
In this article I want to talk about Check Point's SmartEvent product. This product complements and expands the capabilities of the Check Point Firewall, turning it into an effective tool that helps identify, recognize and handle information security incidents. Recently my colleague published an article about Check Point dashboards. Let's continue this topic and see how the SmartEvent blade works.
Check Point firewall software blades generate a huge variety of messages that are stored in the logging database. For the most part, these are messages about allowed and blocked connections; less often they are messages about the operation of IPS protection and other product blades. Information stored in the form of logs can be used to study and analyze security incidents, but it is extremely difficult to identify these incidents promptly on the basis of logs alone. First of all, because there are a lot of these logs. You can of course use filtering mechanisms, but you then need to know which filters reveal which incidents. The solution is to automate the log analysis process. It is precisely this task, automating the analysis of logs in order to identify security incidents, that SmartEvent solves.
Product architecture
Let's look at what parts SmartEvent product consists of and what functions these parts perform:

- Log Server - collects logs from various sources.
- Correlation Unit (CU) - reads records in real time from the current log file of the Log Server and analyzes them using the Correlation Policy, generating security events that it sends to the Event Server.
- Analyzer Server - downloads the Event Policy to the Correlation Unit, stores the security events received from the Correlation Unit in its database, and interacts with the Security Management Server to block the source of a threat on Check Point Security Gateways. It loads the necessary objects from the Security Management Server and provides data to the Reporting Server for generating reports.
- Analyzer Client - provides the management interface to the Event Server and displays the information collected on the Event Server in various views.
All three parts of the product can be deployed on a single hardware module or on different ones. SmartEvent can be purchased either as a software blade or as an appliance (Smart-1 SmartEvent).
Event policy
Immediately after deployment, SmartEvent has a set of built-in policies sufficient to detect a large number of security events. The policies are grouped.
To open the list of Event Policies for version R80.10, in the SmartConsole, in the Logs & Monitor section, open a new tab and select SmartEvent Settings & Policy at the bottom of the window. A new window will open with a list of policies. Active policies will be ticked.

To view the settings of the policy you are interested in, right-click on it and select Properties.

The policy has five tabs of properties. The first tab (Name) sets the name and description of the policy, as well as the level of importance of the security event generated by the policy.

On the second tab (Filter) of the policy properties, a filter is set for log entries. Each of the Event Products corresponds to a specific set of fields that this product fills in the log file, and the filter is formed over these fields. For example, in the "High connection rate for internal traffic on service" policy we are considering for the Check Point Endpoint Security product, the policy accepts only log entries whose Source IP address belongs to the address space of the internal networks.

The third tab (Count Logs) configures the criteria for generating a security event. In the policy we are considering, a security event with an importance level of Medium will be generated if, within 60 seconds, 200 calls are detected on the same service / protocol between a pair of IP addresses.

The Event Format tab determines which significant fields will be in the security event message and which fields from the log file will be written to them.

On the GUI Representation tab, the Threshold, Exclude, and Exception sections of the policy are configured.

How these sections look in the policy description:
- Threshold
- Exclude
- Exception

Tuning Event Policy
As a rule, Event Policies require "tuning" in order to eliminate false positives and improve accuracy. Tuning consists of adjusting the policy settings and adding exceptions. Exceptions are of two types:
- Exclusion - sets the log parameters (for the policy we are considering, these are Source, Destination and Service) that the policy will not accept during its work.
- Exception - specific security events that will be ignored by the policy.
You can also set an automatic response for each policy. The reaction may be the execution of a given set of actions, including:
- Email sending
- SNMP Trap
- Source IP Blocking
- Block attack (Block Event activity)
- Execute external script.
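To make the Filter, Count Logs and Exclusion mechanics described above concrete, here is an added Python sketch (not Check Point's code and not part of the original article) that applies the same 200-logs-in-60-seconds rule to constructed log records; the internal address ranges, the field names and the exclusion entry are assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Policy parameters from the article: 200 logs within 60 seconds on the same
# service between one source/destination pair produce a Medium event.
POLICY_NAME = "High connection rate for internal traffic on service"
THRESHOLD, WINDOW_SECONDS, SEVERITY = 200, 60, "Medium"
# Filter tab: only logs whose source is internal are accepted (assumed ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Exclusion tuning (constructed): logs matching every field here are skipped.
EXCLUSIONS = [{"src": "10.0.0.5", "dst": "10.0.0.53", "service": "domain-udp"}]

def passes_filter(log):
    """Filter tab: accept the log only if its Source IP is internal."""
    return any(ip_address(log["src"]) in net for net in INTERNAL_NETS)

def is_excluded(log):
    """Exclusion: every field of an exclusion entry must match the log."""
    return any(all(log.get(k) == v for k, v in ex.items()) for ex in EXCLUSIONS)

def correlate(logs):
    """Count Logs tab: sliding 60 s window per (src, dst, service) key."""
    windows = defaultdict(deque)
    events = []
    for log in sorted(logs, key=lambda rec: rec["time"]):
        if not passes_filter(log) or is_excluded(log):
            continue
        key = (log["src"], log["dst"], log["service"])
        window = windows[key]
        window.append(log["time"])
        while log["time"] - window[0] > WINDOW_SECONDS:  # drop stale entries
            window.popleft()
        if len(window) >= THRESHOLD:
            # Event Format: copy the significant log fields into the event.
            events.append({"name": POLICY_NAME, "severity": SEVERITY,
                           "src": key[0], "dst": key[1], "service": key[2],
                           "count": len(window), "time": log["time"]})
            window.clear()  # one event per burst, not one per extra log
    return events

def sample_logs():
    """Constructed log records; only the first burst should raise an event."""
    def burst(src, dst, service, count, step):
        return [{"time": 1000 + i * step, "src": src, "dst": dst,
                 "service": service} for i in range(count)]
    return (burst("10.1.1.7", "10.2.2.9", "http", 250, 0.1)          # fires
            + burst("10.0.0.5", "10.0.0.53", "domain-udp", 300, 0.1)  # excluded
            + burst("203.0.113.4", "10.2.2.9", "http", 300, 0.1)     # external
            + burst("10.1.1.8", "10.2.2.9", "http", 250, 2.0))       # too slow
```

Running `correlate(sample_logs())` yields a single Medium event for 10.1.1.7 -> 10.2.2.9 on http; the excluded, external and slow bursts are all silent, which is the behaviour the Filter, Count Logs and Exclusion settings are meant to produce.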
I hope this article will help you to better understand such a necessary product as Check Point SmartEvent.
If you are interested in full Check Point courses, you can find them in our catalog. More articles and tutorials on Check Point from our colleagues: VK, Telegram, YouTube.