Event Source Management - Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual

Figure A-6: attackNormalization.csv Sample
The Vulnerability tag has a column entry _EXIST_, which means that the map result value is 1 if the key is in IsExploitWatchlist (the exploitDetection.csv file) or 0 if it is not. The key columns for the vulnerability tag are IP and NormalizedAttackId. When an incoming event has a DestinationIP event tag that matches the IP column entry and an AttackId event tag that matches the NormalizedAttackId column entry in the same row, the result is one (1). If no match is found in a common row, the result is zero (0).

Figure A-7: Vulnerability and Data Source

A.3.3 Event Source Management

Sentinel 6.1 Rapid Deployment delivers a centralized event source management framework to facilitate data source integration. This framework enables all aspects of configuring, deploying, managing and monitoring data Collectors for a broad set of systems, which include databases, operating systems, directories, firewalls, intrusion detection/prevention systems, antivirus applications, mainframes, Web and application servers, and many more.

Using adaptable and flexible technology is central to Sentinel's event source management strategy, which is achieved through interpretive Collectors that parse, normalize, filter and enrich the events in the data stream.

These Collectors can be modified as needed and are not tied to a specific environment. An integrated development environment allows for interactive creation of Collectors by using a "drag and drop" paradigm from a graphical user interface. Non-programmers can create Collectors, ensuring that both current and future requirements are met in an ever-changing IT environment. The command and control operation of Collectors (for example, starting, stopping, and so on) is performed centrally from the Sentinel Control Center. The event source management framework
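The _EXIST_ lookup described above for the Vulnerability tag, as an added example that is not Sentinel's own map service code: it loads a constructed exploitDetection.csv with the two key columns (IP, NormalizedAttackId) and evaluates incoming events to 1 or 0. The CSV content, the event dicts and the function names are assumptions for illustration; the one behaviour worth checking is that IP and NormalizedAttackId must match in the same row, not across rows.

```python
import csv
import io

# Constructed sample exploitDetection.csv (not Novell's file). Each row is one
# host/attack pair on the exploit watchlist. Attack IDs are placeholders.
EXPLOIT_DETECTION_CSV = """IP,NormalizedAttackId
10.0.0.5,NA-1001
10.0.0.5,NA-1002
10.0.0.9,NA-1001
"""


def load_exploit_watchlist(csv_text, key_columns=("IP", "NormalizedAttackId")):
    """Build the IsExploitWatchlist key set from the CSV text.

    Every row contributes one composite key; rows missing either key column
    are skipped, because the _EXIST_ check is evaluated per row.
    """
    watchlist = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = tuple((row.get(col) or "").strip() for col in key_columns)
        if all(key):
            watchlist.add(key)
    return watchlist


def vulnerability_tag(event, watchlist):
    """_EXIST_ semantics: 1 if (DestinationIP, AttackId) is a row key, else 0."""
    key = (event.get("DestinationIP", "").strip(), event.get("AttackId", "").strip())
    return 1 if key in watchlist else 0


def enrich(events, watchlist):
    """Return copies of the events with the Vulnerability tag filled in."""
    return [dict(e, Vulnerability=vulnerability_tag(e, watchlist)) for e in events]


WATCHLIST = load_exploit_watchlist(EXPLOIT_DETECTION_CSV)

# Constructed incoming events (event tags as a dict). The second event pairs an IP
# and an AttackId that each appear in the map, but never in a common row, so it
# must evaluate to 0; the third has an IP that is not in the map at all.
SAMPLE_EVENTS = [
    {"DestinationIP": "10.0.0.5", "AttackId": "NA-1002"},  # same row -> 1
    {"DestinationIP": "10.0.0.9", "AttackId": "NA-1002"},  # cross-row -> 0
    {"DestinationIP": "10.0.0.7", "AttackId": "NA-1001"},  # unknown host -> 0
]

if __name__ == "__main__":
    for e in enrich(SAMPLE_EVENTS, WATCHLIST):
        print(e)
```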
Sentinel 6.1 Rapid Deployment Architecture 393