I've been asked to set up an alert on traffic (even a single incident) that is prevented from an internal IP -> DMZ. This seems easy, but is not possible with Smart Event. It's rare that this traffic would be correlated, the PREVENT just shows up as a single log - type NOT correlated. THUS, the alert doesn't fire. Does anyone know if there is a way?
Creating Event Definitions (User Defined Events) - page 56 of the R77 SmartEvent guide (I'm on R80.30, but this has the best documentation on user defined events). To create a user-defined event you must have knowledge of the method by which SmartEvent identifies events. This section starts with a high level overview of how logs are analyzed to conclude if an event occurs or occurred.
When you create a user defined event, there is a COUNT LOGS tab and inside a radio button 'single log'; this needs to be updated to say 'single correlated log' for accuracy.
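As an added illustration of the rule the thread is asking for (a single prevented log from an internal address to the DMZ should raise an alert on its own, with no correlation step), here is a small Python script that applies exactly that test to log lines. It is not from the thread and not Check Point code: the network ranges, the key=value log layout and the sample lines are all constructed assumptions, so the parser would need to be adapted to whatever export format is actually fed to it.

```python
"""Single-log alert: fire on the first Prevent from an internal net to the DMZ.

Added example, not part of the forum thread and not Check Point code.
Network ranges, the key=value log layout and the sample lines are assumed.
"""
import ipaddress
import shlex

# Assumed network layout (hypothetical values; adjust to your environment).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
DMZ_NETS = [ipaddress.ip_network("172.16.10.0/24")]

# Only "Prevent" is named in the thread; add Drop/Reject here if those
# should raise the same alert in your deployment.
PREVENT_ACTIONS = {"Prevent"}

# Constructed sample lines in a simple key=value layout (not the exact
# Check Point export format; adapt parse_log_line to the real one).
SAMPLE_LOGS = [
    'time="2024-01-10 09:00:01" action=Accept src=10.1.2.3 dst=172.16.10.5 service=tcp/443 blade=Firewall',
    'time="2024-01-10 09:00:07" action=Prevent src=10.1.2.3 dst=172.16.10.5 service=tcp/445 blade=IPS',
    'time="2024-01-10 09:00:09" action=Prevent src=203.0.113.9 dst=172.16.10.5 service=tcp/445 blade=IPS',
    'time="2024-01-10 09:00:11" action=Prevent src=10.1.2.3 dst=10.9.9.9 service=tcp/445 blade=IPS',
    'time="2024-01-10 09:00:12" action=Prevent src=10.1.2.3 dst=not-an-ip service=tcp/445 blade=IPS',
]


def parse_log_line(line):
    """Split one key=value line into a dict; quoted values stay whole."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def in_any(ip_text, nets):
    """True if ip_text parses as an address inside any of the given networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # Malformed or missing address fields never match; they are not
        # silently treated as internal or DMZ.
        return False
    return any(ip in net for net in nets)


def is_internal_to_dmz_prevent(rec):
    """The single-log condition: prevented, internal source, DMZ destination."""
    return (rec.get("action") in PREVENT_ACTIONS
            and in_any(rec.get("src", ""), INTERNAL_NETS)
            and in_any(rec.get("dst", ""), DMZ_NETS))


def scan(lines):
    """Return one alert per matching line; the first hit already fires,
    no count threshold and no correlation window is involved."""
    alerts = []
    for line in lines:
        rec = parse_log_line(line)
        if is_internal_to_dmz_prevent(rec):
            alerts.append({"time": rec.get("time"), "src": rec["src"],
                           "dst": rec["dst"], "service": rec.get("service"),
                           "blade": rec.get("blade")})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print("ALERT internal->DMZ prevent:", alert)
```

Run against the constructed sample, only the second line matches: the Accept is ignored, the external source and the non-DMZ destination fall outside the ranges, and the malformed destination is rejected by the address parser rather than matched by accident. Feeding exported logs through a script like this is one way to get the single-log behaviour while the SmartEvent event definition itself still requires a correlated log.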