manualshive.com logo in svg

Novell SENTINEL 6.1 SP2, User Manual, Page: 93 / 528

Share
Download
Novell SENTINEL 6.1 SP2 User Manual Download Page 93

Incidents Tab

4

93

no

vd

ocx 

(e

n)

  

7 Ja
nua
ry 201

0

4

Incidents Tab

Section 4.1, “Understanding an Incident,” on page 93

Section 4.2, “Introduction to User Interface,” on page 93

Section 4.3, “Manage Incident Views,” on page 95

Section 4.4, “Manage Incidents,” on page 99

Section 4.5, “Switch between existing Incident Views,” on page 106

4.1  Understanding an Incident

In Sentinel, a set of related events (for example, a possible attack) can be grouped together form an 
Incident. An Incident in “open” state alerts you to investigate, resolve, and close the incident. For 
example, the resolution to an attack might be to close a port, block a source IP, or rebuild a machine.

Incidents can be created:

Manually, by a security analyst monitoring incoming data or querying past data.

Automatically, as a result of a correlation rule being triggered. For more information, see 
“Correlation Tab” section.

In the Incidents Tab, you can:

Manage Incident Views 

Manage Incidents

Switch between existing Incident Views

NOTE: 

You need to have appropriate permissions to access this tab. Only an Administrator has 

controls to enable/disable access to the features of Incidents for a user.

4.2  Introduction to User Interface

In the Incidents Tab, you will see the Display Incident View, Create Incident and Attachment 
Viewer Configuration.

You can navigate to these functions from:

Table 4-1   

Table 4-1: Incident Tab -User Interface

The Incident menu in the Menu Bar

Summary of Contents for SENTINEL 6.1 SP2

Page 1: ...Novell www novell com novdocx en 7 January 2010 AUTHORIZED DOCUMENTATION Sentinel 6 1 User Guide SentinelTM 6 1 SP2 February 2010 User Guide ...

Page 2: ...and the trade laws of other countries You agree to comply with all export control regulations and to obtain any required licenses or classification to export re export or import deliverables You agree not to export or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws You agree to not use deliverables for p...

Page 3: ...ll Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the property of their respective owners ...

Page 4: ...4 Sentinel 6 1 User Guide novdocx en 7 January 2010 ...

Page 5: ...assword 30 1 3 9 Hostname updates 30 1 3 10 Configuring the Attachment Viewer 32 2 Active Views Tab 35 2 1 Understanding Active Views 35 2 2 Introduction to the User Interface 36 2 3 Reconfiguring Total Display Time 39 2 4 Viewing Real Time Events 39 2 4 1 To Reset Parameters and Chart Type of an Active View 41 2 4 2 Rotating a 3D Bar or Ribbon Chart 43 2 5 Showing and Hiding Event Details 43 2 6 ...

Page 6: ... a Correlation Rule 80 3 3 10 Importing a Correlation Rule 80 3 3 11 Exporting a Correlation Rule 81 3 4 Dynamic Lists 82 3 4 1 Adding a Dynamic List 83 3 4 2 Modifying a Dynamic List 84 3 4 3 Deleting a Dynamic List 84 3 4 4 Removing Dynamic List Elements 84 3 4 5 Using a Dynamic List in a Correlation Rule 84 3 5 Correlation Engine 85 3 5 1 Starting or Stopping Correlation Engine 86 3 5 2 Renamin...

Page 7: ...9 5 5 7 End Step 120 5 5 8 Adding Steps to a Workflow 120 5 5 9 Managing Steps 121 5 6 Transitions 125 5 6 1 Unconditional Transitions 125 5 6 2 Conditional Transitions 126 5 6 3 Else Transitions 130 5 6 4 Timeout Transitions 131 5 6 5 Alert Transitions 131 5 6 6 Error Transition 132 5 6 7 Managing Transitions 132 5 7 Activities 133 5 7 1 Incident Command Activity 134 5 7 2 Incident Internal Activ...

Page 8: ...roducts for Exploit Detection 165 8 4 Downloading the Advisor Feed 166 8 4 1 Configuring the Sentinel Server for Automated Downloads 166 8 4 2 Downloading the Advisor Feed Manually 167 8 5 Viewing the Advisor Status 167 8 6 Viewing the Advisor Data 169 8 7 Advisor Reports 170 8 7 1 Generating the Advisor Reports 170 8 7 2 Viewing the Advisor Reports 170 8 8 Resetting the Advisor Password 171 8 9 D...

Page 9: ...Report Configuration 229 11 4 Servers View 231 11 4 1 Monitoring a Process 232 11 4 2 Creating a Servers View 233 11 4 3 Starting Stopping and Restarting Processes 233 11 5 Filters 234 11 5 1 Public Filters 234 11 5 2 Private Filters 234 11 5 3 Global Filters 235 11 5 4 Configuring Public and Private Filters 237 11 5 5 Color Filter Configuration 240 11 6 Configure Menu Options 243 11 6 1 Adding an...

Page 10: ...and Line 289 12 3 1 General Syntax of the SDM command 289 12 3 2 Starting SDM GUI 289 12 3 3 Viewing Sentinel Database Space Usage 289 13 Utilities 291 13 1 Introduction to Sentinel Utilities 291 13 2 Starting and Stopping Sentinel Server 291 13 2 1 Starting a Sentinel Server 292 13 2 2 Stopping a Sentinel Server 292 13 3 Sentinel Scripts 292 13 3 1 Operational Scripts 293 13 3 2 Troubleshooting S...

Page 11: ... Pack 358 15 4 6 Documenting a Solution Pack 362 15 4 7 Editing a Solution Pack 363 15 5 Deploying an Edited Solution Pack 364 16 Actions and Integrator 365 16 1 Overview 365 16 2 Action Manager 366 16 2 1 Permissions for Using Action Plugins 366 16 3 Action Plugins 367 16 3 1 Importing JavaScript Action Plugins 367 16 3 2 Importing JavaScript Files 370 16 4 Actions 379 16 4 1 Creating Actions 379...

Page 12: ...le Details 436 18 3 Reports 439 A Sentinel Architecture 441 A 1 Sentinel Features 441 A 2 Functional Architecture 441 A 3 Architecture Overview 442 A 3 1 iSCALE Platform 442 A 3 2 Sentinel Event 444 A 3 3 Event Source Management 447 A 3 4 Application Integration 448 A 3 5 Time 448 A 3 6 System Events 449 A 3 7 Processes 450 A 4 Logical Architecture 452 A 4 1 Collection and Enrichment Layer 453 A 4...

Page 13: ...5 8 Event Insertion is blocked 479 B 5 9 Event Insertion is resumed 480 B 5 10 Event Message Queue Overflow 480 B 5 11 Event Processing Failed 481 B 5 12 No Space In The Database 481 B 5 13 Opening Archive File failed 481 B 5 14 Partition Configuration 482 B 5 15 Writing to Archive File failed 482 B 5 16 Writing to the overflow partition P_MAX 482 B 6 Database Aggregation 483 B 6 1 Creating Summar...

Page 14: ...lector Manager Initialized 499 B 10 2 Collector Manager Is Down 499 B 10 3 Collector Manager Started 499 B 10 4 Collector Manager Stopped 500 B 10 5 Collector Service Callback 500 B 10 6 Cyclical Dependency 500 B 10 7 Event Source Manager Callback 501 B 10 8 Initializing Collector Manager 501 B 10 9 Lost Contact With Collector Manager 501 B 10 10 No Data Alert 502 B 10 11 Persistent Process Died 5...

Page 15: ... 515 B 17 2 Deleting an Activity 516 B 17 3 Saving an Activity 516 B 18 Incidents and Workflows 516 B 18 1 Add Events To Incident 516 B 18 2 Adding Process Definition 517 B 18 3 Create Incident 517 B 18 4 Creating Group 517 B 18 5 Creating User 518 B 18 6 Delete Incident 518 B 18 7 Deleting Group 518 B 18 8 Deleting Process Definition 519 B 18 9 Deleting User 519 B 18 10 E mail Incident 519 B 18 1...

Page 16: ...6 Sentinel 6 1 User Guide novdocx en 7 January 2010 B 19 15 Stopping Processes 526 B 19 16 Store Esec Taxonomy From XML 526 B 19 17 Watchdog Process is started 526 B 19 18 Watchdog Process is stopped 527 ...

Page 17: ...ter 11 Administration on page 227 Chapter 12 Sentinel Data Manager on page 281 Chapter 13 Utilities on page 291 Chapter 14 Quick Start on page 307 Chapter 15 Solution Packs on page 331 Chapter 16 Actions and Integrator on page 365 Chapter 17 Sentinel Link Solution on page 393 Chapter 18 Identity Integration on page 431 Appendix A Sentinel Architecture on page 441 Appendix B System Events for Senti...

Page 18: ...s Control Panel to perform this action Multiple actions in a step References For more information see Section Name if in the same Chapter For more information see Chapter Name if in the same Guide For more information see Section Name in Chapter Name Name of the Guide if in a different Guide In Novell documentation a greater than symbol is used to separate actions within a step and items in a cros...

Page 19: ...index jsp http download novell com index jsp 24x7 support http www novell com company contact html http www novell com company contact html For Collectors Connectors Reports Correlation Hotfixes TIDS http support novell com products sentinel http support novell com products sentinel ...

Page 20: ...20 Sentinel 6 1 User Guide novdocx en 7 January 2010 ...

Page 21: ...nel presents the collected data in a more sensible GUI identifies security or compliance issues and tracks remediation activities streamlining previously error prone processes and building a more rigorous and secure management program The Sentinel Control Center includes the following functional tabs and interfaces Section 1 1 1 Active Views on page 21 Section 1 1 2 Incidents on page 22 Section 1 ...

Page 22: ...ocesses into Sentinel In the iTRAC tab you can Create custom workflow templates Edit workflow templates Create custom activities Edit activities Associate activities with workflow steps Initiate and execute Processes 1 1 4 Analysis The Analysis tab is the historical reporting interface for Sentinel Reports are published on a Web server and can be rendered in the analysis tab or in an external brow...

Page 23: ...lists 1 1 8 Event Source Management The Event Source Management ESM interface is available through the Sentinel Control Center menu It allows you to manage and monitor connections between Sentinel and its event sources using Sentinel Connectors and Sentinel Collectors In the ESM you can Import export Connectors and Collectors from to the centralized repository available in ESM Add edit connections...

Page 24: ...nality on several levels With the Identity Browser you can Look up the following information about a user Contact information Accounts associated with that user Most recent authentication events Most recent access events Most recent permissions changes Lookup from events 1 2 Log in to the Sentinel Control Center To Start the Sentinel Control Center on Windows 1 Go to Start Programs Sentinel and se...

Page 25: ...command control_center sh 3 Provide your username and password and click OK 4 A Certificate window displays if you select Accept this message displays every time you try to start Sentinel on your system To avoid this you can select Accept permanently 1 3 Introduction to the User Interface In the Sentinel Control Center user interface you can perform the activities through the following components ...

Page 26: ...The availability of other menus depends on your location in the console and permissions 1 3 2 Toolbar The Tool Bar allows you to perform the Tab specific functions There are four system wide toolbar buttons that are always displayed These toolbar buttons are View Sentinel Help Cascade All Display Windows Tile All Display Windows and Save User Preferences The availability of other toolbar buttons d...

Page 27: ...more information on Tabs specific toolbar buttons see the sections on each of the Tabs mentioned in the list above 1 3 3 Tabs Depending on your access permissions Sentinel Control Center displays the following tabs Active ViewsTM Correlation Incidents iTRACTM Analysis Advisor Admin For more information about Tabs see the sections on each tab Toolbar View Active Views Correlation Incidents iTRAC An...

Page 28: ...icon NOTE You can undo dragging or reset to default position using the toolbar buttons 1 3 5 Navigating through Sentinel Control Center To navigate using Toolbar 1 Click the tab you need to work on 2 Click toolbar buttons to perform the actions To navigate using Menu bar 1 Click the tab menu in the Menu bar 2 Select an action you need to perform NOTE This procedure is generic for all the tabs in S...

Page 29: ...indows 1 Click Windows Tile All 2 Select from the following to meet your requirement Tile Best Fit Tile Vertical Tile Horizontal Minimizing and Restoring Windows To minimize all windows 1 Click Windows Minimize All All open windows in the right panel minimize To restore windows to original size 1 Click Windows Restore All All open windows in the right panel restores to their original size NOTE Use...

Page 30: ...ndary windows opened from one of the primary windows in the Admin Navigator Column widths in Active Views To save your preferences 1 Click File Save Preferences or click 1 3 8 Changing Password To change your Sentinel Control Center password 1 Click Options Change Password 2 Provide the old password 3 Provide the new password and matching confirm password 4 Click OK NOTE For more information on pa...

Page 31: ...nd Windows using the following commands On Unix execute dbconfig a config h new DB hostname On Windows execute dbconfig a config h new DB hostname You require the Database Hostname to login to SDM To login to SDM you might need to update the Database Hostname in SDM login window To Update SDM 1 Open Sentinel Data Manager 2 In the login window provide details of the Database new hostname and other ...

Page 32: ...that connects the Communication Server and Sentinel processes needs to be updated You might need to perform the steps given below on all machines with DAS Correlation Engine Collector Manager and Sentinel Control Center installed To update DAS Correlation Engine Collector Manager and Sentinel Control Center 1 Go to ESEC_HOME config and edit configuration xml 2 Replace the four occurrences of the C...

Page 33: ...ry 2010 2 Click Add The Attachment Identification window displays Specify the extension type such as doc xls txt html and so on and click Browse or type in the application program to launch the file type such as notepad exe for Notepad 3 Click OK ...

Page 34: ...34 Sentinel 6 1 User Guide novdocx en 7 January 2010 ...

Page 35: ...ion on page 60 Section 2 15 Using Custom Menu Options with Events on page 61 Section 2 16 Managing Columns in a Snapshot or Navigator Window on page 61 Section 2 17 Taking a Snapshot of a Navigator Window on page 62 Section 2 18 Sorting Columns in a Snapshot on page 63 Section 2 19 Closing a Snapshot or Navigator on page 63 Section 2 20 Adding Events to an Incident on page 63 2 1 Understanding Act...

Page 36: ...rts you can perform queries for recent events NOTE Access to these features can be enabled or disabled for each user For more information see Sentinel Database Users Roles and Access Permissions in Sentinel 6 1 Reference Guide 2 2 Introduction to the User Interface In Active Views you can see Create Active View and Event Query You can navigate to these functions from Table 2 1 Active View User Int...

Page 37: ...l Format A near Real Time Event Table with graphical presentation and Snapshot are the two types of Active Views Near Real Time Event Table Holds up to 750 events per 30 second period If there are more than 750 events the events are displayed in the following priority order correlated events events that are sent to the GUI only using a global filter and all remaining events By default the client m...

Page 38: ...tive View displays data for the last hour Snapshot Time stamped views of a Real Time Event View table The following is what makes an Active View unique Filter assigned to an Active View The z axis attribute The security filter assigned to a user The Active Views Tab allows you to You can change labels column names to user friendly names and the new names will be populated throughout the system For...

Page 39: ...er 2 4 Viewing Real Time Events To View Real Time Events 1 Click the Active Views tab 2 Click Active Views Create Active View or click Create Active View icon 3 In the Event Visualization Wizard window click the down arrows to select your Event Attribute Z Axis Filter and to Display Events Yes or No NOTE In the Filter Selection window you can build your own filter or select one of the already buil...

Page 40: ...tacked Bar 2D 4 If you click Next click the down arrows to select your Display Interval and Refresh rate Display Interval is the Time interval to display events Refresh Rate is the rate at which Active Views should refresh Total Display Time Amount of time to display the chart Y axis Either total Event Count or Event Count per Second Click Next 5 Select your chart type from the drop down list and ...

Page 41: ...click the Lock button additional available buttons are 2 4 1 To Reset Parameters and Chart Type of an Active View When viewing an Active View you can reset your chart parameters change your chart type To Reset Parameters and Chart Type of an Active View 1 Within an Active View displaying a chart right click and select Properties ...

Page 42: ...y Interval Time between each interval Refresh Rate Number of seconds for event rate to be updated Total Display Time Amount of time to display the chart Y axis Either total Event Count or Event Count per Second Under the Chart Types tab you can set your chart to Stacked Bar2D Bar 3D Line or Ribbon ...

Page 43: ...ils displays in the left panel of the Real Time Event Table To hide an event detail 1 In an Real Time Event Table of the Navigator or Snapshot with event details displayed in the left panel right click an event and click Show Details The Event Details window closes 2 6 Sending Mail Messages about Events and Incidents To send mail messages from within the Sentinel Control Center you must have an SM...

Page 44: ...il Message 3 Click OK To e mail an Incident 1 After you save your incident click the Incidents tab Incidents Incidents View 2 Click All Incidents option in the Switch View drop down list located at the bottom right corner 3 Double click an Incident 4 Click Email Incident 5 Provide the following information Email Address ...

Page 45: ...me between display in the Real Time Events window and insertion into the database If this occurs it will take a few minutes for the original events to finally be inserted into the database and display in the incident To create an incident 1 In a Real Time Event Table of the Navigator or a Snapshot Real Time Event Table select an event or a group of events and right click and select Create Incident...

Page 46: ...SensorType field is set to C However the following are the exceptions The SensorType field is set to T for the Correlated events that are routed to gui only If you are using the action Configure Correlated Event with a Correlation rule and you set the Resource field to any value the Resource field displays the value that you have set The View Trigger Events option is enabled only for Correlated ev...

Page 47: ...s in the selected events This is particularly useful to view the relationship between the initiatiors IP port event sensor type Collector and the targets IP port event sensor type Collector name of the selected events but any fields can be used Below is an illustration of initiator IP addresses mapped to target IP addresses Figure 2 5 Graph Mapper 2 9 1 Investigate Event Query This function allows...

Page 48: ...m and To fields and click Finish The Graph Mapper window displays The following is a graphic depiction of Sensor Name to Event Name of severity 5 in an organic format You can view a graphic mapping in the following formats Option Function Show More Events to this target Events with the same Destination IP address Show More Events from this source Events with the same Initiator IP address What are ...

Page 49: ...e filter and severity criteria in required batch size You can export the results in HTML or CSV file format To query events in Historical Event Query window 1 In the Active Views tab select Active Views Event Query You can also open Historical Event Query window by clicking Historical Query Icon on the toolbar The Historical Event Query window displays Circular Hierarchical Organic Orthogonal ...

Page 50: ... system time 5 Select a batch size from the Batch size drop down The events queried displays in the batch size you specify If you select a batch size of 100 the first 100 events are displayed in the window first After the query is processed the Begin Searching icon changes to More results icon You can see next 100 events along with the previous events by clicking More results icon 6 Click Begin Se...

Page 51: ...egories are defined The numbers in the parentheses against these sub categories displays the total number of event counts corresponding to the value of the metatag To view events in Active Browser 1 In the Active Views tab highlight the event s you want to view in Active Browser 2 Right click event s and select View in Active Browser The selected event s displays in the Active Browser window Or 3 ...

Page 52: ...search for in the Search field 2 Press Enter or click the Search icon against the search field to search NOTE You can move between the various searches by using the Forward and Backward button above the search field To add attributes in Active Browser 1 Click Add an attribute for categorization icon as shown below 2 Select an attribute in the Add an attribute for categorization window that display...

Page 53: ... supported Intrusion Detection Systems are listed in Chapter 8 Advisor Usage and Maintenance on page 159 To View Advisor Data 1 In a Real Time Event Table of the Navigator or Snapshot right click an event or a series of selected events Analyze Advisor Data If the DeviceAttackName field is properly populated a report similar to the one below displays This example is for a WEB MISC amazon 1 click co...

Page 54: ...st run your asset management Collector to view this data The available data for viewing are Hardware MAC Address Name Type Vendor Product Version Value Criticality Network IP Address Hostname Software Name Type Vendor Product Version Contacts Order Name Role Email Phone Number Location Location Address To view Asset Data 1 In the Active Views table of the Navigator or Snapshot window right click a...

Page 55: ...Ps can be seen for the current time or for the time of the selected events Vulnerability Visualization requires that a vulnerability Collector is running and adding vulnerability scan information to the Sentinel database The Novell Web site http support novell com products sentinel collectors html provides Collectors for several industry standard vulnerability scanners and additional vulnerability...

Page 56: ...view that lists relevant fields depending on which vulnerability scanner you have IP Host Vulnerability Port protocol Figure 2 6 Viewing Vulnerability The graphical display is a rendering of vulnerabilities that link them to an event through common ports Below are the examples of the four available views ...

Page 57: ...Active Views Tab 57 novdocx en 7 January 2010 Figure 2 7 Organic View Figure 2 8 Hierarchical View ...

Page 58: ...nerabilities to a port protocol combination of a resource IP address For example if a resource has five unique port protocol combinations that are vulnerable there are five nodes attached to that resource The resources are grouped together under the scanner that scanned the resources and reported the vulnerabilities If two different scanners are used ISS and Nessus there are two independent scanne...

Page 59: ...ls Events panel When in the Details tab clicking on a node results in displaying node details When in the Events tab clicking on an event associated with a node the node displays in tabular form as in a Real Time or Event Query window To run a Vulnerability Visualization 1 In an Real Time Event Table of the Navigator or Snapshot right click an event or a series of selected events and click Analysi...

Page 60: ...vell com products sentinel sentinel61 html http support novell com products sentinel sentinel61 html NOTE The permission to create Remedy incidents is controlled by the administrator on a user by user basis 2 14 Viewing User Information Novell provides optional integration with identity management systems specifically Novell Identity Manager With this integration user identity information will be ...

Page 61: ...iple events You can further assign user permissions to View Vulnerability You can add options using the Event Menu Configuration option on the Admin tab 2 16 Managing Columns in a Snapshot or Navigator Window To select and arrange columns in a Snapshot or Navigator 1 With a Snapshot or Navigator window open click Active View Event Real Time Manage Columns or click the Manage Columns of Real Time E...

Page 62: ...ve Preferences or click Save User Preference icon 2 17 Taking a Snapshot of a Navigator Window To perform this function you must have user permission Snapshot This is useful to study events of interest because the Navigator refreshes automatically and the alert or alerts of interest will scroll off the screen Also within a snapshot you can sort by column To take a snapshot of a Real Time Event Tab...

Page 63: ...r in Windows or upper right corner in Windows SUSE Linux Red Hat Linux or upper left corner in Solaris NOTE The view or snapshot will not redisplay when you close and reopen the Sentinel Control Center 2 20 Adding Events to an Incident To perform this function you must have user permissions to Modify Incident s and Add to existing Incident s To add events to an incident 1 In a Real Time Event Tabl...

Page 64: ...Incident window 4 Highlight an incident and click Add 5 Click OK The event or events selected are added to the incident in the Incidents Navigator NOTE If events are not initially displayed in a newly created Incident it is most likely because of a lag in the time between display in the Real Time Events window and insertion into the database If this occurs it will take a few minutes for the origin...

Page 65: ...nel 6 0 the correlation engine is built with a pluggable framework which allows the addition of new correlation engines in the future Correlation rules define a pattern of events that should trigger or fire a rule Using either the correlation rule wizard or the simple RuleLG language you can create rules that range from simple to extremely complex for example High severity event from a finance ser...

Page 66: ...rge numbers of correlation rules or extremely high event rates it might be advantageous to install more than one correlation engine and redeploy some rules to the new correlation engine The ability to deploy multiple correlation engines provides the ability to scale as the Sentinel system incorporates additional data sources or as event rates increase Sentinel s correlation is near real time and d...

Page 67: ...ngine Manager Correlation Action Manager and Dynamic Lists You can navigate to these functions from Table 3 1 Correlation User Interface 3 3 Correlation Rules Correlation Rules are created modified renamed deployed undeployed in the Correlation Rule Manager Correlation Rules are organized into Rule Folders which can also be managed in the Correlation Rule Manager NOTE There is no limit to the numb...

Page 68: ...Renaming a Rule Folder To rename a Rule Folder 1 Open the Correlation Rules Manager window and click Manage Folder 2 Select a folder and click Rename Change the name of the folder To delete a Rule Folder 1 Open the Correlation Rules Manager window and click Manage Folder 2 Select a folder and click Delete Click Yes when the system asks for confirmation 3 3 4 Creating a Correlation Rule To create a...

Page 69: ...on Rule wizard by walking through the wizard or by choosing the Custom Freeform option to write the rule in the proprietary RuleLG language All rule definitions are stored in the database in RuleLG Correlation rules can be defined based on any populated event field NOTE When creating a Rule you can refer to a dynamic list to it For more information see Section 3 4 5 Using a Dynamic List in a Corre...

Page 70: ...le 1 Open the Correlation Rules Manager window and select a folder from the drop down list to which this rule is added 2 Click Add button located on the top left corner of the screen The Correlation Rule window displays Select Simple Rule 3 In the Simple Rule window define a condition for this rule Select the Property and Operator values from the drop down lists and specify data in value field ...

Page 71: ...he number of times the subrule must fire within a specific time window in order to trigger the aggregate rule For example an aggregate rule might require that a subrule fire 10 times within 5 minutes for the aggregate rule to fire Aggregate rules have an optional group by field which can be any populated field from the events For example an aggregate rule might require that a subrule fire 10 times...

Page 72: ... to which this rule is added 2 Click Add button located on the top left corner of the screen The Correlation Rule window displays Select Aggregate Rule 3 In Aggregate Rule window you can select a sub rule to create an aggregate rule To select a sub rule click Add Rule button Add Rule window displays NOTE You can select only one sub rule when creating an aggregate rule ...

Page 73: ...rule from this wizard Select your option and click Next Composite Rule A composite rule is comprised of 2 or more subrules A composite rule can be defined so that all or a specified number of the subrules must fire within the defined timeframe Composite rules have an optional group by field which can be any populated field from the events NOTE When a subrule is used to create a composite rule a co...

Page 74: ...e Update Criteria window displays 8 Update criteria for the rule to fire and click Next 9 Provide a name to this rule You have an option to modify the rule folder 10 Provide rule description and click Next 11 You have an option to create another rule from this wizard Select your option and click Next Sequence A sequence rule is comprised of 2 or more subrules that must have been triggered in a spe...

Page 75: ...the rule in RuleLg preview box Click Next the Update Criteria window displays 7 Update criteria for the rule to fire and click Next 8 Provide a name to this rule You have an option to modify the rule folder 9 Provide rule description and click Next 10 You have an option to create another rule from this wizard Select your option and click Next Custom or Freeform Correlation Rules The custom or free...

Page 76: ...dow write the condition for the rule and click Validate to test the validity of the rule 4 After validation of the rule click Next the Update Criteria window displays Update the criteria for the rule to fire and click Next 5 Provide a name to this rule You have an option to modify the rule folder 6 Provide rule description and click Next 7 You have an option to create another rule from this wizard...

Page 77: ...eates a Sentinel incident Any Action configured in the Action Manager that was created from an Action plugin that takes a Correlated Event as input For more information on Action Manager page 366 see the Chapter 16 Actions and Integrator on page 365 To deploy Correlation Rules in Correlation Engine Manager 1 Open the Correlation Engine Manager window 2 Highlight and right click the engine you want...

Page 78: ...deploy Correlation Rules in Correlation Rule Manager 1 Open the Correlation Rule Manager window 2 Highlight a rule and click Deploy rules link The Deploy Rule window displays 3 In the Deploy Rule window select the Engine to deploy the rule from the drop down list 4 Optional Select an action or add a new action ...

Page 79: ...ule 2 Alternatively in the Correlation Rule Manager highlight the rule and click Undeploy rule link To Undeploy All Correlation Rules 1 Open the Correlation Engine Manager window 2 Right click the Correlation Engine and select Undeploy All Rules 3 3 7 Enabling Disabling Rules To Enable Disable Rule 1 Open the Correlation Engine Manager window 2 Highlight and right click the rule or set of rules an...

Page 80: ... Click OK To delete a Correlation Rule 1 Open the Correlation Rules Manager window and select the rule you want to delete 2 If the rule is deployed click Undeploy Rule link to undeploy the rule 3 Click Delete link Click Yes when the system prompts for confirmation 3 3 9 Moving a Correlation Rule To move a Correlation Rule 1 Open the Correlation Rules Manager window and click Manage Folder 2 Click ...

Page 81: ...Finish NOTE When importing a correlation rule in a folder if the correlation rule with the same name exists the system displays a message and does not import the file IMPORTANT If you import a correlation rule using the inlist operator the dynamic list aligned to that rule must exist or you must create the dynamic list with the same name on the system to it is imported 3 3 11 Exporting a Correlati...

Page 82: ...st A Dynamic List can be built using the text values for any event metatag Elements can be added to the list manually by an administrator or automatically whenever a correlation rule fires Elements can be removed from a list if manually by an administrator automatically whenever a correlation rule fires when their time limit expires or when the maximum list size is reached IMPORTANT The Time To Li...

Page 83: ...ions or hyphens For MSSP customers provide an intuitive name so that it can be easily identified as MSSP customer dynamic list 4 Click Add The Add Element window displays 5 Provide name of the Element To make the Element persistent check Make Persistent Check box and Click OK NOTE To make an existing element persistent select the checkbox before the element name in the Dynamic Properties window 6 ...

Page 84: ... Delete link against it Confirmation message alert displays 3 Click Yes to delete 3 4 4 Removing Dynamic List Elements There are several ways an element can be removed from a Dynamic List A user can remove it manually The element can be removed by a correlation rule action The Transient elements life span can expire If the maximum number of elements for a Dynamic List is reached elements are remov...

Page 85: ... this rule You have an option to modify the rule folder 8 Provide rule description and click Next 9 You have an option to create another rule from this wizard Select your option and click Next NOTE Users must have the permission to Start Stop Correlation Engine to perform these actions The two states of Correlation engine are Enable Disable When the Correlation Engine is enabled it processes activ...

Page 86: ...gure repeatable Actions There are several different types of Actions that can be configured and then associated with a correlation rule deployment Configure a Correlated Event Add to Dynamic List Remove from Dynamic List Execute a Command Send an Email Create an Incident Any Imported JavaScript Action Plugin that is marked by the plugin developer as requiring a Correlated Event as input NOTE Altho...

Page 87: ... Figure 3 2 Configure Correlated Event NOTE This type of action can only be used in Correlation deployments To override the default values for the correlated event created when a rule fires an action can be created to populate the following fields in the correlated event Severity Event Name Message Resource SubResource Field Name Default Values Severity 4 Event Name Final Event Name Message messag...

Page 88: ...s for both Element Values and Attribute Names both are added to the Dynamic List when the rule fires If the Element Value is filled in and the Element Type is Transient the timestamp for the element in the Dynamic List is updated each time the rule fires Option Function Element Values optional Specify a constant value to add to the dynamic list If this is blank Attribute Name must be populated Ele...

Page 89: ...an event attribute such as Target IP or Initiator User Name from an existing Dynamic List The various parameters available are Table 3 5 Parameters Option Function Element Values Specify a constant value to remove from the list Dynamic List Name Select an existing Dynamic List from the dropdown menu Attribute Names For every event that is part of a correlated event the value or values of the selec...

Page 90: ...to event attributes must use the values in the metatag column enclosed in or symbols For example InitIP represents the Initiator IP address value from the Correlated Event except in the Configure Correlated Event action Because the correlated event has not been created before the action is executed the InitIP value comes from the trigger event InitIP always represents the value from the current ev...

Page 91: ...an be written to a different directory by specifying a different storage location of the output file in the script 3 6 5 Create Incident Figure 3 6 Configure Action Create Incident NOTE This type of action can only be used in Correlation deployments This action type create an incident whenever a correlated event fires You can also initiate an iTRAC workflow process for remediation of that incident...

Page 92: ...nd an Email when a correlated event triggers The various parameters available are Table 3 6 Parameters 3 6 7 Imported JavaScript Action Plugins For information on the JavaScript related actions and how to debug them see Section 16 2 Action Manager on page 366 in Chapter 16 Actions and Integrator on page 365 The JavaScript Actions can be used in many places throughout the Sentinel interface Option ...

Page 93: ... block a source IP or rebuild a machine Incidents can be created Manually by a security analyst monitoring incoming data or querying past data Automatically as a result of a correlation rule being triggered For more information see Correlation Tab section In the Incidents Tab you can Manage Incident Views Manage Incidents Switch between existing Incident Views NOTE You need to have appropriate per...

Page 94: ... and select Display Incident Views or click Display Incident View button in the Tool Bar 4 2 2 Incident When you add edit an incident you will see the tabs listed below where you can perform the incident related activities As you investigate and remediate an incident additional information can be added to these tabs Except for Events and History entering information on the tabs is optional The Nav...

Page 95: ...tion iTRAC Allows you to add a workflow to incident from iTRAC Tab History Lists activities performed on the current incident Attachments Allows you to add an attachment to the incident created in the system Notes Allows you to add notes to the incident 4 3 Manage Incident Views Manage View allows you to Add Views Edit Views Delete Views Mark a View as default 4 3 1 Adding a View To add an Inciden...

Page 96: ...lecting Manage Views and then clicking the Add View button 3 Provide a name in the Option Name field Click each button listed below to specify the options Fields The variables of the events attached to incidents are displayed as fields By default all the fields are arranged as columns in the Incident View In the Field options window you can add or remove columns that display and arrange the order ...

Page 97: ...Incidents Tab 97 novdocx en 7 January 2010 Sort By You can set rules to sort the incidents in the display view ...

Page 98: ...tch your filter displays in the View Leaf Attribute You can select an attribute from the list which is displayed as the first column in the Incident View 4 Click Save 4 3 2 Modifying a View To edit an Incident View 1 Click Incidents Display Incident View or click Display Incident View Manager button on the Tool Bar ...

Page 99: ...the Manage Views button located in bottom right corner of the screen and select Manage View from the list The Manage View window displays Select a view and click Delete A confirmation message alert displays 3 Click Yes to delete 4 3 4 Default View To mark a View as default 1 Click Incidents Display Incident View Manager or click Display Incident View Manager icon on the Tool Bar 2 Click the down a...

Page 100: ...ncident select from the drop down list Priority To mention the priority of the incident select from the drop down list Category Specify the category of the Incident Responsible To assign the responsibility to investigate and close the incident select from the drop down list Description Specify the description of the Incident in the text area Resolution Specify the resolution description in the tex...

Page 101: ... the Incident window click iTRAC Tab 3 Select an iTRAC process from the drop down list 4 Click Save NOTE You can attach only one process to an incident 4 4 4 Adding Notes to Incidents To add a note to an Incident 1 In the Incident window click Notes Tab 2 Click Add Add Notes to Incident window displays 3 Provide your notes and click OK 4 Click Save NOTE To edit or delete the note select a note in ...

Page 102: ...ame Description Type Subtype Click OK click Save NOTE Right click the attachment to view or save 4 4 6 Executing Incident Actions Any configured Javascript action or iTRAC activity can be executed on an incident To execute an incident action 1 Open an Incident 2 Click Execute Incident Action or select Actions Execute Incident Action The Execute Incident Action window displays ...

Page 103: ...ry 2010 3 Select an Action or click Add Action to create a new one 4 Click Execute If the action is a Javascript Action a window opens to show the progress of the action 5 To add the command output to the Incident click Attach to Incident ...

Page 104: ...stalled Email Incident action you must have an SMTP Integrator is configured with valid connection information and with the property SentinelDefaultEMailServer set to true For more information see SMTP Integrator documentation available at Novell website http www novell com documentation sentinel61 To email an Incident 1 Open an incident 2 Click Email Incident button The Email Incident window disp...

Page 105: ...cks incident history attachments and notes 5 Click OK 4 4 8 Modifying Incidents To edit an Incident 1 Click Incident tab Click Incidents Display Incident View Alternatively click Display Incident View button on the Tool Bar Incident View window displays with the list of incidents 2 Right click the incident you want to edit and select Modify 3 Incident window displays Edit the following information...

Page 106: ...k Incidents Display Incident View Manager or click Display Incident View button on the Tool Bar The Incident View window displays 2 Right click the incident you want to delete and select Delete 3 A confirmation Message displays Select Yes 4 5 Switch between existing Incident Views To switch between Incident views 1 Click the down arrow on the Switch View button on the bottom right corner of the sc...

Page 107: ...mprehensive reporting allows administrators to understand and fine tune the incident response processes NOTE Access to manage iTRAC templates activities and processes can be enabled on a user by user basis by any user with the ability to change user permissions The iTRAC system uses three Sentinel objects that can be defined outside the iTRAC framework Table 5 1 Sentinel Objects used by iTRAC iTRA...

Page 108: ...e workflow moves from one state Activity to another this can be determined by an analyst action by the value of a variable or by the amount of time elapsed Templates A Template is a design for a workflow that controls the flow of execution of a process in iTRAC The template consists of a network of manual and automated Steps Activities and criteria for transition between them Workflow templates de...

Page 109: ... Define workflow Steps Manual or Automated Description of Step or instructions for iTRAC users Define transitions between Steps Transition type Escalation procedures Timeout and alert attributes Figure 5 1 iTRAC workflow 5 3 1 Default Templates iTRAC is shipped with the following templates to use as examples The process and activity attributes for these templates are set to pre defined values User...

Page 110: ... more information on creating a Workflow Template see Section 5 4 1 Creating Templates on page 112 Quick Edit Select a Step or Transition to see its properties This pane allows you to edit process attributes To edit the details of steps using Quick Edit Click the Process Attribute value in the Quick Edit Pane The attribute values are highlighted indicating Edit Mode Modify the value and click anyw...

Page 111: ... have a Start Step Decision Step This step provides different execution paths depending on the value of a variable defined in a previous Step Mail Step This step sends a pre written email Manual Step This step indicates that manual work must be performed often outside the Sentinel system For example telephoning the owner of the affected system or analyzing the results of a scan Activity Step This ...

Page 112: ...s Or right click Start step select Insert New and select one of the following Step types 6 Add as many Steps and Activities as needed to create the Template 7 Create transitions between each Step To create Transitions right click the step after which you need to add transition and click Add Transition NOTE Any step except for the End step might have one or more exit transition lines A Decision ste...

Page 113: ...is to copy one of the default Templates and modify it To copy a Template 1 Click the iTRAC tab 2 In the Navigator click iTRAC Administration Template Manager 3 Highlight a template and click Copy A Template Builder with the copied template displays 4 Provide a new name save and edit the template as needed Deleting Templates Even if you delete a Template any instantiated workflow processes that are...

Page 114: ...flow process reaches the Manual Step When a user accepts the worklist item it is removed from the queue of the other users in that Role For more information about worklists and stepping through a workflow process see Section 6 1 1 Work Item Summary on page 147 section The description of the step should indicate what work needs to be performed The user is expected to perform that work and then ackn...

Page 115: ...e user to hold the event rate Output transitions from the Manual Step can be defined so that if the event rate is greater than 500 one path is followed else another path is followed To create a variable 1 Click iTRAC tab 2 In the Navigator click iTRAC Administration Template Manager 3 Click Add button in upper left corner to open a new template or highlight an existing template click View Edit 4 R...

Page 116: ...116 Sentinel 6 1 User Guide novdocx en 7 January 2010 Integer Variable String Variable ...

Page 117: ...iTRAC Workflows 117 novdocx en 7 January 2010 Float Variable 6 Click OK From a Manual Step you can set Conditional Unconditional Timeout or Alert transitions ...

Page 118: ...teps This step sends a pre written email A Mail Step includes the following attributes Name of step To addressee From addressee Subject of email Body of email From a Mail Step you can set a Conditional Unconditional Timeout Alert or Error transition An Error transition should always be included so error conditions can be handled properly NOTE If the first step of a workflow fails without an error ...

Page 119: ...flow path to take The command and its arguments can each be specified explicitly by the person designing the workflow or be set as a string variable If either one is set as a string variable there must be a previous step in the Template where the variable is set to a string value From a Command Step you can set Conditional Unconditional Timeout or Alert or Error transitions An Error transition sho...

Page 120: ...tte or using a right click in the Process Builder When adding steps to a workflow a yellow entry field indicates an invalid entry To add a Step from the Step Palette 1 Drag and drop a step from the Step Palette 2 Right click the step and select Edit Step 3 Edit the details of the step and click Save To add a Step using a Right Click 1 Right click an existing step in the Process Builder and select ...

Page 121: ...and select Copy Step 5 The Step window opens in edit mode with all the attributes of the selected step Specify a name to the new step 6 Edit step attributes as required Click OK Modifying Steps To edit a Step 1 Click the iTRAC tab 2 In the Navigator click iTRAC Administration Template Manager 3 Highlight an existing template click View Edit iTRAC Process Builder window displays 4 Select an existin...

Page 122: ...227 4 Click Associate to associate a Variable select the variable from the list or create new variables to be associated Set a default value as desired 5 Check the Read Only box if this variable is to be forced to the default value 6 Click Description tab to provide description for this step 7 Click Preview to preview the step you created 8 Click OK To edit a Decision Step 1 Right click a Decision...

Page 123: ...scription tab to provide description for this step 4 Click OK To edit a Mail Step 1 Right click a Mail Step and select Edit Step 2 Provide Name for the step 3 Provide To and From mail addresses and Subject in the General Tab 4 Click Body tab and type the message 5 Click OK ...

Page 124: ...ss check the Use Variables box 5 Specify any command line arguments to pass to the command or script If you want to use the contents of a variable that gets populated during the workflow process check the Use Variables box 6 Specify a variable to hold output from the command or script Any standard output is placed into these variables 7 Click Description tab to provide description for this step 8 ...

Page 125: ...are associated with different transition types Table 5 5 Steps and Valid Transition 5 6 1 Unconditional Transitions An unconditional transition must always be used from a Start step Manual Command Activity and Mail Steps can also have unconditional transitions The only parameter for an unconditional transition is the next step This path is taken when the current step is completed unless a timeout ...

Page 126: ... iTRAC variables set in a Manual or Command step NOTE You can add Conditional Transitions only from a Decision Step to any other step When creating a Conditional Transition the conditional expressions can be based on comparing a variable that is populated during the workflow process to a specific value or to another variable populated during the workflow process Multiple conditional expressions ca...

Page 127: ...ression window displays 7 Click EXP to add the first expression The evaluation expression is an expression that evaluates to TRUE or FALSE during the workflow process Select the appropriate dropdown under Relations to compare a variable to a constant value Variables and Values or to another variable Variables and Variables ...

Page 128: ...ect a variable from the Attribute dropdown or add a new one if desired 9 Select a condition from the Condition dropdown The condition list varies depending on the type of Attribute variable chosen String Variable Conditions Integer and Float Variable Conditions ...

Page 129: ...12 If a second expression is desired highlight the root folder 13 Repeat steps 7 12 as needed 14 By default all expressions at the root level is separated by AND operators To nest expressions or to use the OR operator click the appropriate operator button and drag and drop expressions onto that operator ...

Page 130: ...m a Decision Step when the criteria for the Conditional transitions are not met This transition only applies to Decision Steps and every Decision Step must have an Else transition The workflow path with the Else transition is only followed if none of the criteria for the Conditional transitions is met NOTE You can add Else Transitions only from a Decision Step to any other step To add an Else Tran...

Page 131: ...5 6 5 Alert Transitions An Alert transition leads to a path that is taken when a user specified amount of time minutes hours or days elapses after step_activated_time or step_accepted_time At this point the workflow process is usually escalated to a user who can intervene and take action Step_activated_time is the time that iTRAC activates this step within the workflow process Step_accepted_time i...

Page 132: ...all to the Command Mail or Activity Step fails If there is an internal error with the Command script or the mail server fails this does not satisfy the conditions for an Error transition Only the destination Step can be specified along with a description To add an Error Transition 1 Open the Process Builder 2 Select an existing Decision step right click and select Add Transition 3 Select the Trans...

Page 133: ...ndow displays 4 Select an existing step right click and select Remove Transition 5 In the Alert Message window click Yes 5 7 Activities An Activity is very similar to a Command Step except that Activities are reusable and cannot use input or output variables The Activities pane shows a library of user defined reusable Activities that can reduce the amount of configuration necessary when building T...

Page 134: ...xec directory on the iTRAC workflow server usually the same machine where the Data Access Server DAS is installed 5 7 2 Incident Internal Activity An Incident Internal Activity enables you to mail and or attach information from the Sentinel database to the incident associated with the workflow process Each of these options has a prerequisite Vulnerability for the Initiator IP address SIP or the Ta...

Page 135: ... Incident Composite Activity enables combine one or more existing Command and Internal activities 5 7 4 Creating iTRAC Activities To create an iTRAC Activity 1 Click iTRAC tab 2 In the Navigator click iTRAC Administration Activity Manager or click the Add button in the Activity Pane 3 Highlight an existing activity and click Add button Activity Wizard window displays 4 Select an Activity type Comm...

Page 136: ... the necessary settings for the type of activity you chose Incident Command Activity In the Command Arguments Wizard specify the Command Provide the Arguments for this command You can select None Incident Output Values from the Drop down list or provide Custom values ...

Page 137: ... Next You can configure an Incident Command Activity to email the output to a specific address and or attach the output to the incident associated with the workflow process in this window Select Mail and specify the To and From email address and Subject ...

Page 138: ...lick Next View and confirm the details you chose in the Summary page and click Finish Incident Internal Activity In the Command Arguments wizard specify the Command Provide the Arguments for this command You can select None Incident Output Values from the Drop down list or specify Custom values ...

Page 139: ...0 Click Next Select your options Mail and attach If you select Mail you are prompted to provide To From email address and Subject Provide this information and click Next View and confirm the details you chose in the Summary page and click Finish ...

Page 140: ...reating an Activity you can modify import or export it Modifying Activities To modify an Activity 1 Click the iTRAC tab 2 In the Navigator click iTRAC Administration Activity Manager 3 Highlight activity that needs modification and click View Edit Edit Activity window displays 4 Edit information in General Attachment and Mail tabs 5 Click OK Exporting Activities To export an Activity 1 Click iTRAC...

Page 141: ...or more activities to be exported 8 Click Next and click Finish Importing Activities To import an Activity 1 Click iTRAC tab 2 In the Navigator click iTRAC Administration Activity Manager 3 Click Import Export Activity icon Import Export Wizard window displays 4 Select Import Activity and click Explore 5 Navigate to your import file Click Import 6 Click Next You will see a list of activities that ...

Page 142: ...o an iTRAC process instance 5 8 1 Instantiating a Process An iTRAC process can be instantiated in the iTRAC server by associating an incident to an iTRAC process by the following three methods Associate an iTRAC process to the incident at the time of incident creation Associate an iTRAC process to incident after an incident has been created Associate an iTRAC process to an incident through correla...

Page 143: ...lly by clicking on the Refresh button the process monitor also provides an audit trail of all the actions performed by the iTRAC server when executing the process Activities that are running are represented by and those completed by and terminated by icons respectively 5 8 5 Displaying Status of a Process To display Status 1 Click iTRAC tab 2 Click Display Process Manager icon 3 Click down arrow o...

Page 144: ... January 2010 5 The current step is highlighted in red 6 To close click X in the upper right corner 5 8 6 Changing Views in Process Manager To Change the View in the Process View Manager 1 Click iTRAC tab 2 Click Display Process Manager icon ...

Page 145: ... with Tree Display set to Status running and not started 5 8 7 Starting or Terminating a Process To Start or Terminate a Process 1 Click iTRAC tab 2 Click Display Process Manager icon Alternatively you can select iTRAC Display Process Manager 3 Click drop down arrow on the Switch Views button to select a view or create a new view 4 In the Process View Manager window highlight a process right click...

Page 146: ...146 Sentinel 6 1 User Guide novdocx en 7 January 2010 ...

Page 147: ...assign it to you or acquire the work item management permissions If you have Work Item management permission you can manage work items of other users 6 1 1 Work Item Summary The Work Item Summary lists the work items allocated to a user as an individual and as a member of a group it can be referred as an incident workflow to do list for a user who is a part of the Incident response process In the ...

Page 148: ...plays and shows the name and ID of the incident the workflow process name and the step name and description 2 Double click any work item and click View Details Work Item Details window displays and shows the Process Details including any detailed instructions included by the iTRAC workflow developer and any variables that need to be set in the step 3 Click Process Overview to view an overview of t...

Page 149: ...ils of the associated incident 5 To take responsibility for this work item click Acquire Otherwise click Cancel NOTE Any changes to the Incident from this screen must be saved There is a Save button on the toolbar and Save button if you scroll down to the bottom of the screen ...

Page 150: ... two steps in a row are assigned to the same Role the user who acquires the first step will also be assigned the second step Non consecutive steps are independent For example if a workflow proceeds from steps that are assigned to the Tier 1 Analyst group to the Tier 2 Analyst group and then back to the Tier 1 Analyst group the third step will be available to the entire Tier 1 Analyst group it is n...

Page 151: ...he completion of the task to the iTRAC server The updateable variables from the work item are processed by the server to move to the next step which depends on how the workflow is defined The work item is removed from the user s worklist and appears in the worklist of the individual or role associated with the next step in the process 6 3 Manage Work Items Of Other Users The Administration functio...

Page 152: ...e Analyst group Owner Select either All all processes acquired or not me acquired processes or Group un acquired processes Process Name of the process In the above example all processes acquired by jr1 who belongs to Group Analyst with all processes listed 4 To release the Work Item high light the Work item and click Release Release changes to Acquire not available In this example only a member of...

Page 153: ...ew predefined reports You can also customize reports to meet your requirements NOTE Sentinel is integrated with Crystal Reports Server to generate and display reports The administrator must configure the location of the Crystal Reports Server that publishes reports in the Crystal Report Configuration window of the Admin tab The Navigator window on the Analysis tab shows a list of available reports...

Page 154: ...airs Top 10 Source User Names Top 10 Virus Names Event Count by Top 10 Assets Event Count by Top 10 Departments Event Count by Top 10 Taxonomy Level 3 Incidents by Top 10 Assets Incidents by Top 10 Users The Top 10 reports are enabled by default and the following summaries are turned on to enable the Top 10 reports EventDestSummary EventSevSummary EventSrcSummary If Top 10 reports are not needed y...

Page 155: ...k the status Active Inactive of that summary 3 Select Yes to confirm that you want to change the status of the summary To enable or disable EventFileRedirectSerice 1 At your DAS machine using text editor open For UNIX ESEC_HOME config das_binary xml For Windows ESEC_HOME config das_binary xml 2 For EventFileRedirectService change the status to on or off as appropriate For example property name sta...

Page 156: ...tor open the Historical Events folder 3 Click Historical Event Queries 4 Click Analysis Create Report or click Create Report icon An Event Query window displays 5 Set the following time frame filter severity level batch size this is the number of events to view events display from oldest events to newer events 6 Click Begin Searching 7 To view the next batch of events click More results icon 8 Rea...

Page 157: ...enu Bar The Offline Query window displays Alternatively you can click Offline Query button on the Tool Bar 2 In the Offline Query window Click Add button located on the top left corner of the screen The Add Offline Query window displays 3 Provide a Query Name Select an existing filter to be used for generation of offline query For more information on the selection and creation of filters see Chapt...

Page 158: ...line Query in the Active Browser window CSV Click CSV to generate a Comma Separated Value file with the queried information HTML Click HTML to generate an HTML file with the queried information Delete Click Delete to delete the Offline Query Confirmation message alert displays Click Yes to delete Details Click Details to view the details of the Offline Query as specified when adding the Query ...

Page 159: ...g Exploit Detection feature depend on the mappings between the attacks against enterprise assets and the known vulnerabilities of those assets The Advisor and the Exploit Detection features require the following data to work with the Advisor products Vulnerability scan data The vulnerability scanners check enterprise assets for known vulnerabilities The scanned data can then be loaded into the Sen...

Page 160: ...ng IP ranges from matching incorrectly The vulnerability scanner and intrusion detection system products must be supported by the Advisor service This data uses specific product identifiers to ensure proper matching The specific reported attacks and vulnerabilities must be known to the Advisor service and Exploit Detection All Collectors shipped by Novell meet these requirements as long as they ar...

Page 161: ...vidual customer For either type of company the value in the intrusion detection systems Collector must exactly match with the value in the vulnerability Collector These values are used by the Mapping Service to populate the VULN field in the event This value is used to evaluate the incoming events to determine whether a vulnerability is exploited or not When the vulnerability field VULN equals 1 t...

Page 162: ...e the time from 1800000 30 minutes to 180000 3 minutes NOTE You must restart the das_query services after you change the time 8 2 3 Viewing the Events To view events that indicate a possible exploitation create an Active View with a filter that has the Vulnerability value set to 1 Within an event the values in the Vulnerability field convey the following 1 the asset or destination device is possib...

Page 163: ...ocessing of the feed files For more information on processing the Advisor feed see Section 8 3 2 Processing the Advisor Feed on page 164 Exploit Detection Lists the vulnerable products that are included in the feed files and enables you to configure the products for exploit detection For more information see Section 8 3 3 Configuring the Advisor Products for Exploit Detection on page 165 Location ...

Page 164: ... to automatically process the feed files at scheduled time intervals Processing the Feed Files Manually on page 164 Processing the Feed Files Automatically on page 165 Processing the Feed Files Manually 1 In the Advisor window select the directory where you downloaded the latest Advisor feed files The initial Advisor feed is loaded at ESEC_HOME data updates advisor 2 Click Process Now to process a...

Page 165: ...the corresponding check box 2 Conditional To remove any product from the list deselect the corresponding check box 3 Click Save to save the changes made to the Advisor products list After the product list is saved the exploitdetection csv file is updated For more information on exploit detection see Generating the Exploit Detection File on page 162 4 Optional Click Reset to undo the changes made t...

Page 166: ...utomated downloads at fixed intervals NOTE To download Advisor updates you must purchase the Advisor Data Subscription and obtain the credentials Section 8 4 1 Configuring the Sentinel Server for Automated Downloads on page 166 Section 8 4 2 Downloading the Advisor Feed Manually on page 167 8 4 1 Configuring the Sentinel Server for Automated Downloads You can use the Download Manager to configure ...

Page 167: ...d The Novell eLogin username and password must be associated with the Advisor license 2 Download all the zip and md5 files 3 Copy the downloaded feed files to the Sentinel 6 1 server To process the downloaded feed you must provide the location where you have saved the feed in Admin Advisor window The default location is ESEC_HOME data updates advisor 8 5 Viewing the Advisor Status The Advisor Stat...

Page 168: ...n System IDS or Firewall Number of Signatures Shows the number of signatures for the product by Nexus Last Update Time stamp indicating when the product was last updated Feed File Name Shows the name of the feed files that have been processed and are currently being processed Process Start Time stamp indicating when processing the feed file started Process End Time stamp indicating when processing...

Page 169: ...nel Control Center click Active Views 2 In the real time events table right click an event that has the Vulnerability field value set to 1 3 Click Create Incident Advisor or click Analyze Advisor Data Figure 8 4 Advisor Data Analysis tab 1 In the Sentinel Control Center click Analysis Offline Queries 2 Add an offline query that filters events with the Vulnerability value set to1 For more informati...

Page 170: ...r more information see Configuring the Sentinel Control Center to Integrate with Crystal Reports Server in Crystal Reports for Windows or Crystal Reports for Linux in the Sentinel 6 1 Installation Guide 8 7 2 Viewing the Advisor Reports Viewing the Advisor Reports in Crystal Reports Server on page 170 Viewing the Advisor Reports in the Sentinel Control Center on page 170 Viewing the Advisor Report...

Page 171: ...ct the download configuration for which you want to change the password then click Edit The Edit window is displayed 3 Specify the new password in the Password field 4 Optional Click Validate to validate the URL and the login credentials The URL and its credentials are validated and a confirmation message is displayed If the validation fails you must provide a valid URL and the login credentials 5...

Page 172: ...172 Sentinel 6 1 User Guide novdocx en 7 January 2010 ...

Page 173: ...wnload Configuration on page 174 Section 9 3 Editing a Download Configuration on page 176 Section 9 4 Downloading the Feed Instantly on page 177 Section 9 5 Deleting a Download Configuration on page 177 Section 9 6 Audit Events for the Download Manager on page 177 9 1 Understanding the Download Manager User Interface You can access the Download Manager GUI from the Tools menu and also by clicking ...

Page 174: ... 1 Open the Download Manager window by doing one of the following Click Tools Download Manager Click the icon on the toolbar 2 Click Add to configure the download feed Status Icon Description Download in progress Indicates that the download is in progress Download successful Indicates that the latest download was successful Download not initiated Indicates that a download has never been initiated ...

Page 175: ... repository name as Novell Advisor URL URL where the download feed is located For example to download Advisor data specify the Advisor URL Advisor Data Feed https secure www novell com sentinel download advisor feed Anonymous Select the check box to download the information as an anonymous user If Anonymous is selected the Username and Password fields are disabled You can only access the URLs that...

Page 176: ...ration settings are updated and displayed in the Download Manager window If the download status is changed to Enable the Advisor feed is downloaded at the specified time interval Download Directory Specify the location and name of the directory where you want to save the feed Ensure that you specify the absolute path The directory is created on the Sentinel server at the specified path while downl...

Page 177: ... tool bar 2 Select the download configuration that you want to delete then click Delete A message is displayed to confirm whether you want to delete the selected configuration 3 Click Yes to confirm deletion The selected configuration is deleted 9 6 Audit Events for the Download Manager The Download Manager generates an audit event whenever you perform any of the following actions Create a downloa...

Page 178: ...178 Sentinel 6 1 User Guide novdocx en 7 January 2010 ...

Page 179: ...sources and the software components that are processing data from that event source Each component can be easily deployed to quickly integrate the devices in the enterprise and then can be monitored in real time within the ESM interface NOTE You need to have appropriate permissions to access this tab Only a Sentinel Administrator has controls to enable disable access to the ESM panel for other use...

Page 180: ...nnectors to Sentinel Hot Fixes and New Functionality In the future some Sentinel enhancements and defect fixes might be available as plugins After you import a plugin into Sentinel it is centrally stored in the Plugin Repository The appropriate Sentinel component on other machines automatically starts using the plugin Auxiliary Files Some plugins such as database Connectors require one or more aux...

Page 181: ...View Tools and Help options Figure 10 2 Event Source Management Menu Bar The following are the options available in the each of the Menu Bar options which are described in the document File Export Configuration Import Configuration Save Preferences Close View Reset Layout Redo Layout Undo Layout Tools Connect to Event Source Import plugin ...

Page 182: ...ting to a new Event Source Import Export Reload Event Source Management Configurations and plugging The tool bar contains several tools for displaying objects in ESM You can zoom the entire Graphical view in and out or zoom directly to a selected region The Magnifying Glass allows you to enlarge the text and icons for a small portion of the Graphical view without affecting the overall zoom level T...

Page 183: ...ttribute Filter The Attribute Filter allows you to display the components of ESM You can specify the components to be displayed based on the component name and status Figure 10 3 Attribute Filter frame Text Filter It allow you to filter the nodes that are displayed in the graphical and tabular view based on the text they type in State Filter It allows you to filter the nodes that are displayed in ...

Page 184: ... 2 Click the Hierarchy Filter frame 3 Select the Hierarchy Level to display the components Connectors Connectors are plugins in Sentinel Importing a Connector implements the Connector mechanism in the system Connectors frame allows you to Add Remove and Refresh connectors and Add auxiliary file in the system Figure 10 5 Connector frame Table 10 2 Connector frame Icons Add Add Connectors to the sys...

Page 185: ...d to manage the importing and updating of Collectors also called Scripts into Sentinel Figure 10 6 Scripts frame Table 10 3 Scripts frame Icons To add Collector Plugins 1 In Sentinel Control Center click the Event Source Management in the menu bar and select Live View or Scratch Pad 2 Click the Script or Connectors frame You can import Collectors from here For more information see Adding Connector...

Page 186: ...s of immediate children nodes of a parent main node when you click the parent node This frame is useful to manage children of nodes which have been contracted in the Graphical View To perform any action in ESM right click a component and select from options listed For more information see Section 10 3 3 Right Click Menu on page 190 Figure 10 8 Children frame Status Details This frame displays the ...

Page 187: ...frame allows you to quickly move across the graphical view This is particularly useful when there are a lot of objects in the screen Figure 10 10 Overview frame 10 3 Live View The ESM panel provides the main user interface to Event Source Management You can view configuration data in Graphical or Tabular view ...

Page 188: ... connected nodes Figure 10 11 Graphical View By default the Health Monitor Display frame displays in the Graphical View The data can be displayed in seven different layouts The default layout in graph is the Hierarchic Left to Right layout You can change between these layouts by selecting the layout format from the drop down list in the Tool Bar Figure 10 12 Layout Selection TIP Click in the Graph...

Page 189: ...plays the number of immediate children next to the node for example WMI Connector 3 Collector name Number of immediate children The Children panel of a contracted node shows the immediate children of that node each of which can be managed in the same way as nodes in the Tabular ESM View NOTE Event Source Server node do not have or sign after its name even if it contains children Double clicking a ...

Page 190: ...he Event Source connection Error A textual description of an error that occurred in the running object TIP Use the Table Graph tabs to change to Tabular Graphical views 10 3 3 Right Click Menu The Health Monitor Display View provides a set of right click menus that helps you execute a set of actions as described below NOTE The right click actions available depend on the kind of object you clicked ...

Page 191: ...ough the selected object Open Active View You can open Active View window that only displays events that have been generated by data from or flowing through the selected object Zoom You can zoom in the graphical view display on the selected object Show in Tabular Graphical View You can switch over to the other view to tabular view if on graphical view or to graphical view if on tabular view and au...

Page 192: ...llectors instantiate the parsing logic for data from a particular event source Each Collector icon in ESM refers to a deployed Collector script as well as the runtime configuration of a set of parameters for that Collector Connector Connectors are used to provide the protocol level communication with an event source using industry standards like Syslog JDBC and so forth Each instance of a Connecto...

Page 193: ...untime configuration about the event source In some cases a single Event Source could represent many real sources of event data for example if multiple devices are writing to a single file Stopped Indicates that the component is stopped Running Indicates that the component is running Warning Indicates that a warning is associated with the component At this time this warning indicator is primarily ...

Page 194: ...ctors Generate Events Start Right click the Collector and select Start the Collector to generate Events Debug Collectors For any errors in the output of a Collector select the Collector right click and select Debug For more information see Section 10 5 Debugging on page 211 Edit Collectors To troubleshoot any misbehavior of a Collector you can edit the Collector The method for editing the Collecto...

Page 195: ... zip Click Next 3 Browse to a location of the Connector Plugin package file and click OK Click Next NOTE If the file imported is not in the format specified for the Collector scripts or for the Connector plugin package system displays an error message 4 Plugin details window displays Select the Deploy Plugin option to deploy the plugin from this window For more information see To connect to the Ev...

Page 196: ...window displays 4a Click the button next to id field to generate UUID 4b The name and author details are displayed Edit the details as per your requirement Specify Version number 4c Browse and attach the help file NOTE If the help file is not in the plugin directory the system prompts to copy the help file to the plugin directory before import Click Yes 4d Provide description and click Next Suppor...

Page 197: ...the correct user s desktop To update a Connector or Collector plugin 1 Click Tools Menu and select Import plugin Import Plugin Wizard window displays 2 You can select from the two options available in this window Click Next 3 Browse to a location of the Connector or Collector Plugin package file and click OK Click Next NOTE If the file imported is not in the format specified for the Collector scri...

Page 198: ...8 Sentinel 6 1 User Guide novdocx en 7 January 2010 5 Plugin details window displays Check the Update Deployed Plugins option to update any currently deployed plugins that use this Connector or Collector ...

Page 199: ...e Affected Connectors Event Sources Event Source Servers or Affected Collectors These are the components whose configuration is affected because of adding already existing Connectors Collectors in ESM Affected Event Sources Connectors Event Source Servers Affected Collectors Click Finish NOTE When you add a plugin into Sentinel it is placed in the Plugin Repository which enables Sentinel component...

Page 200: ...d Connector menu item 3 Follow the prompts in the Add Connector wizard 4 Click Finish Deploying an Event Source To add an Event Source 1 In the main ESM display locate the Connector to which the new Event Source will be associated 2 Right click the Connector and select the Add Event Source menu item 3 Follow the prompts in the Add Event Source wizard 4 Click Finish Deploying Event Source Servers C...

Page 201: ...r the Event Source Server If you want this server to be running select the Run checkbox 5 Click Finish In the Health Monitor Display frame the Event Source Server added here displays with a dashed blue line showing the Collector Manager to which it is associated to NOTE This Add Event Source Server wizard can also be initiated from within the Add Connector wizard if a compatible Event Source Serve...

Page 202: ...ools on the Menu Bar and select Connect to Event Source Alternatively click the Connect to Event Source button on the Tool Bar Connect to Event Source window displays NOTE Event Source types for which you currently have compatible Collector parsing scripts are listed here 2 Select an Event Source from the list to which you want to connect to and collect data from You can click Add More to import a...

Page 203: ...ist You can also install additional Collector scripts click Install More Scripts that support your Event source if it is not listed here For more information on installing a Collector script see Adding Connectors Collector Plugins on page 194 Click Next Select Connection Method window displays ...

Page 204: ...nnection method from the list You can also install additional connectors by clicking on the Install More Connectors button For more information see Adding Connectors Collector Plugins on page 194 to install connectors Click Next Event Source Management window displays ...

Page 205: ...in your system that is compatible with your new Event Source one or more of these options might be unavailable Create a new Collector and Connector Select this option to create a new Collector and Connector to manage the Event Source connection 1 After you select this option and click Next Select Collector Manager window displays 2 Select the Collector Manager you want to use and click Next Config...

Page 206: ...06 Sentinel 6 1 User Guide novdocx en 7 January 2010 3 Configure the parameters available and click Next Configure Collector window displays 4 Provide the name of the Collector and configure the options ...

Page 207: ...um number of records per second You can set filter through Set Filter button You can check Trust Event Source Time to display the Device Time time when the event occurred instead of Event Source Time time when the event was reported to console NOTE If Trust Event Source Time option is selected then all data flowing through the Collector will have there Event Source Time trusted even if the Event S...

Page 208: ...t this option to use an existing Collector and to create a new Connector to manage the Event Source connection 1 After you select this option and click Next the Select Collector window displays 2 Select the Collector you want to use and click Next The Configure Connector window displays 3 Provide the name of the Connector and configure the options Check the Run checkbox if you want to run your Con...

Page 209: ... existing Connector to manage the Event Source connection 1 After you select this option and click Next the Select Connector window displays 2 Select the Connector you want to use and click Next 6 The Records Per Second window displays 7 Set the number of records to be transferred per second and click Next The General window displays ...

Page 210: ...ent Source Time time when the event was reported to console You can set filter through Set Filter button In the Filter window add edit the filters and click OK 8 Click Next The Summary window displays Click Test Connection to test the event source Test Event Source window displays with Data and Error tabs The Error tab displays the error message if there is any error in the configuration of event ...

Page 211: ...esigned to be easily customizable and to be created by customers and partners There are two types of Sentinel Collectors proprietary or legacy Collectors that are written in a language developed for Sentinel and JavaScript Collectors The debugging interface is slightly different for each type and is intended to analyze the Collector code running in place on the Collector Manager For more informati...

Page 212: ...Location ESEC_HOME data collector_mgr cache collector_instances on each Collector Manager 4 In order to edit a Collector you need to use the ESM Debuggger Download button which will copy the Collector to the local Collector Workspace on the client machine the machine where you are running SCC Edits are made against that local copy and then uploaded back into the central Plugin Repository Location ...

Page 213: ... to make modifications The debugger has the following four controls Table 10 6 Debugger Icons NOTE The Command list and the Variable list are not displayed in the debugger when the Script is Running To see the Command list and the Variable list the debugger must be Stepping Paused or Stopped Run Run the script until the next breakpoint is encountered Step Into Step one instruction at a time Pause ...

Page 214: ...n the main ESM display locate the Collector that to run Debugging 2 Right click the Collector and select Debug 3 In the Debug Collector window select a variable from the list of variables in the right pane click Run Debug button 4 After debugging all the variables close the Debug window 5 Start the Collector to generate the Events 10 5 3 Debugging JavaScript Collectors The debugger for JavaScript ...

Page 215: ...ce code CTRL G go to a line number CTRL M to find the parenthesis or brace that matches the highlighted one You can also open a script file set break point step through the script code and watch variables and methods values at each step You can debug Collectors in Standalone or Connected modes To debug a Collector 1 Log into Sentinel Control Center On the menu bar click Event Source Management Liv...

Page 216: ...put file should be a text file with log data in nvp format and for Collector that uses File Connector input text file with log data in csv format For standalone mode Output from the script is to an output file rather than live Events You must specify the path to the output file that the script will use for output If you specify an output file that does not exist the system creates the file for you...

Page 217: ... step through the code Click to pause debugging whenever required 6 After debugging is complete click to stop debugging 7 Click Upload Download tab in the debugger window 8 Click Download and specify a location to download the script file 9 Open with any JavaScript editor or a text editor 10 Make your edits in the code and save the file Click Upload 11 Debug the uploaded script to have a Collector...

Page 218: ...n Live debug mode the script engine will be executed on the local box rather than the actual box that the associated Collector Manager is running on The Connectors Event Sources will still run on the same box as the Collector Manager When running debug mode data will automatically be routed from the Event Sources to the script engine running in debug on the local box 10 5 4 Generating a Flat File ...

Page 219: ... you export the configuration of ESM objects along with their Collector script and the Connector plugins NOTE You can export any object in the ESM panel Depending on the object selected all its children and parent should be displayed in the Select Data window of Export Configuration wizard To export your configurations 1 Go to Menu Bar and click File Export Configuration or right click an object i...

Page 220: ...220 Sentinel 6 1 User Guide novdocx en 7 January 2010 3 Select the Collector scripts from the list to export You can select or deselect all Click Next Select Connectors Plugin window displays ...

Page 221: ...mary page with the details of the configurations and plugins selected to export displays 7 Click Finish to export The file is exported in zip format 10 7 Import Configuration Import configuration helps you to import the configuration of ESM objects exported to a zip file along with the plugins 10 7 1 Enable Disable Import Configuration The import configuration option is enabled in Live view when y...

Page 222: ... Tool Bar Import Configuration window displays NOTE You can also import configuration by right clicking on the object in the ESM panel Depending on the object you have selected in the ESM panel the node along with its child nodes are displayed in the Select Data window of Import Configuration wizard 2 Browse and select the configurations file and click Next Select Data window displays NOTE Configu...

Page 223: ...ect Collector Scripts and Select Connector Plugins window to indicate whether the plugin is already present in the repository or not If the plugin does not present in the repository then the color is displayed as red and if same version of plugin exists then the color is green else it is orange 5 Click Next Select Connector Plugins window displays ...

Page 224: ...mporting the plugin then Affected Collectors or Affected Connectors window is displayed 7 Click Next Summary page with the details of the configurations and plugin selected to import displays 8 Click Finish 10 7 2 Reset Layout To reset to default settings 1 Click View on the Menu Bar and select Reset Layout Alternatively click the Reset button on the Tool Bar 10 7 3 Undo Layout To undo layout chan...

Page 225: ...s have been rolled up into ESM Along with the Sentinel 5 component name there is a hint at where to find the related functionality in ESM Table 10 7 Comparison Table Components Sentinel 5 x Sentinel 6 0 Build Edit Collector Building Modifying or editing a Collector was possible in Collector Builder in 5 x Building Modifying or editing a Collector is possible in Collector Builder in 6 0 Import Coll...

Page 226: ... Port Configurations The configuration of the connection to the event source as well as the Collector to parse the data from the event source Port Configurations were managed from Collector Builder in Sentinel 5 x In ESM this configuration is now managed in the ESM panel in Sentinel Control Center The connection mechanisms are now plugins which must be added to plugin repository before being deplo...

Page 227: ...he users The Admin tab allows you to access Crystal Report Configuration page 229 Configure connection to Crystal Reports Server Servers View page 231 View health of server components Filters page 234 Create and edit filters DAS Statistics page 249 View health statistics for DAS components Color Filter Configuration page 240 Format events based on filter criteria Mapping page 251 Configure mapping...

Page 228: ... en 7 January 2010 Figure 11 1 Sentinel Control Center 11 2 Introduction to User Interface In Admin tab you can see Server views Filter Configuration and User Configuration in the Admin Navigator You can navigate to these functions from ...

Page 229: ...ry 2010 Table 11 1 Admin Tab User Interface 11 3 Crystal Report Configuration To configure the URL for Analysis and Advisor Reports 1 Click Admin The Admin menu in the Menu Bar The Navigation Tree in the Navigation Pane The Toolbar Buttons ...

Page 230: ... host name For more information see Crystal Reports for Windows in Sentinel 6 1 Installation Guide For Crystal Reports Server running on Linux SUSE and Red Hat In the Analysis URL box specify the URL for the Crystal Reports Server and click Refresh http hostname_or_IP_of_web_server web_server_port_default_8080 esec script GetReports jsp APS hostname user Guest password tab Analysis where hostname_...

Page 231: ...wser your command line must be followed by a URL For example C Program Files Internet Explorer IEXPLORE EXE URL 3 Wait for the Refresh button to turn green and click Save You must logout of the Sentinel Control Center and login again 11 4 Servers View Through Servers View you can Start Stop Restart the processes that get installed on the product installation Server Views allows you to monitor the ...

Page 232: ...rts in the context of the Server View are defined as follows Starts The number of times the process was started for whatever reason This includes starts initiated by the user through the GUI or done automatically AutoRestarts The number of times the process was automatically restarted Because this only applies to purely automatic restart scenarios it does not apply to restarts initiated by a user ...

Page 233: ...ick Fields To group different attributes click GroupBy To sort by different attributes click Sort To filter click Filter To change the display values of the processes shown in the servers view click Leaf Attribute 3 Click Save 11 4 3 Starting Stopping and Restarting Processes To Start Stop and Restart Processes 1 Click the Admin tab Click Servers View Alternatively in Navigator click Servers View ...

Page 234: ...to see Filters are created in the Admin tab of the Sentinel Control Center NOTE The following are invalid filter name characters There are three types of filters Section 11 5 1 Public Filters on page 234 Section 11 5 2 Private Filters on page 234 Section 11 5 3 Global Filters on page 235 Color Filters 11 5 1 Public Filters Public filters are system owned Public filters can be used as security filt...

Page 235: ...abled or disabled as required Global Filters enable routing actions and JavaScript actions on events Routing actions include dropping events or routing events to database database and GUI SCC or only to GUI SCC This section includes the following topics Create Global Filter Rearrange a Global Filter Delete a Global Filter Figure 11 4 Global Filter Configuration Creating a Global Filter To create a...

Page 236: ... Routing determines how the event is handled The following are the options available in the Route drop down list drop Events are dropped and are not sent to Sentinel Control Center or the Sentinel Server database database Events are sent directly to the Sentinel Server database bypassing the Sentinel Control Center database and gui Events are sent to the Sentinel Control Center and Sentinel Server...

Page 237: ...bal Filters To Rearrange Global Filters 1 In the Global Configuration window select a filter and click Up or Down to move it to a different location on the list 2 Click Save Deleting a Global Filter NOTE When deleting a Global Filter the confirmation message will not display To delete a global filter 1 In the Global Configuration window select a filter from the list and click Delete 2 Click Save 1...

Page 238: ... Filter To add a public and private filter 1 Click Admin Filter Manager or select File Manager under the Filter Configuration folder in the Navigator click Add 2 Select an Owner ID public or private user owned Add a Filter View the Details of a Filter Clone a Filter Delete a Filter Modify a Filter ...

Page 239: ...ect the criteria for the following columns Property Operator Value columns NOTE In order to include special characters in the Value column you should provide the hexadecimal value character code of the special character For example if the Value is 10 1 1 1 then you should enter x2210 1 1 1 x22 to embed the double quote in a string value The Expression string box displays the filters that you creat...

Page 240: ...ange any of the criteria as desired You will not be able to change the Owner ID and the Filter Name Click Save Viewing the Details of a Public and Private Filter To view a public or private filter 1 Open the Filter Manager window 2 Select a filter and click Details Deleting a Public and Private Filter To delete a Public and Private filter 1 Open the Filter Manager window 2 Select a filter and clic...

Page 241: ...ev 2 with background color red and text color yellow Color filter configuration 2 sev 1 with background color white and text color black Any event with severity 2 will meet the criteria for both color filters but since the sev 2 color filter configuration is at the top all the events with sev 2 will be coded as per color filter configuration 1 All the other events with sev 1 For example sev 3 4 5 ...

Page 242: ...s on page 237 5 In the Color Filter Configuration window click Text Color The Pick a Color window displays Select a color from the Swatches tab Alternatively click HSB or RGB tab and specify the HSB or RGB color value in the respective tab Click OK 6 In the Color Filter Configuration window click Background Color The Pick a Color window displays Select a color from the Swatches tab Alternatively c...

Page 243: ...ration button 2 Select a Color Filter Configuration row 3 Click Up or Down button to set the priority NOTE The Up and Down button will be active only when there is more than one color filter configuration row available in the Color Filter Configuration window 11 6 Configure Menu Options NOTE To use this feature you must have the user permission Event Menu Configuration Use the Event Menu Configura...

Page 244: ...configuration details for any of these options select the item and click Details The following is the nslookup configuration Figure 11 8 Menu Item In addition new options can be customized to execute a command open a Web browser or execute a JavaScript Action configured through the Action Manager NOTE The Execute Command scripts commands or applications must be available in ESEC_HOME config exec o...

Page 245: ...te Command Executes a script or an application opens the output in a specified application This can take the value of a field or fields as input This action can only be executed on a single event Launch a Web Browser Launches a web browser with a specified URL This can take the value of a field or fields as input This action can only be executed on a single event JavaScript Actions configured thro...

Page 246: ...one 3 In the Event Menu Configuration dialog box edit Name Description Action Option Description Use browser Displays the output of your command using the defaults configured for the web browser based on the file type below This is only available with the Execute Command Action File Type If you selected the Action Execute Command your Browser settings are setup to Use Default Browser and you selec...

Page 247: ...n is added to the list of menu items in the Event Menu Configuration window 11 6 3 Modifying an Event Menu Option To modify an Event Menu Configuration option 1 Open the Event Menu Configuration window 2 Double click a menu option 3 Type your desired changes and click OK 11 6 4 Viewing Event Menu Option Parameters To view the parameters for an Event Menu Configuration menu option 1 Open the Event ...

Page 248: ... option allows you to send your Event Menu output to an external browser The external browser can be any application It is not restricted to Internet Browsers By changing the file extension you can launch whatever application is associated with that extension For example txt is often associated with Notepad You can also select to launch a specific program for example you can set txt files to be op...

Page 249: ...launches into Internet Explorer 3 After you set your configuration click OK 11 7 DAS Statistics This feature is for internal monitoring of your system It is not intended for the average user DAS Statistics monitors the following DAS_Binary DAS_Query DAS_rt Collector_ Manager Correlation _Engine DAS_iTRAC Statistics are broken down as follows Service Name of service such as DAS_Query Time Time sinc...

Page 250: ...quest needs to wait for an available thread even if the service is not heavily used If the statistics indicate that the wait time for a request is large and the number of requests for that service is low check the information about the thread pools The numbers next to an entry are the sum for all its children So requests 15 means that there are 15 requests for all requests method calls Under that ...

Page 251: ...a string or number range The following are the default maps available AccountIdentity Contains information about identities and the accounts associated with them The keys are UserName UserDomain and CustomerName for MSSPs This map is populated from information in the Account and Identity tables in the Sentinel database Asset Contains the data from the map data source file asset csv The asset csv i...

Page 252: ...click Map Data Configuration button 2 Click Add 3 If you are creating a new map folder click New Dir Specify a folder name 4 Ensure that the folder you want to provide your map definition into is selected that is the folder indicates that it is open 5 Specify your Map Name 6 Click Next NOTE The Map Type field box is disabled 7 Select either Local File or Remote File Local File Allows you to browse...

Page 253: ...d numbers The street address of 1313 LION DOG TOWER could be a string Number Range A number range NumberRange is a range of numbers For example 10 to 200 are represented as 10 200 To use the range map functionality a map definition must have exactly one key column and the key column must be of type NumberRange If there are any other key columns or the key column is of a different type the mapping ...

Page 254: ...ated ESEC_HOME data map_data Specify a file name and click OK 11 8 2 Adding a Number Range Map Definition To use the range map functionality a map definition must have exactly one key column and the key column must be of type NumberRange If there are any other key columns or the key column is of a different type the mapping service will not consider the map a range map To create a range map select...

Page 255: ... Range Map Definition The example table gets transformed to Figure 11 11 Table Transformation An example event configuration on the above map might look like Figure 11 12 Event Configuration Where CustomerVar97 is expected to contain a numeric value or is of a type that can be converted to a numeric value such as an IP or Date ...

Page 256: ... tags are TargetIP dip InitIP sip Date tags are CustomerVar11 to CustomerVar20 cv11 to cv20 DateTime dt ReservedVar11 to ReservedVar20 rv11 to rv20 DeviceEventTime SentinelProcessTime BeginTime EndTime For more information on meta tags see Sentinel Event Fields in Sentinel 6 1 Reference Guide For example for the table below column 1 is numerical range equivalent to an IP range of 10 0 0 0 to 10 0 ...

Page 257: ...le number range positive for example 234 In this case the min and the max will both be 234 Range from negative number to max number for example 234 In this case the min will be 234 and the max will be 2 63 1 Range from positive number to max number for example 234 In this case the min will be 234 and the max will be 2 63 1 NOTE In all cases the min must be less than or equal to the max for example...

Page 258: ...o Admin tab and select Map Data Configuration from the navigation pane or click Map Data Configuration button 2 Expand the folder of interest 3 Highlight the map definition to be deleted 4 Click Delete NOTE Default Sentinel maps cannot be edited or deleted set your delimiters set which row to start your map rename your columns activate or deactivate a column set your column keys column filter ...

Page 259: ...s from the command line using map_updater sh or map_updater bat There are two map locations the location referenced by the Event Map Configuration which is a user defined location and the location where Sentinel stores its internal representation of the map ESEC_HOME data map_data The internal representation of the map should never be manually updated To update map data from the Sentinel Control C...

Page 260: ...ted version of the existing map data source file If needed you can obtain the existing map data source file from the location For Windows ESEC_HOME data map_data For UNIX ESEC_HOME data map_data 2 Log into the Sentinel database 3 Find UUID for the map in the MD_CONFIG table refer to the CONFIG_ID column for the appropriate map listed in the VALUE column 4 On the Sentinel Server machine log in as e...

Page 261: ... is applied system wide to all events from all Collectors Additionally Sentinel will automatically distribute map data to all processes that perform event mappings as well as keep the map data in these processes up to date For these reasons Event Mapping provides significant capabilities to support enterprise deployments Event Mapping comprises of four main parts Controller Stores all map informat...

Page 262: ... Finance35 NOTE When a column is set as a key it will not appear in the Column drop down field Figure 11 16 Physical Assent Name corresponds to Asset Name You can have more than one column set as a key as you do not want the map to be a Range Map Range Maps can only have one key column with that column type set to NumberRange For instance with column type set to String the AttackId tag has the Dev...

Page 263: ...e original Event Tag name displays above the Label field In addition the description of the event column is provided 3 Click Referenced from Map to configure the event tag to be populated with data from a map Click External to keep whatever value the Collector put in the event tag if any 4 Click the Map Name field down arrow Select one of the available default maps or a map you have created 5 Clic...

Page 264: ...he corresponding Map Key Field column The rows in the Key Configuration table will depend on the Map Name selected NOTE A key is a unique identifier for the row of data in the map data 7 Click Apply NOTE Clicking Apply saves the changes you made for the currently selected event column in a temporary buffer If you don t click Apply when you select a different event column the changes you made to th...

Page 265: ... if the event tag labeled Ct2 is renamed to City the variable that must be used in a Collector script to reference this meta tag will still be s_CT2 Any references to this variable in correlation or filters will still work even if they were originally written using Ct2 Below is a before and after illustration of this feature in an Active View Figure 11 19 Active View window Before illustration Fig...

Page 266: ...t particular summary and will shorten the execution time for any report that uses the summary table Sentinel Top 10 reports use summary tables A summary is a defined set of attributes that make up the key for which to compute the number of unique occurrences event count by each hour time period event time In the case of the EventSevDestPortSummary when active it saves the count of events for each ...

Page 267: ...tion EventSrcSummary EVT_SRC_SMRY_1 This summary sums the event count by source ip source asset information source port source user taxonomy event_name resource Collector protocol severity and event time by hour EventDestSummary EVT_DEST_SMRY_1 This summary sums the event count by destination ip destination asset information destination port destination user taxonomy event_name resource Collector ...

Page 268: ...the das_binary xml located For UNIX ESEC_HOME config das_binary xml For Windows ESEC_HOME config das_binary xml NOTE To enable the summary you must set the property Status to ON for EventFileRedirect in das_binary xml To view information for a Summary 1 Click Report Data Configuration in the navigation pane or click the Report Data Configuration button 2 Click the button in the Attributes column t...

Page 269: ...t to query 4 Select a time interval 5 Click Show Graph 6 The green bars signify that the summary is complete for that time frame The red sections signify that the summary is missing data during that time period NOTE To complete summaries see To run Eventfiles for a summary on page 270 To query the Eventfiles for a summary 1 Click Report Data Configuration in the navigation pane or click the Report...

Page 270: ...ies see To run Eventfiles for a summary on page 270 To run Eventfiles for a summary 1 Click Report Data Configuration in the navigation pane or click the Report Data Configuration button 2 Select Status 3 Select the Summary or Summaries you want to query 4 Select a time interval 5 Click Show Event 6 The Eventfiles needed to complete the summary displays in a list format 7 Check the Eventfiles that...

Page 271: ...d esecrpt Sentinel Reporter User password as the admin user ESEC_CORR Sentinel Correlation Engine users used to create incidents esecapp Sentinel application username for connecting to the database 11 11 2 Windows Authentication Sentinel DB Administrator Schema owner configurable at install time Sentinel Administrator Sentinel administrator user configurable at install time Sentinel Report User Se...

Page 272: ...ould select a password you can remember that is still complex For example Msi5 YOld My Son is 5 years old or IhliCf5 yN I have lived in California for 5 years now To use this feature you must have the User Management user permission User permissions are fairly detailed For more information see Sentinel Database Users Roles and Access Permissions in the Sentinel 6 1 Reference Guide Creating an LDAP...

Page 273: ...urity filter to a user you cannot delete that filter 5d Specify the fully qualified Distinguished Name of the LDAP user in the LDAP USER DN field Do not leave the LDAP User DN field empty For example cn sentinel_ldap_user o novell This field is available only if you have specified n for Anonymous searches on LDAP directory parameter while configuring LDAP authentication For more information see LD...

Page 274: ...r permissions For more information about permissions see Sentinel Control Center User Permissions in the Sentinel 6 1 Reference Guide 5g Click the Roles tab and select an iTRAC workflow role for the user This affects what work items appear in the user s work list 5h Click OK You can now log in to Sentinel Control Center and Sentinel Solution Designer using your LDAP username and password ...

Page 275: ...or click Add to create and then select a new filter NOTE After assigning a security filter to a user you cannot delete that filter Optional Under Details specify First Name Last Name Department Phone Email 8 Click the Permissions tab and assign user permissions 9 Click the Roles tab and select an iTRAC workflow role for the user 10 Click OK NOTE Oracle does not allow the creation of users named th...

Page 276: ...sign user permissions For more information about permissions see Sentinel Control Center User Permissions in Sentinel 6 1 Reference Guide 8 Click the Roles tab and select an iTRAC workflow role for the user This affects what work items appear in the user s work list 9 Click OK NOTE Oracle does not allow the creation of users named the same as one of the Oracle Reserved words Also Sentinel does not...

Page 277: ... close the window 11 11 7 Cloning a User Account To clone a user account 1 Open the User Manager window 2 Select a user account ID right click Clone User Change the user information and the user permissions Click Save 11 11 8 Deleting a User Account To use this feature you must have the User Management permission To delete a user account 1 Open the User Manager window 2 Select a user account ID ri...

Page 278: ...e IP Address displayed in the Active User Sessions window might not be the desired IP address as the non loop back IP address of the first NetworkInterface returned by the system is displayed 11 11 10 Adding an iTRAC Role To add an iTRAC Role 1 Open the Role Manager window 2 Click Add a new Role or right click Add New Role 11 11 11 Deleting an iTRAC Role To delete an iTRAC Role 1 Open the Role Man...

Page 279: ...Administration 279 novdocx en 7 January 2010 11 11 12 Viewing Details of a Role To view role details 1 Open the Role Manager window 2 Select a role right click Role Details ...

Page 280: ...280 Sentinel 6 1 User Guide novdocx en 7 January 2010 ...

Page 281: ...moved from SDM to Sentinel Control Center in Sentinel 6 x 12 2 Starting the SDM GUI There are several prerequisites to run the SDM GUI on a machine If using an Oracle database the Oracle JDBC driver must be downloaded and placed in the ESEC_HOME lib UNIX or ESEC_HOME lib Windows directory As of the print date of this document this file could be found at the following URL http otn oracle com softwa...

Page 282: ...you must log into the SDM machine using the Sentinel Database Administrator account 2 Start the SDM GUI using the appropriate procedure for Windows or UNIX 3 Select the database type Oracle or MSSQL 4 Specify the Database instance name used during the Sentinel database installation 5 Specify the Database Host hostname or IP address 6 Specify the port used for database communications 7 If using SQL...

Page 283: ... the SDM allows users to view and manage database partitions for the tables that hold event data correlated event data and summary data To view partitions in the GUI 1 Click the Partitions tab 2 Select the table in the dropdown list you want to see SDM displays the partitions of the currently selected Database Table Each row in the Segments table displays the related Database Table Time Range Stat...

Page 284: ...titions to flat files in a specified pre existing directory Import Partitions Drop Partitions Many of these operations can be executed automatically in the database using stored procedures but this tab allows the administrator to perform these tasks manually To manage partitions 1 Click the Partitions tab 2 Select the table in the dropdown list Offline Archived Partition with data that has been ar...

Page 285: ...ore you must schedule the offline delete archive operations in such a way that the online partitions should not exceed 255 To delete partitions 1 Select the Delete partitions tab 2 Specify the number of days for which older partitions will be deleted 3 Click Delete To import partitions 1 Select the Import partitions tab 2 Select the partition in the Segment table into which the data will be import...

Page 286: ... of days for which older partitions will be archived NOTE You can specify the archive directory in the Archive Destination field in Partition configuration tab in SDM GUI 3 Click Archive Oracle Archive Partitions tab Microsoft SQL Archive Partitions tab 12 2 2 Tablespaces Tab The Tablespaces tab in the SDM allows users to view the current database space utilization including Total space allocated ...

Page 287: ...lespace NOTE On Microsoft SQL Server tablespace usage represents filegroup usage 12 2 3 Partition Configuration The Partition Configuration tab in the SDM allows you to set parameters to auto archive partitions It also allows you to auto add partitions To configure auto archive parameters 1 Click the Partition Configuration tab The Partition Configuration window displays ...

Page 288: ... be retrieved using SDM You should almost always select the archive option 4 Specify the Job Schedule parameters Check Jobs Enabled checkbox if it s not selected By default the Jobs Enabled checkbox is checked if you have selected this feature during the installation Schedule adding partitions and offline operation parameters then click Save NOTE Partitioning Job scheduling through SDM is reflecte...

Page 289: ...job for SDM operations but Novell recommends using auto archiving instead Auto archiving can be configured on the Partition Configuration tab of the SDM GUI The first step to using the SDM command line is to create a file that stores the connection properties for the database Section 12 3 1 General Syntax of the SDM command on page 289 Section 12 3 2 Starting SDM GUI on page 289 Section 12 3 3 Vie...

Page 290: ... Line 1 Execute the following command action dbStats connectFile filePath The following example displays the tablespaces of Sentinel database with their total space used space and free space available Oracle Example sdm action dbStats connectFile sdm connect SQL Server Example Sdm action dbStats connectFile sdm connect action dbstats connectFile filePath ...

Page 291: ... of the following components Communication Server Correlation Engine DAS Collector Manager Any combination of the above components can be installed in a particular Sentinel Server In a distributed installation of Sentinel it is likely that there will be more than one machine with a Sentinel Server running on it In this case all of the Sentinel Servers work together to provide the complete Sentinel...

Page 292: ...er To stop the UNIX Sentinel Server 1 Log into the machine where the Sentinel Server you want to stop is installed as the Sentinel Administrator operating system user by default esecadm 2 Go to the ESEC_HOME bin directory 3 Run the following command sentinel sh stop To stop the Windows Sentinel Server 1 Click Start Settings Control Panel 2 Double click Administrative Tools 3 Double click Services ...

Page 293: ... utilities For more information contact Novell Technical Support http support novell com phone html sourceidint suplnav4_phonesup Clean_Database bat Clean_Database sh Used to delete Incident and or Identity information from the database For more information see Section 13 5 Database Cleanup on page 299 control_center bat control_center sh Launches the Sentinel Control Center graphical user interfa...

Page 294: ...ation Guide runadvisor_client bat runadvisor_client sh Launches the client to download Advisor data sdm bat sdm Launches the Sentinel Data Manager application For more information see Chapter 12 Sentinel Data Manager on page 281 sentinel sh sentinel bat Starts or stops the Sentinel Server For more information see Section 13 2 Starting and Stopping Sentinel Server on page 291 setadvenv bat setadven...

Page 295: ...iated Sentinel Server process These scripts are useful when troubleshooting a problem with a Sentinel Server process that is not running properly and when no helpful error message is written to the log file Before running one of these scripts make sure the associated process is not already running on that machine event_file_info bat event_file_info Displays information about an event file that wil...

Page 296: ..._broker sh Stopping the Communication Server in Console Mode These scripts stop the Communication Server on the command line in console mode These scripts are useful for troubleshooting the Communication Server without forcing you to stop the rest of Sentinel Server NOTE During normal operations you should not use these scripts Instead follow the procedures in the Section 13 2 2 Stopping a Sentine...

Page 297: ...ter Below are the names of the Sentinel Server processes that can be restarted using the procedure described below The name must be used in the command line exactly as shown below Table 13 3 Sentinel Server process names To restart a Sentinel Server process Windows 1 Go to ESEC_HOME bin 2 Specify Name Description Correlation_Engine Processes Correlation Rules Collector_Manager Process raw event so...

Page 298: ...or example stop_container sh localhost DAS_RT 13 4 Version Information Below listed provides information about versions 13 4 1 Executable Version Information Sentinel has a command line option to display the version information of the following executable agentengine To display Sentinel executable version information UNIX 1 Go to ESEC_HOME bin 2 Specify process version For example agentengine vers...

Page 299: ...is installed as the Sentinel Administrator operating system user default is esecadm on UNIX or as an Administrator on Windows 2 Go to For UNIX ESEC_HOME bin For Windows ESEC_HOME bin 3 At the command line Specify For UNIX versionreader sh path jar file name For Windows versionreader bat path jar file name 13 5 Database Cleanup The Clean_Database bat and Clean_Database sh scripts are used to purge ...

Page 300: ...QL Server Stored procedure used to delete Incidents specified by an SQL query esec_incidents_pkg delete_incidents_by_rule Oracle delete_incidents_by_rule SQL Server Stored procedure used to delete Incidents created by a specified Correlation Rule esec_incidents_pkg delete_incident_by_id Oracle delete_incidents_by_id SQL Server Stored procedure used to delete an Incident with a specified ID esec_id...

Page 301: ...o and a DBA would be required to run the DDL again WARNING If identity information is cleaned out of the database and then reloaded the new identity information will not be synchronized with any past events that had identity information injected Therefore attempts to perform identity lookups on past events received before the cleanup or run reports on past events with identity information will not...

Page 302: ...ncidents where inc_id 500 NOTE The SELECT statement cannot include quotation marks 2 Delete Incidents By Rule You will be prompted to enter the name of the Correlation Rule s that created the Incident s For example My Test Rule 3 Delete Incidents By Id You will be prompted to enter the ID of a specific Incident For example 101 q Quit without action 4f At the Incident Cleanup Confirmation prompt ty...

Page 303: ...Database name for example ESEC Database authentication option 1 for Windows Authentication and 2 for SQL Authentication esecdba password NOTE This option is only required if using SQL Authentication If using Windows Authentication you must run the script as the domain user equivalent to esecdba The database connection is verified before proceeding to the next step 4 If cleaning Incidents the follo...

Page 304: ...rt to quit without performing the Identity cleanup 5b The results of the Identity Cleanup will be written to the specified log file NOTE You should review the log file for any errors before continuing 5c In addition to deleting the Identity information from the database tables the script will attempt to delete the Identity Account Map file identityAccountMap csv So at the prompt Please enter usern...

Page 305: ...our primary key Press enter To update your license key Windows 1 Log into the machine where the DAS component is installed as a user with administrative rights 2 Go to ESEC_HOME bin 3 Specify the following command softwarekey bat 4 Specify the number 1 to set your primary key Press enter ...

Page 306: ...306 Sentinel 6 1 User Guide novdocx en 7 January 2010 ...

Page 307: ...is document assumes your Security Administrator has built the necessary filters and configured Collectors for your system 14 1 1 Active Views Tab In the Active Views tab you can monitor events as they happen performing queries on these events You can monitor them in a table form or through a 3 D graphical representation To get a Real Time events started 1 Go to the Active View tab 2 Click Active V...

Page 308: ...Display Events down arrow and select No 14 1 2 Exploit Detection For information on how exploit detection works and which Intrusion Detection Systems and Vulnerability Scanners are supported see Chapter 8 Advisor Usage and Maintenance on page 159 14 1 3 Asset Data To view Asset information for any event right click an event or events Analysis Asset Data a window similar to the one below displays ...

Page 309: ...nges installation of programs viruses and so on You can Event Query to determine how often this possible attacker has attempted a telnet you can setup a filter to query for this particular attacker For example you know the following To Perform an Event Query 1 In the Sentinel Control Center click Event Query Magnifying Glass icon and click the Filter drop down menu 2 A window with a list of filter...

Page 310: ... Information about Attacks Another event of interest could be excessive FTP events This can also be a remote connection allowing for transferring copying and deleting of files Below is a short list of attacks of interest Types of attacks are an extensive list For more information about network host attacks there are many resources available that is books and the internet that explain different typ...

Page 311: ...nt Table select an event or a group of events and right click and select Create Incident Figure 14 2 Creating Incident 2 In the Incident Window are the following tabs Events Shows which events make up the incident Assets Show affected assets Vulnerability Show related asset vulnerabilities Advisor Shows the attack information iTRAC Under this tab you can assign an iTRAC Process History Incident hi...

Page 312: ...lowed in the order presented This discusses how to make a simple two tiered iTRAC Process The process is flow of steps that can be taken in the event there is a possible attack on your system The example process is Asks the question in the first step a manual step Decide if Hacked from a preliminary look has the network been attacked This leads to a Decision Step NOTE All Decision Steps provide di...

Page 313: ...ocess Builder displays with a Process Details window Provide the name iTRAC Tutorial Optionally add a description 5 From the Step Palette pane drag and drop three Manual Steps two Mail Steps and two Decision Steps Rename and the attributes to the steps as follows by right clicking and selecting Edit Step Manual Step 0 to Decide If Hacked set Role to Analyst click Associate click Add provide Hacked...

Page 314: ...314 Sentinel 6 1 User Guide novdocx en 7 January 2010 in the Process Variables window select the Variable Type as String provide Default Value as yes ...

Page 315: ...vents to determine if there has been an attack click OK the step should be renamed Manual Step 2 to Prevent Future Attacks set Role to Analyst under the Description tab optional specify Take measures to stop the attack firewall router or other intrusion protection method Also if possible determine how the attacked was done click OK the step should be renamed Mail Step 3 to Not Hacked in the To fie...

Page 316: ...316 Sentinel 6 1 User Guide novdocx en 7 January 2010 Under the Body tab optional specify This email is generated from a tutorial simulation iTRAC process ...

Page 317: ...specify a made up email address in the Subject field specify Proper Attack Measures Taken Under the Body tab optional specify This email is generated from a tutorial simulation iTRAC process Decision Step 5 to Hacked optional Under the Description tab optional provide a description such as Preliminary decision as to if there has been an attack or not ...

Page 318: ...entinel 6 1 User Guide novdocx en 7 January 2010 Decision Step 6 to Hacked or Not optional Under the Description tab you might provide a description such as Decision as to if there has been an attack or not ...

Page 319: ...ck Hacked and select Add Transition Select and specify the following Name provide Not Hacked Type select else Destination Not Hacked Click OK NOTE A decision step provides different execution paths depending on the value of the variable defined in the previous step A Decision Step can have more than two transitions 9 Right click Not Hacked and select End Transition 10 Right click Hacked and select...

Page 320: ...0 Sentinel 6 1 User Guide novdocx en 7 January 2010 Click Set EXP Select Variables and Values Select Attribute Hacked Select Condition equals Specify Value of yes Click OK until the transition is complete ...

Page 321: ...tion equals Specify Value of yes Click OK until the transition is complete 14 Right click Prevent Future Attacks and select Add Transition Select and specify the following Name Proper Measures Taken Type Unconditional Destination Measures Taken 15 Right click Measures Taken and select Add End Transition 16 Click Save Your new process should appear in the Template Manager Example Scenario Running a...

Page 322: ...fy the following Title iTRAC Tutorial Category Other Responsible assign this Incident to yourself 4 Click the iTRAC tab select iTRAC Process Tutorial 5 Click Create NOTE Because this is a tutorial Incident and not a true Incident it can be deleted without negatively affecting your Sentinel setup 6 From anywhere in the Sentinel GUI click the Analyst group yellow bar under View work items NOTE Your ...

Page 323: ...ustrated above it changes with an addition of a green bar 9 Click the green bar under View work items In the Work Items window click View Details The red highlighted step indicates what step this process is currently in 10 To start the steps within this process click the Process Details tab ...

Page 324: ...ollect Data is a step to further determine by analyzing the event s of interest if an attack has occurred Let s say that an attack has occurred Leave the default value of yes If this were a real attack it will be beneficial to add clear notes and or attachments as to the information about this attack Click Complete 14 In Work Items window highlight the process and click View Details The Prevent Fu...

Page 325: ...the navigator bar to see what reports are available NOTE Your reports might be different Sentinel Crystal Reports are living reports They are under constant updating For example if you are responsible for generating reports to upper management within your organization you can run Source Destination Reports These are Top 10 Source to Destination IP Pairs on hosts names ports IPs and users To run th...

Page 326: ...nalysis tab To run a query highlight Historical Events Historical Event Queries and click Create Reports magnifying glass For more information see section Event Query Sample Scenario 14 5 Administrators This section is about administrator actions 14 5 1 Simple Correlation Correlation is the process of analyzing security events to identify potential relationships between two or more events Correlat...

Page 327: ...ck the Correlation tab and highlight Correlation Rule Manager in the navigation bar 2 In the Correlation Rule Manager window click Add 3 Click Simple to create a simple rule 4 Select Fire if All in the drop down menu 5 Specify the following Click Next 6 To have this rule fire as many times as possible select Continue to perform actions every time this fires Click Next 7 In the General Description ...

Page 328: ...ous example Deploy Rule 3 optional In the Deploy Rule window you can add an action This allows you to Click Next The rule indicates deployed by the color green To view what events triggered your correlated event 1 Right click the correlated event and select View Trigger Events to see how many events could be more than 1 triggered this correlation rule Configure Correlated Event Add to Dynamic List...

Page 329: ...Quick Start 329 novdocx en 7 January 2010 ...

Page 330: ...330 Sentinel 6 1 User Guide novdocx en 7 January 2010 ...

Page 331: ...es Event enrichment including map definitions and event metatag configuration Other associated files added when the Solution Pack is created such as documentation example report PDFs or sample map files Although Solution Packs have many uses one is to package content related to governance and regulatory compliance into a comprehensible and easily enforceable framework that is easy to deploy Novell...

Page 332: ...l classification Each Category can contain one or multiple Control s Control Control is another level of classification which often corresponds to a particular control defined by a set of regulations Each Control can contain one or multiple Content Group N A Content Group Content Group is a set of related content There are several types of Content Groups such as Reports Correlation Rules and Event...

Page 333: ...used in a Workflow Correlation Rule Correlation Rule is a Content Group that contains a correlation rule the namespace in which it is stored and any associated correlation actions or dynamic lists This icon is also used for the correlation rule definition Namespace Indicates Namespace Instance in which the correlation rule is stored JavaScript Action Plugin Indicates a JavaScript Action plugin Jav...

Page 334: ...urce systems and Sentinel to use the content associated with the Control Novell Solution Packs include detailed documentation describing implementation steps The user should change the status of the Control to Implemented after following all of these steps Testing a Control is the process to verify the content associated with the Control Novell Solution Packs include detailed documentation describ...

Page 335: ...e for the control node This column contain a drop down box with the following values Not Implemented This is the default state when the control is first deployed Implemented This state indicates that the content is fully implemented using the associated documentation Tested This state indicate that you have fully tested the content for this control using the associated documentation NOTE Because o...

Page 336: ...rol including user comments on the testing or implementation process Figure 15 3 Documentation Frame 15 3 Managing Solution Packs This section states to manage solution packs 15 3 1 Importing Solution Packs Solution Packs are be available from several sources They can be downloaded from http support novell com products sentinel6 http support novell com products sentinel6 an additional license migh...

Page 337: ...ugin Type window displays Select Import Solution package plugin file zip Click Next The Choose Plugin Package File window displays 3 Use the Browse button to the locate Solution Pack to import to the plugin repository Select a zip file and Click Open If you have selected a solution pack which already exists then the Replace Existing Plugin window displays Click Next if you want to replace the exis...

Page 338: ...ck If you check the Launch Solution Manager check box the Solution Manager displays Click Finish 15 3 2 Opening Solution Packs To use the Solution Manager and view the contents of a Solution Pack a user must be assigned Solution Manager permissions For more information see Section 15 1 2 Permissions for Using Solution Packs on page 333 To open a Solution Pack in the Solution Manager 1 Click Tool m...

Page 339: ...tent from different Solution Packs or previous versions of the same Solution Pack Table 15 3 Content Status Installed Indicates that the content is already installed in the target Sentinel system The version is the same in the opened Solution Pack and the previously installed Solution Pack Out of Sync Indicates that a different version of the content is already installed in the target Sentinel sys...

Page 340: ...tent details A message displays with information about which Solution Pack is the source of the out of sync content 3 Compare the description of content item in the two Solution Packs to determine which version you want to keep 4 Uninstall the out of sync Control from all Solution Packs Ideally you should resolve the out of sync issue before installing the new Solution Pack 5 Reinstall the Control...

Page 341: ... Pack you need to proceed through several additional screens until you reach the Install Content window Click Install 5 After installation the Finish button displays Click Finish If the installation fails for any content item in the Control the Solution Manager rolls back all the contents in that control to uninstalled ...

Page 342: ...ng on the engines you can decide which correlation engine to which you will deploy the Correlation Rule Correlation rules will deploy in an Enabled or Disabled state depending on their status in the source Sentinel system when the Solution Pack was created If an Execute Script Correlation Action created in Sentinel 6 0 is associated with the Correlation Rule the Solution Manager attempts to instal...

Page 343: ...ec or ESEC_HOME config exec If a JavaScript Action is associated with the Correlation Rule the Solution Manager installs the Action configuration the Action Plugin and the associated Integrator configuration and Integrator Plugin if needed Reports There are two options for publishing Crystal Reports They can be installed to a local directory and then installed using the Crystal Publishing Wizard o...

Page 344: ...trator and Password is blank When you publish directly to the Crystal Reports Server all reports are installed in the SentinelReports folder so they will be visible from the Analysis tab of the Sentinel Control Center Any folder hierarchy below SentinelReports is also preserved NOTE The direct publishing method is only possible if you configure the Web Server as described in the Patching Crystal R...

Page 345: ...nessObjects Crystal Reports Server NET Administration Launchpad NOTE When launching NET Administration Launchpad if you find HTTP 404 File or Directory not found error see http support microsoft com kb 315122 http support microsoft com kb 315122 for resolution 2 Click Central Management Console The System Name should be your host computer name Authentication Type should be Enterprise If not select...

Page 346: ...iting Add the following two new properties to supply customized URL s for publishing and deleting reports com eSecurity Sentinel crystal publishURLs http HOST businessobjects Enterprise115 WebTools Sentinel publish_report aspx http HOST 8080 esec script publish_report jsp com eSecurity Sentinel crystal deleteURLs http HOST businessobjects Enterprise115 WebTools Sentinel delete_report aspx http HOS...

Page 347: ...The remaining child nodes in the second Control stay uninstalled Each content item is only installed once If the same content item for example an iTRAC workflow or a correlation rule is included in more than one Control it is only installed once Therefore if you install one of those Controls the content displays with an installed status in the other Control In this scenario the Solution Manager mi...

Page 348: ...nchanged NOTE To prevent confusion for end users Novell recommends that one of these rules be renamed 15 3 4 Implementing Controls After the content installation additional steps might be necessary to fully implement a control such as the following examples Populate a csv file that is used by the mapping service for event enrichment Schedule automatic report execution in the Crystal Reports Server...

Page 349: ...that it is working as expected Testing might require steps such as the following Run a report Generate a failed login in a critical server and verify that a correlated event is created and assigned to an iTRAC workflow These steps should be added when the Solution Pack is created in Solution Designer To test a control 1 Open a Solution Pack in Solution Manager 2 Select a Control 3 Click the Testin...

Page 350: ...er that still contains other content Reports rpt files copied to a local system cannot be removed if the uninstall is performed from a Sentinel Control Center on a different machine JavaScript files associated with Execute Script Correlation Actions remain on the correlation engine s Maps csv files and the data they contain are not deleted Roles associated with workflows are not deleted iTRAC work...

Page 351: ...k Viewing Status in Solution Manager You can view the status of Solution Pack contents in the Solution Manager None Blank No status indicator for a Control indicates that the associated content has not been installed yet Not Implemented When none or some of the contents of a control are installed the control is in the Not Implemented state If the same content is installed by another Control a Cont...

Page 352: ...able options Show status Select this option to show deployment status for each control Not Installed Not Implemented Implemented or Tested and whether it s Out of Sync Show individual content Check this option to include information about the child content for each Control in the documentation Figure 15 9 Status Document To generate Solution Pack documentation 1 Open a Solution Pack for which you ...

Page 353: ...e following events are visible in the Sentinel Control Center and are stored in the Sentinel database Solution Pack is imported Control is installed Control status is changed to Implemented Control status is changed to Tested Control status is changed to Not Implemented Control is uninstalled Notes are modified for a Control Solution Pack is deleted 15 3 8 Deleting Solution Packs Solution Packs ar...

Page 354: ...ou can use the Solution Designer to package and export different contents for example Correlation Rule with associated Actions and Dynamic lists and Crystal Reports Server These contents can be selected and packaged with their respective configuration to a zip file You can then view or select the content of the zip file using Solution Manager For more information on Solution Manager see Section 15...

Page 355: ...Solution Packs 355 novdocx en 7 January 2010 Table 15 4 Table 14 4 Solution Designer User Interface Content Palette Content Description Solution Pack ...

Page 356: ...erver Add attachments to any node of the Solution Pack In connected mode all content in the Sentinel system is available In addition to all of the actions that are available in offline mode you can also perform the following actions Add Sentinel content such as Correlation Rules Maps iTRAC workflows Replace placeholders with Sentinel content To open Sentinel Designer in offline mode 1 In Windows u...

Page 357: ... add a content object to a Solution Pack it must already exist in Sentinel Content objects cannot be created using Solution Designer To create a new Solution Pack 1 Open the Solution Designer in either connected or offline mode 2 Click File New An empty Solution Pack displays in the Solution Pack frame 3 Add Categories Controls Content Groups and content placeholders using the proper procedures fo...

Page 358: ...ight click and select Rename or click Rename in the Solution Pack frame Provide the new name and click OK Delete Delete a Category Control or Content Group object Select an existing node Right click and select Delete or click Delete option in the Solution Pack frame The Delete Selected Objects message displays Click OK View or Edit Properties View or edit the properties of a Solution Pack such as ...

Page 359: ... specific Content Group you want to add 5 Select the appropriate Control or placeholder and click Add Selected Content Alternatively drag and drop the selected Content Group to the appropriate Control or placeholder in the Solution Pack frame NOTE If you try to add pre existing content in Solution Designer by drag and drop the existing content is highlighted After you drop the content a message pr...

Page 360: ...m the SentinelReports folder and its subfolders are available The folder hierarchy is preserved when the reports are added to a target Sentinel system Reports must be in the SentinelReports folder to be viewed on the Analysis tab of the Sentinel Control Center To add a report from the local file system 1 Log into Solution Designer in connected or offline mode on the machine where the rpt files res...

Page 361: ...ame if desired To replace a placeholder with content 1 Click a button in the Content Palette to open the panel for the type of placeholder you want to replace Correlation Event Enrichment iTRAC workflow or Report 2 Drag and drop the appropriate Content Group from the Content Palette to the placeholder in the Solution Pack frame File Attachments You can attach a file or files to any node in the hie...

Page 362: ...can include instructions for the following types of testing activities Run a report and verify that data is returned Generate a failed login in a critical server and verify that a correlated event is created and assigned to an iTRAC workflow Add File Add an attachment to a node The system prompts for another file if you attempt to add one that is already attached Select a node Click Add a new atta...

Page 363: ...does not impact any previously imported Solution Packs To edit a Solution Pack 1 In Windows use the Sentinel Solution Designer shortcut on the desktop or start Solution Designer by executing one of the following commands solution_designer bat in ESEC_HOME bin on Windows solution_designer sh in ESEC_HOME bin on Solaris Linux The Sentinel Solution Designer login window displays 2 Provide your login ...

Page 364: ... on any installed content in the target Sentinel system After the Solution Pack is installed its behavior varies depending on the status of the original Solution Pack s content If the content from the original Solution Pack was not installed yet the content is simply replaced When a user installs content the new content is installed to the target Sentinel system If the content from the original So...

Page 365: ...Sentinel 6 0 The same Action framework is now used to execute actions in all of the following contexts When a deployed correlation rule fires automatic When a user chooses the Action from within an Incident When a user chooses a right click menu option using an Action in an Active View or other event table The plugin framework has several advantages over the method for using JavaScript actions in ...

Page 366: ...cept for JavaScript Actions the Actions above can only be used in the context of a correlation rule deployment For more information about correlation only actions see the Correlation section This section focuses exclusively on JavaScript Action plugins and Actions Using the Action Manager you can import create and manage Action plugins zip files and configure specific Action instances 16 2 1 Permi...

Page 367: ... can download Action plugins from the Sentinel Content Site http support novell com products sentinel sentinel61 html Action plugins are frequently included in Solution Packs Also JavaScript actions used in Execute Script actions in versions of Sentinel before Sentinel 6 1 can be converted to Action Plugins using the Action Manager 16 3 1 Importing JavaScript Action Plugins JavaScript plugins from...

Page 368: ...entinel 6 1 User Guide novdocx en 7 January 2010 2 Click Manage Plugins The Action Plugin Manager window displays 3 Click the icon on the top left corner to Import plugins Plugin Import Type window displays ...

Page 369: ...Actions and Integrator 369 novdocx en 7 January 2010 4 Select Import an Action plugin file zip Click Next 5 The Choose Plugin Package File window displays ...

Page 370: ... possible to create and manage your own JavaScript Action plugins Plugins can be created using JavaScript files that were used in the Execute Script command in versions prior to Sentinel 6 1 or they can be created using any JavaScript file written using the Sentinel JavaScript API NOTE For information about the API for developing JavaScript scripts for Sentinel correlation see Sentinel JavaScript ...

Page 371: ...d and where the Actions will be available if those options are checked Table 16 1 Required Objects To import JavaScript files 1 Click Tool menu and select Action Manager The Action Manager window displays 2 Click Manage Plugins The Action Plugin Manager window displays Required Object Actions Available for Selection in these Contexts Event Menu Configuration Deploy Correlation Rule Associate with ...

Page 372: ...372 Sentinel 6 1 User Guide novdocx en 7 January 2010 3 Click the icon on the top left corner to Import plugins Plugin Import Type window displays ...

Page 373: ...ion plugin from directory The Choose JavaScript Directory window displays 5 Browse to a location of the JavaScript Plug in directory and click OK Click Next 6 The Action Plugin Detail window displays Provide the required information Attach a Main JavaScript File and Help File ...

Page 374: ...format the Next button will not activate When updating an already imported JavaScript file you are provided with the option of updating the existing plug in going back and selecting a different plug in or canceling the import If you want to continue click Next 7 Click Next The Required Input window displays ...

Page 375: ... en 7 January 2010 8 Select the objects that the JavaScript action requires This affects where the Action is available in the interface For more information see the Table 16 1 on page 371 Click Next The Plugin Parameters window displays ...

Page 376: ...anuary 2010 9 Optional Click Add button to add parameters that can be set when an Action is configured This option should be used for any JavaScript files that expect to receive parameterized information The Parameter Definition window displays ...

Page 377: ...9b Select parameter name from Type drop down The various parameter types available are String Accepts the sting values for the parameters Boolean The parameter can take True or False value Integrator Select Integrator name for the parameters Event Tag Select Event Tag for the parameters Severity Select Severity for the parameters NOTE The Options area is only available for String type parameters O...

Page 378: ...ile will automatically be created An Action plugin is also created from the JavaScript file The package xml file is zipped as part of the JavaScript plugin along with other files in the specified directory NOTE When a plugin is created from a directory the original contents of the directory are stored in a backup zip file located on the same directory level as the directory being zipped The name o...

Page 379: ...ile the package xml file is updated with the list of files contained in the package hash codes current dates and so on 16 4 Actions There are many types of Actions many of which are intended only to be used with Correlation Rules For more information about the Correlation Rule actions see Chapter 3 Correlation Tab on page 65 This section focuses on JavaScript actions which can be used in Correlati...

Page 380: ...on about configuration and the available parameters are available in the help file for the Action 5 Specify the attribute values for the type of action selected 6 Click Save 16 4 2 Editing Actions If you edit an action that is associated with a deployed rule the changes will take effect the next time the correlation rule fires To edit an Action 1 Click Tools menu and select Action Manager 2 Select...

Page 381: ...in what contexts it can be used For more information see the Table 16 1 on page 371 For more information on using these actions see Chapter 3 Correlation Tab on page 65 Chapter 4 Incidents Tab on page 93 and Chapter 11 Administration on page 227 16 4 5 Developing JavaScript Actions The information below is very basic development information about developing JavaScript Actions For more information ...

Page 382: ...pt debugger The JavaScript Debugger is a local debugger that executes scripts with respect to the machine on which the Sentinel Control Center is running The JavaScript Debugger instantiates a debug session from the Data Access Service DAS machine A JavaScript Correlation Action can only be debugged after it is associated with a fired Correlation Rule Therefore a prerequisite to debugging is to cr...

Page 383: ...tion Rule Right click and select Debug The Debug JavaScript Correlation Action window displays The screen displays the following message Retrieved source file waiting for associated correlation rule to fire The correlation rule must fire and a correlated event or incident must be created before you can debug the script After the rule fires this text panel is replaced by a debug panel and the actua...

Page 384: ...el displays the source code and positions the cursor on the first line of the script You can debug the script as many times as needed without requiring a new correlation rule to fire After the debugger gets to the end of the script or after you click the Stop button click Run again ...

Page 385: ...tems for example an LDAP server SMTP server or SOAP server JavaScript actions can use Integrators to interact with other systems For example you can set the attribute in Novell eDirectory an LDAP server to enable or disable a user edit details and so on You could also start an Identity Manager workflow such as a provisioning request using SOAP calls The general process for using an Integrator to p...

Page 386: ...documentation sentinel61 http www novell com documentation sentinel61 Alternatively you can view the Integrators specific document by clicking Help button in Integrator Manager after configuring that Integrator 16 5 1 Permissions for Using Integrators To use the Integrator Manager a user must be assigned the necessary permissions in the User Manager By default these permissions are not assigned to...

Page 387: ...ut Integrator Plugins 16 6 1 Importing Integrator Plugins To import Integrator Plugin 1 Click Tools on the menu bar and select Integrator Manager The Integrator Manager window displays 2 Click Manage Plug Ins button The Integrator Plugin Manager window displays In Integrator Plugin Manager window you can add delete refresh view Integration plugin details configure Integrators and add auxiliary fil...

Page 388: ... confirmation message displays Click Yes NOTE You can delete an Integrator plugin only if there are no Integrators configured to use it 16 7 Integrators This section talks about Integrators 16 7 1 Creating an Integrator Instance An Integrator is a configured instance of an Integrator plugin There can be one or more Integrator instances with different parameters or settings using an Integrator plug...

Page 389: ...he left panel Click delete icon to delete an Integrator instance 16 7 4 Integrator Connection Status To check all Integrator connection status 1 Click Tools menu and select Integrator Manager The Integrator Manager window displays 2 Click Refresh health of all Integrators button The Integrator Connection Status window displays The server performs a test of the Integrators in the actual service whe...

Page 390: ...cess Count Displays the count for the number of times the connection was established successfully but the method s call failed Time of Last Occurrence displays the last time when the connection was successful and the method call failed Connection Failure Count Displays the count for the number of times the connection failed Time of Last Occurrence displays the last time when the connection and met...

Page 391: ...ent time among Time of Last Successful Call and Time of Last Error Call is reflected in the overall health status of the method 16 7 6 Integrator Events Query When an Integrator faces connection failures it generates internal audit events If you want to query these events you can use Integrator Events Query Using Integrator Events Query you can automatically create a filter for the selected Integr...

Page 392: ...e for the external system Because all the connection and other configuration information is already configured as part of the Integrator the code only needs to perform a task on the system with which it integrates When writing code that needs to access an Integrator you must determine how to locate a specific Integrator You can locate an Integrator in the following ways Lookup an Integrator by its...

Page 393: ...hical manner In this setup Sentinel Log Manager servers can manage a large volume of data retaining raw data and event data locally while forwarding important events to a central Sentinel Log Manager for consolidation One or more Sentinel Log Manager servers can forward important data to either a Sentinel server or a Sentinel Rapid Deployment server These systems provide real time visualization of...

Page 394: ...inel Link Connector and configure a Sentinel Link Event Source Server to receive the event data from the sender systems 17 5 1 Accessing Event Source Management Sentinel on page 394 Sentinel Rapid Deployment on page 394 Sentinel Log Manager on page 395 Sentinel 1 As the Sentinel Administrator User esecadm change the directory to ESEC_HOME bin 2 Run the following command control_center sh 3 Specify...

Page 395: ...by a Collector To set up the Sentinel Link connection you must at a minimum create and configure a Sentinel Link Event Source server The Sentinel Link Event Source server automatically creates and configures the Connector the Collector and the Event Source nodes as needed You can also manually create the Collector the Connector and the Event Source nodes However it is easier and simpler to allow t...

Page 396: ... the Collector Manager select Add Event Source Server then select Sentinel Link Connector and click Next The Networking window is displayed 2 Specify the following then click Next Options Description Interface s Specify any of the following All network interfaces Binds the port on all the IP addresses of the machine including local loopback Internal loopback interface Binds the port only to the lo...

Page 397: ...machine binding to port numbers less than 1024 requires root privileges Therefore Novell recommends that you run the server on a port greater than 1024 and change the source devices to send to this new port or use port forwarding Encrypted HTTPS or Not Encrypted HTTP Select either of the following Encrypted HTTPS Allows secure message transport to the Sentinel Link Event Source Server Not Encrypte...

Page 398: ... store and is a valid X 509 certificate For this option a truststore needs to be imported Use the Import button to do this The truststore should have the sender s certificate which is signed by a CA Click the Details button to display the list of certificates imported from the truststore Server Key Pair Settings Specify either of the following Internal The Internal default option directs the Senti...

Page 399: ...IP addresses in one of the following formats Specific IP address such as 10 0 0 1 IP address range such as 10 0 0 1 10 0 0 25 IP address with mask like 10 0 0 1 16 7 Select an action to associate with the IP address or range of IP addresses The Allow and Start action creates and starts Event Source node in the ESM view The Allow action auto creates the Event Source node in the ESM view but does no...

Page 400: ... the Sentinel Link Event Source Server Manually Setting Up the Sentinel Link Connection Although the Event Source server is capable of auto creating the required Collector Connector and Event Source nodes you might also want to manually create the Collector the Connector and the Event Source nodes Regardless of which way you choose you must configure an Event Source server For more information see...

Page 401: ...Sentinel Link Solution 401 novdocx en 7 January 2010 3 Select the Novell Sentinel Link Collector then click Next ...

Page 402: ...inue with Adding a Connector on page 402 Adding a Connector In addition to the typical Collector Manager Collector Connector Event Source hierarchy the Sentinel Link Connector also requires a Sentinel Link Event Source Server 1 In the Event Source Management Live View right click the Collector node that should process the data retrieved from the Sentinel Link Connector then select Add Connector 2 ...

Page 403: ...e list of configured Event Source Servers If no Event Source Servers are configured the following message displays There are no Event Source Servers configured on this Collector Manager that match the connection method selected Please add an Event Source Server with a matching connection method or choose a different connection method ...

Page 404: ...2010 4 Click Add then create an Event Source Server For more information on creating an Event Source server see Step 2 through Step 13 in the Configuring Sentinel Link Event Source Server on page 395 5 Click Next to open the Configure Connector window ...

Page 405: ...Sentinel Link Solution 405 novdocx en 7 January 2010 6 In the Configure Connector window specify the following ...

Page 406: ...or Manager is started Alert if no data received in specified time period Optional Select this option to send No Data Alert event to Sentinel if no data is received by the Connector in the specified time period You also have an option Send repeated alerts every time period to resend the alert if multiple time periods consecutively pass without receiving data from the Connector Specify the time in s...

Page 407: ...Sentinel Link Solution 407 novdocx en 7 January 2010 2 Specify the IP address of the sender machine which the Sentinel Link event source receives the messages from 3 Click Next ...

Page 408: ... the Collector Each connection mode sends the data in a different format For the Novell Collectors which support more than one connection mode for different data formats see the Collector specific documentation for information about which mode is appropriate for your particular Event Source 4 Select a Connection Mode 5 Click Next The General window displays ...

Page 409: ...default be started whenever the Collector Manager is started Alert if no data received in specified time period Optional Select this option to send No Data Alert event to Sentinel if no data is received by the event source in the specified time period Limit Data Rate Optional Set a limit for the rate of data this event source can send to Sentinel If the maximum rate limit is reached Sentinel begin...

Page 410: ...Error tabs 8a On the Data tab specify the maximum number of rows of data to be displayed in the Test Connection window at one time 8b Click Start to start the connection test The Data tab displays the events generated on successful connection with the Event Source Trust Event Source Time Optional Select this option to have the event time set to the time the event occurred rather than the time Sent...

Page 411: ...1 Configuring Sentinel Log Manager as a Sender In Sentinel Log Manager the plug ins and the event forwarding rule by default are installed You only need to configure the system for Sentinel link and activate the rule for sending the event data Follow the instructions below to configure a Sentinel Log Manager for sending the event data Configuring a Sentinel Link on page 411 Configuring the Rule to...

Page 412: ...412 Sentinel 6 1 User Guide novdocx en 7 January 2010 ...

Page 413: ...he server does this when a client certificate is imported into its trust store If you import a client key pair into the Integrator it is assumed that you intend to import the corresponding certificate which contains the public key from the client key pair to the trust store of the server NOTE If the receiver operates in a less restrictive Open mode where it does not validate the sender certificate...

Page 414: ...e password Specify the password for the client key pair file Click Import to import the client key pair Click Cancel to close the Import dialog box Maximum Event Queue Size MB Specify the maximum event queue size value in megabytes The value must be between 0 and 2147483647 Maximum Data Rate Kbps The following options are enabled only when you specify a value in the Maximum Event Queue Size MB fie...

Page 415: ...nterface as an administrator Event Forwarding mode Select one of the following options to specify the Event Forwarding Mode Forward Events Immediately Select this option to forward the events immediately to the receiver Scheduled Event Forwarding Select this option to schedule event forwarding You can specify Time Of Day and Duration in minutes for each day of the week The valid format for Time Of...

Page 416: ...o filter the events set a correlation rule by using the Correlation Manager After creating the rule associate the action to it and deploy the rule You can also use Global Filters to filter the events and forward them to the receiver system Follow the instructions given below to configure Sentinel or Sentinel Rapid Deployment server for sending the events Configuring the Integrator Plug In on page ...

Page 417: ...of Integrator plug in selected from the drop down 6 Specify a name for the integrator in the Name field 7 Specify a description for the integrator in the Description field 8 Select an Integrator Service category from the Service Category drop down list or type a name in the field to create a custom service type These services are used to group similar Integrator instances The following table list ...

Page 418: ...al Application FW Network Firewall HFW Host based Firewall HR HR Application IDM Identity Management IDS Intrusion Detection Prevention System INCM Incident Management NETD Network Router Switch OS Operating System PROX Proxy STO Storage VPN Virtual Private Network VULN Vulnerability Scanner WEB Web Server Integrator Service Category Description ...

Page 419: ...y the IP address or hostname of the Sentinel Link server where the Sentinel Link Connector is running 11 Specify the port number for the sentinel system The default port is 1290 12 Select either of the following Not Encrypted HTTP Establish an unsecured connection ...

Page 420: ...cate is considered to be valid if the user accepts it When a validated certificate is acquired it is stored in the Integrator s configuration Henceforth the Integrator allows communication only with a receiver that provides that certificate during the initial connection setup Integrator Key Pair Select either of the following None server does not validate integrator certificate The receiver system...

Page 421: ...m Event Queue Size MB field Drop OLDEST event when queue is full Select this option to drop the oldest events in the event queue when the value specified in the Maximum Event Queue Size MB field exceeds the limit Drop NEWEST event when queue is full Select this option to drop the newest event when the value specified in the Maximum Event Queue Size MB field exceeds the limit Maximum Data Rate Kbps...

Page 422: ...tistics for the Integrator Event Forwarding Mode Select one of the following options to specify the Event Forwarding Mode Send Immediately Select this option to forward the events immediately to the receiver Scheduled Select this option to schedule event forwarding You can specify Time Of Day and Duration in minutes for each day of the week The valid format for Time Of Day is hh mm am pm The durat...

Page 423: ...tering Events to Forward to the Receiver To select events that you want to forward to a receiver system you need some filtering mechanism Use Correlation Manager or Global Filters to filter the desired events for forwarding to the receiver system NOTE To forward events to another Sentinel or Sentinel Log Manager system based on simple filtering conditions use Sentinel Link with Global Filters Sent...

Page 424: ...orward Events to the Receiver Use Correlation Manager to set correlation rules that filter the desired events for forwarding to the receiver system After creating a rule add the Sentinel Link Action then deploy the rule In the following example a simple rule is created that forward events with severity greater than 3 1 In the Sentinel Control Center select Correlation Rule Manager 2 Click Add The ...

Page 425: ...ents for forwarding to the receiver system In the Global Filter Configuration window you can add the Sentinel Link Action then deploy the rule NOTE This feature is supported only on Sentinel 6 1 SP1 Hotfix 2 or later and Sentinel 6 1 Rapid Deployment 6 1 Hotfix 2 or later 1 In the Sentinel Control Center select the Admin Tab 2 In the left navigation bar select Global Filter Configuration ...

Page 426: ...p down to set a filter For more information on Filters see Filters http www novell com documentation sentinel61rd s61rd_user data filters html in the Sentinel 6 1 Rapid Deployment User Guide 5 Select the Active check box 6 Select a Route from the drop down Based on the selection the events are either dropped or sent to the selected option drop database only database and gui gui only 7 Click the bu...

Page 427: ...yed 8 Select the Sentinel Link Action then click OK If you have not created one click Action Manager button at the right side of the window then follow the instructions 9 Alternatively you can also add Sentinel Link Action as the default Action 9a Click the button below the Default Action ...

Page 428: ...as the receiver 1 Configure a Sentinel Rapid Deployment machine for sending events For detailed instructions see Section 17 6 2 Configuring Sentinel or Sentinel Rapid Deployment System as a Sender on page 416 2 Configure a Novell Log Manager machine for receiving the events For detailed instructions see Section 17 5 Configuring Sentinel Systems for Receiving Events on page 394 3 On the sender mach...

Page 429: ...Sentinel Link Solution 429 novdocx en 7 January 2010 4 To view that event go to the Novell Log Manager Web interface then search for events with sev 3 TO 5 ...

Page 430: ...430 Sentinel 6 1 User Guide novdocx en 7 January 2010 ...

Page 431: ... actual person who owns the accounts By displaying information about the people initiating a given action or people affected by an action incident response times are improved and behavior based analysis is enabled Novell provides an optional integration with Novell Identity Manager The screenshots and descriptions in this section are based on Novell Identity Manager Sentinel 6 1 synchronizes Ident...

Page 432: ... injected into the event can be used for correlation and for performing actions on the Identities that are associated with detected activity For example Sentinel is able to see multiple failed logins from a given person and not just an account A detected violation could trigger disabling activities for all accounts associated with an Identity Figure 18 2 Identity Details 18 1 1 Integration with No...

Page 433: ...ver for Identity Manager and Identity Vault Collector also keep the identity information synchronized as information is updated in the Identity Vault during normal Identity Manager operations After the identity information and account information are loaded in their respective tables with a link between them a map named IdentityAccount is generated automatically in the location ESEC_HOME DATA MAP_...

Page 434: ...dentity systems similar integration can be achieved by writing an identity synchronization collector that uses the Identity API 18 2 Identity Browser Identity Browser in Sentinel allows you to search and view user profiles of the identities in the Sentinel database that have been synchronized from the identity management system In addition to information from the identity management system the Ide...

Page 435: ... select Identity Browser The Identity Browser window displays 2 Enter the first name or last name or first character of either name for the profile in the Search box TIP You can input letter s and you can view all the identities whose first or last name starts with the letter s For example if the user enters the letter ab then the names Abraham Abdullah and so on will be matched If the search is b...

Page 436: ...ndow It is similar to the parent Identity Browser window and you view the full profile in a new window 5 Use the back arrow icon to navigate to the previous profile 18 2 2 Viewing Profile Details To view details of a profile 1 Click Tools menu and select Identity Browser The Identity Browser window displays 2 Enter the first name or first character of the profile in the Search box Click Search Ico...

Page 437: ...ng the view profile window you can view User Profile Accounts and Recent Activities performed by the user By default the User Profile displays when you click the view profile button as shown above 4 Select Accounts The details of the account are displayed ...

Page 438: ...ess Accounts in Active View by right clicking on an event generated by the Identity Collector and by selecting Show Identity Details option Select Initiator Target or Both option The account details of the associated Identity in that event displays in a pop up window ...

Page 439: ...o the respective option to the clipboard For example if you viewing the Recent Activity tab and click the clipboard the recent activity data is copied to the clipboard You can then choose to paste the information on the clipboard to a Notepad and save You can also copy the information to the clipboard after you have visited the tabs For example you can visit User Profile and Recent Activity tabs t...

Page 440: ...440 Sentinel 6 1 User Guide novdocx en 7 January 2010 Figure 18 3 Reports ...

Page 441: ... patterns in events and streams of events An intuitive and flexible rule based language for correlation Rules compiled for high performance Scalable multi threaded distributable and extensible architecture Sentinel processes communicate with each other through a message oriented middleware MOM A 2 Functional Architecture Sentinel is composed of the following component subsystems which form the cor...

Page 442: ...m these products The normalized data is then sent to the Sentinel processes and database Historical analysis and reporting can be done using the Sentinel integrated reporting engine The reporting engine extracts data from the database and integrates the report displays into the Sentinel Control Center using HTML documents over an HTTP connection Figure A 1 Sentinel Architecture Section A 3 1 iSCAL...

Page 443: ...iety of queuing services that improve the reliability of the communication beyond the security and performance aspects of the platform Using a variety of transient and durable queues the system offers unparalleled reliability and fault tolerance For instance important messages in transit are saved by being queued in case of a failure in the communication path The queued message is delivered to the...

Page 444: ...containing the asset mentioned as the destination IP of an event For example a tag can be computed by the mapping service using a customer defined map using the destination IP from the event Mapping Service Map Service allows a sophisticated mechanism to propagate business relevance data throughout the system This facility aids scalability and provides an extensibility advantage by enabling intell...

Page 445: ...s Advisor provides a cross reference between event data signatures and vulnerability scanner data Advisor feed has an alert and attack feed The alert feed contains information about vulnerabilities and threats The attack feed is a normalization of event signatures and vulnerability plug ins For more information on Advisor see Chapter 8 Advisor Usage and Maintenance on page 159 You require at least...

Page 446: ...ability AttackId Figure A 4 Event Columns When the Vulnerability field vul equals 1 the asset or destination device is exploited If the Vulnerability field equals 0 the asset or destination device is not exploited The map name for the exploitdetection csv file is IsExploitWatchlist There are two types of data sources External Retrieves information from the Collector Referenced from Map Retrieves i...

Page 447: ...phical user interface Non programmers can create Collectors ensuring both current and future requirements are met in an ever changing IT environment The command and control operation of Collectors for example start stop and so on is performed centrally from the Sentinel Control Center The event source management framework takes the data from the source system performs the transformations and prese...

Page 448: ...d auditing purposes as well as for real time processing The correlation engine processes time ordered streams of events and detects patterns within events as well as temporal patterns in the stream However the device generating the event might not know the real time when the event is generated In order to accommodate this Sentinel allows two options in processing alerts from security devices trust...

Page 449: ...t show in the Active Views but are inserted into the database Events that have timestamps more than 5 minutes and less than 24 hours in the past are still shown in the charts but are not shown in the event data for that chart A drill down operation is necessary to retrieve those events from the database 3 Correlation reorder buffer If the event time is more than 30 seconds older than the server ti...

Page 450: ...ng attributes ST Sensor Type field For internal events it is set to I and for performance events it is set to P Event ID A unique UUID for the event Event Time The time the event was generated Source The UUID of the process that generated the event Sensor Name The name of the process that generated the event for example DAS_Binary RV32 Device Category Set to ESEC Collector Performance for performa...

Page 451: ...the server side of the SSL proxy connection to Sentinel Server Correlation Engine Process correlation_engine page 452 Collector Manager page 452 iSCALE page 452 The following is the architecture for Sentinel Server Figure A 7 Sentinel Server Architecture Sentinel Service Watchdog Watchdog is a Sentinel Process that manages other Sentinel Processes If a process other than Watchdog stops Watchdog wi...

Page 452: ...ogging of all events being received from the Collector Manager and requests to retrieve and store configuration information Correlation Engine Process correlation_engine The Correlation Engine correlation_engine process receives events from the Collector Manager and publishes correlated events based on user defined correlation rules Collector Manager Collector Manager services processes and sends ...

Page 453: ...bove and subsequently discussed in detail in the following sections A 4 1 Collection and Enrichment Layer Event Source Management ESM provides tools to manage and monitor connections between Sentinel and third party event sources Events are aggregated using a set of flexible and configurable Collectors which collect data from a myriad of sensors and other devices and sources User can use pre built...

Page 454: ... as needed Main functions of the Collector Manager include transforming events adding business relevance to events through taxonomy performing global filtering on events routing events and sending health messages to the Sentinel server A Collector Engine is the interpreter component that parses the Collector code Collector Builder Collector Builder is a standalone application that is used to build...

Page 455: ...ll send Sentinel events to its parent Collector Manager node Connector This node represents a deployed instance of a Connector plug in It includes the specification of which Connector plug in to use as well as some configuration information such as auto discovery This node will send raw data to its parent Collector node Common Services All of the above described components in this Collection and E...

Page 456: ... IDS Collectors It uses the embedded knowledge of vulnerability status to efficiently and effectively prioritize responses to security threats in real time When an attack is launched against a vulnerable asset Exploit Detection alerts users with the corresponding severity level of the exploited vulnerability Users can then take immediate action on high priority events This takes the guesswork out ...

Page 457: ... as a facade for accessing data from any persistent data store such as databases directory services or files The operations of DAS include uniform data access through JDBC Query Manager Service The Query Manager Service orchestrates drill down and event history requests from the Sentinel Control Center This service is an integral component for implementing the paging algorithm used in the Event Hi...

Page 458: ...at can be used for storing elements and performing fast lookups on those elements These lists can store a set of strings such as IP addresses server names or usernames Examples of dynamic lists include Terminated user list Suspicious user watch list Privileged user watch list Authorized ports and services list Authorized server list In all cases correlation rules might reference named dynamic list...

Page 459: ...Views uses the iSCALE architecture analysts can quickly drill down for further analysis because Active Views provides direct access to the real time memory resident event data which easily handles thousands of events per second without any performance degradation Data is kept in memory and written to the database as needed Active Views can store up to 8 hours of data in memory with typical event l...

Page 460: ...esolution processes after an incident or violation has been detected Sentinel comes with out of the box process templates that use the SANS Institute s guidelines for incident handling Users can start with these pre defined processes and configure specific activities to reflect their organization s best practices iTRAC processes can be automatically triggered from incident creation or correlation ...

Page 461: ...work list The input rules are based on the XPDL XML Processing Description Language standard and provide a formal model for expressing executable processes in a business enterprise This standards based approach to the implementation of business specific rules and rule sets ensures future proofing of process definitions for customers The iTRAC system uses three Sentinel 6 objects that can be define...

Page 462: ...d steps activities and criteria for transition between them Workflow templates define how to respond to an incident when a process based on that template is instantiated A template can be associated with many incidents Processes A process is a specific instance of a workflow template that is actively being tracked by the workflow system It includes all the relevant information relating to the inst...

Page 463: ...act their assets Advisor also contains detailed information on the vulnerabilities that attacks intend to exploit the potential effects of the attacks if successful and necessary steps for remediation Recommended remediation steps are enforced and tracked using iTRAC incident response processes Health The Health service enables users to get a comprehensive view of the distributed Sentinel platform...

Page 464: ...llow for unparalleled processing and scaling over the message bus based transport for real time analytics and computation A 4 3 Presentation Layer The presentation layer renders the application interface to the end user The Sentinel Control Center is a comprehensive dashboard that presents information to the user The presentation of event is possible through Active Views which displays the events ...

Page 465: ...e Views Graphical format Ribbon Graph Active Browser Active Browser facility helps in viewing the selected events In Active Browser the events are grouped according to the metatags In these metatags various sub categories are defined The numbers in the parentheses against these sub categories display the total number of event counts corresponding to the value of the metatag ...

Page 466: ...eak them down into ranges of values for each desired attribute of the event Using single clicks through a Web browser interface you can select ranges to quickly drill down on a large set of events Then individual event details can be viewed or exported to an html or csv file Additional event attributes for analysis can be added dynamically at any time and the interface provides an interactive way ...

Page 467: ...ure For all types of failures the event would be similar except that the Message field will have the actual cause of error Table B 2 Advisor Update Failure Event Details Tag Value Severity 1 Event Name Advisor update succeeded Resource Advisor Processor SubResource Advisor Processor Message If the feed file is not available the message displayed is No new feed available to process If the feed file...

Page 468: ...oad Successful Table B 3 Download Successful Event Details B 2 2 Download Failed Table B 4 Download Failed Event Details SubResource Advisor Processor Message Advisor feed file advnxsfeed 1 zip could be corrupt Tag Value Severity 1 Event Name Download Success Resource DownloadFeedService SubResource DOWNLOAD Message Download successful for config Displays download configuration Tag Value Severity ...

Page 469: ...cation When a user is authentic the following event is generated Tag Value Severity 1 Event Name Update Download Config Resource DownloadFeedService SubResource DOWNLOAD Message Successfully updated Download Configuration Tag Value Severity 1 Event Name AddDownloadConfig Resource DownloadFeedService SubResource DOWNLOAD Message Successfully saved Download Configuration Tag Value Severity 1 Event N...

Page 470: ...ntication Events Duplicate User Objects B 3 4 Failed Authentication When a user authentication fails the following event is generated Tag Value Severity Event Name Authentication Resource UserAuthentication SubResource Authenticate Message User name has passed Authentication to Sentinel Wizard Tag Value Severity Event Name CreatingEntryForExternalUser Resource UserAuthentication SubResource Authen...

Page 471: ...er is not an Sentinel user the following event is generated Table B 13 Authentication Events No Such User Event Tag Value Severity 4 Event Name AuthenticationFailed Resource UserAuthentication SubResource Authenticate Message Authentication of user name with OS name domUser from IP failed Tag Value Severity 4 Event Name LockedUser Resource UserAuthentication SubResource Authentication Message Atte...

Page 472: ...al event is generated Table B 15 Table B 8 Authentication Events User Discovered B 3 9 User Logged In When a user logs in the following internal event is generated Table B 16 Authentication Events User Logged In Tag Value Severity Event Name Resource SubResource Message Tag Value Severity 1 Event Name UserLoggedIn Resource UserSessionManager SubResource User Message Discovered active user user wit...

Page 473: ... Table B 18 User Management Add Users To Role Message User user with OS name osName at IP logged in currently number active users Tag Value Severity 1 Event Name UserLoggedOut Resource UserSessionManager SubResource User Message Closing session for user OS name osName from IP was on since date currently number active users Tag Value Severity Event Name createRole Resource WorkflowServices SubResou...

Page 474: ...e createRole Resource WorkflowServices SubResource WorkflowAdminService Message Creating role with name name and description description Tag Value Severity Event Name createUser Resource WorkflowServices SubResource WorkflowAdminService Message Creating user 0 Name 1 2 belonging to roles roles Tag Value Severity Event Name createUser Resource Config SubResource UserManagementService Message Creati...

Page 475: ...e B 24 User Management Locking User Account Tag Value Severity Event Name deleteRole Resource WorkflowServices SubResource WorkflowAdminService Message Deleting role with name name Tag Value Severity Event Name deleteUser Resource Config SubResource UserManagementService Message Deleting User Account 0 Tag Value Severity Event Name lockUser Resource Config SubResource UserManagementService Message...

Page 476: ...ment Unlocking User Account Tag Value Severity Event Name removeUsersFromRole Resource WorkflowServices SubResource WorkflowAdminService Message Removing users name from role role Tag Value Severity Event Name setPassword Resource Config SubResource UserManagementService Message Resetting password for User Account 0 Tag Value Severity Event Name unlockUser Resource Config SubResource UserManagemen...

Page 477: ...Specified Time Threshold When event insertion is resumed after being blocked the following event is sent Table B 30 Database Event Management Database Space Reached Specified Time Threshold Tag Value Severity Event Name updateUser Resource Config SubResource UserManagementService Message Updating user 0 Last Name lastName First Name firstName State state Tag Value Severity 0 Event Name DbSpaceReac...

Page 478: ...ory If that move fails the following internal event is generated Resource Database SubResource Database Message Tablespace string has number MB left and growing number bytes per second and will run out space within the time threshold specified number seconds Tag Value Severity 5 Event Name DbSpaceVeryLow Resource Database SubResource Database Message Tablespace string has current size of number MB...

Page 479: ...abase When this happens DAS will send internal events every time it attempts to insert events into the database Tag Value Severity 3 Event Name MoveArchiveFileFailed Resource DAS name SubResource ArchiveFile Message Error moving completed archive file fileName to directory Tag Value Severity Event Name ErrorProcessingEventMessage Resource EventSubsystem SubResource EventStore Message Error process...

Page 480: ...ventInsertionIsBlocked Resource EventSubSystem SubResource Events Message Event insertion is blocked waiting number sec Tag Value Severity 2 Event Name EventInsertionResumed Resource EventSubSystem SubResource Events Message Event insertion has resumed after being blocked Tag Value Severity Event Name EventMessageQueueOverflow Resource EventSubsystem SubResource EventStore Message In the previous ...

Page 481: ...1 Database Event Management Opening Archive File failed Tag Value Severity Event Name EventProcessingFailed Resource EventSubsystem SubResource EventStore Message In the previous 0 ms failed to process 1 events Events were stored for later insertion Check the log files and the database for more information The error occurred 2 times in this time range 3 cause 4 Tag Value Severity Event Name DbNoSp...

Page 482: ...ition P_MAX When this occurs the administrator needs to use SDM and add more partitions otherwise performance will start degrading Table B 44 Database Event Management Writing to the overflow partition P_MAX Tag Value Severity Event Name New Update Remove Resource SubResource PartitionConfig Message ableName name PartTimeUnit 1 PartTimeFactor 2 NumberOfUnits 3 Tag Value Severity 3 Event Name Write...

Page 483: ...ase Aggregation Deleting Summary B 6 3 Disabling Summary Table B 47 Database Aggregation Disabling Summary Tag Value Severity Event Name createSummary Resource SubResource Message Creating summary summaryDescription Tag Value Severity Event Name deleteSummary Resource SubResource Message Deleting summary summaryDescription Tag Value Severity Event Name disableSummary Resource SubResource Message D...

Page 484: ...serting summary data into the database B 6 6 Saving Summary Table B 50 Database Aggregation Saving Summary B 7 Mapping Service Tag Value Severity Event Name enableSummary Resource SubResource EventAggregationAdminService Message Enabling summary summaryDescription Tag Value Severity 4 Event Name SummaryUpdateFailure Resource Aggregation SubResource Summary Message Error saving summary batch to the...

Page 485: ...r Manager This error is generated when the Collector Manager attempts to retrieve a map that does not exist This should not happen but can happen if maps are created and deleted Table B 53 Database Aggregation Error initializing map with ID Tag Value Severity Event Name error Resource SubResource Message Error while updating map data 0 Tag Value Severity 4 Event Name ErrorApplyingIncrementalUpdate...

Page 486: ...the initialization will proceed and this map will be ignored until it can be successfully loaded Table B 54 Database Aggregation Error Refreshing Map B 7 5 Error Saving Data File Table B 55 Database Aggregation Error Saving Data File B 7 6 Get File Size Table B 56 Database Aggregation Get File Size Message Error initializing map with id ID no such map Tag Value Severity 4 Event Name ErrorRefreshin...

Page 487: ...an one minute Table B 58 Database Aggregation Long time To load Map B 7 9 Out Of Sync Detected This event is sent when the mapping service detects that a map is out of date The mapping service will automatically schedule a refresh Resource SubResource Message Retrieving size for file fileName Tag Value Severity 0 Event Name LoadedLargeMap Resource MappingService SubResource ReferentialDataObjectMa...

Page 488: ...ager When the Collector Manager is told to refresh the map because it has been modified or its definition has changed it sends an internal event This means that the map was either not in the cache or the version in the cache was not up to date and the Collector Manager is retrieving the map from the server Table B 61 Database Aggregation Refreshing Map from Server Tag Value Severity 2 Event Name O...

Page 489: ...long for the response to arrive more than ten minutes the Collector Manager will submit a second request assuming the first was lost When this occurs the following internal event is generated Table B 64 Database Aggregation Timed Out Waiting For Callback Message Refreshing from server map name with id ID Tag Value Severity Event Name saveDataFile Resource SubResource MapService Message Saving data...

Page 490: ...ver acknowledged the request and timed out This error is considered transient and the Collector Manager will retry Table B 65 Database Aggregation Timeout Refreshing Map B 7 16 Update Table B 66 Database Aggregation Update Resource MappingService SubResource ReferentialDataObjectMap Message Map name timed out waiting for callback with new map data retrying Tag Value Severity 4 Event Name TimeoutRe...

Page 491: ...mponent of the Collector Manager the one that performs the maps applies global filters and publishes the events This internal event is sent when the event router is ready during initialization When the Collector Manager is restarted another event will be sent when it is ready This event is not sent until the event router successfully loaded all the global filters and map information Tag Value Seve...

Page 492: ... during shutdown Table B 71 Event Router Event Router is Terminating B 9 Correlation Engine Below listed are relevant to correlation engine Tag Value Severity 1 Event Name EventRouterIsRunning Resource CollectorManager Tag Value Severity 2 Event Name EventRouterStopping Resource CollectorManager SubResource EventRouter Message Event router is stopping reqId B408EC15 F4D2 1029 A795 000C296FC5D4 Tag...

Page 493: ...e idle stopped state and waits to retrieve its configuration from the database This event is sent when the engine changes state from stopped to running Table B 74 Correlation Engine Correlation Engine is Running Tag Value Severity Event Name New Update Remove Resource Correlation SubResource CorrelationActionDefinition Message Action Name name with Id ID Tag Value Severity Event Name New Update Re...

Page 494: ...ion Table B 77 Correlation Engine Correlation Rule Configuration Tag Value Severity 1 Event Name EngineStopped Resource CorrelationEngine SubResource CorrelationEngine Message Correlation Engine has stopped processing events Tag Value Severity Event Name New Update Remove Resource Correlation SubResource CorrRule Message Rule Name name Type type Rule Id ID Tag Value Severity Event Name New Update ...

Page 495: ...erity Event Name deployRulesWithActionsToEngine Resource CorrelationManagementService SubResource CorrelationManagementService Message Deploy Rules With Actions To Engine enginId Rules ruleID Actions actionID Tag Value Severity Event Name disableRule Resource CorrelationManagementService SubResource CorrelationManagementService Message Disable Rule ruleCfgId Tag Value Severity Event Name enableRul...

Page 496: ...is sent out when an engine successfully loads a rule deployment This message is sent out regardless of the engine running state Table B 83 Correlation Engine Rule Deployment is Started Tag Value Severity Event Name renameCorrEngine Resource CorrelationManagementService SubResource CorrelationManagementService Message Rename Engine to name with EngineId ID Tag Value Severity 1 Event Name Deployment...

Page 497: ...lation Engine Starting Engine B 9 15 Stopping Engine Table B 86 Correlation Engine Stopping Engine Tag Value Severity 1 Event Name DeploymentStopped Resource CorrelationEngine SubResource Deployment Message deployment name stopped Tag Value Severity Event Name startEngine Resource CorrelationManagementService SubResource CorrelationManagementService Message Start engine engineID Tag Value Severity...

Page 498: ...t to Event Source Management General Tag Value Severity Event Name undeployAllRulesFromEngine Resource CorrelationManagementService SubResource CorrelationManagementService Message Undeploy all rules from Engine Tag Value Severity Event Name undeployRule Resource CorrelationManagementService SubResource CorrelationManagementService Message Undeploy Rule ruleCfgId Tag Value Severity Event Name upda...

Page 499: ... Event Source Management General Collector Manager Started Tag Value Severity Event Name CollectorManagerInitialized Resource CollectorManager SubResource Internal Message Initialized Collector Manager Tag Value Severity Event Name CollectorManagerDown Resource HealthManager SubResource CollectorManagerHealth Message Collector manager name UUID 1 is down for 2 days 3 hrs 4 min Tag Value Severity E...

Page 500: ...of referential map assignments Check the event configuration in SDM and resolve the dependency Table B 95 Event Source Management General Cyclical Dependency Tag Value Severity Event Name CollectorManagerStopped Resource CollectorManager SubResource Internal Message Stopped Collector Manager Tag Value Severity Event Name restart Resource SubResource CollectorServiceCallback Message Restart Collect...

Page 501: ...Event Source Management General Lost Contact With Collector Manager Tag Value Severity Event Name restart Resource SubResource EventSourceManagerCallback Message Restart node with Id ID Tag Value Severity Event Name CollectorManagerInitializing Resource CollectorManager SubResource Internal Message Initializing Collector Manager Tag Value Severity Event Name LostContactWithCollectorManager Resourc...

Page 502: ...rocess connector is able to restart the controlled process that had died Table B 101 Event Source Management General Persistent Process Restarted Tag Value Severity Event Name NoDataAlert Resource CollectorManager SubResource objectName Message No data received for 7 0 ID 1 for last 2 days 3 hrs 4 min 5 sec threshold 6 ms Tag Value Severity 5 Event Name PersistentProcessDied Resource AgentManager ...

Page 503: ... Table B 104 Event Source Management General Reestablished Contact With Collector Manager Tag Value Severity 1 Event Name PortStart Resource AgentManager SubResource AgentManager Message Processing started for port_ port ID Tag Value Severity 1 Event Name PortStop Resource AgentManager SubResource AgentManager Message Processing stopped for port_ port ID Tag Value Severity Event Name Reestablished...

Page 504: ...ble B 107 Event Source Management General Restarting Collector Manager Warm Restart Tag Value Severity Event Name restartPluginDeployments Resource EventSourceManagement SubResource EventSourceManagerService Message Restart deployments of plugin 0 Tag Value Severity Event Name CollectorManagerRestart Resource CollectorManager SubResource Internal Message Restarting Collector Manager Cold restart T...

Page 505: ...ent Source Management General Starting Collector Manager Tag Value Severity Event Name startEventSourceGroup Resource EventSourceManagement SubResource EventSourceManagerService Message Start Connector 0 Tag Value Severity Event Name startEventSourceManager Resource EventSourceManagement SubResource EventSourceManagerService Message Start Collector Manager eventSourceManagerID Tag Value Severity E...

Page 506: ...B 11 Event Source Management Event Sources Below listed are relevant to Event Source Management Event Sources Tag Value Severity Event Name stopEventSourceGroup Resource EventSourceManagement SubResource EventSourceManagerService Message Stop Connector 0 Tag Value Severity Event Name StopEventSourceManager Resource EventSourceManagement SubResource EventSourceManagerService Message Stop Collector ...

Page 507: ...ment Collectors B 12 1 Start Collector Table B 116 Event Source Management Collectors Start Collector Tag Value Severity Event Name startEventSource Resource EventSourceManagement SubResource EventSourceManagerService Message Start EventSource 0 Tag Value Severity Event Name stopEventSource Resource EventSourceManagement SubResource EventSourceManagerService Message Stop EventSource 0 Tag Value Se...

Page 508: ...nt Source Server B 13 2 Stop Event Source Server Table B 119 Event Source Management Event Source Servers Stop Event Source Server Tag Value Severity Event Name stopCollector Resource EventSourceManagement SubResource EventSourceManagerService Message Stop Collector 0 Tag Value Severity Event Name startEventSourceServer Resource EventSourceManagement SubResource EventSourceManagerService Message S...

Page 509: ...e B 121 Event Source Management Connectors Data Received After Timeout B 14 2 Data Timeout When the File Connector is configured with a DataTimeout greater than 0 in the package xml file and no data is read from the file in the DataTimeout period the following internal event is generated Message Stop EventSourceServer eventSourceServerID Tag Value Severity Event Name stopEventSourceServer Resource...

Page 510: ...eTimeout Resource FileConnector SubResource FileConnector Message Event source File Event Source ID reached time out of Timeout Period when processing file File Location Tag Value Severity 4 Event Name RotatingFile Resource FileConnector SubResource FileConnector Message File rotated for event source File Event Source ID Rotating file from Previous File Location to New File Location Tag Value Seve...

Page 511: ...nagement Connectors WMI Connector Status Message B 15 Active Views Below listed is about Active views Tag Value Severity 1 Event Name ProcessStartError Resource ProcessConnector SubResource ProcessConnector Message Error starting command 0 Tag Value Severity 1 Event Name ProcessStop Resource ProcessConnector SubResource ProcessConnector Message Process 0 exited command 1 Tag Value Severity 4 Event...

Page 512: ...e View is removed from preferences before this event is generated Table B 130 Active View Active View No Longer Permanent Tag Value Severity 1 Event Name RtChartCreated Resource RealTimeSummaryService SubResource ChartManager Message Creating new Active View with filter filter and attribute attribute for users with security filter security filter Currently n Active View s Collecting Tag Value Seve...

Page 513: ...w is removed because of inactivity Permanent Active Views are ones saved in user preferences and timeout after several days of inactivity by default SubResource ChartManager Message Active View with filter filter and attribute attribute for users with security filter security filter is no longer permanent Tag Value Severity 1 Event Name RtChartIsNowPermanent Resource RealTimeSummaryService SubReso...

Page 514: ...anager Message Removed idle permanent Active View with filter filter and attribute attribute for users with security filter security filter Currently n Active View s Collecting Tag Value Severity Event Name New Update Remove Resource SubResource ActivityDefinition Message Activaty Name name Description description Tag Value Severity Event Name New Update Remove Resource Core SubResource FilterConf...

Page 515: ... 17 1 Creating an Activity Table B 138 Activities Creating an Activity Tag Value Severity Event Name New Update Remove Resource SubResource ViewConfigurationStore Message name name type type description description Tag Value Severity Event Name WriteData Resource ListService SubResource ListUpdater Message Could not write data for list Tag Value Severity Event Name createActivity Resource SubResou...

Page 516: ...vents To Incident Table B 141 Incidents and Workflow Add Events To Incident Tag Value Severity Event Name deleteActivity Resource SubResource ActivityNamespace Message Deleting iTRAC Activity name Tag Value Severity Event Name saveActivity Resource SubResource ActivityNamespace Message Saving changes for iTRAC Activity name Tag Value Severity Event Name addEventsToIncident Resource IncidentService...

Page 517: ... Severity Event Name addProcessDefinition Resource WorkflowServices SubResource WorkflowObjectMgrService Message reading iTRAC Template name Tag Value Severity Event Name createIncident Resource IncidentService SubResource IncidentService Message User name created incident with name incidentName state state severity severity resolution resolution Tag Value Severity Event Name createGroup Resource ...

Page 518: ...ag Value Severity Event Name createUser Resource WorkflowServices SubResource WorkflowObjectMgrService Message Creating User in WorkFlow 0 with firstname firstName lastname lastName Tag Value Severity Event Name deleteIncident Resource IncidentService SubResource IncidentService Message Delete incident with ID ID Tag Value Severity Event Name deleteGroup Resource WorkflowServices SubResource Workf...

Page 519: ...teProcessDefinition Resource WorkflowServices SubResource WorkflowObjectMgrService Message Deleting iTRAC Template ID Tag Value Severity Event Name deleteUser Resource WorkflowServices SubResource WorkflowObjectMgrService Message Deleting User in WorkFlow 0 with firstname firstName lastname lastName Tag Value Severity Event Name emailIncident Resource IncidentService SubResource IncidentService Me...

Page 520: ...ag Value Severity Event Name getIncident Resource IncidentService SubResource IncidentService Message Get incident with ID ID Tag Value Severity Event Name saveIncident Resource IncidentService SubResource IncidentService Message Save incident with name name state state severity severity resolution resolution Tag Value Severity Event Name saveGroup Resource WorkflowServices SubResource WorkflowObj...

Page 521: ...al B 19 1 Configuration Service Table B 156 General Configuration Service Tag Value Severity Event Name saveProcessDefinition Resource WorkflowServices SubResource WorkflowObjectMgrService Message Saving iTRAC Template name Tag Value Severity Event Name getProcessDefinition Resource WorkflowServices SubResource WorkflowObjectMgrService Message Viewing iTRAC Template ID Tag Value Severity Event Nam...

Page 522: ...ss was set to respawn that is it is not expected to die The severity is set to 1 if the process was set to run once Table B 158 General Controlled Process is stopped B 19 4 Importing Auxiliary Table B 159 General Importing Auxiliary Tag Value Severity 1 Event Name ProcessStart Resource Sentinel SubResource Process Message Process ProgramName spawned command pID Tag Value Severity 1 5 Event Name Pr...

Page 523: ...ce Table B 162 General Process Auto Restart Error Tag Value Severity Event Name importPlugin Resource SubResource PluginRepositoryService Message Import plugin name ID ID of type type Tag Value Severity Event Name loadEsecTaxonomyToXML Resource SubResource EsecTaxonomyNodeService Message Loading Esecurity taxonomy Info to an xml format Tag Value Severity 1 5 Event Name ProcessAutoRestartError Reso...

Page 524: ...65 General Restarting Process Tag Value Severity Event Name ProcessRestart Resource Sentinel SubResource Process Message Process ProgramName spawned command pID Tag Value Severity Event Name registerClient Resource SubResource ProxyClientRegistrationService medium Message Registering new client Tag Value Severity Event Name restartProcess Resource SentinelHealth SubResource SentinelHealthService M...

Page 525: ...tartProcesses Resource SentinelHealth SubResource SentinelHealthService Message Restarting number processes number name name server name server ID ID Tag Value Severity Event Name startProcess Resource SentinelHealth SubResource SentinelHealthService Message Starting process name on Sentinel server name UUID 2 Tag Value Severity Event Name startProcesses Resource SentinelHealth SubResource Sentine...

Page 526: ... starts the following internal event is generated Tag Value Severity Event Name stopProcess Resource SentinelHealth SubResource SentinelHealthService Message Stopping process name on Sentinel server name UUID 2 Tag Value Severity Event Name stopProcesses Resource SentinelHealth SubResource SentinelHealthService Message Stopping number processes number name name server name server ID ID Tag Value S...

Page 527: ... Watchdog service is stopped the following internal event is generated Table B 173 General Watchdog Process is stopped Tag Value Severity 1 Event Name ProcessStart Resource WatchDog SubResource WatchDog Message WatchDog Service Starting Tag Value Severity 5 Event Name ProcessStop Resource WatchDog SubResource WatchDog Message WatchDog Service Ended ...

Page 528: ...528 Sentinel 6 1 User Guide novdocx en 7 January 2010 ...

Reviews:

No comments