Event Analysis
Event Analysis with SmartEvent
The SmartEvent Software Blade is a unified security event management and analysis solution that delivers real-time, graphical threat management information. SmartConsole (the Check Point GUI application used to manage a Check Point environment), the SmartView Web Application, and the SmartEvent GUI client consolidate billions of logs and show them as prioritized security events, so you can respond to security incidents immediately and take the actions needed to prevent further attacks. You can customize the views to monitor the events that matter most to you, and move from a high-level view to detailed forensic analysis in a few clicks. With the free-text search and suggestions, you can quickly run data analysis and identify critical security events.
Note - SmartEvent is not supported in a Full High Availability Cluster.
What is an Event?
An event is a record of a security incident. It is based on one or more logs, and on rules that are defined in the Event Policy (the set of rules that define the behavior of SmartEvent).
An example of an event that is based on one log: a High Severity Anti-Bot event (Anti-Bot is the Software Blade that blocks botnet behavior and communication to Command and Control (C&C) centers). One Anti-Bot log with a Severity of High causes the event to be recorded.
An example of an event that is based on more than one log: A Certificate Sharing event. Two login logs with the same certificate and a different user cause the event to be recorded.
How Are Logs Converted to Events?
SmartEvent automatically defines logs that are not Firewall, VPN, or HTTPS Inspection logs as events (HTTPS Inspection, also called SSL Inspection, is the Security Gateway feature that inspects SSL-encrypted traffic for malware or suspicious patterns).
Events that are based on a suspicious pattern of one or more logs are created by the SmartEvent Correlation Unit (the SmartEvent software component on a SmartEvent Server that analyzes logs and detects events). These correlated events are defined in the SmartEvent client GUI, in the Policy tab.
Most logs are Firewall, VPN and HTTPS Inspection logs. Therefore, SmartEvent does not define them as events by default, to avoid a performance impact on the SmartEvent Server (the dedicated Check Point server with the SmartEvent Software Blade enabled, which hosts the events database).
For logs from Security Gateways R77.X and lower: To create events for Firewall, in the SmartEvent Policy tab, enable Consolidated Sessions > Firewall Session.
The SmartEvent Architecture
SmartEvent has some components that work together to help track down security threats and make your network more secure.
This is how they work together. The numbers refer to the diagram:
- SmartEvent Correlation Unit (3) analyzes log entries on Log Servers (2) and stores the event in the same way the Log Server stores logs.
- SmartEvent Server (4) contains the Events Database (5).
- The SmartEvent and SmartConsole clients (6) manage the SmartEvent Server.
Diagram legend: the arrows show the log data flow and the event data flow.

| Item | Description | Purpose |
|---|---|---|
| 1 | | Sends logs to the Log Server. |
| 2 | Log Server | Stores logs. |
| 3 | SmartEvent Correlation Unit | Identifies events: analyzes each log entry from a Log Server, and looks for patterns according to the installed Event Policy. The logs contain data from Check Point products and certain third-party devices. When a threat pattern is identified, the SmartEvent Correlation Unit forwards the event to the SmartEvent Server. |
| 4 | SmartEvent Server | The SmartEvent Server: |
| 5 | Events database | Stores events. Located on the SmartEvent Server. |
| 6 | SmartEvent client | Shows the received events. Use the clients to manage events (for example, to filter and close events), and to fine-tune and install the Event Policy. The clients are: |
The SmartEvent components can be installed on one computer (a standalone deployment, in which the Security Gateway and the Security Management Server products are installed and configured on the same server) or on multiple computers and sites (a distributed deployment). To handle higher volumes of logging activity, we recommend a distributed deployment. Each SmartEvent Correlation Unit can analyze logs from more than one Log Server or Domain Log Server.
SmartEvent Correlation Unit
The SmartEvent Correlation Unit analyzes the log entries and identifies events from them. During analysis, the SmartEvent Correlation Unit:
- Marks log entries that are not stand-alone events, but can be part of a larger pattern to be identified later.
- Takes a log entry that meets one of the criteria set in the Event Policy, and generates an event.
- Takes a new log entry that is part of a group of items that together make up a security event, and adds it to the ongoing event.
- Discards log entries that do not meet event criteria.
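As an added illustration (not Check Point code), the toy correlation unit below applies the four behaviors above to constructed, simplified log records: the one-log Anti-Bot rule and the multi-log Certificate Sharing rule from the "What is an Event?" section, marking login logs for a later pattern, extending an ongoing event when a third user appears, and discarding the rest. The rule names, unit names, and log fields are assumptions made for the example; the Detected By filter mirrors the redundancy behavior described for multiple Correlation Units.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample logs, simplified; not real Check Point log records.
LOGS = [
    {"id": 1, "blade": "Anti-Bot", "severity": "High", "src": "10.1.1.5"},
    {"id": 2, "blade": "Firewall", "action": "Accept", "src": "10.1.1.6"},
    {"id": 3, "blade": "VPN", "type": "login", "user": "alice", "cert": "CN=laptop-01"},
    {"id": 4, "blade": "Anti-Bot", "severity": "Low", "src": "10.1.1.7"},
    {"id": 5, "blade": "VPN", "type": "login", "user": "bob", "cert": "CN=laptop-01"},
]

@dataclass
class Event:
    name: str
    detected_by: str          # stands in for the Detected By field
    log_ids: list = field(default_factory=list)

def correlate(logs, unit="CU-1"):
    """Toy correlation unit: a one-log rule and a multi-log pattern rule (assumed names)."""
    events = []
    pending = defaultdict(dict)   # cert -> {user: log id}: marked logs, not yet events
    ongoing = {}                  # cert -> open Certificate Sharing event
    for log in logs:
        # Rule 1: one High-severity Anti-Bot log is an event on its own.
        if log.get("blade") == "Anti-Bot" and log.get("severity") == "High":
            events.append(Event("Anti-Bot High Severity", unit, [log["id"]]))
        # Rule 2: Certificate Sharing = login logs with the same cert but different users.
        elif log.get("type") == "login":
            seen = pending[log["cert"]]
            if any(user != log["user"] for user in seen):
                ev = ongoing.get(log["cert"])
                if ev is None:    # first match: build the event from the marked log(s)
                    ev = Event("Certificate Sharing", unit, list(seen.values()))
                    ongoing[log["cert"]] = ev
                    events.append(ev)
                ev.log_ids.append(log["id"])   # later matches join the ongoing event
            seen[log["user"]] = log["id"]      # mark the log for a later pattern
        # Anything else (Firewall Accept, Low-severity Anti-Bot) is discarded.
    return events

def filter_detected_by(events, unit):
    """Two units reading the same Log Server duplicate events; keep one unit's copy."""
    return [e for e in events if e.detected_by == unit]
```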
SmartEvent Correlation Unit High Availability
Multiple correlation units can read logs from the same Log Servers. That way, the units provide redundancy if one of them fails. The events that the Correlation Units detect are duplicated in the SmartEvent database. But these events can be disambiguated if you filter them with the Detected By field in the Event Query definition. The Detected By field specifies which SmartEvent Correlation Unit detected the event.
The SmartView Web Application
The SmartView Web Application is one of the SmartEvent clients that you can use to analyze events that occur in your environment. Use the SmartView Web Application to see an overview of the security information for your environment. It has the same event monitoring and analysis views as SmartConsole. The convenience is that you do not have to install a client.
To log in to SmartEvent using SmartView Web Application:
Browse to:
https://<IP Address of Security Management Server>/smartview/
or
https://<Host Name of Security Management Server>/smartview/
Note - The URL is case sensitive.