Event Configuration; Event Mapping - Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual


map_updater.sh <uuid> <source path> [nobackup]

6 The data from the new map data source file is uploaded to the server, replacing the contents of the existing map data source file. After the source data is completely uploaded, the map data is regenerated and distributed to map clients (for example, Collector Manager).

Unless the optional -nobackup argument is added, the previous map data is saved in a backup file on the server. When a backup is made, the existing map data source file is copied into the <Install_directory>/data/map_data folder. The prefix of the backup file name is the name of the existing map data source file; the end of the file name is a set of random numbers followed by the .bak suffix. For example: vuln_attacks10197.bak.

10.8 Event Configuration

Section 10.8.1, "Event Mapping," on page 249
Section 10.8.2, "Renaming Tags," on page 253

10.8.1 Event Mapping

Event Mapping is a mechanism that allows you to add data to an event by using data already in the event to reference and pull in data from an outside source. The outside data source is a map, which is defined by using Map Data Configuration. The data already in the event that should be used as the reference into the map, and the data to be pulled from the map into the event, are specified by using the Events tab.

Because virtually any data set can be made into a map, Event Mapping is useful for incorporating data from elsewhere in your organization into the event stream. Some opportunities Event Mapping provides are:
Regulatory compliance monitoring
Policy compliance
Response prioritization
Enabling security data to be analyzed in relation to business operations
Enhancing accountability

When an Event Mapping is defined, it is applied system-wide to all events from all Collectors. Additionally, Sentinel automatically distributes map data to all processes that perform event mappings and keeps the map data in these processes up to date. For these reasons, Event Mapping provides significant capabilities to support enterprise deployments.

Event Mapping is made up of four main parts:
Controller: Stores all map information
Distributor: Automatically redistributes modified maps to those processes that registered for the map
Monitor: Detects changes in map source data
Generator: Generates maps from source data

One application of Event Mapping is Sentinel's Asset Data functionality. For example, asset information is collected and stored in the Sentinel Database asset schema and is represented by a Physical Asset Entry. Soft assets, such as services and applications, are represented by an entry that
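The following is an added illustration of the Event Mapping idea described above, not code from the Sentinel product: a map is generated from a delimited source file, a key built from fields already in the event is used to look up a row, and selected columns of that row are copied into the event under configured tag names. A small monitor compares a content hash of the source so the map is regenerated (and would be redistributed) only when the source actually changes, which is the Monitor/Generator split the section names. The asset map, its column names, and the event field names DestinationIP, DestinationAssetCriticality and DestinationAssetOwner are constructed for the example and are not taken from the manual.

```python
"""Added example (not Sentinel's code): event enrichment through a lookup map,
in the style of Sentinel Event Mapping. All data below is constructed."""
import csv
import hashlib
import io

# Constructed map source: an asset map keyed by IP address (assumption).
MAP_SOURCE = """ip,hostname,criticality,owner
10.0.0.5,web01,high,ops
10.0.0.9,db01,critical,dba
"""


def generate_map(source_text, key_columns):
    """Generator: build {key_tuple: row_dict} from a CSV map source."""
    reader = csv.DictReader(io.StringIO(source_text))
    table = {}
    for row in reader:
        key = tuple(row[c] for c in key_columns)
        table[key] = row
    return table


class MapMonitor:
    """Monitor: keeps a content hash of the source so the map is regenerated
    only when the source data changes; refresh() reports whether it did."""

    def __init__(self, key_columns):
        self.key_columns = key_columns
        self.digest = None
        self.table = {}

    def refresh(self, source_text):
        digest = hashlib.sha256(source_text.encode("utf-8")).hexdigest()
        if digest == self.digest:
            return False  # unchanged: nothing to regenerate or redistribute
        self.digest = digest
        self.table = generate_map(source_text, self.key_columns)
        return True


def apply_mapping(event, table, event_key_fields, column_to_tag):
    """Reference the map with fields already in the event and copy the chosen
    columns into a copy of the event. Events with no matching row are returned
    unchanged, with matched=False, so missing map entries never add tags."""
    key = tuple(event.get(f, "") for f in event_key_fields)
    row = table.get(key)
    enriched = dict(event)
    if row is None:
        return enriched, False
    for column, tag in column_to_tag.items():
        enriched[tag] = row[column]
    return enriched, True


def enrich_events(events, source_text=MAP_SOURCE):
    """Apply the constructed asset map to a batch of events."""
    monitor = MapMonitor(key_columns=["ip"])
    monitor.refresh(source_text)
    tags = {"criticality": "DestinationAssetCriticality",
            "owner": "DestinationAssetOwner"}
    return [apply_mapping(ev, monitor.table, ["DestinationIP"], tags)[0]
            for ev in events]


if __name__ == "__main__":
    sample = [{"EventName": "Login", "DestinationIP": "10.0.0.9"},
              {"EventName": "Login", "DestinationIP": "192.0.2.1"}]
    for ev in enrich_events(sample):
        print(ev)
```

Because the key is built from the event itself, the same map serves every Collector without per-Collector configuration, which is the point the section makes about system-wide application; the hash check in MapMonitor is what keeps a clients' copy from being rebuilt on every poll of an unchanged source.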
Administration 249
