Hi everyone,
R80.10 SmartEvent has a very capable engine for customized views and reports based on logs & audit logs. The front-end is called SmartView.
We want to use this community to share our customized dashboards and reports created with SmartView.
Let's have this thread as the main discussion of all custom reports - so that newcomers to SmartEvent will have one place with a repository of custom reports to choose from. I'm thinking of having this thread as the UI-equivalent of the highly popular My Top 3 Check Point CLI commands
Using SmartView for Change Management:
R80.10 SmartView works with logs as well as audit logs.
In this example, I created a new customized report to describe what were the changes that my administrators performed this week. I used the Cloud Demo Mode for the data.
Please unzip the attached file, and import the .cpr file to your SmartConsole.
I've noticed that the "Policies" and "Sessions" numbers in your report are identical to the ones in mine. I suspect this is incorrect.
If both of us used the Cloud Demo Mode which goes live with the same fake logs data then this makes sense.
Nope, run it in my lab.
I just want to view in the report who did the changes (delete object)?
Edit this widget and choose to add the column "Administrator".
Great share, thank you! I was starting to manually build this report when I decided to check out Checkmates.
I'm loving this report! Or at least I was, until I ran it.
Does anyone else use Section Titles? I do. Lots of them. Every time a section title is "expanded" or "collapsed" it is recorded as a Modify Object in the audit log (pointless, I know).
I can filter these out in SmartView Tracker, but I can't seem to get rid of them in this report. I end up with the example below, instead of Tomer's pretty results.
To share:
1. Export your view or report, either within SmartConsole or from your web browser by clicking here:
2. Open a new tab
3. Navigate to Scheduled Reports-->Archive
4. Find your exported view or report in the list and choose "Download". Save this .cpr file on your computer
5. Now go back to the CheckMates Community and choose to post a new file.
By default, a posted file is a thread of its own, and other users can comment on it. You can choose whether you want to keep these settings, or lock users
In the next steps, we will make sure that we don't get lost by pointing the file to this thread rather than a thread per file.
6. For the clarity of things, you can rename the name of the posted file and add some comments, most importantly - make sure that you post this file under Logs & Monitor.
7. In order to avoid confusion, let's have this thread as the main discussion of all custom reports - so that newcomers to SmartEvent will have one place with a repository of custom reports to choose from. I'm thinking of having this thread as the UI-equivalent of the highly popular My Top 3 Check Point CLI commands
Do this by restricting users from commenting on the topic that was opened for your newly-uploaded file:
8. OK - you have your file posted, now reply in this thread with the link, and add a nice screenshot.
To import a shared file:
In SmartConsole or in your browser, open a new SmartView tab, and choose "Import".
Please note that imported views will appear at the Views page and imported reports will appear at the Reports page. So you may end up importing a report file at Views only to find out it went to the Reports page.
Nice work, thanks for sharing. Trying to set up this report for multidomain at the moment.
Silly Q: in MDS case what are actual SmartEvent license requirements? Is it per CMA?
A SmartEvent license is required for using SmartView, and if I am correct it is not relative to the CMA as long as you activate the CMA in the SmartEvent, of course.
In an MDS environment, I believe you have to run SmartEvent on a separate server entirely.
It's licensed based on number of gateways.
That said, I believe SmartView should work without a SmartEvent license since it is also a log viewer.
SmartEvent is global and so is the license.
Make sure to assign global policy from MDS and connect to the MDS or CMA IP.
Tomer,
Thank you for sharing and I intend to do the same, should I come up with something worthy :)
Can you suggest how to configure report for the Remote Access duration summary and per user filtered over time?
Tomer,
Awesome idea. What is the intention of the report? What time frame should be used here?
I mean, I understand the report intention is to track all changes made.
I have imported your report, but the 3rd page doesn't show all changes. For example, if I generate one report from January 1st until today, I know that I made a lot of changes, and the result on page 3 doesn't show all the changes.
Is your intention to generate this kind of report on a weekly basis, or what is the acceptable timeline for this report?
Kim
Reports are generated weekly.
I am trying to use some parts of your report and some views from a view called cyber kill view made by a colleague of yours. It is a view based on Lockheed Martin's Cyber Kill Chain.
So combined with your change mgmt / Audit logs I might be able to generate a weekly report.
When I ran the report I only got three pages, but when I ran the report as a view I had a lot of entries on page 3.
Kim
I made this change to make 'Changes in each session' span multiple pages:
Options > Edit > View Settings > Split table across multiple pages with No page limit
Guys,
I feel like a complete schmuck: I cannot figure out how to create a report for the remote access activity with summary for all users and individual users' logon/logoff and duration.
Help?
Never mind, there is a bug in your widgets that prevents them from graphing the right stuff: the Duration is being measured in quantities of something, rather than time. Please kick it to RnD to take a look at. See https://community.checkpoint.com/thread/7343-buggy-widgets post for details.
Thank you,
Vladimir
Thank you Kiran!
I'll give it a shot next time I'm working with the client that has requested it and will let you know.
Tomer,
Is there now a dedicated repository with the custom views and reports?
I only see a few links in a few posts and no indications if any of the views were updated or changed over time.
Additionally, there were a few problems with some of the widgets that I've been told would be fixed in the future (the future is now) and there is no way to track any of it.
Thank you,
Vladimir
May I suggest Tomer edit the original post and provide there a list with links to each report/view? Another option is to create a category Imports and there only include posts with this category label.
Has anyone authored a report/view specific to Anti-virus/Anti-bot? I'm thinking of a breakdown of these events by numbers/timeline etc.:
Where would one begin to construct such?
TYIA
I was using SmartEvent 77.30 and I'm missing the main executive report. It had so much more interesting info than the default executive report on the 80.10.
Has anyone come up with a better one?
Mostly interested in AntiBot, Threat Emulation and Antivirus information