Summary of Contents for Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009
AUTHORIZED DOCUMENTATION. User Guide: Novell® Sentinel Rapid Deployment, December 2009, www.novell.com. Sentinel 6.1 Rapid Deployment User Guide...
Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Novell Trademarks: For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials: All third-party trademarks are the property of their respective owners.
Please use the User Comments feature at the bottom of each page of the online documentation or go to Novell Documentation Feedback (http://www.novell.com/documentation/feedback.html) and enter your comments there. Additional Documentation: Sentinel technical documentation includes several different volumes: Novell Sentinel 6.1 Rapid Deployment Installation Guide (http://www.novell.com/documentation/sentinel61rd/s61rd_install/data/index.html). About This Guide...
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items within a cross-reference path. A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. When a single path name can be written with a backslash for some platforms or a forward slash for other platforms, the path name is presented with forward slashes to reflect the Linux* convention.
Make sure to configure your browser's Languages setting to support the desired language. 5 Click Sign in. 1.2 Applications and Installers Click Applications in the left panel of the Novell Sentinel 6.1 Rapid Deployment Web interface to download the Sentinel components. Managing Sentinel 6.1 Rapid Deployment Through the Web Interface...
WebStart. Figure 1-1 Downloading Options. Table 1-1 Options lists each component with its description and the action to launch it:
Option: The Sentinel Control Center (SCC). Description: The Sentinel Control Center allows you to monitor, configure, and control most features of... Action: 1. Click Launch Control Center. 2. Open SCC with the Java* Web Start Launcher.
Option: The Sentinel Data Manager (SDM). Description: The Sentinel Data Manager allows you to manage the Sentinel database. You can monitor database space utilization, view and... Action: 1. Click Launch Data Manager. 2. Open SDM with the Java Web Start Launcher. 3. Specify the server, database, host, and port number.
IMPORTANT: If a report in progress is canceled by using the Cancel link, the query on the database is canceled. Manually Running a Report 1 Click Reports to display the available reports. 2 If desired, click a report definition to expand it. If you see a Sample Report link, you can click View to find out how the completed report looks with a set of sample data.
Report Parameters Description Run Option Set the schedule for running the report. If you want the report to run later, you must also enter a start time. Now: This is the default. It runs the report immediately. Once: Runs the report once at the specified date and time. Daily: Runs the report once a day at the specified time.
Report Parameters Description MinSev: Specify the minimum severity of events to be included in the report. The range is 0-5. MaxSev: Specify the maximum severity of events to be included in the report. The range is 0-5. Email Report To: If the report should be mailed to a user or users, specify their e-mail addresses, separated by commas.
2 Click show parameters to see the exact values used to run the report. For Date Range, D=Current Day, PD=Previous Day, W=Week To Date, PW=Previous Week, M=Month To Date, PM=Previous Month, and DR=Custom Date Range. For Language, en=English, fr=French, de=German, it=Italian, ja=Japanese, pt=Brazilian Portuguese, es=Spanish, zh=Simplified Chinese, and zh_TW=Traditional Chinese.
TIP: Report results are organized from newest to oldest. 1.3.3 Scheduling a Report When you run a report, you can run the report immediately or schedule it to be run later, either once or on a recurring basis. For scheduled reports, you must choose a frequency and enter a time at which the report should run.
Any user can add or update reports in Sentinel 6.1 Rapid Deployment. “Downloading New or Updated Reports” on page 27 “Adding New Reports” on page 27 Downloading New or Updated Reports New or updated reports by Novell can be downloaded from the Novell Content Web site (http://support.novell.com/products/sentinel/secure/identityaudit.html). Adding New Reports Sentinel Rapid Deployment comes preloaded with reports, but new report plug-ins (special .
No Reports Loaded Figure 1-3 To add a report: 1 Click the Reports button on the left side of the screen. 2 Click the Upload Report button. 3 Browse and select the report plug-in . file on your local machine. 4 Click Open.
Rapid Deployment Web interface. They must adhere to the file and format requirements of the report plug-ins. For more information about database fields and file and format requirements for report plug-ins, see the Sentinel SDK Web site (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel). Renaming Report Results Report results (but not report definitions) can be renamed in the interface.
Deleting Report Results There are two ways to delete report results. Delete a single report by using the button at the right side of the report result. IMPORTANT: Users with the Run/View Reports or Manage Reports permission can delete the report results. For more information on permissions, see “Reporting” in the Sentinel 6.1 Rapid Deployment Reference Guide.
1.4 Searching Events Novell Sentinel Rapid Deployment provides the ability to search events. The search includes all online data currently in the database, but internal events generated by the Sentinel system are excluded unless you select Include System Events. By default, events are sorted based on the search engine’s relevancy algorithm.
Basic Search A basic search runs against all of the event fields in Table 1-2 on page 37. Some sample basic searches include the following: root, 127.0.0.1, Lock*, driverset0. NOTE: If time is not synchronized between the end user machine and the Sentinel Rapid Deployment server (for example, one machine is 25 minutes behind), you might get unexpected results from your search.
The event summaries are displayed. Advanced Search An advanced search can search for a value in a specific event field or fields. The advanced search criteria are based on the short names for each event field and the search logic for the index. To view the field names and descriptions, the short names that are used in advanced searches, and whether the fields are visible in the basic and detailed event views, see Table 1-2 on page...
Special characters must be escaped by using a \ symbol: + - && || ! ( ) { } [ ] ^ " ~ * ? : \ The advanced search criteria are modeled on the search criteria for the Apache* Lucene* open source package.
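The escaping rule and the field short names above lend themselves to a small query builder. The following is an added example, not code from the guide or from Novell: it assumes the Lucene-style field:value syntax the text refers to, and uses only the short names listed in Table 1-2 on this page (tuid, rv45, rv36, rv50) as a hypothetical subset of the full field table.

```python
# Characters the guide lists as needing a backslash escape in advanced
# searches. "&&" and "||" are two-character operators and are handled first.
LUCENE_SPECIALS = ['+', '-', '&&', '||', '!', '(', ')', '{', '}', '[', ']',
                   '^', '"', '~', '*', '?', ':', '\\']
_SINGLE = {c for c in LUCENE_SPECIALS if len(c) == 1}

# Short names taken from Table 1-2 on this page (hypothetical subset; a real
# deployment would load the full table).
SHORT_NAMES = {
    "TargetUserID": "tuid",
    "TargetUserDomain": "rv45",
    "DataContext": "rv36",
    "TaxonomyLevel1": "rv50",
}


def escape_value(value, keep_wildcards=False):
    """Backslash-escape a literal value so the search engine treats it as text.

    With keep_wildcards=True the * and ? characters are left unescaped so a
    term such as Lock* (from the basic-search examples) still acts as a
    wildcard; every other special character is escaped."""
    out = []
    i = 0
    while i < len(value):
        pair = value[i:i + 2]
        if pair in ("&&", "||"):
            out.append("\\" + pair)
            i += 2
            continue
        ch = value[i]
        if keep_wildcards and ch in "*?":
            out.append(ch)
        elif ch in _SINGLE:
            out.append("\\" + ch)
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def build_advanced_query(criteria, operator="AND", keep_wildcards=False):
    """Turn {field name or short name: value} into a field:value query.

    Field names are resolved to their short names via SHORT_NAMES; an unknown
    field raises ValueError rather than silently producing a query that the
    index would match against nothing."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    clauses = []
    for field, value in criteria.items():
        short = SHORT_NAMES.get(field, field)
        if short not in SHORT_NAMES.values():
            raise ValueError("unknown event field: %s" % field)
        term = escape_value(str(value), keep_wildcards)
        if " " in term:
            term = '"%s"' % term   # phrase search; embedded quotes were escaped above
        clauses.append("%s:%s" % (short, term))
    return (" %s " % operator).join(clauses)
```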
Figure: Events Indexed but Not Yet in Database. Figure 1-7 Event View with Details. You can view additional details about any event or events by clicking the details link on the right side of the page. The details for all events on a page can be expanded or collapsed by using the all details++ or details-- link.
TIP: This adds the value to your filter with an AND operator. To add the value to your filter with a NOT operator, press the Alt key as you click the value. 3 Click Search. Some fields cannot be selected to refine a search this way: EventTime, Message, and any field related to the Reporter...
1.4.3 Event Fields Each event has fields that might or might not be populated, depending on the specific event. The values for these event fields can be viewed by using a search or running a report. Each field has a short name that is used in advanced searches.
Table 1-2 (continued). Columns: Field, Short Name, Description, Visible in Basic View, Visible in Detailed View.
TargetUserID (short name tuid): User ID of the user who was the target of the event, based on the raw data reported by the device. Visibility: Invisible.
TargetUserDomain (short name rv45): Domain of the user who was the target of the event. Visibility: Invisible.
ObserverHostName (no short name listed): Hostname of the machine that forwarded the event to the security information event management system (for example, the hostname of a syslog server). Searchable but not displayed in either event view. Visible in Basic View: Invisible. Visible in Detailed View: Invisible.
DataContext (short name rv36): Container for the FileName data object (for example, a directory for a file or a database instance for a database table).
TaxonomyLevel1 (short name rv50): Target classification for event. Displayed under the event name in the format: TaxonomyLevel1>>...
Go to Start > Programs > Sentinel and select Sentinel Control Center. The Sentinel Login window displays. Click Applications in the left panel of the Novell Sentinel 6.1 Rapid Deployment Web interface, then click Launch Control Center: Sentinel Control Center...
2 Specify your username and password. 3 Click Login. On the first login, the following warning message displays: You must accept the certificate in order to securely log in to the Sentinel Control Center. 4 Select Accept if you want this message to display every time you start Sentinel on your system. To avoid this, you can select Accept Permanently.
Associate activities with workflow steps Initiate and execute processes 2.2.4 Analysis The Analysis tab is used to run and save an offline query for later quick retrieval of search results. 2.2.5 Admin The Admin tab provides you access to perform the administrative actions and configuration settings in Sentinel.
Add/edit connections to event sources through the configuration wizards View the real-time status of the connections to event sources Monitor data flowing through the Collectors and Connectors Sentinel Collectors The Collectors parse the data and deliver a richer event stream by injecting taxonomy, exploit detection, and business relevance into the data stream before events are correlated and analyzed and sent to the database.
Sentinel Control Center Figure 2-1 2.3.1 Menu Bar The menu bar has the menus required to navigate, perform activities, and change the appearance of the Sentinel Control Center. Menu Bar Figure 2-2 The File, Options, Event Source Management, Windows, and Help menus are always available. The availability of other menus depends on your location in the console and the permissions you have.
System-Wide Toolbar The system-wide toolbar buttons are: Toolbar Buttons Figure 2-3 Tab-Specific Toolbar Buttons Tab-specific toolbar buttons allow you to perform the functions related to each tab. Tab-Specific Toolbar Buttons Table 2-1 Toolbar View Active Views Correlation Incidents iTRAC Analysis Admin For more information on tab-specific toolbar buttons, see the sections on each of the tabs listed in Section 2.3.3, “Tabs,”...
2.3.3 Tabs Depending on your access permissions, Sentinel Control Center displays the following tabs. Active Views tab. For more information, see Chapter 3, “Active Views Tab,” on page 53 Correlation tab. For more information, see Chapter 4, “Correlation Tab,” on page 83 Incidents tab.
NOTE: This procedure is generic for all the tabs in the Sentinel Control Center. Navigation procedures for tabs are discussed in the relevant sections. 2.3.6 Changing the Appearance of the Sentinel Control Center You can change the Sentinel Control Center’s look by: “Setting the Tab Position”...
2.3.7 Saving User Preferences If the user has permissions to save the workspace, they can save the following preferences: Permanent windows that are not dependent on data that was available at the time of their original creation. Active Views Summary displays Window positions Window sizes, including the application window Tab positions...
2 Click Add. The Attachment Identification window displays. Specify the extension type (such as .doc, .xls, .txt, .html, and so on) and click Browse, or type in the application program to launch the file type (such as notepad.exe for Notepad). 3 Click OK.
Active Views Tab The Active Views tab presents events in near-real time. Section 3.1, “Understanding Active Views,” on page 53 Section 3.2, “Introduction to the User Interface,” on page 54 Section 3.3, “Reconfiguring Total Display Time,” on page 57 Section 3.4, “Viewing Real-Time Events,” on page 57 Section 3.5, “Showing and Hiding Event Details,”...
A successful login reported by an operating system; a customer-defined situation such as a user accessing a file; internal events (an event generated by Sentinel), including a correlation rule being disabled and the database filling up; and correlated events. You can monitor the events in a tabular form or you can use several different types of charts to perform queries for recent events.
User Interface Description The toolbar buttons Active Views provides two types of views that display the events in tables and graphs. The Table format displays the variables of the events as columns in a table. You can sort the information in the grid by clicking the column name. Active View Tabular Format Figure 3-1 The Graphical format displays events as graphs.
Gray Line Smallest Possible Display Interval Figure 3-3 If there are more than 750 events per 30-second time period, a red separation line displays indicating that there are more events than are displayed. The other events can be viewed by using Historical Queries. Red Line More Events Displayed Figure 3-4 On saving user preferences, the system continues to collect data for four days.
You can change labels (column names) to user-friendly names and the new names are populated throughout the system. For more information, see Section 3.15, “Using Custom Menu Options with Events,” on page 3.3 Reconfiguring Total Display Time Active View Properties allows you to configure the cached time in each client. The default cache time value in an Active View is 24 hours.
After making your selection, you can click Next or Finish. If you select Finish, the following default values are selected: Display Interval and Refresh rate of 30 seconds Total Display Time of 15 minutes Y-axis as Event Count Chart type of Stacked Bar 2D 4 If you click Next, click the down-arrows and fill in the fields: Display Interval and Refresh rate: Display Interval is the time interval to display events.
The five buttons to the left of the chart perform the following functions: Functions of the Buttons Table 3-2 Buttons Description Lock/Unlock the Chart Used when performing a drill-down, zoom in, zoom out, and zoom to selection, and saving a chart as an HTML file. Increase Display Interval Increases the display time interval for the incoming events.
3.4.1 Resetting the Parameters and Chart Type of an Active View When viewing an Active View, you can reset your chart parameters and change your chart type. 1 Within an Active View displaying a chart, right-click and select Properties. 2 Under the Parameters tab, set the following options: Display Interval: Time between each interval.
3 Under the Chart Types tab, set your chart to Stacked Bar2D, Bar 3D, Line, or Ribbon. 3.4.2 Rotating a 3D Bar or Ribbon Chart 1 Click anywhere on the chart and hold the mouse button. 2 Reposition the chart as desired by moving the mouse and holding the button. 3.5 Showing and Hiding Event Details To show event details: 1 In a Real Time Event Table of the Navigator or in a Snapshot, double-click or right-click an...
To hide event details: 1 In a Real Time Event Table of the Navigator or in a Snapshot, with event details displayed in the left panel, right-click an event and click Show Details. The Event Details window closes. 3.6 Sending Mail Messages about Events and Incidents IMPORTANT: Before you send a mail by using the Sentinel Control Center, ensure that you have an SMTP Integrator configured with connection information and with the...
To e-mail an incident: 1 After you save your incident, click the Incidents tab, Incidents > Incidents View. 2 Click the All Incidents option in the Switch View drop-down list located at the bottom right corner. 3 Double-click an incident. 4 Click Email Incident icon.
Vulnerability: Show related asset vulnerabilities. Advisor: Asset attack and alert information. iTRAC: Under this tab, you can assign a WorkFlow (iTRAC). History: Incident history. Attachments: You can attach any document or text file with pertinent information to this incident. Notes: You can specify any general notes regarding this incident. 3 In the Create Incident dialog box, specify: Title, State...
3.9 Investigating an Event or Events The right-click option Investigate allows you to: Perform an event query for the last hour on a single event for: Other events with the same target IP address Other events with the same source (initiator) IP address Other targets with the same event name NOTE: You cannot perform a query on a null (empty) field.
3.9.1 Investigate: Event Query This function allows you to perform an event query within the last hour for events similar to the selected event. 1 In a Navigator or Snapshot window, right-click an event, click Investigate, and select one of three options given below: Option Function...
2 You must specify the From and To fields and click Finish. The Graph Mapper window displays. 3.9.3 Historical Event Query You can query the database for past events through a historical event query. The events can be queried according to the filter and severity criteria in the required batch size. You can export the results in HTML or CSV file format.
3 Click the Severity icon. The Select Severity Values window displays. 4 Select one or more values for Severity and click OK. 5 Select a From and To date and time. The time you select corresponds to your system time. 6 Select a batch size. The events queried display in the batch size you specify. If you select a batch size of 100, the first 100 events are displayed in the window.
The events are grouped according to the meta tags. In these meta tags, various sub categories are defined. The numbers in the parentheses against these sub categories display the total number of events corresponding to the value of the meta tag. To view events in Active Browser: 1 In the Active Views tab, select the event or events you want to view in Active Browser.
To add attributes in Active Browser: 1 Click the Add an attribute for categorization icon as shown below: 2 Select an attribute in the Add an Attribute for categorization window that displays. 3 Click OK. 3.10 Viewing Advisor Data The Advisor provides a cross-reference between real-time intrusion detection systems attack signatures and the Advisor's knowledge base of vulnerabilities.
If the DeviceAttackName field is properly populated, a report similar to the one below displays. This example is for a WEB-MISC amazon 1-click cookie theft. 3.11 Viewing Asset Data This function allows you to view and save your view as an HTML file of your Asset report. You must run your asset management Collector to view this data.
Vendor, Product, Version, Contacts, Order, Name, Role, Email, Phone Number, Location, Room, Rack, Address. To view Asset Data: 1 In a Real Time Event Table of the Navigator or a Snapshot window, right-click an event or click events > Analyze > Asset Data. A window similar to the one below displays.
Vulnerability Visualization requires that a vulnerability Collector is running and adding vulnerability scan information to the Sentinel database. The Novell Sentinel Content (http://support.novell.com/products/sentinel/secure/sentinel61.html) provides Collectors for several industry-standard vulnerability scanners, and additional vulnerability Collectors can be written by using the Sentinel SDK (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel).
Figure 3-9 Circular View. Figure 3-10 Orthogonal View. The graphical display has four panels: the graph panel, the tree panel, the control panel, and the details/events panel. The graph panel display associates vulnerabilities to a port/protocol combination of a resource (IP address). For example, if a resource has five unique port/protocol combinations that are vulnerable, there are five nodes attached to that resource.
NOTE: Event mapping takes place only between the selected events and the vulnerability data returned. The tree panel organizes data in the same hierarchy as the graph. The tree panel also allows users to hide/show nodes at any level in the hierarchy. The control panel exposes all the functionality available in the display.
Zoom in and out of selected areas 3.13 Ticketing System Integration Novell provides optional integration modules for BMC Remedy* that allow you to send events from any display screen to one of these external ticketing systems. You can also send incidents and their associated information (asset data, vulnerability data, or attached files) to Remedy.
tracert Whois? You can further assign user permissions to view vulnerability and to perform HP actions. You can add options by using the Event Menu Configuration option on the Admin tab. 3.16 Managing Columns in a Snapshot or Navigator Window To select and arrange columns in a Snapshot or Navigator: 1 With a Snapshot or Navigator window open, click Active View >...
Use the up-arrow and down-arrow buttons to arrange the order of the columns as you want them to display in the Real Time Event Table. The top-to-bottom order of column titles in the Manage Column dialog box determines the left-to-right order of the columns in the Real Time Event Table.
The Select Incident window displays. 3 Click Search to view a list of incidents with the selected criteria. You can define your criteria to search for a particular incident or incidents in Select Incident window. 4 Select an incident and click Add.
5 Click OK. The event or events selected are added to the incident in the Incidents Navigator. If events are not initially displayed in a newly created incident, it is probably because of a lag in the time between displaying in the Real Time Events window and insertion into the database. If this occurs, it takes a few minutes for the original events to be inserted into the database and display in the incident.
Correlation Tab Sometimes, an event viewed in the system might not necessarily draw your attention. However, when you correlate a set of similar or comparable events in a given period, it might lead you to a significant event. Sentinel helps you correlate such events with the rules you create and deploy in the Correlation engine so you can take appropriate action to mitigate any alarming situation.
Correlation relies on the data that is collected, parsed, and normalized by the Collectors, so a working understanding of the data is necessary to write rules. Many Novell® Correlation rules rely on an event taxonomy that ensures that a “failed login” and an “unsuccessful logon” from two devices are classified the same.
In the Correlation tab, you can: Create/modify Correlation rules and rule folders Deploy Correlation rules on the Correlation engine Create and associate an action to a rule Configure dynamic lists NOTE: Access to the correlation functions can be enabled by the administrator on a user-by-user basis.
3 The Rule Wizard displays. Select one of the following rule types and follow the steps for that particular rule type: Simple Composite Aggregate Sequence Custom/Freeform 4 Define the update criteria for the rule. If you select Continue to perform actions every time this rule fires, the rule fires every time the criteria is met.
Simple Rule A simple rule is defined by specifying the events that can trigger the rule to fire (for example, firewall events, or firewall events of severity 3 or higher). The filter criteria can be intersected (using the “all” option in the GUI or the “AND” operator in RuleLG) or the filter criteria can be unioned (using the “any”...
4 Click Add to add additional definitions for this rule. 5 Preview the rule in the RuleLG preview window. For example, filter(e.sev=3) 6 Click Next. The Update Criteria window displays. 7 Enable the update criteria for the rule to fire and click Next. The General Description window displays.
8 Provide a name for this rule. You have an option to modify the rule folder. 9 Provide rule description and click Next. 10 You have an option to create another rule from this wizard. Select your option and click Next. Aggregate Rule An aggregate rule is defined by specifying a subrule and the number of times the subrule must fire within a specific time window in order to trigger the aggregate rule.
3 In Aggregate Rule window, click the Add Rule button to select a sub rule to create an aggregate rule. The Add Rule window displays. You can select only one sub rule when creating an aggregate rule. 4 Select a rule and click OK. 5 Set parameters for the rule to fire.
Composite Rule A composite rule is comprised of two or more subrules. A composite rule can be defined so that all or a specified number of the subrules must fire within the defined time frame. Composite rules have an optional group by field, which can be any populated field from the events. NOTE: When a subrule is used to create a composite rule, a copy of the subrule is added to the composite rule’s definition.
11 Provide a rule description and click Next. 12 You have an option to create another rule from this wizard. Select your option and click Next. Sequence A sequence rule is comprised of two or more subrules that must be triggered in a specific order within the defined time frame.
10 Provide rule description and click Next. 11 You have an option to create another rule from this wizard. Select your option and click Next. Custom or Freeform Correlation Rules The custom or freeform rule option is the most powerful option for creating a correlation rule. This allows the user to create any of the previous types of rules by typing the RuleLG correlation rule language directly into the Correlation Rule Wizard.
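To make the rule-type semantics above concrete, here is an added example (not Sentinel's own Correlation engine, and not RuleLG) that evaluates a simple filter, an aggregate rule with a group-by field and time window, and a sequence rule over a small set of constructed events. Event field names (t, evt, sev, sip, suser) and the sample events are assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed sample events, not real Sentinel data. Field names mimic the
# guide's short-name style: t = time (seconds), evt = event name,
# sev = severity, sip = initiator IP, suser = initiator user name.
EVENTS = [
    {"t": 0,   "evt": "Failed Login",     "sev": 3, "sip": "10.0.0.5", "suser": "root"},
    {"t": 10,  "evt": "Failed Login",     "sev": 3, "sip": "10.0.0.5", "suser": "root"},
    {"t": 20,  "evt": "Failed Login",     "sev": 3, "sip": "10.0.0.9", "suser": "bob"},
    {"t": 25,  "evt": "Failed Login",     "sev": 3, "sip": "10.0.0.5", "suser": "root"},
    {"t": 40,  "evt": "Successful Login", "sev": 1, "sip": "10.0.0.5", "suser": "root"},
    {"t": 400, "evt": "Failed Login",     "sev": 3, "sip": "10.0.0.9", "suser": "bob"},
]


# Simple rules are filters over a single event, like filter(e.sev=3) in RuleLG.
def failed_login(e):
    return e["evt"] == "Failed Login" and e["sev"] >= 3


def successful_login(e):
    return e["evt"] == "Successful Login"


def correlated_event(rule_name, key, t):
    # Shape follows the default correlated event in Table 4-4:
    # Resource "Correlation", SubResource = rule name.
    return {"evt": rule_name, "resource": "Correlation",
            "subresource": rule_name, "group": key, "t": t}


class AggregateRule:
    """Fires when `subrule` matches `threshold` times within `window` seconds,
    counted separately per value of `group_by` (for example per initiator IP)."""

    def __init__(self, name, subrule, threshold, window, group_by=None):
        self.name, self.subrule = name, subrule
        self.threshold, self.window, self.group_by = threshold, window, group_by
        self.buckets = defaultdict(deque)   # group value -> times of recent matches

    def feed(self, e):
        if not self.subrule(e):
            return None
        key = e.get(self.group_by) if self.group_by else None
        q = self.buckets[key]
        q.append(e["t"])
        while q and q[0] <= e["t"] - self.window:   # drop matches outside the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()   # start a fresh count instead of refiring on every further match
            return correlated_event(self.name, key, e["t"])
        return None


class SequenceRule:
    """Fires when the subrules match in order within `window` seconds for the
    same `group_by` value. A non-matching event neither advances nor resets
    the sequence; only an expired window resets it."""

    def __init__(self, name, subrules, window, group_by=None):
        self.name, self.subrules = name, list(subrules)
        self.window, self.group_by = window, group_by
        self.progress = {}   # group value -> (index of next subrule, time of first match)

    def feed(self, e):
        key = e.get(self.group_by) if self.group_by else None
        idx, start = self.progress.get(key, (0, None))
        if start is not None and e["t"] - start > self.window:
            idx, start = 0, None                      # window expired: start over
        if not self.subrules[idx](e):
            self.progress[key] = (idx, start)
            return None
        if idx == 0:
            start = e["t"]
        idx += 1
        if idx == len(self.subrules):
            self.progress.pop(key, None)
            return correlated_event(self.name, key, e["t"])
        self.progress[key] = (idx, start)
        return None


def run_rule(rule, events):
    """Feed events in time order and return the correlated events generated."""
    fired = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        c = rule.feed(e)
        if c:
            fired.append(c)
    return fired


if __name__ == "__main__":
    brute = AggregateRule("Repeated failed logins", failed_login, 3, 60, "sip")
    print(run_rule(brute, EVENTS))
    seq = SequenceRule("Success after failures",
                       [failed_login, successful_login], 60, "suser")
    print(run_rule(seq, EVENTS))
```

With the sample data the aggregate rule fires once for 10.0.0.5 (three failures in 25 seconds) and stays silent for 10.0.0.9, whose two failures are 380 seconds apart; the sequence rule fires once for root when the successful login follows the failures inside the window.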
4.3.7 Deploying and Undeploying Correlation Rules Correlation rules can be deployed or undeployed from the Correlation Engine Manager or the Correlation Rule Manager. You can undeploy all rules or a single rule. The rules can be associated with one or more actions. If no action is selected, a default correlated event is generated with the following values: Default Correlated Event Details Table 4-2...
If nothing is selected, a Correlated event with default values is created. 5 Click Deploy. To undeploy a single rule: 1 In the Correlation Engine Manager, right-click the rule and select Undeploy Rule. In the Correlation Rule Manager, select the rule and click the Undeploy rule link. To undeploy all correlation rules: 1 Open the Correlation Engine Manager window.
4.3.11 Moving a Correlation Rule 1 Open the Correlation Rule Manager window and click Manage Folder. 2 Drag a correlation rule from one folder to another. 4.3.12 Importing a Correlation Rule 1 Open the Correlation Rule Manager window and click the Import/Export Correlation Rule icon.
IMPORTANT: If you import a correlation rule using the inlist operator, the dynamic list aligned to that rule must exist or you must create the dynamic list with the same name on the system to which it is imported. 4.3.13 Exporting a Correlation Rule 1 Open the Correlation Rule Manager window and click the Import/Export Correlation Rule icon.
Regardless of how the values were added, they can be persistent (active until manually removed or until the maximum list size is reached) or transient (active only for a specified time frame after being added to the list, also known as the Time to Live). The Time to Live can range from 60 seconds to 90 days.
To make an existing element persistent, select the check box next to the element name in the Dynamic Properties window. 6 Select Transient elements life span, then specify the time the transient values are active in the list. 7 Specify the maximum number of elements. The number defined here limits the number of elements in the list.
where e.<tagname> represents a meta tag in the incoming event, such as e.shn (Source Host Name) or e.dip (Destination IP address), and <Dynamic List Name> is the name of an existing Dynamic List, such as CriticalServerList. The following instructions assume that a dynamic list already exists. To add a dynamic list to a correlation rule: 1 Open the Correlation Rule Manager window and select a folder from the drop-down list to which this rule is added.
4.5 Correlation Engine Section 4.5.1, “Starting or Stopping a Correlation Engine,” on page 102 Section 4.5.2, “Renaming a Correlation Engine,” on page 102 4.5.1 Starting or Stopping a Correlation Engine 1 Open the Correlation Engine Manager window. 2 Right-click a correlation engine and select Start Engine or Stop Engine. 4.5.2 Renaming a Correlation Engine A Sentinel system can have one or more correlation engines.
Table 4-4 Default Settings lists the default values of the correlated event by field name: Message is <message>, Resource is Correlation, and SubResource is <Rule Name>; Severity, Event Name, and Final Event Name are the remaining fields. 4.6.1 Configuring a Correlated Event Configure Correlated Event Figure 4-2 NOTE: This type of action can only be used in Correlation deployments. To override the default values for the correlated event created when a rule fires, an action can be created to populate the following fields in the correlated event: Severity...
4.6.2 Adding to a Dynamic List Adding to a Dynamic List Figure 4-3 NOTE: This type of action can only be used in Correlation deployments. This action type can be used to add a constant value or the value of an event attribute (such as Target IP or Initiator User Name) to an existing dynamic list.
4.6.3 Removing a Value from a Dynamic List Removing a Value from a Dynamic List Figure 4-4 NOTE: This type of action can only be used in Correlation deployments. This action type can be used to remove a constant value or the value of an event attribute (such as Target IP or Initiator User Name) from an existing dynamic list.
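The dynamic list behaviour described in 4.4 (persistent versus transient elements with a Time to Live, a maximum list size, and the e.<tagname> inlist <Dynamic List Name> test) and the add/remove actions in 4.6.2 and 4.6.3 can be modelled in a few lines. This is an added example, not Sentinel's implementation; the class and function names, the list names, and the sample events are assumptions.

```python
class DynamicList:
    """A named list whose members are either persistent (kept until removed or
    the list is full) or transient (expire after a Time to Live)."""
    MIN_TTL = 60                  # guide: Time to Live ranges from 60 seconds ...
    MAX_TTL = 90 * 24 * 60 * 60   # ... to 90 days

    def __init__(self, name, max_size, default_ttl):
        self.name = name
        self.max_size = max_size
        self.default_ttl = self._check_ttl(default_ttl)
        self.entries = {}   # value -> expiry time, or None for persistent members

    @classmethod
    def _check_ttl(cls, ttl):
        if not cls.MIN_TTL <= ttl <= cls.MAX_TTL:
            raise ValueError("Time to Live must be between 60 seconds and 90 days")
        return ttl

    def _expire(self, now):
        # Drop transient members whose Time to Live has elapsed.
        for v in [v for v, exp in self.entries.items() if exp is not None and exp <= now]:
            del self.entries[v]

    def add(self, value, now, persistent=False, ttl=None):
        """Add (or refresh) a value. Returns False when the list is full."""
        self._expire(now)
        if value not in self.entries and len(self.entries) >= self.max_size:
            return False
        if value in self.entries and self.entries[value] is None:
            return True   # already persistent; re-adding does not demote it
        self.entries[value] = None if persistent else now + self._check_ttl(ttl or self.default_ttl)
        return True

    def remove(self, value):
        """Remove a value; returns True if it was present."""
        if value in self.entries:
            del self.entries[value]
            return True
        return False

    def contains(self, value, now):
        self._expire(now)
        return value in self.entries

    def __len__(self):
        return len(self.entries)


def inlist(event, tag, dlist, now):
    """The rule test e.<tag> inlist <Dynamic List Name> for one event."""
    return tag in event and dlist.contains(event[tag], now)


def add_to_list_action(dlist, event, now, attribute=None, constant=None, persistent=False):
    """Action 4.6.2: add a constant, or the value of an event attribute, to the list."""
    value = constant if constant is not None else event.get(attribute)
    if value is None:
        return False
    return dlist.add(value, now, persistent=persistent)


def remove_from_list_action(dlist, event, attribute=None, constant=None):
    """Action 4.6.3: remove a constant, or the value of an event attribute, from the list."""
    value = constant if constant is not None else event.get(attribute)
    return value is not None and dlist.remove(value)
```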
4.6.4 Executing a Command Executing a Command Figure 4-5 NOTE: This type of action can only be used in Correlation deployments This action type can be used to execute a command when a correlated event triggers. You can set the following parameters: Command: Arguments: This can include constants or references to an event attribute in the last event, the one that caused the rule to fire.
4.6.5 Creating an Incident Configure Action: Create Incident Figure 4-6 NOTE: This type of action can only be used in Correlation deployments. This action type creates an incident whenever a correlated event fires. You can also initiate an iTRAC workflow process for remediation of that incident. For more information about the values of the following parameters, see Chapter 5, “Incidents Tab,”...
4.6.6 Sending an E-mail Configure Action: Send Email Figure 4-7 NOTE: This type of action can only be used in Correlation deployments This action type can be used to send an e-mail when a correlated event triggers. The various parameters available are: Parameters Table 4-7 Option...
Incidents Tab In Sentinel, a set of related events (for example, a possible attack) can be grouped together to form an incident. An incident in the Open state alerts you to investigate, resolve, and close the incident. For example, the resolution to an attack might be to close a port, block a source IP, or rebuild a machine.
User Interface Description The Navigation Tree in the Navigation pane The toolbar buttons 5.2.1 Incident View In the Incident View Manager, you can view the list of incidents and the parameters you specified when adding an incident. To open the Incident View Manager: 1 Click Incidents on the menu bar and select Display Incident Views, or click the Display Incident View button in the toolbar. 5.2.2 Incident...
Add/Edit Incident Figure 5-1 Events: Lists events attached to this incident. You can attach events to incidents in an Active View. Assets: Lists assets affected by the events of this incident. Vulnerability: Lists asset vulnerabilities. Advisor: Displays asset attack and alert information. iTRAC: Allows you to add a workflow to an incident from the iTRAC tab.
Page 112
2 Open the view options by doing one of the following: Click the down-arrow on the Manage Views button located in the bottom right corner of the window and select Add View. Click the down-arrow on the Manage Views button located in the bottom right corner of the window, select Manage Views, and then click the Add View button.
Page 113
Sort By: Set rules to sort the incidents in the display view.
Filter: Set incident filters. Only the incidents that match your filter display in the view. Leaf Attribute: Select an attribute from the list that is displayed as the first column in the incident view. 4 Click Save. 5.3.2 Modifying a View 1 Click Incidents >...
5.3.3 Deleting a View 1 Click Incidents > Incident View Manager or click the Display Incident View button on the toolbar. 2 Click the down-arrow next to the Manage Views button located in the bottom right corner of the screen and select Manage View from the list. The Manage View window displays. Select a view and click Delete.
2 Specify the following information: Title: Specify the title of the incident. State: To set the state of the incident, select from the drop-down list. Severity: To indicate the severity of the incident, select from the drop-down list. Priority: To indicate the priority of the incident, select from the drop-down list. Category: Specify the category of the incident.
2 In the Incident window, click the iTRAC tab. 3 Select an iTRAC process from the drop-down list. 4 Click Save. NOTE: You can attach only one process to an incident. 5.4.4 Adding Notes to Incidents 1 In the Incident window, click the Notes tab. 2 Click Add.
5 Click OK, then click Save. Right-click the attachment to view or save it. 5.4.6 Executing Incident Actions Any configured JavaScript action or iTRAC activity can be executed on an incident. 1 Open an incident. 2 Click Actions > Execute Incident Action or click the Execute Incident Action icon.
To mail an incident by using the preinstalled Email Incident action, you must have an SMTP Integrator configured with valid connection information and with the SentinelDefaultEMailServer property set to “true”. For more information, see the SMTP Integrator documentation available at Novell Sentinel Content Web site (http://www.novell.com/documentation/sentinel61). 1 Open an incident.
3 Provide the following: Email Address Email Subject Email Message 4 Select which HTML attachments should be included in the mail message, such as the events included in the incident, assets, vulnerabilities, Advisor attacks, incident history, attachments, and notes. 5 Click OK. 5.4.8 Modifying Incidents 1 Click the Incident tab, then click Incidents >...
5.4.9 Deleting Incidents 1 Click the Incident tab, then click Incidents > Display Incident View Manager, or click the Display Incident View button on the toolbar. The Incident View window displays. 2 Right-click the incident you want to delete and select Delete. 3 A confirmation message displays.
Page 122
iTRAC Workflows The iTRAC workflows are designed to provide a simple, flexible solution for automating and tracking an enterprise’s incident response processes. iTRAC leverages the Sentinel internal incident system to track security or system problems from identification (through correlation rules or manual identification) through resolution.
Major Components of iTRAC Table 6-2 Step A step is an individual unit of work within a workflow; there are manual steps, decision steps, command steps, mail steps, and activity-based steps. Each step displays as an icon within a given workflow template. Transition A transition defines how the workflow moves from one state (activity) to another.
User Interface Description The Navigation Tree in the Navigation pane The toolbar buttons 6.3 Template Manager The Template Manager can be used to create, view, modify, copy, or delete a template. Within the Template Manager you can add, delete, copy, view, and edit templates. Templates can be sorted into folders for easy management. In the Template Manager, you can: Create new workflow templates...
ConditionalTransitionExample CommandExample 6.4 Template Builder Interface Template Builder Interface Figure 6-2 The following panes display in the Template Builder window: Process Tree: This pane displays the steps, transitions and variables added to the template. Users can add steps or variables, and edit or remove steps, variables and transitions. To perform an action on a step, variable or transition: Expand the relevant group in the Tree.
Step Palette: There are four types of steps in the Step Palette. You can drag and drop the steps into the Process pane. Decision Step Mail Step Manual Step Command Step Activities: The activities added in the Activity Manager are shown in this pane and can be added to a workflow template.
4 In the Process Details window, provide a name and description (optional) of the template and click OK. 5 Do one of the following: Drag and drop a step from the Step Palette or an activity from the Activities pane into the Process window.
“Copying Templates” on page 129 “Deleting Templates” on page 129 Viewing/Editing Templates 1 In the Navigator, click iTRAC Administration > Template Manager. 2 Select a template and click View/Edit. The Template Builder displays. Copying Templates One way to create a new workflow template is to copy one of the default templates and modify it. 1 Click the iTRAC tab.
Section 6.5.3, “Decision Step,” on page 134 Section 6.5.4, “Mail Step,” on page 134 “Command Step” on page 134 Section 6.5.6, “Activity Step,” on page 135 Section 6.5.7, “End Step,” on page 136 Section 6.5.8, “Adding Steps to a Workflow,” on page 136 Section 6.5.9, “Managing Steps,”...
Page 131
NOTE: If the value is going to be used later as part of a decision step, it should be marked “Required.” For example, an integer variable can be set by the user to hold the event rate. Output transitions from the manual step can be defined so that if the event rate is greater than 500, one path is followed;...
6.5.3 Decision Step This type of step selects between exit transitions depending on the values of variables defined in prior steps. See Section 6.5.2, “Manual Step,” on page 130 for the available variable types. The decision step itself is very simple; you can edit only the step name and description. The workflow path is determined by the transitions.
Arguments (Can be explicit or variable-driven) Output Variable NOTE: The command must be stored in the <Install_directory>/config/exec directory on the iTRAC workflow server. Symbolic links are not supported. Variables The command output can also be used to set a variable to the appropriate values. Command steps must use String variable types.
NOTE: If the first step of a workflow fails without an error transition, the iTRAC process cannot proceed. 6.5.7 End Step Every workflow template must have an End step to complete every branch of the workflow path. 6.5.8 Adding Steps to a Workflow Steps can be added to a workflow by using the Step Palette or by using a right-click in the Process Builder.
Page 137
“Modifying Steps” on page 137 “Deleting Steps” on page 140 Copying Steps 1 Click the iTRAC tab. 2 In the Navigator, click iTRAC Administration > Template Manager. 3 Select an existing template, then click View/Edit. The iTRAC Process Builder window displays. 4 Select an existing step, right-click, and select Copy Step.
Page 138
2 Provide a name for the step. 3 Attach a role to this step by selecting a role from the drop-down list. For more information on roles, see Chapter 10, “Administration,” on page 219. 4 Click Associate to associate a variable; select the variable from the list or create new variables to be associated.
Page 139
2 Provide a name. 3 Click the Description tab to provide a description for this step. 4 Click OK. To edit a mail step: 1 Right-click a mail step and select Edit Step. 2 Provide a name for the step. 3 Provide To and From mail addresses and a Subject in the General tab.
Page 140
2 Provide a name for this step. 3 Specify the path and name of the command or script to execute (relative to <Install_directory>/config/exec). 4 If you want to run a command or script referenced in a variable that is populated during the workflow process, select the Use Variables check box.
6.6 Transitions Transitions are used to connect steps. There are several types of transitions: Unconditional Conditional Timeout Alert Else Error A transition can have the following attributes: Name Description Destination Expression Timeout Values Different steps have different properties and therefore they are associated with different transition types.
To add an unconditional transition: 1 Open the Process Builder. 2 Right-click an existing step and select Add Transition. 3 Specify a name for the transition. 4 Select Unconditional from the Transition Type list. 5 Click the down-arrow for the Destination field and select a step. 6 Provide a description for this transition and click OK.
Page 143
5 Specify the destination step. 6 Click Set to add an expression. The empty Expression window displays. 7 Click EXP to add the first expression. The evaluation expression is an expression that evaluates to TRUE or FALSE during the workflow process. Select the appropriate drop-down list under Relations to compare a variable to a constant value (Variables and Values) or to another variable (Variables and Variables).
Page 144
8 Select a variable from the Attribute drop-down list or add a new one if desired. 9 Select a condition from the Condition drop-down list. The condition list varies depending on the type of Attribute variable chosen. String Variable Conditions: Integer and Float Variable Conditions:
Page 145
Boolean Variable Conditions: 10 Set the value. 11 Click OK. 12 If a second expression is desired, select the root folder. 13 Repeat steps 7-12 as needed. 14 By default, all expressions at the root level are separated by AND operators. To nest expressions or to use the OR operator, click the appropriate operator button and drag and drop expressions onto that operator.
15 When the expression is complete, click You can edit or delete an existing expression using the Edit and Delete buttons in the Expression window. 16 Click OK. The expressions you provided display in the Transition window under the Expression section. 17 Provide a description for your transition and click OK. 6.6.3 Else Transitions An Else transition leads to a path that is taken from a decision step when the criteria for the Conditional transitions are not met.
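To make the decision-step semantics described above concrete (typed variables, comparisons against a constant or another variable, root-level AND, nested OR, and the Else transition taken when nothing matches), here is an added Python model; it is an example written for this page, not Sentinel or iTRAC code, and the condition names, operator nodes and sample variables are assumptions constructed for the illustration.

```python
"""Model of an iTRAC decision step (added example; not Sentinel code).

Semantics modelled from the guide: variables are String, Integer, Float or
Boolean; an expression compares a variable to a constant or to another
variable; root-level expressions are joined by AND; OR/AND operator nodes
nest expressions; a decision step follows the first Conditional transition
whose expression is TRUE, otherwise the Else transition.
Condition and operator names below are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Union

Value = Union[str, int, float, bool]

# Assumed condition names; the real per-type lists live in the Condition drop-down.
CONDITIONS = {
    "equals": lambda a, b: a == b,
    "not equals": lambda a, b: a != b,
    "greater than": lambda a, b: a > b,
    "less than": lambda a, b: a < b,
    "contains": lambda a, b: b in a,
}
ALLOWED = {
    str: {"equals", "not equals", "contains"},
    int: {"equals", "not equals", "greater than", "less than"},
    float: {"equals", "not equals", "greater than", "less than"},
    bool: {"equals", "not equals"},
}


@dataclass
class Expr:
    attribute: str            # workflow variable name
    condition: str
    value: Value              # constant, or a variable name when var_to_var is True
    var_to_var: bool = False  # "Variables and Variables" comparison

    def evaluate(self, variables):
        left = variables[self.attribute]
        right = variables[self.value] if self.var_to_var else self.value
        vtype = type(left)    # bool is checked before int because type() is exact
        if self.condition not in ALLOWED[vtype]:
            raise ValueError(f"{self.condition!r} is not valid for {vtype.__name__}")
        if vtype in (int, float):
            ok = isinstance(right, (int, float)) and not isinstance(right, bool)
        else:
            ok = type(right) is vtype
        if not ok:
            raise TypeError(f"cannot compare {vtype.__name__} with {type(right).__name__}")
        return CONDITIONS[self.condition](left, right)


@dataclass
class Op:
    operator: str             # "AND" or "OR"
    children: list

    def evaluate(self, variables):
        results = (c.evaluate(variables) for c in self.children)
        return all(results) if self.operator == "AND" else any(results)


@dataclass
class Transition:
    name: str
    destination: str          # name of the destination step
    expression: Union[Expr, Op, None] = None   # None marks the Else transition


def root_and(*exprs):
    """Root-level expressions are separated by AND by default."""
    return Op("AND", list(exprs))


def choose_transition(transitions, variables):
    """Return the destination step: first TRUE conditional, else the Else step."""
    else_step = None
    for t in transitions:
        if t.expression is None:
            else_step = t.destination
        elif t.expression.evaluate(variables):
            return t.destination
    if else_step is None:
        raise RuntimeError("no conditional transition matched and no Else transition defined")
    return else_step


# Constructed sample: the guide's event-rate rule (> 500) combined with a nested OR.
TRANSITIONS = [
    Transition("high-rate", "Escalate",
               root_and(Expr("eventRate", "greater than", 500),
                        Op("OR", [Expr("severity", "equals", "High"),
                                  Expr("criticalAsset", "equals", True)]))),
    Transition("same-host", "ContainHost",
               Expr("initiatorIP", "equals", "targetIP", var_to_var=True)),
    Transition("otherwise", "ReviewManually"),   # Else transition
]

if __name__ == "__main__":
    sample = {"eventRate": 750, "severity": "Low", "criticalAsset": True,
              "initiatorIP": "10.0.0.5", "targetIP": "10.0.0.9"}
    print(choose_transition(TRANSITIONS, sample))
```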
Step_accepted_time is the time when a user accepts (or takes ownership) of the worklist item for this step. If the timeout time period passes without the step being completed, control moves to the next step. Timeout transitions can be set for a manual step or a command step. Step_accepted_time is only relevant for manual steps and should not be selected for a command step.
6 Specify the Alert Time value, in minutes, hours, or days. Click OK. 7 Provide a description for your transition and click OK. 6.6.6 Error Transition An Error transition leads to a path that is taken if an automated step cannot successfully complete. Error transitions can be used for command, mail, and activity steps (for example, if a command step fails to execute).
7 Edit as needed. 8 Click OK until you exit the Transitions window. 9 Click Save. Deleting Transitions 1 Click the iTRAC tab. 2 In the Navigator, click iTRAC Administration > Template Manager. 3 Select an existing template, then click View/Edit. The iTRAC Process Builder window displays.
Section 6.7.5, “Creating iTRAC Activities,” on page 151 Section 6.7.6, “Managing Activities,” on page 154 Activity Pane Figure 6-3 iTRAC activities can be used in iTRAC templates to define a workflow step, or they can be manually executed from within an incident. Sentinel provides three types of actions that can be used to build Activities: Section 6.7.1, “Incident Command Activity,”...
6.7.2 Incident Internal Activity An incident internal activity enables you to mail or attach information from the Sentinel database to the incident associated with the workflow process. Each of these options has a prerequisite. Vulnerability for the Initiator IP address (SIP) or the Target IP address (DIP): This requires that you run a vulnerability scanner and bring the results of the scan into Sentinel by using a Vulnerability (or “information”) Collector.
Page 152
6 (Conditional) If you selected an incident command activity, configure the settings: 6a In the Command Arguments Wizard, specify the command. 6b Provide the arguments for this command. You can select None, Incident Output (Values from the Drop-down list), or specify Custom values. 6c Click Next.
Page 153
6d (Optional) Configure an incident command activity to e-mail the output to a specific address or attach the output to the incident associated with the workflow process in this window. 6e Select Mail and specify the To and From e-mail address and subject. 6f Select Attach to Incident, if required.
7c Click Next. 7d Select your options (Mail and attach). 7e If you select Mail, you are prompted to provide To and From e-mail address and subject. Provide this information and click Next. View and confirm the details you chose in the Summary page and click Finish. 8 (Conditional) If you selected an incident composite activity, configure the settings: 8a Select the activities from the list of available activities and click Next.
2 In the Navigator, click iTRAC Administration > Activity Manager. 3 Click the Import/Export Activity icon. The Import/Export Wizard window displays. 4 Select Export Activity and click Explore. 5 Navigate to where you want to save your exported file. 6 Click Next. 7 Select one or more activities to be exported.
Process execution is the time period during which the process is operational, with process instances being created and managed. When an iTRAC process is executed or instantiated in the iTRAC server, a process instance is created, managed, and eventually terminated by the iTRAC server in accordance with the process definition.
6.8.3 Manual Step Execution On encountering a manual step, the iTRAC server sends out notifications in the form of work items to the assigned resource. If the step was assigned to a role, a work item is sent to all users within the role.
The current step is highlighted in red. 5 Close the window. 6.8.6 Changing Views in the Process Manager 1 Click the iTRAC tab. 2 Click the Display Process Manager icon. 3 Click the drop-down list in Manage View and select the Edit Current View option.
4 In the View Option window, set the following options as necessary: Fields Group by Sort Filter Tree Display 5 Click Apply and Save. The following is a view with Tree Display set to Status (running and not started). 6.8.7 Starting or Terminating a Process 1 Click the iTRAC tab.
Page 160
Work Items A work item is a workflow task assigned to a particular user or role in the iTRAC application. The individual activities to be performed to complete an iTRAC process are listed as work items in the Work Item Summary in the Sentinel Control Center.
Page 162
Work Item Summary Example Figure 7-2 To view a work item: 1 In the Work Item Summary, click the yellow or green bar. A work item list for the group or the current user displays and shows the name and ID of the incident, the workflow process name, and the step name and description. 2 Double-click any work item and click View Details.
Page 163
4 Click Incident to view the details of the associated incident. 5 To take responsibility for this work item, click Acquire. Otherwise, click Cancel. NOTE: Any changes to the incident from this screen must be saved. There is a Save button on the toolbar and another Save button at the bottom of the screen.
The information on the Process Details and Process Overview tabs is defined by the iTRAC workflow designer. For more information on creating workflow templates, see Chapter 6, “iTRAC Workflows,” on page 123. 7.2 Processing a Work Item A work item can be accessed from any part of the main tabbed Sentinel Control Center interface. You can process a work item in a group even if you have logged in as a different user.
Work item assigned to a group (role) Work item assigned to the user under the Analyst role. When you acquire (accept) a work item, it is removed from the queue of all other users in the same role. The work item can be returned to the group by clicking Release. 3 Click View Details.
Page 166
3 In the Work Items window, set the following: User: Name of the user that has acquired the process Group: Name of the group that the user belongs to. In the above example, the user belongs to the Analyst group. Owner Select either <All>...
The toolbar buttons 8.1.1 Top Ten Dashboard The following Top 10 dashboards are available in Sentinel 6.1 and can be downloaded from the Sentinel Content page (http://support.novell.com/products/sentinel/secure/sentinel61.html): Top 10 Target IP Addresses Top 10 Initiating IP Addresses Top 10 Target Host Names...
Page 168
Top 10 Initiating User Names Top 10 Target Port Names Top 10 Event Names The Top 10 dashboards are enabled by default, and the following summaries are turned on to enable the Top 10 dashboards: EventDestSummary EventSevSummary EventSrcSummary If Top 10 dashboards are not needed, you can disable these summaries, or you can enable additional summaries in order to use them for reporting.
5 Right-click DAS_Binary and select Restart. 8.2 Offline Query An offline query is most often used to run queries against large amounts of data. An offline query continues to run even after the user logs out of the Sentinel Control Center, if necessary. NOTE: You can view the result of your query only after it is completely processed.
3 Provide a query name, then select an existing filter to be used for generation of offline query. For more information on the selection and creation of filters see Chapter 3, “Active Views Tab,” on page 4 Select the start date and end date for which you want to generate an offline query. 5 Specify the description in the Description tab.
Event Source Management The Event Source Management (ESM) panel provides a set of tools to manage and monitor connections between Sentinel and the event sources that are providing data to Sentinel. The graphical interface shows at a glance the current event sources and the software components that are processing data from that event source.
Some plug-ins, such as database Connectors, require one or more auxiliary files in order to function. Auxiliary files are typically files that can not be shipped by Novell within the standard plug-in, such as user-specific configuration files or third-party libraries that require specific licenses. In all cases the documentation for the plug-in includes detailed instructions about which auxiliary files are necessary and where they can be obtained.
Event Source Management Live View Figure 9-1 9.2.1 Menu Bar The menu bar has File, View, Tools, and Help options. Event Source Management Menu Bar Figure 9-2 The following are the options available in the each of the menu bar options that are described in the document: File Export Configuration...
Help About Help 9.2.2 Toolbar Event Source Management User Interface Table 9-1 User Interface Description Launch the wizard for connecting to a new event source Import/Export, Reload Event Source Management configurations, and plug-ins. The toolbar contains several tools for displaying objects in ESM. You can zoom the entire graphical view in and out, or zoom directly to a selected region.
You can increase or decrease the magnification factor with the following key combinations: To increase the size of the magnifying glass cursor: Ctrl key + backward scrolling of the mouse wheel To decrease the size of the magnifying glass cursor: Ctrl key + forward scrolling of the mouse wheel To zoom in: Forward movement of the mouse wheel To zoom out: Backward movement of the mouse wheel...
Page 176
Hierarchy Filter The Hierarchy filter sets the display based on the hierarchy you select in this frame. It allows the user to filter the nodes that are displayed in the graphical and tabular view based on the node hierarchy. All children and parents of selected nodes are shown. Hierarchy Filter Frame Figure 9-4 To set Hierarchy filter for displaying components:...
Page 177
Connector Frame Icons Table 9-2 Icon Name Description Adds Connectors to the system. Delete Deletes Connectors. Refresh Refreshes the list. Add Auxiliary Files Adds auxiliary files. For more information, see Auxiliary Files. To add Connector plug-ins: 1 In Sentinel Control Center, click Event Source Management in the menu bar and select Live View or Scratch Pad.
Page 178
Icon Name Description Add Auxiliary Files Adds auxiliary files. For more information, see Section 9.1.3, “Auxiliary Files,” on page 172. To add Collector plug-ins: 1 In Sentinel Control Center, click Event Source Management in the menu bar and select Live View or Scratch Pad.
Page 179
Status Details This frame displays the status details of a selected component in the Health Monitor Display frame. Available status information includes the current state, the number of bytes processed, the number of records sent, the number of Sentinel events sent, and various other status and statistical information. NOTE: The status information varies based on the type of component that is selected.
Overview Frame Figure 9-10 9.3 Live View The ESM panel provides the main user interface to Event Source Management. You can view configuration data in a graphical or tabular view. 9.3.1 Graphical ESM View The graphical view of ESM is the default view in Event Source Management. In the graphical view, you can view the status of a Collector and access the configuration settings of Collectors and Collector related objects as a graph of connected nodes.
Page 181
Collapsed/Expanded nodes: To improve the manageability and performance of the graphical display, Sentinel automatically contracts any node with 20 or more immediate children. This is especially useful for Connectors such as Syslog or Novell Audit that have the ability to automatically configure a large number of event sources.
If you choose not to show this message again, the preferences are saved on that machine and any user logging into Sentinel from that machine does not get an alert again. 9.3.2 Tabular ESM View The components visible in the graphical view of ESM can also be viewed in tabular format. In the tabular view, you can view the status of a Collector in a table and access the configuration settings of Collectors and Collector-related objects.
Page 183
Move: Moves the selected object from its current parent object to another parent object. You can move objects between the views; that is, move from the Live View to the Scratchpad and vice versa. Clone: Creates a new object that has its configuration information prepopulated with the settings of the currently selected object.
Remove selected objects: Removes the selected object along with its children. TIP: Press Shift and click the object to select multiple objects. 9.4 Components of Event Source Hierarchy ESM displays the information on the Collectors and other components in a hierarchy specific to ESM.
Icon Name Description Event Source The event source represents the actual source of data for Sentinel. Server Unlike other components this is not a plug-in, but is a container for metadata, including runtime configuration, about the event source. In some cases a single event source could represent many real sources of event data, for example if multiple devices are writing to a single file.
4 Select the component type by which to limit the view. 9.4.2 Adding Components to the Event Source Hierarchy Although some Sentinel components are preinstalled with the Sentinel system, Novell recommends that you check the Sentinel Content Web site (http://support.novell.com/products/sentinel/ sentinel61.html)
Page 187
2 Select Import Collector Script or Connector plugin package file (.zip). Click Next. 3 Browse to the location of the Connector plugin package file and click OK, then click Next. If the file imported is not in the format specified for the Collector scripts or for the Connector plug-in package, the system displays an error message.
Page 188
To add a Collector plug-in: 1 Click Tools on the menu bar and select Import plugin. The Import Plugin Wizard window displays. You can select from the two options available in this window. 2 Click Next. 3 Do one of the following: If you chose the first option, browse to the location of the Collector script file and click OK, then click Next.
Page 189
Updating Connector/Collector Plug-Ins If a new version of a Connector or Collector is released, you can update the Sentinel system and any deployed instances of the Connector or Collector. NOTE: When you use the Sentinel Control Center to browse to locate a file on the desktop of the Collector Manager, clicking Desktop takes you to the desktop of the user running the Collector Manager, usually SYSTEM.
Page 190
The Plugin details window displays. 5 Select the Update Deployed Plugins option to update any currently deployed plug-ins that use this Connector or Collector. 6 Click View Deployed Plugins to view the plug-ins deployed in the ESM Live View. The number in parentheses represents the number of instances of this plug-in that are currently deployed and configured.
Page 191
Description User Interface Affected Collectors Affected Event Sources/ Connectors/ Event Source Servers: 7 Click Finish. NOTE: When you add a plug-in into Sentinel, it is placed in the Plugin Repository, which enables Sentinel components on other machines to start using the plug-in without adding the plug-in separately.
Page 192
3 Follow the prompts in the Add Connector Wizard. 4 Click Finish. Deploying an Event Source 1 In the main ESM display, locate the Connector to which the new event source will be associated. 2 Right-click the Connector and select the Add Event Source menu item. 3 Follow the prompts in the Add Event Source Wizard.
Page 193
(4.x or 5.x), or built by using the Collector Builder. Connector: A Connector can also be downloaded from the Sentinel Content Web site (http:// support.novell.com/products/sentinel/sentinel61.html). There are also some Connectors included in the installed Sentinel system, but there might be more recent versions on the Web site.
Page 194
Event source types for which you currently have compatible Collector parsing scripts are listed here. 2 Select from the list the event source to which you want to connect and from which you want to collect data. You can click Add More to import an event source. 3 Click Next.
Page 195
5 Click Next. The Select Connection Method window displays. 6 Select a connection method from the list. You can also install additional Connectors by clicking on the Install More Connectors button. For more information, see “Adding Connectors/Collector Plug-Ins” on page 186 to install Connectors.
Page 196
Based on the existing Collectors and Connectors in your system that are compatible with your new event source, one or more of these options might be unavailable. “Creating a new Collector and Connector” on page 198 “Using an existing Collector:” on page 200 “Using an Existing Connector”...
Page 197
Options Description Trust Event Source Time Select Trust Event Source Time to display the Device Time (time when the event occurred) instead of the Event Source Time (time when the event was reported to the console). Set Filter Set the filter by using the Set Filter button. In the Filter window, add/ edit the filters and click OK.
Page 198
Creating a new Collector and Connector 1 In the Select Collector Manager window, select the Collector Manager you want to use and click Next. The Configure Collector Property window displays. 2 Configure the parameters available and click Next. The Configure Collector window displays. 3 Provide the name of the Collector and configure the options as desired:
Page 199
Options Descriptions Name Specify the name of the event source. Select the Run check box if you want to run your Collector automatically. Details Click the Details button to see plug-in details. Alert if no data is received in specified time period Set alerts (with repeated option) indicating what to do if no data is received in a specific period.
Page 200
5 Provide the name of the Connector and configure the options as desired: Options Descriptions Name Specify the name of the event source. Select the Run check box if you want to run your Collector automatically. Details Click the Details button to see plug-in details. Alert if no data is received in specified time period Set alerts (with repeated option) indicating what to do if no data is received in a specific period...
Page 201
After you select this option and click Next, the Select Collector window displays. 2 Select the Collector you want to use and click Next. The Configure Connector window displays. 3 Provide the name of the Connector and configure the options as desired: Options Descriptions Select the Run check box if you want to run your Collector...
Collector code running in place on the Collector Manager For more information on customizing or creating new Collectors, obtain the Novell Developer Kit for Sentinel (http://developer.novell.com/wiki/ index.php?title=Develop_to_Sentinel). Section 9.5.1, “Collector Workspace and Collector Directory,” on page 203 Section 9.5.2, “Debugging Proprietary Collectors,”...
9.5.2 Debugging Proprietary Collectors The Debugging Collector window allows you to debug Collectors written in the Novell proprietary language. The left column on the debugger displays the commands for the current script state. The highlighted command is being executed.
Page 204
Debug Collector Window Figure 9-16 The Events tab displays the events generated using this Collector, and the Upload/Download tab allows you to upload/download another Collector script file to make modifications. The debugger has the following four controls: Debugger Icons Table 9-6 Icon Action Description...
You can view events as well as upload and download the Collector’s script from the Events tab and the Upload/Download tab. Multiple Sentinel Control Center users might connect to the same debugging session. For this reason, a Collector remains in Debug mode until one of the users specifically clicks the debugger’s Stop button.
Page 206
Upload/Download: Upload/Download a JavaScript file here. You can download an existing JavaScript file, edit it, and upload it again into the system to continue debugging. Context: Displays the variable that the debugger is pointing to and its value. Expression: Displays the values of a selected parameter. You can use the following when debugging a Collector.
Page 207
You can choose to debug in Standalone or Live mode. “Standalone Mode” on page 207 “Live Mode” on page 208 Standalone Mode Standalone debug mode allows you to debug a Collector even if the associated Collector Manager is not running. For standalone mode, input to the script comes from an input file rather than a live event source.
Page 208
4 In the Debug Collector window, click Run In the Source text area, the source code of the Collector appears and stops at the first line of the text script. 5 Click the bar on the left and toggle a breakpoint in the script code, then click to go to the next breakpoint.
NOTE: If no event source is started during the debug session, then no data is available in the buffer for the Collector and you see the Collector script’s readData method blocking. In Live debug mode, output from the script is via live Sentinel events. The events can be viewed on the Active Views displays.
IMPORTANT: The account running the Sentinel service on the Collector Manager machine must have permissions to write to the file location. 9.6 Exporting a Configuration You can export the configuration of ESM objects along with their Collector scripts and the Connector plug-ins.
3 Select the Collector scripts from the list to export, then click Next. You can select or deselect all. The Select Connectors Plugin window displays.
4 Select the Connector plug-ins from the list to export, then click Next. You can select or deselect all. The Specify Export File window displays. If you want to view the description and dependents of a particular plug-in in the above window, select that plug-in from the table.
9.7.1 Enabling or Disabling the Import Configuration The Import Configuration option is enabled under the following circumstances: In Live View when you select the Collector Manager, Collector, or Connector; in the Scratchpad when you select any node other than the event source. Import Configuration in Live View and the Scratchpad is disabled if you do the following: Select Sentinel or event source nodes (only in Live View) Do not select any node in Live View...
4 Select the Collector script from the list to import. A color indicator is displayed in the Select Collector Script and Select Connector Plugins window to indicate whether the plug-in is already present in the repository or not. If the plug-in is not present in the repository, the color is displayed as red and if the same version of plug-in exists, the color is green or orange.
6 Select the Connector plug-ins from the list to import. NOTE: To view the description and dependents of a particular plug-in in the above window, select that plug-in from the table. If there are any Collectors or Connectors in the ESM panel that are affected on importing the plug-in, the Affected Collectors or Affected Connectors window is displayed.
9.8 Event Source Management Scratchpad Scratchpad is the Design Mode of the Health Monitor. Through Scratchpad, you can design and configure various items: Collector Managers Collectors Event Sources Connectors Event Source Servers You can right-click the Sentinel icon and add the components. For more information, see Section 9.4.2, “Adding Components to the Event Source Hierarchy,”...
Component: Collector Scripts
Sentinel 5.x: Collector scripts were managed from the Collector Builder in Sentinel 5.x.
Sentinel 6.0: In Sentinel Control Center, Collector scripts are plug-ins in 6.0. A Collector script plug-in must be added to the plug-in repository before it can be deployed as a Collector.
Administration You use the Admin tab to configure filters and reports. You use the User Manager option in the Admin tab to create users and you can assign rights to the users. Section 10.1, “Understanding the Admin Tab,” on page 219 Section 10.2, “Introduction to the User Interface,”...
Sentinel Control Center Figure 10-1 10.2 Introduction to the User Interface In the Admin tab, you can see server views, filter configuration, and user configuration in the Admin Navigator. You can navigate to these functions from: Admin Tab User Interface Table 10-1 User Interface Description...
User Interface Description The Navigation Tree in the Navigation pane The tool bar buttons 10.3 Servers View Through the Servers view you can start, stop, or restart processes that are part of the product installation. The Servers view also allows you to monitor the status of all Sentinel server processes across the system.
Servers View Window Figure 10-2 Start, Stop, or Restart processes: Take these actions on a process by right-clicking the process entry. You cannot stop or restart the following processes by using the right-click options Action > Stop/Restart in the Servers view: DAS_Core Web Server Unix Communication Server...
To arrange which fields you want to be shown, click Fields. To group different attributes, click GroupBy. To sort by different attributes, click Sort. To filter, click Filter. To change the display values of the processes shown in the servers view, click Leaf Attribute.
Filter Manager Window Figure 10-3 10.4.2 Private Filters Private filters are user-owned. Private filters are display filters and are shareable if you have the View Private Filters permission. 10.4.3 Global Filters Global filters are classified as Public filters. Global filters are sequentially processed at the Collector Manager for each event.
Global Filter Configuration Figure 10-4 NOTE: The Action column and the Action Manager button are available only on systems that have Sentinel 6.1 RD Hotfix 2 or later installed. Creating a Global Filter 1 Click the Admin tab. 2 Click Admin > Global Filter Configuration or select Global Filter Configuration in the navigation tree.
The following are the options available in the Route drop-down list: drop: Events are dropped and are not sent to Sentinel Control Center or the Sentinel Server database. database: Events are sent directly to the Sentinel Server database and not sent to the Sentinel Control Center.
Rearranging Global Filters 1 In the Global Configuration window, select a filter and click Up or Down to move it to a different location on the list. 2 Click Save. Deleting a Global Filter NOTE: When you delete a global filter, the confirmation message is not displayed. 1 In the Global Configuration window, select a filter from the list and click Delete.
3 Specify a filter name. The table editor is the default selection for editing the contents. Optionally, you can click Use free form editor to display a free form editor. The free form editor allows you to create complex expressions not possible with the table editor. However, after the expression is modified with the free form editor, the table editor cannot be used with the expression.
Cloning a Public or Private Filter Cloning is a convenient way to duplicate a filter to assure consistency of criteria among a group of filters or users. 1 Open the Filter Manager window. 2 Click Clone. 3 Provide a new filter name. 4 Change any original filter’s criteria.
Color Filter Configuration Figure 10-6 The Color Filter Configuration GUI displays a list of all the color filters that are defined in the order in which they should be applied. If an event meets the criteria for more than one of the color filters, the first color filter configuration is applied.
4 From the list, select a filter to which you want to apply the color filter configuration and click Select, or click Add to create a new filter. For more information on configuring filters, see Section 10.4.4, “Configuring Public and Private Filters,”...
8 In the Color Filter Configuration window, click Background Color. The Pick a Color window displays. 9 Select a color from the Swatches tab. Alternatively, click the HSB or RGB tab and specify the HSB or RGB color value in the respective tab. 10 Click OK.
Event Menu Configuration Figure 10-7 Ping: Ping the destination (or target) IP of the selected event nslookup: Perform an nslookup on the Source (or initiator) IP of the selected event tracert: Perform a tracert from the Source (or initiator) IP of the selected event to the Sentinel Server Whois?: Perform an ARIN Whois? lookup on the Source (or initiator) IP of the selected event To view the configuration details for any of these options, select the item and click Details. The...
Section 10.5.4, “Viewing Event Menu Option Parameters,” on page 236 Section 10.5.5, “Activating or Deactivating an Event Menu Option,” on page 236 Section 10.5.6, “Rearranging Event Menu Options,” on page 236 Section 10.5.7, “Deleting an Event Menu Option,” on page 236 Section 10.5.8, “Editing Your Event Menu Browser Settings,”...
5 Select an action from the drop-down menu or click Add Action to configure a new JavaScript action. The available settings vary based on which action is chosen: Option Description Use browser Displays the output of your command by using the defaults configured for the Web browser, based on the file type.
Launch Web Browser. Any JavaScript action configured in the Action Manager For a list of available tags you can use when specifying parameters, click Help on the Event Menu Configuration dialog box or see “Sentinel 6.1 Rapid Deployment Event Fields” in the Sentinel 6.1 Rapid Deployment Reference Guide.
10.5.8 Editing Your Event Menu Browser Settings This option allows you to send your Event Menu output to an external browser. The external browser can be any application. It is not restricted to Internet browsers. By changing the file extension, you can launch whatever application is associated with that extension. For example, txt is often associated with Notepad.
4 After you set your configuration, click OK. 10.6 DAS Statistics This feature is for internal monitoring of your system. It is not intended for the average user. DAS Statistics monitors the following: DAS_Binary DAS_Core Unix Communication Server Collector_Manager Correlation_Engine Web Server Statistics includes the following:...
For Services, the remote method calls from user-defined services (your XML services) are all under services.RemoteObjectService. Under that it puts the name of the service (such as EMap in the above example) and if asked, the name of the method (getMapPK in the above example). When a request such as a DAS query is received by a server, a task is created and scheduled.
The Mapping tab allows you to: Add new map definitions Edit map definitions Delete map definitions Update map data Mapping works together with the Referenced from Map Data Source setting for individual fields under Section 10.8, “Event Configuration,” on page 249.
The main Mapping GUI displays a listing of all of the maps that have been defined for the system. NOTE: Default Sentinel maps cannot be edited or deleted. 10.7.1 Adding Map Definitions 1 Navigate to the Admin tab and select Map Data Configuration from the navigation pane or click the Map Data Configuration button.
Column names: Specify the column name. Column types: The currently supported column types are: String: A group of characters used as a single object by a computer. A string might consist of a single letter, word, or number. The word FINANCE or IP address 192.168.2.40 might be a string.
11 If you selected Local File in Step 7, you are prompted to upload your file to the Remote Files virtual folder located at <Install_directory>\data\map_data 12 Specify a filename and click OK. 10.7.2 Adding a Number Range Map Definition To use the range map functionality, a map definition must have exactly one key column and the key column must be of type NumberRange.
An example event configuration on the above map might look like: Event Configuration Figure 10-12 In this example, CustomerVar97 is expected to contain a numeric value or a value of a type that can be converted to a numeric value, such as an IP or Date. In the example range map, the value in CustomerVar97 is used to search the range map for the range that the value belongs in (if any).
Using the same setup as the previous example, if the Event Tag is set to TargetIP, the key column is set to column 1 (range), and the Map Column is set to column 2 (value), the output values are written to CustomerVar89. Number Range Map Definition Figure 10-13 Event Configuration Figure 10-14...
10.7.3 Editing Map Definitions 1 Navigate to the Admin tab and select Map Data Configuration from the navigation pane or click the Map Data Configuration button. 2 Expand the folder of interest. 3 Select a map definition and click Edit. The editing function is disabled for map definitions that are under the UNMANAGED ITEMS folder.
3 Select the map definition to be deleted. 4 Click Delete. NOTE: Default Sentinel maps cannot be edited or deleted. 10.7.5 Updating Map Data Updating allows you to replace the map source data file of a map on the server running DAS with another file.
4 Select the new map data source file by clicking Browse and selecting the file with the new map data. After you select the file, the data from the new map data source file displays under the New tab. The map data you are replacing is under the Current tab. 5 Deselect or leave the default setting for Backup Existing Data On Server.
map_updater.sh <uuid> <source path> [nobackup] 6 The data from the new map data source file is uploaded to the server, replacing the contents of the existing map data source file. After the source data is completely uploaded, the map data is regenerated and distributed to map clients (for example, Collector Manager).
is linked to a physical asset. The primary automated update mechanism for asset data is through an asset Collector reading data from a scanner such as Nmap. The asset Collector automates the retrieval of asset information by reading asset data from the scanner and populating the asset schema tables with this data.
Event Mapping Configuration Figure 10-17 Device and Attack Signature Corresponds to the Asset Name Figure 10-18 To configure event tags (columns) to use mapping: 1 Navigate to the Admin tab and click Event Configuration in the navigation pane or click the Event Configuration button.
Select one of the available default maps or select a map you have created. 5 Click the Map Column field down-arrow and select a Map Column name. Depending on your Map Name choice in the previous step, these values vary. _EXIST_ : This is a special map column that exists in every map.
Clicking Apply saves the changes you made for the currently selected event column in a temporary buffer. If you don't click Apply, the changes you made to the previously selected event column are lost when you select a different event column. Changes won’t be saved to the server until you click Save.
4 Click Apply. Clicking Apply saves the changes you made for the currently selected event tag in a temporary buffer. If you don't click Apply, the changes you made to the previously selected event tag are lost when you select a different event tag. Changes aren’t saved to the server until you click Save.
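The number range map lookup described in Section 10.7.2 (a key column of type NumberRange, an event tag such as CustomerVar97 or TargetIP converted to a number, and the matched value written to another tag such as CustomerVar89) together with the _EXIST_ map column, as an added example that is not Sentinel's own code. The "low-high" range notation in the map file, the IP and ISO-date conversions, and the True/False result for _EXIST_ are assumptions made for this example.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample map data: exactly one NumberRange key column ("range")
# and one value column ("value"). The "low-high" range notation is an
# assumption for this example, not a documented Sentinel file format.
MAP_DATA = """range,value
10.0.0.0-10.0.0.255,Finance
10.0.1.0-10.0.1.255,Engineering
1000-1999,Contractor
"""


def to_number(raw):
    """Convert an event field to a float: plain number, IPv4/IPv6 address, or ISO date."""
    if isinstance(raw, (int, float)):
        return float(raw)
    text = str(raw).strip()
    try:
        return float(text)
    except ValueError:
        pass
    try:
        return float(int(ipaddress.ip_address(text)))
    except ValueError:
        pass
    try:
        return datetime.fromisoformat(text).timestamp()
    except ValueError:
        raise ValueError(f"cannot convert {raw!r} to a numeric key") from None


def load_range_map(text):
    """Parse the map file into (low, high, row) tuples, preserving file order."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        low, high = row["range"].split("-", 1)
        rows.append((to_number(low), to_number(high), row))
    return rows


def lookup(range_map, key, map_column):
    """Return map_column of the first range containing key, or None.

    The special _EXIST_ column reports whether any range matched
    (True/False is an assumption for how that column is rendered here).
    """
    try:
        number = to_number(key)
    except ValueError:
        return False if map_column == "_EXIST_" else None
    for low, high, row in range_map:
        if low <= number <= high:
            return True if map_column == "_EXIST_" else row[map_column]
    return False if map_column == "_EXIST_" else None


def apply_mapping(event, event_tag, map_column, target_tag, range_map):
    """Populate target_tag (e.g. CustomerVar89) from the range map keyed on event_tag."""
    result = lookup(range_map, event.get(event_tag), map_column)
    if result is not None:
        event[target_tag] = result
    return event


RANGE_MAP = load_range_map(MAP_DATA)

if __name__ == "__main__":
    sample = {"TargetIP": "10.0.1.7"}
    print(apply_mapping(sample, "TargetIP", "value", "CustomerVar89", RANGE_MAP))
```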
The Report Data Configuration tab allows you to: Enable/disable any predefined summaries View attributes of each summary See the validity of a summary for a period of time Query which Event files need to be run so that the summary is complete The following are all summaries already defined in the system.
2 To disable a summary, click Active in the Status column until it changes to say Inactive. 3 To enable a summary, click Inactive in the Status column until it changes to say Active. 10.9.2 Viewing Information for a Summary 1 Click Report Data Configuration in the navigation pane or click the Report Data Configuration button.
4 Select a time interval. 5 Click Show Graph. The green bars signify that the summary is complete for that time frame. The red sections signify that the summary is missing data during that time period. 10.9.4 Query the Event Files for a Summary 1 Click Report Data Configuration in the navigation pane or click the Report Data Configuration button.
4 Select a time interval. 5 Click Show Event. 6 The event files needed to complete the summary display in a list format. To complete summaries, see Section 10.9.5, “Running the Event Files for a Summary,” on page 258. 10.9.5 Running the Event Files for a Summary 1 Click Report Data Configuration in the navigation pane or click the Report Data Configuration button.
7 Click Process. 10.10 User Configurations You must have the user permission in order to work in the User Configuration window. User configuration allows you to: Section 10.10.1, “Opening the User Manager Window,” on page 259 Section 10.10.2, “Creating a User Account,” on page 259 Section 10.10.3, “Modifying a User Account,”...
Click Add to create, then select a new filter. After assigning a security filter to a user, you cannot delete that filter. 5d Specify the LDAP User DN. For example, cn=sentinel_ldap_user,o=novell NOTE: This field is available only if you have selected “Anonymous searches on LDAP directory”...
5e (Optional) Under Details, specify the following: First Name Last Name Department Phone Email 5f Click the Permissions tab and assign user permissions. For more information about permissions, see “Sentinel Control Center User Permissions” in Sentinel 6.1 Reference Guide. 5g Click the Roles tab and select an iTRAC workflow role for the user. This affects what work items appear in the user’s work list.
Creating a User Account Through Local Authentication 1 Select the Admin tab. 2 Open the User Configuration folder. 3 Open the User Manager window. 4 Click Add a new User, or right-click any user and select Add User. 5 Under Authorization: Select Local for Authentication.
Creating a User Account Through Domain Authentication NOTE: In Sentinel 6.1 Rapid Deployment Hotfix 2, LDAP users are also created by using this option. 1 Select the Admin tab. 2 Open the User Configuration folder. 3 Open the User Manager window. Click Add a new User.
8 Click the Roles tab and select an iTRAC workflow role for the user. This affects what work items appear in the user’s work list. 9 Click OK. NOTE: PostgreSQL does not allow the creation of users named the same as one of the PostgreSQL Reserved words.
You are prompted for a termination message. This option is provided so that you can inform the user why you are killing the session. 3 Provide a message, then click OK. Close the window to terminate the session without sending a message. NOTE: If the client machine has multiple network interfaces, the IP Address displayed in the Active User Sessions window might not be the desired IP address, because the non-loopback IP address of the first NetworkInterface returned by the system is displayed.
Sentinel Data Manager The Sentinel Data Manager (SDM) is a tool by which users can manage the Sentinel database. Section 11.1, “Understanding the Sentinel Data Manager,” on page 267 Section 11.2, “Using the SDM GUI,” on page 267 Section 11.3, “Using the SDM Command Line,” on page 275 11.1 Understanding the Sentinel Data Manager The SDM allows users to perform the following operations: Monitor Database Space Utilization...
Using the Web Interface 1 Log in to the Sentinel 6.1 RD Web interface. For more information, see Section 1.1, “Accessing the Novell Sentinel Web Interface.” 2 Click Applications. 3 Click Launch Data Manager. 4 Open the SDM with the Java Web Start Launcher.
Database Interface PostgreSQL If you select to save your connection settings, the settings are saved to the local sdm.connect file. By default the file is located in <Install_directory>/bin. The next time you start the GUI, the connection settings are repopulated from the file.
Status Description: Online; Archived; Imported: Partition with data that has been archived, dropped from the database, and then re-imported into the database. NOTE: If you delete a partition without archiving it, it is deleted from the partition list in the GUI. Sentinel Data Manager Figure 11-1 At the bottom of the Partitions page, there are several smaller tabs that allow the user to perform the...
Sentinel partitioned tables are organized into two groups. One is the EVENTS table group, which includes EVENTS and CORRELATED_EVENTS; the other is the summary table group, which includes all summary, or aggregate, tables. If any one of the tables in the group is selected, the changes apply to all the tables in the group.
You can specify the archive directory in the Archive Destination field in the Partition configuration tab in the SDM GUI. 3 Click Archive. 11.2.5 Tablespaces Tab The Tablespaces tab in the SDM allows users to view the current database space utilization, including: Total space allocated for each tablespace Space used by each tablespace...
Sentinel Data Manager Figure 11-2 Color-coded bar graphs help to visualize the total space allocated for each tablespace and the percent used of each tablespace. 11.2.6 Partition Configuration The Partition Configuration tab in the SDM allows you to set parameters to auto-archive partitions. It also allows you to auto-add partitions.
Partition Job scheduling through the SDM is reflected only after the partition job refresh interval. The default partition job refresh interval is 5 minutes. To change the partition job refresh interval, edit the partitionJobRefreshInterval option specified in the /opt/novell/sentinel6_rd_x86-64/config/das_core.xml file. The partitionJobRefreshInterval option is provided as part of the Scheduler component in the DAS_Core container.
The SDM command line functions can be used instead of the GUI. The command line can be used to create a batch file or cron job for SDM operations, but Novell® recommends using auto-archiving instead. Auto-archiving can be configured on the Partition Configuration tab of the SDM GUI.
Section 11.3.6, “Dropping Partitions,” on page 278 Section 11.3.7, “Viewing Partition Summaries,” on page 279 Section 11.3.8, “Archiving Data,” on page 280 Section 11.3.9, “Importing Data,” on page 281 Section 11.3.10, “Deleting Imported Data,” on page 282 Section 11.3.11, “Viewing Sentinel Database Space Usage,” on page 283 11.3.1 Prerequisite The first step to using the SDM command line is to create a file that stores the connection properties for the database.
Command Command Flags winAuth Used for Windows authentication. When using this option, -user and -password are not needed. connectFile <filenameToSaveConnection> The application saves all the above connection details along with the encrypted password to the sdm.connect file. All other SDM command line commands refer to the specified file. This step should be completed the first time you use the SDM command line on a machine and every time you want to change the connection details the application uses.
Dropping Partition Flags Table 11-4 Command Command Flags -action dropPartitions -keepDays <number of days to keep> -forceDelete (optional) <either “true” or “false”> This defaults to false if not specified, meaning that only the partitions that are older than keepDays and are already archived are dropped. If this is set to true, all partitions older than keepDays are dropped, even if they have not been archived.
EVT_SEV_SMRY_1 EVT_SRC_SMRY_1 NOTE: You need to have the SDM installed in order to view the partition summary. This command uses the following flags: Viewing Partition Summaries Flags Table 11-5 Command Command Flags -action viewPartitions -tableName <table name> -connectFile <filePath> To View Partition Summaries: 1 Execute this command as follows: -action viewPartitions -tableName <table name>...
NOTE: Sentinel partitioned tables are organized into two groups. One is the EVENTS table group, which includes EVENTS and CORRELATED_EVENTS; the other is the summary table group, which includes all summary, or aggregate, tables. If any one of the tables in the group is specified by the -tableName parameter, the archiveData operation is applied to all tables in that table group.
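The dropPartitions selection rule from Table 11-4 (-keepDays plus the optional -forceDelete, which defaults to false so that only partitions older than keepDays that are already archived are dropped) combined with the table-group rule above, as an added example that is not part of the SDM or of this guide. The Partition record, the use of a partition's last data day as its age, and treating only the "Archived" status as having an archive copy are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Table groups as described in the guide: naming any one table applies the
# operation to the whole group. Summary table names are those the page lists.
EVENTS_GROUP = frozenset({"EVENTS", "CORRELATED_EVENTS"})
SUMMARY_GROUP = frozenset({
    "EVT_DEST_SMRY_1", "EVT_DEST_TXNMY_SMRY_1", "EVT_PORT_SMRY_1",
    "EVT_SEV_SMRY_1", "EVT_SRC_SMRY_1",
})


def table_group(table_name):
    """Resolve -tableName to the full group it belongs to."""
    name = table_name.upper()
    if name in EVENTS_GROUP:
        return EVENTS_GROUP
    if name in SUMMARY_GROUP:
        return SUMMARY_GROUP
    raise ValueError(f"unknown partitioned table: {table_name}")


@dataclass(frozen=True)
class Partition:
    """Constructed partition record (assumption: not the SDM's own data model)."""
    table: str
    name: str
    end_date: date   # last day of data held by the partition
    status: str      # "Online", "Archived" or "Imported" as in the SDM status table


def select_partitions_to_drop(partitions, table_name, keep_days,
                              force_delete=False, today=None):
    """Mirror -action dropPartitions -keepDays N [-forceDelete true|false].

    Only partitions older than keep_days are candidates. With force_delete
    false (the documented default) a candidate is dropped only if it has
    already been archived; with force_delete true every candidate is dropped.
    """
    today = today or date.today()
    cutoff = today - timedelta(days=keep_days)
    group = table_group(table_name)
    selected = []
    for p in partitions:
        if p.table.upper() not in group:
            continue                    # other table group: untouched
        if p.end_date >= cutoff:
            continue                    # within keepDays: never dropped
        has_archive = p.status == "Archived"   # assumption: Imported handled separately
        if force_delete or has_archive:
            selected.append(p)
    return selected


def drop_partitions_flags(keep_days, force_delete=False, connect_file="sdm.connect"):
    """Render the equivalent documented SDM command line flags."""
    flags = f"-action dropPartitions -keepDays {keep_days}"
    if force_delete:
        flags += " -forceDelete true"
    return f"{flags} -connectFile {connect_file}"


# Constructed sample partition list for a run on 2009-12-15.
SAMPLE = [
    Partition("EVENTS", "P_2009_10", date(2009, 10, 31), "Archived"),
    Partition("CORRELATED_EVENTS", "P_2009_10", date(2009, 10, 31), "Online"),
    Partition("EVENTS", "P_2009_11", date(2009, 11, 30), "Online"),
    Partition("EVT_SEV_SMRY_1", "P_2009_10", date(2009, 10, 31), "Archived"),
]
RUN_DAY = date(2009, 12, 15)

if __name__ == "__main__":
    print(drop_partitions_flags(30))
    for p in select_partitions_to_drop(SAMPLE, "EVENTS", 30, today=RUN_DAY):
        print("would drop", p.table, p.name)
```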
If the data has already been imported or there is no archived data found between the specified dates, the command returns a notification. The application imports data from each file into a table and builds the historical view on all the historical tables.
EVT_DEST_SMRY_1 EVT_DEST_TXNMY_SMRY_1 EVT_PORT_SMRY_1 EVT_SEV_SMRY_1 EVT_SRC_SMRY_1 NOTE: The tables are imported in Oracle with the same name they are archived with. If there is no data imported between two specified dates, the command returns a notification. This command uses the following flags: Deleting Imported Data Flags Table 11-8 -action...
Viewing Sentinel Database Space Usage Flags Table 11-9 Command Command Flags -action dbstats -connectFile <filePath> To view Sentinel Database Space Usage (Command Line): 1 Execute the following command: -action dbStats -connectFile <filePath> The following example displays the tablespaces of Sentinel database with their total space, used space and free space available.
Utilities This section helps you to understand the utilities provided by Sentinel Section 12.1, “Introduction to Sentinel Utilities,” on page 285 Section 12.2, “Starting and Stopping a Sentinel Server,” on page 285 Section 12.3, “Sentinel Scripts,” on page 286 Section 12.4, “Version Information,” on page 289 Section 12.5, “Database Cleanup,”...
Patches Hotfixes Section 12.2.1, “Starting a Sentinel Server,” on page 286 Section 12.2.2, “Stopping a Sentinel Server,” on page 286 12.2.1 Starting a Sentinel Server 1 Log in to the machine where the Sentinel server you want to start is installed, as the Sentinel Administrator operating system user.
Script File Description BackupIncidentData.sh Used to back up incident-related data before running the delete incident utilities. For more information, contact Novell Support (http://support.novell.com/ phone.html?sourceidint=suplnav4_phonesup). Clean_Database.sh Used to delete incidents or Identity information from the database. For more information, see Section 12.5, “Database Cleanup,” on page 289.
Troubleshooting Scripts Table 12-2 Script File Description Removes Sonic lock files in the event of an abnormal shutdown. start_broker.sh Starts the message bus component of the communication server. This script is useful if you are having problems starting the message bus. This script is automatically run by the installer. For more information, see “Starting the Communication Server in Console Mode”...
12.4 Version Information The following processes provide information about versions: Section 12.4.1, “Executable Version Information,” on page 289 Section 12.4.2, “Sentinel .jar Version Information,” on page 289 12.4.1 Executable Version Information Sentinel has a command line option to display the version information of the agentengine executable: 1 Go to:...
Clean_Database The user running the script must be the novell user, and each script must have its permissions set so that only the novell user is allowed to execute the cleanup script. The user running the PostgreSQL script must have permission to access/execute all of the database tools and utilities.
NOTE: You can cancel the execution of the cleanup script at any time by entering at any prompt. 2 At the prompt, indicate which objects you want to remove from the database: Which objects would you like to cleanup? (1) Incidents (2) Identities (3) Both 3 At the prompts, enter the following information to connect to the PostgreSQL database:...
5c At the prompt, enter the novell user’s password. 12.6 Updating Your License Key If your Sentinel license key has expired and Novell has issued you a new one, run the software key program to update your license key. 1 Log into the Sentinel Server machine as the Sentinel Administrator operating system user.
Quick Start This section assumes that your security administrator has built the necessary filters and configured Collectors for your system. Section 13.1, “Security Analysts,” on page 293 Section 13.2, “Creating Incidents,” on page 297 Section 13.3, “iTRAC,” on page 298 Section 13.4, “Correlation,”...
4 Click Finish. If you have an active network, you might see something similar to: NOTE: To display a 3-D graph without real-time events, click the Display Events down-arrow and select No. 13.1.2 Exploit Detection To view any events indicating a possible exploitation, you must have the following: Advisor Feed Intrusion detection Vulnerability scanning...
Severity, Vulnerability, and AttackId Columns Figure 13-1 Within an event, the values in the Vulnerability field convey the following: When the Vulnerability field equals 1, the asset or destination device is possibly exploited. When the Vulnerability field equals 0, the asset or destination device is not being exploited. When the Vulnerability field is blank, the exploit detection feature of Sentinel is not enabled.
13.1.4 Event Query You can use an event query to find out if your system has been attacked. For example, during monitoring, you see numerous Telnet attempts from source IP 10.0.0.1. Telnet attempts could be an attack. Telnet potentially allows an attacker to remotely connect to a remote computer as if they were locally connected.
If you want to see how often in general this user is attempting a Telnet, remove DestinationIP, SensorType, and Severity from your filter or create a new filter. The results show all the destination IPs this user is attempting to Telnet to. If any of your events are correlated events, you can right-click View Trigger Events to find what events triggered that correlated event.
2 In the Create Incident dialog box, provide the following information: Title State Severity Priority Category Responsible Description Resolution 3 Click Create. The incident is added to the Incidents page of the Sentinel Control Center. To do this, you must have user permission to create incidents. 13.3 iTRAC This section gives an overview of iTRAC.
The example procedure does the following: Asks the user to decide if a preliminary look indicates that the network has been attacked. This leads to a decision step. NOTE: All decision steps provide different execution paths, depending on the value of the variable defined in the previous step.
5a4 In the Process Variables window, select the Variable Type as String. 5a5 Set the Default Value to yes. 5a6 (Optional) Under the Description tab, specify Initial evaluation of events to determine if there has been an attack. 5a7 Click OK. 5a8 Select the newly created association, then click until the step is renamed.
5b4 (Optional) Under the Description tab, specify To further evaluate after collecting of events to determine if there has been an attack. 5b5 Click OK to rename the step. 5c Manual Step-2 to Prevent Future Attacks: 5c1 Set Role to Analyst. 5c2 (Optional) Under the Description tab, specify Take measures to stop the attack.
5d5 Click OK. 5e Mail Step-4 to Prevent Future Attacks: 5e1 In the To field, specify your e-mail address. 5e2 In the From field, specify a made up e-mail address. 5e3 In the Subject field, specify Proper Attack Measures Taken. 5e4 (Optional) Under the Body tab, specify This e-mail is generated from a tutorial (simulation) iTRAC process.
Under the Description tab, provide a description such as Decision if there has been an attack or not. 6 Right-click Start and select Add Start Transition. Select Decide If Hacked as the destination. 7 Right-click Decide If Hacked and select Add Transition. Specify the following: Name: Specify Decision.
13 Click Set > EXP. 13a Select Variables and Values. 13b Select Attribute Hacked. 13c Select Condition equals. 13d Specify a value of yes. 13e Click OK until the transition is complete.
14 Right-click Collect Data and select Add Transition. Select and specify the following: Name: Hacked or Not? Type: Unconditional Destination: Hacked or Not 15 Right-click Hacked or Not and select Add Transition. Specify the following: Name: Not Hacked. Type: Else. Destination: Not Hacked.
To run this process, it must first be assigned to an incident. To start or terminate a process: 1 Click the Incident tab. 2 Click Incidents > Create Incidents. 3 Specify the following: Title: iTRAC Tutorial. Category: Other. Responsible: assign this incident to yourself. 4 Click the iTRAC tab, then select iTRAC Process Tutorial.
Page 307
The red highlighted step indicates what step this process is currently in. 9 To start the steps within this process, click the Process Details tab. For this manual step, the variable yes is specified. Providing another value such as no or else (no attack) results in an e-mail that completes the process.
10 In the Work Items window, select the process and click View Details. The Collect Data step should be highlighted in red. As before, this is a manual step. 11 Click the Process Details tab. 12 Again, the variable page displays. In the previous step of the iTRAC Process, Collect Data is a step to further determine by analyzing the events of interest if an attack has occurred.
13.4.1 Creating a Simple Correlation Rule 1 Click the Correlation tab and select Correlation Rule Manager in the navigation bar. 2 In the Correlation Rule Manager window, click Add. 3 Click Simple to create a simple rule. 4 Select All in the Fire if drop-down menu. 5 Specify the following SourcePort = 10025 DestinationPort = 25...
3 (Optional) In the Deploy Rule window, add an action. This allows you to: Configure Correlated Event, Add to Dynamic List, Remove from Dynamic List, Execute a Command, Send Email, Create Incident. 4 Click Next. A deployed rule is indicated by the color green. 13.4.3 Viewing the Events that Triggered Your Correlated Event 1 Right-click the correlated event.
Although Solution Packs have many uses, one of the most important uses is to package content related to governance and regulatory compliance into a comprehensible and easily enforceable framework that is easy to deploy. Novell and its partners offer and extend Solution Packs around such regulations or other customer needs.
14.1.1 Components of a Solution Pack Solution Packs consist of categories, controls, content, and content groups. These components are represented in a hierarchy. The following image depicts the hierarchy in a Solution Pack: Figure 14-1 Solution Pack Hierarchy. The table below describes each level in a Solution Pack hierarchy. Table 14-1 Solution Pack Hierarchy Levels: Icon...
Table 14-2 Types of Content Group. Event Configuration: A content group that contains a map definition and the configuration of one or more related Sentinel meta tags. This icon is also used for the meta tag configuration definition. Indicates the map definition instance.
The user should change the status of the control to Implemented after following all of these steps. Testing a control is the process to verify the content associated with the control. Novell Solution Packs include detailed documentation describing testing steps. The user should change the status of the control to Tested after following all of these steps.
14.2.1 Solution Manager Interface The Solution Manager window is divided into two frames: Content and Documentation. “Content Frame” on page 315 “Documentation Frame” on page 316 Content Frame The Content frame shows the information extracted from the Solution Pack ZIP file. It displays a hierarchical view of the category, control, content group, and various types of content.
Documentation Frame The Documentation frame provides a description of the selected node. The information was provided when you created the Solution Pack by using the Solution Designer. For more information on the Solution Designer, see Section 14.4, “Solution Designer,” on page 331. The following informational tabs, which are populated and edited by using the Solution Designer, are available in the Documentation frame: Description: Displays the description of the selected node.
(http://support.novell.com/products/sentinel/sentinel61.html) (an additional license might be needed). Solution Packs can also be provided by one of Novell’s partners, or they can be created from content in your own Sentinel system. The first step in using a Solution Pack is to import the file into the system by using the Import .zip...
Page 318
3 Select Import Solution package plug-in file (.zip), then click Next. The Choose Plugin Package File window displays. 4 Use the Browse button to locate the Solution Pack to import into the plug-in repository. Select a ZIP file and click Open. If you have selected a Solution Pack that already exists, the Replace Existing Plugin window displays.
If you select the Launch Solution Manager check box, the Solution Manager displays. 8 Click Finish. 14.3.2 Opening Solution Packs To use the Solution Manager and view the contents of a Solution Pack, a user must be assigned Solution Manager permissions. For more information, see Section 14.1.2, “Permissions for Using Solution Packs,”...
Page 320
Content Comparison When the Solution Pack is opened, the Solution Manager compares the contents of the Solution Pack to other Solution Pack content from different Solution Packs or previous versions of the same Solution Pack. Table 14-3 Content Status: Icon | Name | Description. Installed...
14.3.3 Installing Content from Solution Packs To use the content of a Solution Pack in the Sentinel Control Center, you must install the Solution Pack or selected controls in a Sentinel system (also known as the “target” Sentinel system). “Installing the Contents of a Solution Pack” on page 321 “Correlation Rules and Actions”...
Page 322
5 Click Install. After installation, the Finish button displays. 6 Click Finish. If the installation fails for any content item in the control, the Solution Manager rolls back all the contents in that control to uninstalled. There are special considerations for installing certain types of content, including correlation rules and reports;...
Page 323
Figure 14-4 Unavailable Correlation Engines. The Execute Script Correlation action (created in Sentinel 6.0) cannot run on a particular correlation engine if the installation of the JavaScript code fails for that correlation engine. The file can be manually copied to the proper directory on the correlation engine. In a default installation, the proper directory is <Install_directory>/config/exec. If an Execute Command correlation action is associated with the correlation rule, the Solution...
Page 324
Sentinel Core Event Source List Sentinel Core Event Source Overview Sentinel Core Incident Management Dashboard Sentinel Core Incident Status Summary Sentinel Core Internal Events Sentinel Core Solution Pack Audit Trail Sentinel Core Solution Pack Status Dashboard Content Placeholders Only fully defined controls can be installed. For controls that contain placeholders, the Install option is disabled: The following warning displays in the Description frame: Duplicate Content within a Solution Pack...
For example, the rule from the Solution Pack might be named Unauthorized Firewall Change (1). The existing rule in the Sentinel system is unchanged. NOTE: To prevent confusion for end users, Novell recommends that one of these rules be renamed. 14.3.4 Implementing Controls...
5 Add notes to the Notes tab of the Documentation frame as necessary to document progress or necessary deviations from the recommended implementation steps. 6 When the implementation is complete, select the control and change the status drop-down to Implemented. An audit event is generated and sent to the Sentinel Control Center.
Page 327
When a control is uninstalled, the status for the control reverts to Not Implemented and child content is deleted from the Sentinel system. There are a few exceptions and special cases: Dependencies are checked to ensure that no content that is still in use is deleted. Some examples of this include a dynamic list that is used by a correlation rule created in the target Sentinel system, a report that is used in a control that is still installed, an iTRAC workflow template that is used in a Solution Pack that is still installed, or a folder that still contains other...
4 Click Uninstall. The selected contents are uninstalled. You cannot uninstall local reports from a different Sentinel Control Center machine than the one that they were installed on, or if the files were copied to a new location after installation. If the Solution Manager cannot find the .rpt files in the expected location, a message is logged...
Page 329
Tested: This status indicates that a user has completed all of the testing steps and manually set the control status to Tested. Out of Sync: This status indicates that a different version of the content in the Solution Pack is deployed in the Sentinel target system by another Solution Pack or a previous version of the same Solution Pack.
5 To save the PDF, click Browse. Navigate to the location where you want to save the PDF and specify a filename. Click Save. Audit Events in the Sentinel Control Center All major actions related to Solution Packs and controls are audited by the Sentinel system, with information about which user performed the action.
All deletions are audited by the Sentinel system and sent to both the Sentinel Control Center and the Sentinel database. 1 Click the Tool menu and select Solution Packs. The Solution Packs window displays. 2 Select the Solution Pack you want to delete and click the Open icon on the toolbar. 3 Select the Solution Pack node and click Uninstall.
Figure: Solution Pack Documentation Frames. 14.4.2 Connection Modes Solution Packs can be created or edited in the Solution Designer in connected or offline modes. In offline mode, there is no connection to an active Sentinel server or its content (such as event enrichment or correlation rules).
To open the Solution Designer in offline mode: 1 Start the Solution Designer by executing the following command: <Install_directory>/bin/solution_designer.sh The Sentinel Solution Designer login window is displayed. 2 Provide your login credentials. Select the Work Offline check box if desired, then click Login. The Solution Designer is displayed.
2 Click File > New. An empty Solution Pack displays in the Solution Pack frame. 3 Add Categories, controls, content groups, and content placeholders, using the proper procedures for each. 4 Add file attachments to the hierarchy nodes as desired. 5 Click File >...
14.4.5 Adding Content to a Solution Pack A vital part of creating a Solution Pack is adding content to the controls. Each control can have one or more types of content associated with it. “Sentinel Content” on page 336 “JasperReports” on page 337 “Placeholders”...
Page 337
JasperReports You can add a JasperReport (.jpz file) from a local file system. Adding a JasperReport is similar to adding other types of content. 1 Log into Solution Designer in connected mode or offline mode, then open or create a Solution Pack.
Icon Name Description View Views an attachment. Select a node, right-click the attachment in the Attachment panel, then select View File. The file displays in the associated application. Rename Renames an attachment. Select a node, right-click the attachment in the Attachment panel, then select Rename.
14.4.7 Editing a Solution Pack A saved Solution Pack can be edited by using the Solution Designer. For information about deploying the changes into an existing system, see Section 14.5, “Deploying an Edited Solution Pack,” on page 340. When an existing Solution Pack is saved, the user has several options: Save: Saves an updated version of the original Solution Pack.
6 Click File > Save, Save As, or Save As New, and save the file to the location you want. If you selected Save or Save As and some of the content is out of sync, you are prompted to synchronize.
Action Manager and Integrator Actions are used to execute some type of action in Sentinel, either manually or automatically. An action plug-in framework was introduced in Sentinel 6.1. This framework consolidates several different ways of executing actions in Sentinel 6.0. The same Action framework is now used to execute actions in all of the following contexts: When a deployed correlation rule fires (automatic) When a user chooses the action from within an incident...
Page 342
Send an Email Create an Incident Execute JavaScript Action Plug-ins NOTE: Except for JavaScript actions, the actions above can only be used in the context of a correlation rule deployment. For more information about correlation-only actions, see the Correlation section. This section focuses exclusively on JavaScript action plug-ins and actions. Using the Action Manager you can import, create, and manage action plug-ins (.zip files) and...
15.2 Action Plug-Ins You can download action plug-ins from the Sentinel Content Site (http://support.novell.com/ products/sentinel/sentinel61.html). Action plug-ins are frequently included in Solution Packs. Also, JavaScript actions used in Execute Script actions in versions of Sentinel before Sentinel 6.1 Rapid Deployment can be converted to action plug-ins by using the Action Manager.
Page 344
3 Click the Add icon on the top left corner to import plug-ins. The Plugin Import Type window displays. 4 Select Import an Action plugin file (.zip). Click Next. The Choose Plugin Package File window displays.
Page 345
5 Browse to the location of the plug-in package file and click OK, then click Next. If the file you have selected is not the proper format, the Next button does not activate. If you are updating an already-imported plug-in file, you are provided with the option of updating the existing plug-in, going back and selecting a different plug-in, or canceling the import.
15.2.2 Importing JavaScript Files Although JavaScript action plug-ins can be obtained from Novell, it is also possible to create and manage your own JavaScript action plug-ins. Plug-ins can be created by using JavaScript files that were used in the Execute Script command in versions prior to Sentinel 6.1 Rapid Deployment, or they can be created using any JavaScript file written by using the Sentinel JavaScript API.
Page 347
2 Click Manage Plugins. The Action Plugin Manager window displays. 3 Click the Add icon on the top left corner to import plug-ins. The Plugin Import Type window displays.
Page 348
4 Select Import an Action plugin from directory. The Choose JavaScript Directory window displays. 5 Browse to the location of the JavaScript plug-in directory and click OK, then click Next.
Page 349
6 The Action Plugin Detail window displays. Provide the required information. Attach a main JavaScript file and a help file. If the file you have selected is not the correct format, the Next button does not activate. When you are updating an already-imported JavaScript file, you are provided with the option of updating the existing plug-in, going back and selecting a different plug-in, or canceling the import.
Page 350
8 Select the objects that the JavaScript action requires. This affects where the action is available in the interface. For more information, see Table 15-1 on page 346. 9 Click Next. The Plugin Parameters window displays.
Page 351
10 (Optional) Click the Add button to add parameters that can be set when an action is configured. This option should be used for any JavaScript files that expect to receive parameterized information. The Parameter Definition window displays.
Page 352
10a Specify the parameter name. The name used here should be identical to the one used in the scriptEnv.getParameter JavaScript API method in the script that is being imported. 10b Select the parameter type from the Type drop-down list. The various parameter types available are: String: Accepts string values for the parameter.
Page 353
<Directory Name>_<Randomly Generated Number>_bak.zip, where <Directory Name> is the directory in which the plug-in is created. The following is an example package.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<JavaScriptActionPackage>
<ID>FA6944D0-DC43-102A-976F-001321B5C0B3</ID>
<Name>Example JavaScript Plugin</Name>
<Type>JAVASCRIPT_ACTION</Type>
<DisplayName>Example JavaScript Plugin</DisplayName>
<Author>Novell Engineering</Author>
<Version>61r1</Version>
<ReleaseDate>1206414663439</ReleaseDate>
<MainScriptFile>example.js</MainScriptFile>
<Description>An example JavaScript Action plugin.</Description>
</JavaScriptActionPackage>
NOTE: When a plug-in is created from a JavaScript file and an existing package.xml file, the package.xml file is updated with the list of files contained in the package, hash codes, current dates, and so on.
If you select an action plug-in that is configured to use an Integrator to connect to an external system, the Add Integrator button displays. The parameters for the selected plug-in display. For actions provided by Novell, more information about configuration and the available parameters is available in the help file for the action.
15.3.5 Developing JavaScript Actions This section provides only basic information about developing JavaScript actions. For more information, see the Novell Developer Community web site (http://developer.novell.com/ wiki/index.php?title=Develop_to_Sentinel). “Creating a JavaScript Action” on page 356 “Debugging JavaScript Actions” on page 357...
Page 357
Debugging JavaScript Actions You can debug JavaScript files from the Sentinel Control Center with the help of the JavaScript debugger. The JavaScript debugger is a local debugger that executes scripts with respect to the machine on which the Sentinel Control Center is running. The JavaScript debugger instantiates a debug session from the Data Access Service (DAS) machine.
Page 358
2 Right-click a JavaScript action associated with a correlation rule and select Debug. The Debug JavaScript Correlation Action window displays. The screen displays the following message: Retrieved source file, waiting for associated correlation rule to fire The correlation rule must fire (and a correlated event or incident must be created) before you can debug the script.
Page 359
3 Click Run. The debugger panel displays the source code and positions the cursor on the first line of the script.
Integrators allow Sentinel to connect to other external systems, for example, an LDAP server, SMTP server, or SOAP server. JavaScript actions can use Integrators to interact with other systems. For example, you can set the attribute in Novell eDirectory (an LDAP server) to enable or disable a user, edit details and so on.
For more information on specific Integrators, see the documentation that is available with the Integrators. You can download the updated Integrators from the Sentinel documentation Web site (http://www.novell.com/documentation/sentinel61). Alternatively, you can view the Integrators documentation by clicking the Help button in Integrator Manager after configuring the Integrator. 15.4.1 Permissions for Using Integrators To use the Integrator Manager, a user must be assigned the necessary permissions in the User Manager.
6 Select View Integrators, Manage Integrators, Manage Integrator Plugins, or Integrators (which automatically selects all child permissions). The new permissions are applied the next time the user logs in. For more information, see “Sentinel 6.1 Rapid Deployment Control Center User Permissions”...
The server tests the Integrator in the same service that uses it when actions are executed. 3 Click OK. 15.6.5 Viewing Integrator Health Details 1 Click Tools > Integrator Manager. The Integrator Manager window displays. 2 Select an Integrator from the left pane.
The Health screen displays the Refresh Health State, Time of last occurrence, its method calls, and the related events of the selected Integrator configuration. Integrator API Calls: Indicates the count, status, and timing of both the connection and the method calls made through the API of the selected Integrator. For more information on JavaScript plug-ins, see Section 15.1, “Action Manager,”...
Page 366
3 Click the Integrator Events button. The Query window displays. All the events related to the configured Integrator automatically display in the Query window. You can filter the displayed events by using the filter criteria. For more information, see Section 3.9.3, “Historical Event Query,” on page...
15.6.7 Using Integrators from Actions Some actions might require an Integrator in order to make a connection to an external system. You can write or customize JavaScript code that connects to an external system by using the Integrator and executes methods appropriate for the external system. Because all the connection and other configuration information is already configured as part of the Integrator, the code only needs to perform a task on the system with which it integrates.
Page 368
Novell® provides an optional integration with Novell Identity Manager. The screenshots and descriptions in this section are based on Novell Identity Manager. Sentinel 6.1 Rapid Deployment synchronizes identity information with major identity management systems and stores local copies of key information about each Identity.
Figure 16-2 Identity Details. 16.1 Integration with Novell Identity Manager Integration with Novell Identity Manager is available as part of the Novell Compliance Management Platform 1.0.1 and Novell Compliance Management extension for SAP environments 1.0.1, which includes the following components: Sentinel 6.1 Rapid Deployment...
Page 371
Identity Manager Driver for Sentinel 3.6. For more information, see Novell Compliance Management Platform (http://www.novell.com/ documentation/ncmp10/) and Novell Compliance Management Platform extension for SAP environments 1.0 (http://www.novell.com/documentation/ncmp_sap10/). The solution also requires identity-enabled Collectors, which are available for download at the Standard Sentinel Content download Web site (http://support.novell.com/products/sentinel/ sentinel61.html).
Page 372
Column Label | Populated by which Map | Key Field : Event Label from IdentityAccount Map
Department | InitUserDepartment | Account Name : InitUserName; Authority : InitUserDomain; Customer Name : MSSPCustomerName
Full Name | InitUserFullName | Account Name : InitUserName; Authority : InitUserDomain; Customer Name : MSSPCustomerName
Identity GUID | InitUserIdentity | Account Name : InitUserName...
16.2 Identity Browser The Identity Browser in Sentinel allows you to search and view user profiles of the identities in the Sentinel database that have been synchronized from the identity management system. In addition to information from the identity management system, the Identity Browser also shows recent activity for the user that has been collected using the Sentinel Collectors.
TIP: You can input letters to view all the identities whose first or last name starts with the letters. For example, if the user enters the letters “a,b” the names Abraham, Abdullah and so on are matched. If the search is broad, the results show the first 100 names with a Load <x> More Records button, where <x>...
Page 375
2 Type the first name or first character of the profile in the Search box. Click the Search icon. The searched profile displays. 3 Click the View Full Profile button. The user profile displays: Using the view profile window, you can view User Profile, Accounts, and Recent Activities performed by the user.
Page 376
You can access Accounts in Active View by right-clicking an event generated by the Identity Collector and by selecting the Show Identity Details option. Select the Initiator, Target, or Both option. The account details of the associated Identity in that event display in a pop-up window. 5 Select Recent Activity.
The contextual event information, such as Authentication, Access, and Permission change events for that identity, is displayed. The events displayed are limited to the last 10 events in each category, as shown below: 16.2.3 Using the Clipboard Functionality You can use the clipboard functionality to copy the data of the User Profile, Recent Activity, or Accounts tabs.
Advisor Usage and Maintenance Advisor is an optional data subscription service that provides device-level correlation between real-time events from intrusion detection and prevention systems and enterprise vulnerability scan results. By providing normalized attack information, Advisor acts as an early warning service to detect attacks against vulnerable systems.
Page 380
Supported Systems | Device Type | RV31 Value
Symantec Intruder Alert | | Intruder
McAfee* IntruShield* | | IntruShield
eEYE* Retina* | VULN | Retina
Foundstone* Foundscan* | VULN | Foundstone
ISS Database Scanner | VULN | Database Scanner
ISS Internet Scanner | VULN | Internet Scanner
ISS System Scanner | VULN | System Scanner
ISS Wireless Scanner | VULN | Wireless Scanner
Nessus*...
Exploit Detection. The Advisor service is updated every 6 hours based on updates from the various security device vendors. All Collectors shipped by Novell® meet the above requirements, as long as they are declared as being supported by Advisor. If you want to write your own vulnerability or intrusion detection...
Section 17.1, “Understanding Advisor,” on page 379. To update Advisor, new data files need to be downloaded from the Novell Advisor server and loaded into the Sentinel database on a regular basis. Advisor Updates NOTE: Novell recommends that you install the latest service pack for Sentinel.
3 Open advisor_client.xml in a text editor and make changes to the areas shown below: <property name="advisor.mail.from">fromNAME@domain.com</property> <property name="advisor.mailto.list">toNAME@domain.com</property> <property name="advisor.notify.success">false</property> NOTE: To send messages to more than one address, provide comma-separated e-mail addresses without spaces. 17.4.3 Changing the Scheduled Data Update Time When you are installing Advisor in Direct Download mode, you can select to update Advisor on a 6-hour or 12-hour schedule.
Page 384
Sentinel 6.1 Rapid Deployment (RD) is a simplified version of, and an alternate platform for, Novell® Sentinel. It provides a security information and event management (SIEM) solution that automates the collection, analysis, and reporting of system, network, application, and security logs to help organizations manage IT risks.
Page 386
The data collection components are downloaded from the Novell Sentinel Content page and are installed to the Collector Managers via a central ESM interface.
Components Description Collector Builder The Collector Builder helps you develop new Collectors from scratch by using the proprietary language. It is similar to an IDE. Sentinel 6.1 Rapid Deployment also provides the ability to develop Collectors in JavaScript by using third-party tools such as Eclipse. PostgreSQL Server Sentinel requires a back-end database component to store the data.
A.3.1 Communication Server Sentinel 6.1 Rapid Deployment uses Apache ActiveMQ, an open source message broker. The architecture is built around Java Message Oriented Middleware (JMOM), which supports asynchronous calls between the client and server applications. Message queues provide temporary storage when the destination program is busy or not connected.
An event is made up of more than 200 tags. Tags are of different types and have different purposes. There are some predefined tags such as severity, criticality, destination IP, and destination port. There are two sets of configurable tags: reserved tags are for Novell internal use to allow future expansion and customer tags are for customer extensions.
Page 390
Streaming Maps The Map Service employs a dynamic update model and streams the maps from one point to another, avoiding the buildup of large static maps in dynamic memory. The value of this streaming capability is particularly relevant in a mission-critical real-time system such as Sentinel where there must be a steady, predictive, and agile movement of data independent of any transient load on the system.
Page 391
ISS Wireless Scanner Nessus nCircle IP360 Qualys QualysGuard You need at least one vulnerability scanner and either an intrusion detection system, IPS, or firewall from each category above. The intrusion detection system and Firewall DeviceName (rv31) must appear in the event as shown above. Also, the intrusion detection system and the firewall must properly populate the DeviceAttackName (rt1) field (for example, WEB-PHP Mambo uploadimage.php access).
Page 392
By default, there are two configured event columns used for exploit detection and they are referenced from a map (all mapped tags have the Scroll icon). Figure A-4 Vulnerability AttackId Event Columns. When the Vulnerability field (vul) equals 1, the asset or destination device is exploited. If the Vulnerability field equals 0, the asset or destination device is not exploited.
Figure A-6 attackNormalization.csv Sample. The Vulnerability tag has a column entry _EXIST_, which means that the map result value is 1 if the key is in IsExploitWatchlist (the exploitDetection.csv file) or 0 if it is not. The key columns for the vulnerability tag are IP and NormalizedAttackId.
takes the data from the source system, performs the transformations, and presents the events for later analysis, visualization, and reporting purposes. The framework delivers the following components and benefits: Collectors: Parse and normalize events from various systems. Connectors: Connect to the data source to get raw data. Taxonomy: Allows data from disparate sources to be categorized consistently.
Figure A-8 Sentinel Time. 1. By default, the event time is set to Collector Manager time. The ideal time is the device time. Therefore it is best to set the event time to the device time if the device time is available, accurate, and properly parsed by the Collector.
Audit Events Audit events are generated internally. Each time an audited method is called or an audited data object is modified, the audit framework generates audit events. There are two types of Audit events: one that monitors user actions such as user login/out, add/delete user and another that monitors system actions and health, such as process start/stop.
Page 397
Figure A-9 Sentinel Server Architecture. Sentinel Service (Watchdog) Watchdog is a Sentinel process that manages other Sentinel processes. If a process other than Watchdog stops, Watchdog reports this and then restarts that process. If this service is stopped, it stops all Sentinel processes on that machine. It executes and reports the health of other Sentinel processes.
These processes are controlled by the following configuration files: das_binary.xml: Used for event and correlated event insertion operations das_core.xml: All other database operations DAS receives requests from the different Sentinel processes, converts them to a query against the database, processes the result from the database, and converts it back to a reply. It supports requests to retrieve events for Quick Query and Event Drill Down, in order to retrieve vulnerability information and advisor information and to manipulate configuration information.
Figure A-10 Sentinel Logical Layers. The collection and enrichment layer aggregates the events from external data sources, transforms the device-specific formats into Sentinel format, enriches the native event sources with business-relevant data, and dispatches the event packets to the message bus. The key component orchestrating this function is the Collector, aided by a taxonomy mapping and global filter service.
Page 400
Data aggregated by the Collectors in the form of events is subsequently normalized and transformed into XML format, enriched with a series of metadata (that is, data about data) using a set of business relevance services, and propagated to the server side for further computational analysis through the message bus platform.
Page 401
Figure A-11 ESM Hierarchy. The event source, event source server, Collector, and Connector are configuration-related objects that can be added through the ESM user interface. Event Source: This node represents a connection to a specific source of data, such as a specific file, firewall, or Syslog relay, and contains the configuration information necessary to establish the connection.
Page 402
Common Services
All of the components in this Collection and Enrichment layer are driven by a set of common services. These utility services form the fabric of data collection and data enrichment and assist in filtering the noise from the information (through global filters), applying user-defined tags to enrich the event information (through business relevance and taxonomy mapping services), and governing the data Collectors’...
Exploit Detection
Exploit Detection enables immediate, actionable notification of attacks on vulnerable systems. It provides a real-time link between intrusion detection system signatures and vulnerability scan results, notifying users automatically and immediately when an attack attempts to exploit a vulnerable system. This dramatically improves the efficiency and effectiveness of incident response. Exploit Detection provides users with updates of the mappings between intrusion detection system signatures and vulnerability scanner product signatures.
Page 404
The Remoting Service provides the following capabilities:
    Locating remote objects: This is achieved through metadata that describes the object name or registration token; the actual location is not required, because the iSCALE message bus allows for location transparency.
    Communicating with remote objects: Details of communication between remote objects are handled by the iSCALE message bus.
Page 405
Organizations can deploy multiple correlation engines, each on its own server, without the need to replicate configurations or add databases. Independent scaling of components provides cost-effective scalability and performance. The correlation engine can add events to incidents after an incident has been determined. Users are encouraged to use a metric called Event Rules per Second (ERPS).
Page 406
kept in memory and written to the database as needed (Active Views can store up to 8 hours of data in memory with typical event loads). This uninterrupted, performance-oriented real-time view is essential when under attack or in a steady state.

Active Views (Figure A-14)
406 Sentinel 6.1 Rapid Deployment User Guide...
Page 407
Network (Figure A-15)

Incident Response Through iTRAC
Sentinel iTRAC transforms traditional security information management from a passive alerting and viewing role to an actionable incident response role by enabling organizations to define and document incident resolution processes, and then to guide, enforce, and track those processes after an incident or violation has been detected.
Page 408
iTRAC’s automation framework works using two key components:
    Activity container: Automates the activity’s execution for the specified set of steps, based on input rules
    Workflow container: Automates the workflow execution based on activities through a worklist

The input rules are based on the XPDL (XML Processing Description Language) standard and provide a formal model for expressing executable processes in a business enterprise.
Reporting Service
The Reporting service allows for reporting, including historical and vulnerability reports. Sentinel comes with out-of-the-box reports and enables users to configure their own reports using Jasper Reports. Some examples of reports included with Sentinel are:
    Trend analysis
    Security status of lines of business or critical assets
    Attack types
    Targeted assets
    Response times and resolution...
Page 410
“Active Browser” on page 411

Sentinel 6.1 Rapid Deployment Web Interface
With the Novell Sentinel 6.1 Rapid Deployment Web interface, you can manage and search reports and launch the Sentinel Control Center (SCC), the Sentinel Data Manager (SDM), and the Solution Designer.
Page 411
Active Views Graphical Format: Bar Graph (Figure A-19)
Active Views Graphical Format: Line Graph (Figure A-20)
Active View Graphical Format: Ribbon Graph (Figure A-21)

Active Browser
The Active Browser facility helps in viewing the selected events. In the Active Browser, the events are grouped according to the meta tags.
Page 412
Active Browser (Figure A-22)
In the Active Browser, the query manager service retrieves a list of events taken from any part of the system and performs a statistical analysis of these events to break them down into ranges of values for each desired attribute of the event.
System Events for Sentinel
In the tables below, words in italics surrounded by <…> are replaced by relevant values in the real messages.
    Section B.1, “Authentication Events,” on page 413
    Section B.2, “User Management,” on page 417
    Section B.3, “Database Event Management,” on page 421
    Section B.4, “Database Aggregation,”...
Authentication Events

Table B-1  Authentication Events: Authentication
  Severity:
  Event Name:   Authentication
  Resource:     UserAuthentication
  SubResource:  Authenticate
  Message:      User <name> has passed Authentication to Sentinel/Wizard

B.1.2 Creating Entry For External User
When creating an external user, the following event is generated:

Table B-2  Authentication Events: Creating Entry For External User ...

Table B-4  Authentication Events: Failed Authentication
  Severity:
  Event Name:   AuthenticationFailed
  Resource:     UserAuthentication
  SubResource:  Authenticate
  Message:      Authentication of user <name> with OS name <domUser> from <IP> failed

B.1.5 Locked Account
When a locked user account attempts to log in, the following event is generated:

Table B-5  Authentication Events: Locked Account ...

B.1.7 Too Many Active Users

Table B-7  Authentication Events: Too Many Active Users
  Severity:
  Event Name:
  Resource:
  SubResource:
  Message:

B.1.8 User Discovered
If the server restarts, it loses the session information. It then reconstructs the session when it receives messages from active users. When it discovers a connected user, the following internal event is generated:

Table B-8  Authentication Events: User Discovered ...

  Message:      User <user> with OS name <osName> at <IP> logged in; currently <number> active users

B.1.10 User Logged Out
When a user logs out, the following internal event is generated:

Table B-10  Authentication Events: User Logged Out
  Severity:
  Event Name:   UserLoggedOut ...
  Event Name:   createRole
  Resource:     WorkflowServices
  SubResource:  WorkflowAdminService
  Message:      Adding users <name> to role <role>

B.2.2 Create Role

Table B-12  User Management: Create Role
  Severity:
  Event Name:   createRole
  Resource:     WorkflowServices
  SubResource:  WorkflowAdminService
  Message:      Creating role with name <name> and description <description>

B.2.3 Create User

Table B-13  User Management: Create User ...

  SubResource:  UserManagementService
  Message:      Creating User Account: {0} with Last Name: <lastName>, First Name: <firstName>, State: <state>

B.2.5 Delete Role

Table B-15  User Management: Delete Role
  Severity:
  Event Name:   deleteRole
  Resource:     WorkflowServices
  SubResource:  WorkflowAdminService
  Message:      Deleting role with name <name>

B.2.6 Deleting User Account

Table B-16  User Management: Deleting User Account ...

B.2.8 Remove Users From Role

Table B-18  User Management: Remove Users From Role
  Severity:
  Event Name:   removeUsersFromRole
  Resource:     WorkflowServices
  SubResource:  WorkflowAdminService
  Message:      Removing users <name> from role <role>

B.2.9 Resetting Password

Table B-19  Resetting Password
  Severity:
  Event Name:   setPassword
  Resource:     Config
  SubResource:  ...
B.3.4 Failing to Drop Online CurrentPartition

Table B-25  Failing to Drop Online CurrentPartition
  Severity:
  Event Name:   DBNoSpace
  Resource:     DBSPace
  Message:      Diskspace usage reached upper threshold. Failing to drop online current partition {0}.

B.3.5 Database Space Reached Specified Percent Threshold
When event insertion is resumed after being blocked, the following event is sent:

Table B-26  Database Event Management: Database Space Reached Specified Percent Threshold ...

B.3.7 Database Space Very Low
When event insertion is resumed after being blocked, the following event is sent:

Table B-28  Database Event Management: Database Space Very Low
  Severity:
  Event Name:   DbSpaceVeryLow
  Resource:     Database
  SubResource:  Database
  Message:      Tablespace <string> has current size of <number> MB and has reached the physical threshold of <number>...

  SubResource:  Events
  Message:      Event insertion is blocked, waiting <number> sec

B.3.13 Event Insertion Is Resumed
When event insertion is resumed after being blocked, the following event is sent:

Table B-34  Database Event Management: Event Insertion Is Resumed
  Severity:
  Event Name:   EventInsertionResumed
  Resource:     ...

  Resource:     EventSubsystem
  SubResource:  EventStore
  Message:      In the previous {0}ms, failed to process {1} events--Events were stored for later insertion. Check the log files and the database for more information. The error occurred {2} times in this time range: {3}, cause {4}

B.3.16 No Space In The Database

Table B-37  Database Event Management: No Space In The Database ...

  Event Name:   New/Update/Remove
  Resource:
  SubResource:  PartitionConfig
  Message:      TableName=<name> PartTimeUnit={1} PartTimeFactor={2} NumberOfUnits={3}

B.3.19 Writing to Archive File failed
When opening an archive file for storing the events for aggregation fails, the following internal event is generated:

Table B-40  Database Event Management: Writing to Archive File failed ...
B.4.4 Enabling Summary

Table B-45  Database Aggregation: Enabling Summary
  Severity:
  Event Name:   enableSummary
  Resource:
  SubResource:  EventAggregationAdminService
  Message:      Enabling summary: <summaryDescription>

B.4.5 Error inserting Summary Data into the Database
If an error is encountered while writing aggregation data into the database, the following internal event is generated:

Table B-46  Database Aggregation: Error inserting Summary Data into the Database ...

  SubResource:  ReferentialDataObjectMap
  Message:      The error <error> occurred while applying updates to map <mapName> (ID <mapId>) v.<version>. Rescheduling a refresh to complete map update.

B.5.3 Error initializing map with ID
This internal event is generated from the client side of the mapping service (the part that runs in the Collector Manager).

B.5.5 Error Saving Data File

Table B-52  Database Aggregation: Error Saving Data File
  Severity:
  Event Name:   ErrorSavingDataFile
  Resource:     MappingService
  SubResource:  MapService
  Message:      The error <error> occurred while saving data to file <fileName> (no) backup

B.5.6 Get File Size

Table B-53  Database Aggregation: Get File Size ...

B.5.8 Long Time To Load Map
This internal event is an informational event sent by the mapping service, reporting that loading a map took an unusually long time (greater than one minute).

Table B-55  Database Aggregation: Long Time To Load Map ...

  Event Name:   LoadingMapFromCache
  Resource:     MappingService
  SubResource:  ReferentialDataObjectMap
  Message:      Loading from cache v<version> of map <mapName> (ID <id>)

B.5.11 Refreshing Map from Server
This internal event is generated from the client side of the mapping service (the part that runs in the Collector Manager).

B.5.13 Saved Data File

Table B-60  Database Aggregation: Saved Data File
  Severity:
  Event Name:   SavedDataFile
  Resource:     MappingService
  SubResource:  MapService
  Message:      Saved <fileSize> bytes to file <fileName> with original backed up to <backupFile> (or "no backup of original" when no backup was made)

B.5.14 Timed Out Waiting For Callback
When the Collector Manager needs to refresh a map, it sends a request to the back end.
B.6.1 Event Router is Initializing
This event is sent when an event router starts its initialization. The event router starts initializing when it has established a connection with the back end.

Table B-65  Event Router: Event Router is Initializing
  Severity:
  Event Name:   ...

  SubResource:  EventRouter
  Message:      Event router is stopping; reqId(B408EC15-F4D2-1029-A795-000C296FC5D4)

B.6.4 Event Router is Terminating
This event is sent when the event router receives a request to stop during shutdown.

Table B-68  Event Router: Event Router is Terminating
  Severity:
  Event Name:   ...

B.7.4 Correlation Engine is Stopped
This event is sent when the engine changes state from running to stopped.

Table B-72  Correlation Engine: Correlation Engine is Stopped
  Severity:
  Event Name:   EngineStopped
  Resource:     CorrelationEngine
  SubResource:  CorrelationEngine
  Message:      Correlation Engine has stopped processing events.

B.7.5 Correlation Rule

Table B-73  Correlation Engine: Correlation Rule ...

B.7.10 Rename Correlation Engine

Table B-78  Correlation Engine: Rename Correlation Engine
  Severity:
  Event Name:   renameCorrEngine
  Resource:     CorrelationManagementService
  SubResource:  CorrelationManagementService
  Message:      Rename Engine to: <name> with EngineId: <ID>

B.7.11 Rule Deployment is Modified
This event is sent when an engine successfully reloads a rule deployment. This message is sent regardless of the engine's running state.

B.7.13 Rule Deployment is Stopped
This event is sent when an engine successfully unloads a rule deployment. This message is sent regardless of the engine's running state.

Table B-81  Correlation Engine: Rule Deployment is Stopped
  Severity:
  Event Name:   DeploymentStopped
  Resource:     CorrelationEngine ...

B.7.16 UnDeploy All Rules From Engine

Table B-84  Correlation Engine: UnDeploy All Rules From Engine
  Severity:
  Event Name:   undeployAllRulesFromEngine
  Resource:     CorrelationManagementService
  SubResource:  CorrelationManagementService
  Message:      Undeploy all rules from Engine:

B.7.17 UnDeploy Rule

Table B-85  Correlation Engine: UnDeploy Rule
  Severity:
  Event Name:   ...
B.8.2 Collector Manager Is Down

Table B-88  Event Source Management (General): Collector Manager Is Down
  Severity:
  Event Name:   CollectorManagerDown
  Resource:     HealthManager
  SubResource:  CollectorManagerHealth
  Message:

B.8.3 Collector Manager Started

Table B-89  Event Source Management (General): Collector Manager Started
  Severity:
  Event Name:   ...

B.8.5 Collector Service Callback

Table B-91  Event Source Management (General): Collector Service Callback
  Severity:
  Event Name:   Restart
  Resource:
  SubResource:  CollectorServiceCallback
  Message:      Restart Collector with Id: <ID>

B.8.6 Cyclical Dependency
The Event Service sends this event when it detects a cycle in the Event Definition (in dependencies among tags because of referential map assignments).

Table B-97  Event Source Management (General): Persistent Process Died
  Severity:
  Event Name:   PersistentProcessDied
  Resource:     AgentManager
  SubResource:  AgentManager
  Message:      Persistent Process on port <port ID> has died.

B.8.12 Persistent Process Restarted
The Collector Engine sends this event when the persistent process Connector is able to restart the controlled process that had died.

  SubResource:  FileConnector
  Message:      Event source <File Event Source ID> reached time out of <Timeout Period> when processing file <File Location>.

B.12.3 File Rotation
When the File Connector is configured to use file rotation and the Connector changes from one file to the next, the following internal event is generated:

Table B-120  Event Source Management (Connectors): File Rotation ...
B.13.1 Active View Created
DAS_Binary sends this event when an Active View is created.

Table B-125  Active View: Active View Created
  Severity:
  Event Name:   RtChartCreated
  Resource:     RealTimeSummaryService
  SubResource:  ChartManager
  Message:      Creating new Active View with filter <filter> and attribute <attribute> for users with security filter <security filter>.

  SubResource:  ChartManager
  Message:      Active View with filter <filter> and attribute <attribute> for users with security filter <security filter> is no longer permanent.

B.13.4 Active View Now Permanent
DAS_Binary sends this event when it detects that an Active View has newly become permanent. This check happens periodically, so it can be several minutes after an Active View is saved to preferences before this event is generated.

Table B-130  Active View: Idle Permanent Active View Removed
  Severity:
  Event Name:   RtPermanentChartRemoved
  Resource:     RealTimeSummaryService
  SubResource:  ChartManager
  Message:      Removed idle permanent Active View with filter <filter> and attribute <attribute> for users with security filter <security filter>. Currently <n> Active View(s) Collecting.

  SubResource:  FilterConfig, GlobalFilterConfig, MenuConfig, OptionsConfig, IncidentActionConfig, AnalyzeDefaultConfig, AnalyzeReportConfig, AdvisorDefaultConfig and AdvisorReportConfig
  Message:      Updating Config Object: <name> by User: _SYSTEM

B.14.3 Viewing Configuration Store

Table B-133  Data Objects: Viewing Configuration Store
  Severity:
  Event Name:   New/Update/Remove
  Resource:
  SubResource:  ViewConfigurationStore
  Message:      name <name>...
B.16.6 Delete Incident

Table B-143  Incidents and Workflow: Delete Incident
  Severity:
  Event Name:   deleteIncident
  Resource:     IncidentService
  SubResource:  IncidentService
  Message:      Delete incident with ID: <ID>

B.16.7 Deleting Group

Table B-144  Incidents and Workflow: Deleting Group
  Severity:
  Event Name:   deleteGroup
  Resource:     WorkflowServices ...

B.16.9 Deleting User

Table B-146  Incidents and Workflow: Deleting User
  Severity:
  Event Name:   deleteUser
  Resource:     WorkflowServices
  SubResource:  WorkflowObjectMgrService
  Message:      Deleting User in WorkFlow: {0} with firstname: <firstName> lastname : <lastName>

B.16.10 E-Mail Incident

Table B-147  Incidents and Workflow: E-mail Incident
  Severity:   ...

B.16.12 Save Incident

Table B-149  Incidents and Workflow: Save Incident
  Severity:
  Event Name:   saveIncident
  Resource:     IncidentService
  SubResource:  IncidentService
  Message:      Save incident with name: <name>, state: <state>, severity: <severity>, resolution: <resolution>

B.16.13 Saving Group

Table B-150  Incidents and Workflow: Saving Group
  Severity:   ...

B.16.15 Send Incident to Hp Service Desk

Table B-152  Incidents and Workflow: Send Incident To Hp Service Desk
  Severity:
  Event Name:   sendIncidentToHpServiceDesk
  Resource:     IncidentService
  SubResource:  IncidentService
  Message:      User: <name> sent incident with name: <incidentName>, state: <state>, severity: <severity>, resolution: <resolution> to HP Service Desk

B.16.16 Send Incident to HpOVO

Table B-153  Incidents and Workflow: Send Incident To HpOVO ...
    Section B.17.2, “Controlled Process is started,” on page 471
    Section B.17.3, “Controlled Process Is Stopped,” on page 472
    Section B.17.4, “Importing Auxiliary,” on page 472
    Section B.17.5, “Importing Plug-In,” on page 472
    Section B.17.6, “Load Esec Taxonomy to XML,” on page 473
    Section B.17.7, “Process Auto Restart Error,”...

  Resource:     Sentinel
  SubResource:  Process
  Message:      Process <ProgramName> spawned (command <pID>)

B.17.3 Controlled Process Is Stopped
This event is sent when a process is stopped. The severity is set to 5 if the process was set to respawn (that is, it is not expected to die). The severity is set to 1 if the process was set to run once.

Table B-157  General: Controlled Process Is Stopped ...

  Resource:
  SubResource:  PluginRepositoryService
  Message:      Import plugin <name> (ID <ID>) of type <type>.

B.17.6 Load Esec Taxonomy to XML

Table B-160  General: Load Esec Taxonomy to XML
  Severity:
  Event Name:   loadEsecTaxonomyToXML
  Resource:
  SubResource:  EsecTaxonomyNodeService
  Message:      Loading Esecurity taxonomy Info to an xml format:

B.17.7 Process Auto Restart Error
This event is sent when a process is stopped.

  Event Name:   ProcessRestart
  Resource:     Sentinel
  SubResource:  Process
  Message:      Process <ProgramName> spawned (command <pID>)

B.17.9 Proxy Client Registration Service (medium)

Table B-163  General: Proxy Client Registration Service (medium)
  Severity:
  Event Name:   registerClient
  Resource:
  SubResource:  ProxyClientRegistrationService (medium)
  Message:      Registering new client

B.17.10 Restarting Process

Table B-164  General: Restarting Process ...

  SubResource:  SentinelHealthService
  Message:      Restarting <number> processes: <number> name <name> server <name> server ID <ID>;

B.17.12 Starting Process

Table B-166  General: Starting Process
  Severity:
  Event Name:   startProcess
  Resource:     SentinelHealth
  SubResource:  SentinelHealthService
  Message:      Starting process <name> on Sentinel server <name> UUID {2}

B.17.13 Starting Processes

Table B-167  General: Starting Processes ...

  Message:      Stopping process <name> on Sentinel server <name> UUID {2}

B.17.15 Stopping Processes

Table B-169  General: Stopping Processes
  Severity:
  Event Name:   stopProcesses
  Resource:     SentinelHealth
  SubResource:  SentinelHealthService
  Message:      Stopping <number> processes: <number> name <name> server <name> server ID <ID>;

B.17.16 Store Esec Taxonomy From XML

Table B-170  General: Store Esec Taxonomy From XML ...

  Message:      WatchDog Service Starting

B.17.18 Watchdog Process Is stopped
When the Watchdog service is stopped, the following internal event is generated:

Table B-172  General: Watchdog Process is stopped
  Severity:
  Event Name:   ProcessStop
  Resource:     WatchDog
  SubResource:  WatchDog
  Message:      WatchDog Service Ended

System Events for Sentinel 477...
If you are a new user, simply read the guide in its current state. Refer to the publication date that appears on the title page to determine the release date of this guide. For the most recent version of the Novell Sentinel 6.1 Rapid Deployment User Guide, see the Novell Sentinel 6.1 Rapid Deployment documentation Web site (http://www.novell.com/documentation/...