Hey Danny,
Please see answers below:
- Q: Will I receive an immediate notification about this? This is critical as a malicious file was successfully downloaded.
- A: Notification will not be sent by default, see next answer for instructions on how to configure such a notification.
(A Detect log will be generated with a reason for file passing (GW is configured as Rapid delivery).)
- Q: Is an event being generated? How do I know about this?
- A: In order to get a notification, we can create a custom event in SmartEvent. It will be created and will send a notification when a log with action Detect and verdict Malicious is created by Threat Emulation:
- Open SmartConsole and go to Logs and Monitor view
- Open New Tab
- At the bottom-left side menu click on:
![Shiran_Benatar_0-1608113281974.png Shiran_Benatar_0-1608113281974.png](https://community.checkpoint.com/t5/image/serverpage/image-id/9762i5D30DE87D927A56C/image-size/medium?v=v2&px=400)
- SmartEvent GUI will be opened
- Go to Legacy – ThreatPrevention – Right click on ThreatEmulation and configure the conditions as follows:
![Shiran_Benatar_1-1608104135620.png Shiran_Benatar_1-1608104135620.png](https://community.checkpoint.com/t5/image/serverpage/image-id/9755i0EE64A155E27D09C/image-size/medium?v=v2&px=400)
Click on Save as
After creating this event, you can configure an automatic reaction (for more details please refer to the Logging and Monitoring admin guide: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/To...)
- Q: Which SmartEvent view would allow me to check how many times such situations occurred within the last 30 days?
- A: I have created a view for this purpose (attached). In this view you’ll be able to see all files that were detected with verdict malicious (you can also use the same filter in log search – Blade:ThreatEmulation AND verdict: Malicious and action: Detect).
The view contains a table with source, destination, filename, Severity, Confidence Level, and you can add/remove other fields according to environment needs.
Hope I was able to assist.
Let me know if further information is required.
Have a nice day,
Shiran
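
The filter from the last answer (Blade:ThreatEmulation AND verdict: Malicious and action: Detect), applied offline to exported log records and limited to the last 30 days, as an added example that is not part of the original post or Check Point's own tooling. The JSON-lines layout and field names are assumptions, and the sample records are constructed.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export, one JSON record per line. Field names are
# assumptions for illustration, not a documented Check Point schema.
SAMPLE_LOGS = """\
{"time":"2020-12-10T09:14:00+00:00","blade":"Threat Emulation","action":"Detect","verdict":"Malicious","src":"10.1.1.20","dst":"203.0.113.7","file_name":"invoice.doc","severity":"High","confidence_level":"High"}
{"time":"2020-12-11T11:02:00+00:00","blade":"Threat Emulation","action":"Prevent","verdict":"Malicious","src":"10.1.1.21","dst":"203.0.113.7","file_name":"invoice.doc","severity":"High","confidence_level":"High"}
{"time":"2020-12-12T08:30:00+00:00","blade":"Threat Emulation","action":"Detect","verdict":"Benign","src":"10.1.1.20","dst":"198.51.100.4","file_name":"report.pdf","severity":"Low","confidence_level":"High"}
{"time":"2020-12-14T16:45:00+00:00","blade":"threat emulation","action":"detect","verdict":"malicious","src":"10.1.1.20","dst":"198.51.100.9","file_name":"setup.exe","severity":"Critical","confidence_level":"Medium"}
{"time":"2020-10-01T10:00:00+00:00","blade":"Threat Emulation","action":"Detect","verdict":"Malicious","src":"10.1.1.30","dst":"203.0.113.7","file_name":"old.xls","severity":"High","confidence_level":"High"}
{"time":"2020-12-15T10:00:00+00:00","blade":"Anti-Virus","action":"Detect","verdict":"Malicious","src":"10.1.1.40","dst":"203.0.113.7","file_name":"x.zip"}
not-json garbage line
"""

def _norm(value):
    """Lower-case and drop spaces so 'Threat Emulation' matches 'ThreatEmulation'."""
    return str(value or "").replace(" ", "").lower()

def delivered_malicious(lines, now, days=30):
    """Records matching Blade:ThreatEmulation AND verdict:Malicious AND action:Detect."""
    cutoff = now - timedelta(days=days)
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
            in_window = cutoff <= datetime.fromisoformat(rec["time"]) <= now
        except (ValueError, KeyError, TypeError):
            continue  # malformed line or unusable timestamp
        if (in_window
                and _norm(rec.get("blade")) == "threatemulation"
                and _norm(rec.get("verdict")) == "malicious"
                and _norm(rec.get("action")) == "detect"):
            hits.append(rec)
    return hits

def count_by_source(hits):
    """How many delivered-malicious detections each source host had."""
    return Counter(rec.get("src", "unknown") for rec in hits)

if __name__ == "__main__":
    now = datetime(2020, 12, 16, tzinfo=timezone.utc)  # fixed "now" for the sample
    hits = delivered_malicious(SAMPLE_LOGS.splitlines(), now)
    for rec in hits:
        print(rec["time"], rec["src"], rec["dst"], rec["file_name"],
              rec.get("severity"), rec.get("confidence_level"))
    print(count_by_source(hits))
```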