Configuring SmartEvent Policy and Settings

Opening the SmartEvent GUI Client

Use the Policy tab of the SmartEvent GUI client to configure and customize the events that define the SmartEvent Policy.

To open the SmartEvent GUI client:

  1. Open SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on) and go to Logs & Monitor.

  2. Click (+) to open a Catalog (new tab).

  3. Click SmartEvent Settings & Policy.

Policy Tab

Define the Event Policy in the Policy tab. An Event is a record of a security or network incident that is based on one or more logs and on a customizable set of rules defined in the Event Policy. Most configuration steps occur in the Policy tab. You also define system components, such as the SmartEvent Correlation Unit (the SmartEvent software component on a SmartEvent Server that analyzes logs and detects events), lists of blocked IP addresses, and other general settings.

The types of events that SmartEvent can detect are listed here, sorted into a number of categories. To customize an event, change its default thresholds and set Automated Responses. You can also disable events.

The Policy tab has these sections:

  • Selector Tree - The navigation pane.

  • Detail pane - The settings of each item in the Selector Tree.

  • Description pane - A description of the selected item.

You can edit the Event Policy (the set of rules that define the behavior of SmartEvent) in one of these ways:

  • Fine-tune the Event Policy.

  • Change existing Event Definitions so that you see the events that interest you (see Modifying Event Definitions).

  • Create new Event Definitions to see the events that are not included in the existing definitions.

Save Event Policy

Modifications to the Event Policy do not take effect until they are saved on the SmartEvent Server (the dedicated Check Point server with the SmartEvent Software Blade enabled that hosts the events database) and installed on the SmartEvent Correlation Unit.

To enable changes made to the Event Policy:

  1. Click File > Save.

  2. Click Actions > Install Event Policy.

Revert Changes

You can undo changes to the Event Policy if they have not been saved.

To undo changes: click File > Revert Changes.

Event Definitions and General Settings

The Selector Tree is divided into two branches: Event Policy and General Settings. The events that SmartEvent can detect are organized by category in the Event Policy branch. Select an event definition to show its configurable properties in the Detail pane and a description of the event in the Description pane. Clear the property to remove this event type from the Event Policy the next time the Event Policy is installed.

The General Settings branch contains Initial Settings, for example the definition of the SmartEvent Correlation Unit, which is typically used only during initial configuration. Click a General Settings item to show its configurable properties in the Detail pane.

For details on specific attacks or events, see the Event Definition Detail pane.

Event Definition Parameters

When an event definition is selected, its configurable elements appear in the Detail pane, and a description of the event appears in the Description pane. These are the usual types of configurable elements:

  • Thresholds, such as: Detect the event when more than X connections were detected over Y seconds

  • Severity, such as Critical, Medium, or Informational

  • Automatic Reactions, such as Block Source or run External Script

  • Exceptions

  • Time Object, such as issuing an event only if the activity occurs outside Working Hours

Not all of these elements appear for every Event Definition. After you install and run SmartEvent for a short time, you will see which of these elements need to be fine-tuned for each Event Definition.

For configuration information regarding most objects in General Settings, see System Administration.

Modifying Event Definitions

SmartEvent constantly takes data from your Log Servers and searches for patterns in all the network chatter that enters your system.

Depending on the levels set in each Event Definition, the number of events detected can be high, but only a portion of those events is meaningful. You can change the thresholds and other criteria of an event to reduce the number of false alarms.

Event Threshold

The Event Threshold lets you modify the limits that, when exceeded, indicate that an event occurred. The limits are the number of logs and the timeframe in which they occurred:

Detect the event when more than X logs were detected over a period of Y seconds.

To decrease the number of false alarms based on a particular event, increase the number of logs and/or the timeframe for them to occur.
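The following Python script is an added example, not SmartEvent code or Check Point's correlation logic: it models the "more than X logs over a period of Y seconds" rule as a per-source sliding window over constructed sample logs (the IP addresses, timestamps and the `detect_events` function are all assumptions for illustration), so you can see how changing X and Y changes which sources raise an event. It also honours a simple exceptions list, standing in for the Exceptions element of an Event Definition.

```python
from collections import deque
from datetime import datetime

# Constructed sample logs (not real SmartEvent output): (timestamp, source IP, action).
# 10.0.0.5 sends a burst of 6 logs within 5 seconds; 192.0.2.7 sends 6 logs
# spread over 50 seconds (one every 10 seconds).
SAMPLE_LOGS = [
    ("2024-01-01 10:00:00", "10.0.0.5", "drop"),
    ("2024-01-01 10:00:01", "10.0.0.5", "drop"),
    ("2024-01-01 10:00:02", "10.0.0.5", "drop"),
    ("2024-01-01 10:00:03", "10.0.0.5", "drop"),
    ("2024-01-01 10:00:04", "10.0.0.5", "drop"),
    ("2024-01-01 10:00:05", "10.0.0.5", "drop"),
    ("2024-01-01 10:00:00", "192.0.2.7", "drop"),
    ("2024-01-01 10:00:10", "192.0.2.7", "drop"),
    ("2024-01-01 10:00:20", "192.0.2.7", "drop"),
    ("2024-01-01 10:00:30", "192.0.2.7", "drop"),
    ("2024-01-01 10:00:40", "192.0.2.7", "drop"),
    ("2024-01-01 10:00:50", "192.0.2.7", "drop"),
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def detect_events(logs, threshold, window_seconds, exceptions=frozenset()):
    """Model of the 'more than X logs over Y seconds' rule, evaluated per source.

    A sliding window of log timestamps is kept for each source. When the window
    holds more than `threshold` logs, one event is emitted and the window is
    reset so that a single burst yields a single event. Sources listed in
    `exceptions` are skipped, which models the Exceptions element.
    """
    windows = {}
    events = []
    for ts_str, source, _action in sorted(logs, key=lambda entry: entry[0]):
        if source in exceptions:
            continue
        ts = datetime.strptime(ts_str, TS_FORMAT)
        window = windows.setdefault(source, deque())
        window.append(ts)
        # Discard timestamps older than Y seconds relative to the newest log.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold:
            events.append({"source": source, "time": ts_str, "count": len(window)})
            window.clear()
    return events


if __name__ == "__main__":
    for x, y in ((5, 10), (5, 60), (10, 60)):
        hits = detect_events(SAMPLE_LOGS, threshold=x, window_seconds=y)
        print(f"more than X={x} logs over Y={y}s -> {[e['source'] for e in hits]}")
```

With X=5 and Y=10 only the bursting source fires; widening Y to 60 lets the slow source accumulate enough logs to fire as well, and raising X to 10 silences both. Tuning a real Event Definition works the same way: pick X and Y so that the rate you consider malicious crosses the line while background noise does not.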

Severity

To modify the severity of an event, select a severity level from the drop-down list.

If the event is based on Threat Prevention logs, the event gets the severity from the protection type, not from the severity configured here.

To override the severity:

  1. Go to SmartEvent > Policy.

  2. Right-click an event and select Properties.

    The Edit Event Definition window opens.

  3. In the Event Format tab, select Determine event's display name and severity from event logs.