Creating a User-Defined Event
To create new Event Definitions, right-click an existing Event Definition, or use the Actions menu:
| Right Click | Actions Menu | Description |
|---|---|---|
| New | New Custom Event | Launches the Event Definition Wizard, which lets you choose how to base the event: on an existing Event Definition, or from scratch. |
| Save As | Save Event As | Creates an Event Definition based on the properties of the highlighted Event Definition. When you select Save As, the system prompts you to save the selected Event Definition with a new name for later editing. Save As can also be accessed from the Properties window. |
All User Defined Events are saved at Policy tab > Event Policy > User Defined Events. When an Event Definition exists it can be modified through the Properties window, available by right-click and from the Actions menu.
Creating a New Event Definition
You can edit all events, not only user-defined events. If you change a predefined event, the result is saved as a new user-defined event.
To create a new event definition:
- From the Actions menu, select New Custom Event. The Event Definition Wizard opens.
- For Create an event:
  - Select the option to base the event on an existing event.
  - Select an event whose properties are equivalent to those of the event you want to create.
  - Click Next.
- Name the Event Definition, enter a Description, and select a Severity level. Click Next.
- Set which of these options generates the event:
  - A single log - A single log is often enough to depict an event, such as a log from a virus scanner that reports that a virus has been found.
  - Multiple logs - Required if the event can only be identified from a combination of multiple logs, such as a High Connection Rate.
  Click Next.
- Examine the products that can cause this event, then click Next.
- Optional: Edit the product filters:
  - If you added a product, you can edit the filters for each product (Edit all product filters) or only those of the products you added (Edit only newly selected product filters).
  - If you did not add other products, edit the filters of the existing products (Yes) or skip this step (No, Leave the original files).
  Click Next.
- Edit or add product filters for each log needed in the Event Definition filter:
  - Select the Log field from the available Log Fields list.
  - Click Add to edit the filter.
  - Select whether the filter matches on All Conditions or Any Conditions.
  - Double-click the Log field and select the values to use in the filter.
  Click Next.
- When the filters for each product are defined, set values for these options to define how logs are processed:
  - Detect the event when at least __ logs occurred over a period of __ seconds - Contains the event thresholds that define the event. Modify the thresholds by changing the number of logs, the period of time, or both.
  - Each event definition may have multiple Event Candidates existing simultaneously - Sets whether SmartEvent creates distinct Event Candidates based on a field (or set of fields) that you select below. Select the field(s) by which distinct Event Candidates will be created - Sets the field (or set of fields) used to differentiate between Event Candidates.
  - Use unique values of the __ field when counting logs - Directs SmartEvent to count unique values of the specified field when determining whether the Event Threshold has been reached. When this option is not selected, SmartEvent counts the total number of logs received.
- Click Finish.
Customizing a User-Defined Event
To customize a user-defined event:
- From the Policy tab > Event Policy > User Defined Events, right-click a User-Defined Event and select Properties.
- In the tabs provided, make the necessary changes:
  - Name - Name the Event Definition, enter a Description and select a Severity level. The text you enter in the Description field shows in the Event Description area (below the event's configurable properties).
  - Filter - To edit a product filter:
    - Select the product.
    - Select the Log field from the available Log Fields list.
    - If the field you need does not show, select Show more fields... to add it to the Log Fields list.
    - Click Add to edit the filter.
    - Select whether the filter matches on All Conditions or Any Conditions.
  - Count logs - This tab defines how SmartEvent counts logs related to this event:
    - A single log - A single log is often enough to depict an event, such as a log from a virus scanner that reports that a virus is found. With this option you can set the fields that are used to group logs into Event Candidates. Logs with matching values for these fields are added to the same event. For example, multiple logs that report a virus detected on the same source with the same virus name are combined into one event.
    - Multiple logs - Required for events that identify an activity level, such as a High Connection Rate. When the event is triggered by multiple logs, set the behavior of Event Candidates:
      - Detect the event when at least... - Set the Event Threshold that, when reached, indicates that an event has occurred.
      - Select the field(s) by which distinct event candidates will be created - An event is generated from logs with the same values in the fields specified here. To define how logs are grouped into Event Candidates, select the related fields here.
      - Use unique values of the ... - Only logs with unique values for the fields specified here are counted in the event candidate. For example, a port scan event counts logs that include unique scanned ports; logs for ports already encountered in the event candidate do not increment the log count.
  - Advanced - Define the keep-alive time for the event, and how often the SmartEvent Correlation Unit (the software component on a SmartEvent Server that analyzes logs and detects events) updates the SmartEvent Server (the dedicated Check Point server with the SmartEvent Software Blade enabled that hosts the events database) with new logs for the created event.
  - Event Format - When an event is generated, information about the event is presented in the Event Detail pane. This tab lets you specify which information is added to the detail pane and from which Log Field each item is taken. Clear a field in the Display column to omit it; that Event Field is then not populated.
  - GUI representation - All events can be configured. This tab lets you select which configuration parameters are shown:
    - The Threshold section shows the number of logs that must match to create the event. It is usually hidden for single-log events and shown for multiple-log events.
    - The Exclude section lets you specify the log fields that show when you add an event exclusion.
    - The Exception section lets you specify the log fields that show when you add an event exception.
- Click OK to save your changes.
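The Count Logs options described in the wizard and in the Count logs tab above (an event threshold over a time window, grouping fields that create distinct Event Candidates, unique-value counting, and the keep-alive during which later logs update an already generated event) are easier to reason about when you see the bookkeeping in code. The following Python is an added example written for this page; it is not Check Point's Correlation Unit or any SmartEvent API. The `EventDefinition` and `Correlator` classes, the log records and their field names, and the assumption that the window is measured from a candidate's first log and the keep-alive from its last log are all constructed for illustration.

```python
"""Toy correlation engine that mimics the Count Logs options of a SmartEvent
Event Definition. Added illustration code, not Check Point's engine: the window
and keep-alive semantics below are assumptions, not documented behaviour."""
from collections import defaultdict
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass
class EventDefinition:
    name: str
    severity: str
    conditions: dict                 # log field -> set of accepted values (the product filter)
    match_all: bool = True           # All Conditions (AND) versus Any Conditions (OR)
    threshold_logs: int = 1          # "Detect the event when at least __ logs occurred"
    window_seconds: int = 0          # "... over a period of __ seconds" (0 for single-log events)
    group_by: tuple = ()             # field(s) by which distinct Event Candidates are created
    unique_field: Optional[str] = None   # "Use unique values of the __ field when counting logs"
    keep_alive_seconds: int = 60     # Advanced tab: how long a generated event keeps absorbing logs

    def matches(self, log):
        hits = [log.get(f) in values for f, values in self.conditions.items()]
        return all(hits) if self.match_all else any(hits)


@dataclass
class Candidate:
    first_time: int
    last_time: int
    log_count: int = 0
    unique_values: set = field(default_factory=set)
    event: Optional[dict] = None     # set once the threshold is reached

    def count(self, definition):
        # With unique-value counting a repeated value does not increment the count.
        return len(self.unique_values) if definition.unique_field else self.log_count


class Correlator:
    def __init__(self, definitions):
        self.definitions = list(definitions)
        self.candidates = defaultdict(dict)   # definition name -> group key -> Candidate
        self.events = []

    def feed(self, log):
        """Process one log (a dict with at least a 'time' field) against every definition."""
        for d in self.definitions:
            if not d.matches(log):
                continue
            key = tuple(log.get(f) for f in d.group_by)
            cand = self.candidates[d.name].get(key)
            if cand is not None:
                # Assumption: an unfired candidate expires when its window passes; a fired one
                # stops absorbing logs once the keep-alive since its last log passes.
                if cand.event is None:
                    expired = log["time"] - cand.first_time > d.window_seconds
                else:
                    expired = log["time"] - cand.last_time > d.keep_alive_seconds
                if expired:
                    cand = None
            if cand is None:
                cand = Candidate(first_time=log["time"], last_time=log["time"])
                self.candidates[d.name][key] = cand
            cand.last_time = log["time"]
            cand.log_count += 1
            if d.unique_field:
                cand.unique_values.add(log.get(d.unique_field))
            if cand.event is not None:
                cand.event["logs"] = cand.log_count   # later logs update the open event
            elif cand.count(d) >= d.threshold_logs:
                cand.event = {"event": d.name, "severity": d.severity, "time": log["time"],
                              "key": dict(zip(d.group_by, key)), "logs": cand.log_count}
                self.events.append(cand.event)


def run(definitions, logs):
    """Feed logs in time order and return the generated events."""
    correlator = Correlator(definitions)
    for log in sorted(logs, key=lambda entry: entry["time"]):
        correlator.feed(log)
    return correlator.events


# Single-log event: every Anti-Virus detection is an event; repeated detections of the
# same virus on the same source are folded into one event while the keep-alive lasts.
VIRUS_DETECTED = EventDefinition(
    name="Virus Detected", severity="High",
    conditions={"product": {"Anti-Virus"}, "action": {"detect"}},
    threshold_logs=1, window_seconds=0, group_by=("src", "virus_name"))

# Multiple-log event: 3 or more distinct destination ports dropped from one source in 60 s.
PORT_SCAN = EventDefinition(
    name="Port Scan", severity="Medium",
    conditions={"product": {"Firewall"}, "action": {"drop"}},
    threshold_logs=3, window_seconds=60, group_by=("src",), unique_field="dst_port")

# Same definition without unique-value counting: a repeated port counts toward the threshold.
PORT_SCAN_COUNT_ALL = replace(PORT_SCAN, name="Port Scan (all logs)", unique_field=None)

# Constructed sample logs (not real Check Point output); 'time' is seconds from an arbitrary start.
SAMPLE_LOGS = [
    {"time": 0, "product": "Anti-Virus", "action": "detect", "src": "10.0.0.5", "virus_name": "EICAR-Test-File"},
    {"time": 1, "product": "Firewall", "action": "drop", "src": "10.0.0.7", "dst_port": 22},
    {"time": 2, "product": "Firewall", "action": "drop", "src": "10.0.0.7", "dst_port": 22},
    {"time": 3, "product": "Firewall", "action": "drop", "src": "10.0.0.7", "dst_port": 23},
    {"time": 4, "product": "Firewall", "action": "drop", "src": "10.0.0.7", "dst_port": 80},
    {"time": 5, "product": "Anti-Virus", "action": "detect", "src": "10.0.0.5", "virus_name": "EICAR-Test-File"},
    {"time": 6, "product": "Firewall", "action": "drop", "src": "10.0.0.8", "dst_port": 22},
    {"time": 7, "product": "Firewall", "action": "accept", "src": "10.0.0.7", "dst_port": 443},
    {"time": 10, "product": "Anti-Virus", "action": "detect", "src": "10.0.0.6", "virus_name": "EICAR-Test-File"},
]

if __name__ == "__main__":
    for event in run([VIRUS_DETECTED, PORT_SCAN], SAMPLE_LOGS):
        print(event)
```

Running it yields three events: one Virus Detected event for 10.0.0.5 that absorbs the second detection (logs = 2), a Port Scan for 10.0.0.7 that fires on the fourth log because the repeated port 22 is not counted twice, and a separate Virus Detected event for 10.0.0.6. Swapping in `PORT_SCAN_COUNT_ALL` fires the scan one log earlier, which is the difference the "Use unique values" option makes in practice.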