Creating a User-Defined Event

To create a new Event Definition (an Event is a record of a security or network incident that is based on one or more logs and on a customizable set of rules defined in the Event Policy), right-click an existing Event Definition, or use the Actions menu:

Right-Click    Menu "Actions"      Description
New            New Custom Event    Launches the Event Definition Wizard, which lets you base the new event on an existing Event Definition or build it from scratch.
Save As        Save Event As       Creates an Event Definition based on the properties of the highlighted Event Definition. The system prompts you to save the copy with a new name so that you can edit it later. Save As is also available from the Properties window.

All User Defined Events are saved under Policy tab > Event Policy > User Defined Events. After an Event Definition exists, you can modify it in the Properties window, which is available from the right-click menu and from the Actions menu.

Creating a New Event Definition

You can edit all events, not only user-defined events. If you change a predefined event, the result is saved as a new user-defined event rather than overwriting the predefined one.

To create a new event definition:

  1. In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), from the left navigation panel, click the Logs & Monitor view.

  2. At the top, click + to open a new tab.

  3. In the bottom section External Apps, click SmartEvent Settings & Policy.

  4. Click Menu > Actions > New Custom Event.

    The Event Definition Wizard opens.

  5. In the Step 1 of 7 window:

    1. Select the option to base the new event on an existing event.

    2. Select an existing event whose properties are closest to the event you want to create.

    3. Click Next.

  6. In the Step 2 of 7 window:

    1. In the Name field, enter a meaningful name.

    2. Optional: In the Description field, enter a meaningful description.

    3. In the Severity field, select the required level.

    4. Click Next.

  7. In the Step 3 of 7 window:

    1. Select the option that describes what generates the event:

      • A single log - One log is enough to represent the event, for example a log from a virus scanner that reports that a virus was found.

      • Multiple logs - Required when the event can only be identified from a combination of several logs, for example a High Connection Rate.

    2. Click Next.

  8. In the Step 4 of 7 window:

    1. Select the products whose logs the event must consider. You can also add a new product name.

    2. Click Next.

  9. In the Step 5 of 7 window:

    1. Select the applicable option:

      • Edit all product filters

      • Edit only newly selected product filters

    2. Click Next.

  10. In the Step 6.x of 7 windows:

    1. At the top of the window, note the Product whose filter you are editing.

    2. In the left panel Available Log Field, click the required field to select it.

    3. Click Add to add the field to the filter.

    4. Click Add again to configure the required value for the selected field > enter the value > click OK.

    5. In the top right corner, you can select Not to negate the configured filter.

    6. Click OK.

    7. In the right panel Match, select the required option - All Conditions or Any Conditions.

    8. To edit an added Log field, double-click it.

    9. Click Next.

  11. In the Step 7 of 7 window:

    1. In the fields Detect the event when at least __ logs occurred over a period of __ seconds, configure the required values.

    2. The option Each event definition may have multiple Event Candidates existing simultaneously controls whether SmartEvent creates distinct Event Candidates based on a field (or set of fields) that you select below.

      Select the field(s) by which distinct Event Candidates will be created allows you to set the field (or set of fields) that are used to differentiate between Event Candidates.

    3. The option Use unique values of the __ field when counting logs directs SmartEvent to count unique values of the specified field when determining whether the Event Threshold has been surpassed. When this option is not selected, SmartEvent counts the total number of logs received.

  12. Click Finish.

  13. The new event is saved in the folder Event Policy > User Defined Events.

  14. Click Menu > File > Save.

  15. Click Menu > Actions > Install Event Policy.

Customizing a User-Defined Event

To customize a user-defined event:

  1. In SmartConsole, from the left navigation panel, click the Logs & Monitor view.

  2. At the top, click + to open a new tab.

  3. In the bottom section External Apps, click SmartEvent Settings & Policy.

  4. In the folder Event Policy > User Defined Events, right-click a User-Defined Event and click Properties.

  5. On the Name tab:

    1. In the Name field, enter a meaningful name.

    2. Optional: In the Description field, enter a meaningful description.

    3. In the Severity field, select the required level.

  6. On the Filter tab:

    1. In the left panel Event Products, select the required product.

    2. In the middle panel Log Fields, select the required field.

      If the necessary field does not appear, click Show more fields > select Existing field or New field > select the existing field or configure the new field > click OK.

    3. Click Add to configure the required value for the selected field > enter the value > click OK.

    4. In the top right corner, you can select Not to negate the configured filter.

    5. Click OK.

    6. In the right panel Match, select whether the filter matches on All Conditions or Any Conditions.

    7. To edit an added Log field, double-click it.

  7. On the Count log tab:

    1. In the fields Detect the event when at least __ logs occurred over a period of __ seconds, configure the required values.

    2. The option Each event definition may have multiple Event Candidates existing simultaneously controls whether SmartEvent creates distinct Event Candidates based on a field (or set of fields) that you select below.

      Select the field(s) by which distinct Event Candidates will be created allows you to set the field (or set of fields) that are used to differentiate between Event Candidates.

    3. The option Use unique values of the __ field when counting logs directs SmartEvent to count unique values of the specified field when determining whether the Event Threshold has been surpassed. When this option is not selected, SmartEvent counts the total number of logs received.

    4. Click the Advanced button:

      1. In the Keep event open for field, enter the required number of seconds.

      2. In the Update event data after field, enter the required number of seconds.

      3. Click OK.

  8. On the Event Format tab:

    When an event is generated, information about the event is presented in the Event Detail pane.

    On this tab you specify which information is added to the Event Detail pane and from which Log Field each item is taken.

    To omit an item, clear its check box in the Display column; that Event Field is then not populated.

  9. On the GUI representation tab:

    1. Select the Threshold section option to show the number of logs that must match to create the event. This is usually hidden for single-log events and shown for multiple-log events.

    2. Select the Exclude section option to specify the log fields that appear when you add an event exclusion.

    3. Select the Exception section option to specify the log fields that appear when you add an event exception.

  10. Click OK.

  11. Click Menu > File > Save.

  12. Click Menu > Actions > Install Event Policy.
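The threshold, Event Candidate, unique-value and keep-open settings described in the Step 7 of 7 window above and on the Count log tab are easiest to understand by running them over a handful of logs. The following script is an added example written for this page; it is not Check Point code and does not use any SmartEvent API. It models the Filter tab as a list of (field, allowed values, Not) conditions per product with an All/Any match mode, then applies the Count log rules to constructed sample logs. The field names (time, product, src, service, action), the two port-scan definitions and the Anti-Virus definition are assumptions for illustration, and the keep-open period is assumed to be counted from the moment the event is detected.

```python
"""Simulator of the SmartEvent user-defined event rules described on this page.
Added, illustrative example: not the product's implementation."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class EventDefinition:
    name: str
    conditions: dict                      # product -> [(log_field, allowed_values, negate)]
    match: str = "all"                    # Match panel: "all" or "any" conditions
    count: int = 1                        # "Detect the event when at least __ logs ..."
    window: int = 0                       # "... occurred over a period of __ seconds"
    candidate_fields: tuple = ()          # fields that separate Event Candidates (() = one candidate)
    unique_field: Optional[str] = None    # "Use unique values of the __ field when counting logs"
    keep_open: int = 0                    # Advanced > "Keep event open for" (seconds after detection)


def log_matches(log, d):
    """Filter tab: a log matches only if it comes from a selected product and
    its conditions pass; a condition marked Not is negated."""
    conds = d.conditions.get(log["product"])
    if conds is None:
        return False
    results = [(log.get(f) in values) != negate for f, values, negate in conds]
    return all(results) if d.match == "all" else any(results)


def correlate(logs, d):
    """Count log tab: return the events that definition d generates over time-ordered logs."""
    candidates = defaultdict(list)   # candidate key -> [(time, log)] still inside the window
    open_events = {}                 # candidate key -> event that is still in its keep-open period
    events = []
    for log in sorted(logs, key=lambda l: l["time"]):
        if not log_matches(log, d):
            continue
        t = log["time"]
        key = tuple(log.get(f) for f in d.candidate_fields)
        ev = open_events.get(key)
        if ev is not None:
            if t <= ev["detected"] + d.keep_open:
                ev["logs"].append(log)   # open event is updated, no new event is created
                continue
            del open_events[key]
        bucket = candidates[key]
        bucket.append((t, log))
        bucket[:] = [(bt, bl) for bt, bl in bucket if t - bt <= d.window]
        if d.unique_field:               # count distinct values instead of raw log count
            n = len({bl.get(d.unique_field) for _, bl in bucket})
        else:
            n = len(bucket)
        if n >= d.count:
            ev = {"name": d.name, "key": key, "start": bucket[0][0], "detected": t,
                  "logs": [bl for _, bl in bucket]}
            events.append(ev)
            open_events[key] = ev
            candidates[key] = []         # candidate starts over once it became an event
    return events


def L(time, product, src, service, action):
    return {"time": time, "product": product, "src": src, "service": service, "action": action}


SAMPLE_LOGS = [  # constructed sample logs, not real Check Point logs
    L(1, "Firewall", "10.1.1.5", "21", "Drop"),
    L(2, "Firewall", "10.1.1.5", "22", "Drop"),
    L(3, "Firewall", "10.1.1.5", "22", "Drop"),     # repeat of port 22: not a new unique value
    L(4, "Firewall", "10.1.1.5", "23", "Drop"),
    L(5, "Firewall", "10.1.1.5", "25", "Drop"),
    L(6, "Firewall", "10.1.1.7", "80", "Drop"),     # other src: its own Event Candidate
    L(7, "Firewall", "10.1.1.5", "80", "Drop"),     # fifth distinct port for 10.1.1.5
    L(8, "Firewall", "10.1.1.5", "443", "Drop"),    # arrives while the event is still open
    *[L(9, "Firewall", "10.1.1.99", p, "Drop") for p in ("21", "22", "23", "25", "80")],  # excluded by Not
    L(12, "Anti-Virus", "10.1.1.20", None, "Detect"),
    L(15, "Firewall", "10.1.1.7", "443", "Accept"),  # action is not Drop: filtered out
    L(50, "Firewall", "10.1.1.5", "21", "Drop"),     # keep-open expired: new candidate, below threshold
]

FW_FILTER = {"Firewall": [("action", {"Drop"}, False), ("src", {"10.1.1.99"}, True)]}
PORT_SCAN = EventDefinition("Port scan (unique ports)", FW_FILTER, count=5, window=10,
                            candidate_fields=("src",), unique_field="service", keep_open=30)
PORT_SCAN_TOTAL = EventDefinition("Port scan (total logs)", FW_FILTER, count=5, window=10,
                                  candidate_fields=("src",), keep_open=30)
VIRUS_FOUND = EventDefinition("Virus found",
                              {"Anti-Virus": [("action", {"Detect", "Prevent"}, False)]})


def summarize(d, logs=SAMPLE_LOGS):
    """(candidate key, first log time, detection time, logs attached) per generated event."""
    return [(e["key"], e["start"], e["detected"], len(e["logs"])) for e in correlate(logs, d)]


if __name__ == "__main__":
    for d in (PORT_SCAN, PORT_SCAN_TOTAL, VIRUS_FOUND):
        print(d.name, summarize(d))
```

Running it shows the effect of each setting: with unique-value counting the port-scan event is detected at t=7 (five distinct ports), whereas counting total logs fires it at t=5 (the repeated port 22 counts twice); the logs from 10.1.1.99 never reach the counter because the Not condition excludes them; 10.1.1.7 is tracked as a separate Event Candidate and never reaches the threshold; and the log at t=50 starts a fresh candidate because the keep-open period has elapsed.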