, dbsync supports High Availability for the Multi-Domain Servers and the Domain Servers.

How it works

Dbsync initially connects to the management server with which SIC is established. It retrieves all the objects. After the initial synchronization it gets updates when an object is saved. Dbsync registers all the High Availability management machines and periodically tests the connectivity with the newest management server. If connectivity is lost, it attempts to connect to the other High Availability management servers until it finds an active one and connects to it.

If two management servers are active concurrently, dbsync stays connected to one management server. Dbsync does not get changes made on the other management server until a synchronization operation is done.

Log Server High Availability

In SmartConsole, you can configure a Security Gateway, that when it fails to send its logs to one Log Server, it will send its logs to a secondary Log Server. To support this configuration, you can add Log Servers to a single SmartEvent Correlation Unit. In this way, the SmartEvent Correlation Unit gets an uninterrupted stream of logs from both servers and continues to correlate all logs.

SmartEvent Correlation Unit High Availability

Multiple correlation units can read logs from the same Log Servers. That way, the units provide redundancy if one of them fails. The events that the correlation units detect are duplicated in the SmartEvent database. But these events can be disambiguated if you filter them with the Detected By field in the Event Query definition. The Detected By field specifies which SmartEvent Correlation Unit detected the event.

If the SmartEvent Server becomes unavailable, the correlation units keep the events until it can reconnect with the SmartEvent Server and forward the events.