PhoneBoy
Admin

Security Visibility Best Practices with SmartEvent

In this TechTalk, Kfir Dadosh and Oren Koren will demonstrate how to leverage SmartEvent to improve visibility of security events occurring in your Check Point environment!

Topics include:

  • Architecture overview
  • How to build custom SmartEvent Reports
  • Upcoming SmartEvent features

Slides: https://community.checkpoint.com/docs/DOC-2795 

Q&A that we did not get to live will be answered as comments below.

Video of session below will be visible to CheckMates members who are logged in.

17 Replies
Kim_Moberg
Advisor

A fantastic webinar that should get one started with SmartEvent.

Just a question

Does anyone have a favorite SmartView query for R80.10?

Thanks to Oren, I am working with three views in SmartLog where I filter out the most important Anti-Bot, Anti-Virus and IPS events. Those I am trying to work with in SmartView. One needs to ask the right question for what the view should answer, and it is actually here that I would ask if anyone has a favorite query and diagram which explain those questions.

Looking forward to a webinar about sizing the SmartEvent log server(s). 🙂

Thanks

Best Regards
Kim
Oren_Koren
Employee Alumnus

Hey Kim :)

I will be the first with a simple one :)

The business question: did someone do reconnaissance on my network?

The basic query:

Blade:ips AND ("Scanner Enforcement Violation") - this query will give us ONLY the basic scanners on the network (not including the vulnerability scanners like 'Muieblackcat PHP Scanner' and others)

  • Blade was queried as an indexed field (I used parentheses)
  • Inside the parentheses I queried with apostrophes ("text space text"), like in a free text field.

I used the apostrophes because the query can be changed and you can add different protections or 'Enforcement violation' families.

Blade:ips AND ("Scanner Enforcement Violation" OR "Muieblackcat PHP Scanner") - will give us both scanners & the Muieblackcat vulnerability scanner.

And what we would do with it in SmartView:

  • Create a new View
  • Add the query as the top query
  • Create the following widgets:
    • Timeline of reconnaissance (divided by action [detect/prevent])
    • Top scanners (by source field) - find the ones who really try to learn your network
    • Top scanned servers (by destination field) - should all the servers you see be exposed to the world?
    • Top protections - understand the method of the attacker.

You will choose the widgets you should use (graph, pie, text, table, etc.)

As said in the TechTalk - find the business questions you want to have an answer to.

(What is the daily work you need to do? What is the need from management? What is the most interesting thing for you? etc.) Based on those questions, build a view/report.

Oren
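The reconnaissance query and the four widgets from the post above, run over a handful of constructed IPS records so the numbers a view would show can be checked by hand. This is an added example, not part of Oren's post and not Check Point code: the query grammar it accepts (field:value for an indexed field, a quoted phrase as free text matched against every field, AND/OR/NOT with parentheses, adjacent terms implicitly ANDed) and the record field names are assumptions that approximate the SmartLog search syntax, not its real implementation.

```python
# Added example (not from the thread or Check Point): evaluate a SmartLog-style
# query over constructed IPS records and build the post's four widgets.
import re
from collections import Counter

# Constructed records; field names and values are assumptions, not real log output.
FIELDS = ("time", "blade", "action", "src", "dst", "protection")
SAMPLE_LOGS = [dict(zip(FIELDS, row)) for row in [
    ("2017-10-03 09:01", "IPS", "Detect", "198.51.100.7", "203.0.113.10", "Scanner Enforcement Violation"),
    ("2017-10-03 09:02", "IPS", "Prevent", "198.51.100.7", "203.0.113.11", "Scanner Enforcement Violation"),
    ("2017-10-03 10:15", "IPS", "Prevent", "198.51.100.9", "203.0.113.10", "Muieblackcat PHP Scanner"),
    ("2017-10-03 11:40", "IPS", "Detect", "198.51.100.7", "203.0.113.12", "Scanner Enforcement Violation"),
    # same protection text on another blade: the indexed Blade:ips term must drop it
    ("2017-10-03 11:41", "Anti-Bot", "Prevent", "10.1.1.5", "203.0.113.10", "Scanner Enforcement Violation"),
    # IPS hit that is not a scanner: the quoted phrase must drop it
    ("2017-10-03 12:00", "IPS", "Prevent", "198.51.100.9", "203.0.113.10", "SQL Injection"),
]]

# Tokens: ( ) "quoted phrase" AND OR NOT field:value bare-word; adjacent terms are ANDed.
TOKEN = re.compile(r'\s*(?:(\()|(\))|"([^"]*)"|(AND|OR|NOT)\b|([A-Za-z_]+):([^\s()]+)|([^\s()]+))')

def tokenize(query):
    tokens, pos = [], 0
    while True:
        m = TOKEN.match(query, pos)
        if not m:
            return tokens
        pos = m.end()
        if m.group(1) or m.group(2) or m.group(4):
            tokens.append((m.group(1) or m.group(2) or m.group(4), None))
        elif m.group(5):
            tokens.append(("field", (m.group(5).lower(), m.group(6))))
        else:
            tokens.append(("phrase", m.group(3) if m.group(3) is not None else m.group(7)))

class Parser:
    """or := and (OR and)*;  and := unary (AND? unary)*;  unary := NOT unary | (or) | term"""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None
    def parse(self):
        tree = self.or_expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % (self.toks[self.i],))
        return tree
    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.i += 1
            node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.unary()
        while self.peek() in ("AND", "NOT", "(", "field", "phrase"):
            if self.peek() == "AND":
                self.i += 1
            node = ("and", node, self.unary())
        return node
    def unary(self):
        kind = self.peek()
        if kind == "NOT":
            self.i += 1
            return ("not", self.unary())
        if kind == "(":
            self.i += 1
            node = self.or_expr()
            if self.peek() != ")":
                raise ValueError("missing closing parenthesis")
            self.i += 1
            return node
        if kind in ("field", "phrase"):
            self.i += 1
            return self.toks[self.i - 1]
        raise ValueError("expected a term, got %r" % (kind,))

def matches(node, rec):
    kind, arg = node[0], node[1:]
    if kind == "and":
        return all(matches(child, rec) for child in arg)
    if kind == "or":
        return any(matches(child, rec) for child in arg)
    if kind == "not":
        return not matches(arg[0], rec)
    if kind == "phrase":  # free text: case-insensitive substring of any field value
        return any(arg[0].lower() in str(v).lower() for v in rec.values())
    field, wanted = arg[0]  # indexed field: case-insensitive exact match
    return str(rec.get(field, "")).lower() == wanted.lower()

def build_view(logs, query, top_n=5):
    """Run the query and return the post's four widgets as plain data."""
    tree = Parser(tokenize(query)).parse()
    hits = [r for r in logs if matches(tree, r)]
    timeline = Counter((r["time"][:13], r["action"]) for r in hits)  # hour bucket x action
    return {
        "matched": len(hits),
        "timeline": sorted(timeline.items()),
        "top_sources": Counter(r["src"] for r in hits).most_common(top_n),
        "top_destinations": Counter(r["dst"] for r in hits).most_common(top_n),
        "top_protections": Counter(r["protection"] for r in hits).most_common(top_n),
    }

SCANNERS_ONLY = 'Blade:ips AND ("Scanner Enforcement Violation")'
SCANNERS_AND_MUIEBLACKCAT = 'Blade:ips AND ("Scanner Enforcement Violation" OR "Muieblackcat PHP Scanner")'
```

`build_view(SAMPLE_LOGS, SCANNERS_AND_MUIEBLACKCAT)` returns the timeline and the three top-N lists as plain Python data. The two negative records in the sample are there to show the point the post makes about mixing an indexed field with free text: the phrase alone would also pull in the Anti-Bot record (it matches any field), so the indexed Blade:ips term is what keeps the view to IPS, and the phrase is what keeps it to scanners rather than every IPS hit.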

PhoneBoy
Admin

Here are some of the questions asked during the Q&A that we did not get to in the session.

Note that many similar questions were summarized.

Additional Q&A will be posted over the coming days.

Is the SmartEvent "Policy" still valid/needed? Up until R77.30 we could select what events should be taken into consideration. To my surprise, in R80.10, it looks like most selectable types are deselected "out-of-the-box". So, should we add types? Or is the policy ignored in R80.10?

Yes, the Event Policy is still used and you may select those predefined events if you wish to look for them in your environment.

How can I use SmartEvent to correlate windows logs and take action and alert?

First, the Windows logs must be imported into SmartEvent, using the WinEventToCPLog tool.

Once you've done that, you can create events based on them.

In the SmartEvent client, go to Actions > New Custom Event

As you step through the Wizard, one of the Product options is Windows OS.

The options you can create events on are below.

What is the difference between logs that go directly to the Solr DB and logs that go through the Correlation Unit?

It boils down to the level of classification that is required for a given log entry. 

Basic firewall/access control logs require correlating multiple log entries to be classified as an event.

Logs that go through other blades are generally already classified and can go directly to the Solr DB. 

Is the Solr DB accessible for external API calls? If so where is the documentation for that?

Not currently, but it's something we can look at for a future release.

Will/can non-admins be able to create a customized query/report?

Yes, this is already possible.

My organization is still in R80 rollout phase, we have Management server at R80.10 along with around 10% of the security gateway. Log server and bulk of the appliances are still at R77.30. Do we need to have everything at R80.10 to get the full benefits of SmartEvent?

Yes, you can leverage the full benefit on SmartEvent. Your gateways do not have to be at R80.10.

Can SmartEvent produce reports on Rule Use within a Gateway Policy?

Yes, this was covered in a previous CheckMates thread: R80 SmartReporter : how to do a report "rule base analysis"? is it possible ? 

Can we use SmartEvent to analyse logs from 3rd party vendors (FW/Routers/Switches etc.)?

While not its primary purpose, SmartEvent does support logs from other vendors.

You can see a complete list when you create a new custom event as described above.

Is SmartEvent an additional purchase/license?

It depends on what appliances or licenses you have. Please check with your Check Point account team or partner.

I notice within my views that some of the numbers don't line up; they seem low in counts. An example is "General Overview" on the Firewall blade. With a 7-day filter it says 355K for the log value. I know that I have millions of entries daily. Is there some limitation in the background collection?

Note that many log entries are summarized into sessions by default, which may account for this difference. 

Up to R77.30, customer needed separate license for SmartEvent and SmartReporter. Is it the same in R80+?

SmartReporter was deprecated in R80 and above. All reporting capabilities should now be done with SmartEvent. 

Can custom views or widgets be exported as a template?

In the view you have created, click on Options and select Export Template.

Can your presented views afterwards be distributed on the community to import on own environments?

As noted during the presentation, the view shown in the presentation is undergoing additional testing now.

It will be provided on CheckMates at a later date. 

Garrett_DirSec
Advisor

Thanks for the great session. I wanted to repeat (ditto) the topic about a "best practices" guide.

Garrett_DirSec
Advisor

Thanks for the posted Q&A. I posed a question that was missed:

The new HTML5 web interface is FANTASTIC. Great work to the CP engineers on this.

Do you see the thick client Analyzer.exe being deprecated?

Along this same line of reasoning, with the great HTML results on display in SmartView, do you foresee any other portions of the Console thick client becoming exclusively web-based?

I suggest there may be a huge audience to support this move.

thanks -GA

PhoneBoy
Admin

We got a ton of questions, and I hadn't gotten to them all yet, including this one :)

I know that we are looking to expose more SmartEvent and SmartLog-type data through web-friendly interfaces.

Whether that ultimately translates to completely eliminating Analyzer.exe, SmartConsole, and the like, I can't say for sure. 

Gary_Lipets
Participant

We probably should have a thread similar to "top 3 CLI commands" for SmartEvent: your top SmartEvent queries.

PhoneBoy
Admin

That is actually an excellent idea :)

PhoneBoy
Admin

More of the Q&A.

You guys had a LOT of questions :)

For SmartEvent to know if I opened the mail / accessed the link in the mail, do I need the EPM clients?

Not necessarily, as the other software blades can see the activity. 

If you do use our Endpoint solutions (e.g. SandBlast Agent), that activity can also be correlated with the Network-based solutions.

To get the "users received malicious mail" logs, do I have to relay email via the firewall and enable MTA?

When used in MTA mode, Threat Emulation and Extraction can prevent end users from receiving the malicious mail in the first place.

When MTA is not in use, it is still possible to see (and report on) the malicious activity in email.

Is it possible to use this based on domain and then set viewers (users) to see only the events/reports for their domain?

Generally speaking, yes, though there are a few limitations, as discussed here: SmartEvent in mixed multi domain environment 

Is all this only available on R80.10? Or can this GUI be populated from an R77.30 version?

What we're showing here is on R80.10 Management.

While we strongly recommend upgrading your management to R80.10 to leverage the full benefits, you can integrate R80.10 SmartEvent with R77.30 Management. 

Refer to: How to configure an R80/R80.10 SmartEvent Server with an R77.x Security Management 

Hi, will be (already is?) possible to use the objects in the SmartView to filter the reports, views....?

SmartView won't necessarily auto-complete the object names like SmartConsole will in search queries, but yes, you can use object names.

If we don't use AD integration, will SmartEvent show 82 hosts received malicious mail?

Identity Awareness will provide more context if it is used.

Even without this, it's possible to count (by number of IPs) the number of infected hosts.

What would cause an external public IP address, not owned by us to show up in our dashboard as an infected host with bots?

It could point to a misconfiguration or a possible asymmetric traffic condition. 

Recommend engaging with the TAC for further troubleshooting: Contact Support | Check Point Software 

Can we resize the height & width of a custom widget?

All widgets are resizable. 

We have issue with Auto-Update feature for SmartEvent views, every time we need to manually refresh to reflect the latest statistics. Is there any solution?

It's a known limitation that we plan to address in later releases.

Is there an auto-rotate feature between different views?

Not currently.

Can we send mobile device security logs to SmartEvent? or only gateway logs?

SandBlast Mobile logs can be sent to SmartEvent using syslog.

Further integration is planned in later releases.

Please show how alerting to a cellular phone is configured.

While not an officially supported function, a fellow CheckMates member has figured out how to do this.

Refer to: iPhone Real-time Push notification on SmartEvent

Have any performance/sizing tests been done to help understand scalability and platform requirements?

Yes, and tests are ongoing in this area to ensure our recommendations will provide optimal experience.

We also plan to do a TechTalk on this exact topic at a later date. 

Is it best practice for SmartEvent to be on the same system as the Security Management or on a separate machine?

For smaller environments (with a few gateways), it is fine for SmartEvent and Security Management to be on the same system, provided it meets the minimum hardware requirements.

For medium to larger environments, these should be separated.

For multi-domain environments, SmartEvent needs to be on a dedicated appliance.

Is it possible to exclude some networks from all reports and views in general? Or do I have to define a filter for every report and view?

In R77.30 and earlier, if you don't want events to be correlated for specific hosts (and thus not show in reports or views), you can exclude them in the Event Policy.

In R80.x, you will have to define a filter for every report and view as Global Exclusions only apply to traffic processed by the Correlation Unit (CU) and R80.x only uses CUs for firewall logs.

Do we have predefined templates apart from customization?

When you click on the +, you can see a number of pre-defined views and reports.

You can open one of these or clone it to customize as desired.

More Q&A is coming, stay tuned!

PhoneBoy
Admin

More Q&A (corrected a few of the answers, also):

I have a problem with my 1400 in SmartEvent. When I query for drops, I do not see the drops from them (R80.10 Management, 1400 with R77.20). Is this problem known?

Firewall Session correlation needs to be enabled in the SmartEvent Policy.

In which cases is Correlation Unit needed or recommended?

In R80+, it is only needed when you want Firewall (not other blade) logs to be correlated for the sake of reporting as well as creating correlated events such as “port scanning” “simultaneous login”, etc.

Are the custom views/reports available to all local users or are they pinned to the user who created them?

Currently they are specific to the user who created them. We do plan to add a feature that will allow sharing reports/views with all administrators.

Can you import a report into R80.10 SmartEvent that was exported from SmartEvent NGSE?

Provided the report is exported from latest NGSE 005 and above, it should be possible. 

Is there a SK teaching how to create a template for the reports? For example to create a report in another language.

Not that I'm aware of. 

However, we already have localized all the predefined reports to many languages.

To create a localized version of your report, just change your locale, and edit the report.
All changes will be saved to the localized version.

Is it possible to export to HTML format ?

Not currently.

Can you consider allowing a comment to be entered for a schedule? Because if you want one report to be sent multiple times with different filters, you cannot tell them apart in the "Scheduled" list view.

This feature has already been added to a recent R80.10 Jumbo Hotfix.

Regarding scheduled reports, have we fixed the reporting for monthly reports, to be able to run a report on the 1st of the month, for last month? In the past we weren't able to do that AFAIK.

You should be able to set the report to "Last Month."

If you're still having issues, please check with the TAC.

Kfir_Dadosh
Collaborator

More Q & A:

Is there any way to create a repository for SmartView reports to share between colleagues? (outside of exporting and importing reports through SmartConsole)

Currently not. We are working on a new feature to allow sharing views and reports between ALL colleagues. This would also share the generated PDFs of these shared reports between all admins.

Can I control access / data range based on site or department per users?

We have a customer hotfix which allows limiting certain views/reports to specific users based on AD groups.
It is also possible to block the catalog and edit mode, and to add predefined filters for these users.

Please contact me through email if you want to get this HotFix.

Can I narrow down a rule that is open too wide (e.g. rule 10.x/8 to the internet to 10.10.10.0/24 to on https)?

You can do it manually. Open the logs lower panel below the rulebase and select the specific rule.

Filter out the subnets and services you see until there are no logs - "NOT src:10.15.0.0/16 NOT src:10.26.0.0/16 NOT service:https". These are the actual services and subnets that are in use.

Are there any widgets with the status of the S2S VPN?

Currently not.

Is it possible to customize the title page of a SmartEvent report e.g. to add a customer logo?

Yes, it is possible. To change the title, just edit the report, click the title to edit, and change it.

To add a company logo, check out the SmartEvent admin guide - Views and Reports 

Where are the view/report queries stored? Would they be lost after upgrading SmartConsole?

Views and Reports settings are stored on the server, and thus will survive upgrade of both SmartConsole and the server itself.

What is the danger of adding custom views right now, in R80.10, to interfere (negatively) in later upgrades?

No danger at all. This is the main functionality of SmartView, and you are encouraged to create new views and reports.

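The rule-narrowing procedure Kfir describes (exclude the observed subnets and services from the rule's log panel until nothing is left; what you excluded is what the rule actually needs), as an added example that is not part of the thread and not Check Point tooling. The log records, the rule number and the /8-to-Internet starting rule are constructed; the prefix length to aggregate sources to is a judgement call, so it is a parameter rather than a fixed /16.

```python
# Added example (not from the thread or Check Point): derive a narrowed rule from
# the logs that hit an over-broad one, and check that nothing observed falls outside it.
import ipaddress
from collections import Counter

# Constructed hits on rule 10 (assumed: src 10.0.0.0/8 -> Internet, service Any).
RULE_10_LOGS = [
    {"rule": 10, "src": "10.15.4.20",  "service": "https"},
    {"rule": 10, "src": "10.15.4.21",  "service": "https"},
    {"rule": 10, "src": "10.15.9.7",   "service": "https"},
    {"rule": 10, "src": "10.26.1.100", "service": "https"},
    {"rule": 10, "src": "10.26.1.101", "service": "dns"},
    {"rule": 11, "src": "10.99.0.5",   "service": "smtp"},  # other rule, ignored
]

def narrow_rule(logs, rule, prefix_len=24):
    """Aggregate observed sources to prefix_len networks and count observed services.
    Returns (networks, services, hit_count); adjacent prefixes are collapsed."""
    hits = [r for r in logs if r["rule"] == rule]
    nets = {ipaddress.ip_network("%s/%d" % (r["src"], prefix_len), strict=False) for r in hits}
    networks = list(ipaddress.collapse_addresses(sorted(nets)))
    services = Counter(r["service"] for r in hits)
    return networks, services, len(hits)

def uncovered(logs, rule, networks, services):
    """Records the narrowed rule (src in networks AND service in services) would no
    longer match. An empty list means every observed hit is still covered."""
    return [r for r in logs if r["rule"] == rule and not (
        any(ipaddress.ip_address(r["src"]) in n for n in networks)
        and r["service"] in services)]

def proposed_rule(rule, networks, services):
    """Human-readable summary of the narrowed rule."""
    return "rule %d: src %s; service %s" % (
        rule, ", ".join(str(n) for n in networks), ", ".join(sorted(services)))

if __name__ == "__main__":
    nets, svcs, count = narrow_rule(RULE_10_LOGS, 10, prefix_len=16)
    print(proposed_rule(10, nets, svcs), "from", count, "hits")
    print("left uncovered:", uncovered(RULE_10_LOGS, 10, nets, svcs))
```

Two caveats before pushing the narrowed rule. First, the proposal only covers what was logged in the window you queried; a monthly batch job or a DR test that did not run in that window will not be in it, so widen the window or stage the narrowed rule above the broad one with logging and watch the broad rule's hit count drop to zero before removing it. Second, the post's chain of NOT src:... NOT service:... filters hides a record when either its source or its service was excluded, which is weaker than what the tightened rule will enforce; uncovered() requires both the source and the service to match, which is the condition the rule will actually apply.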
Eric_Oakeson
Employee Alumnus

For someone used to SmartReporter in R77, are there any plans to have those Predefined reports be moved into R80.10?

PhoneBoy
Admin

I believe some of those pre-defined reports will be brought back to R80.20 

Garrett_DirSec
Advisor

R77.30 SmartReporter reports in R80.xx SME is GREAT NEWS. The SmartReporter customers we had that did NGSE EA and R80.10 SmartEvent have consistently asked the same question: where are the SmartReporter templates? Especially the VPN usage report, which is basically impossible to assemble with NGSE and R80.10 SmartEvent.

-GA

PhoneBoy
Admin

Also, some of the predefined views from R77.30 are expected to be in R80.20.

Are there particular SmartReporter reports you or your customers are interested in?

Aside from the VPN usage report you mentioned already :)

Garrett_DirSec
Advisor

Hello, and thanks for the quick response. It was such a big topic months (years?) ago; I'll have to check with customers about a "wish list...". Thanks.

Haichao_Xie
Employee Alumnus

good one!
