Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010 Reference Manual

AUTHORIZED DOCUMENTATION
Reference Guide
Novell® Sentinel™ 6.1 SP2
February 2010
www.novell.com
Sentinel 6.1 Reference Guide


Summary of Contents for Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010

  • Page 1 AUTHORIZED DOCUMENTATION Reference Guide Novell ® Sentinel 6.1 SP2 February 2010 www.novell.com Sentinel 6.1 Reference Guide...
  • Page 2 Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/ trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Contents: Preface; 1 Sentinel User Reference Introduction; 2 Sentinel Event Fields; Event Field Labels and Tags ... 17; 2.1.1 Free-Form Filters and Correlation Rules ...
  • Page 6 Operators ... 47; 4.5.1 Flow Operator ...
  • Page 7 7.1.31 ESEC_CONTENT_GRP_CONTENT_RPT_V ... 82; 7.1.32 ESEC_CONTENT_GRP_RPT_V ... 83; 7.1.33 ESEC_CONTENT_PACK_RPT_V ...
  • Page 8 7.1.90 SENTINEL_HOST_RPT_V ... 114; 7.1.91 SENTINEL_PLUGIN_RPT_V ...
  • Page 9 8.1.33 ESEC_CONTENT_GRP_RPT_V ... 142; 8.1.34 ESEC_CONTENT_PACK_RPT_V ...
  • Page 10 8.1.92 RPT_LABELS_RPT_V ... 178; 8.1.93 SENSITIVITY_RPT_V ...
  • Page 11 D.2.2 esecadm ... 208; D.2.3 esecapp ...
  • Page 13: Preface

    The documentation for this product is available at http://www.novell.com/documentation/sentinel61/index.html. Additional documentation on developing Collectors (proprietary or JavaScript) and JavaScript correlation actions is available at the Novell Developer Community web site: http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel. Documentation Conventions: The following are the conventions used in this manual: ...
  • Page 14 For more information, see “Section Name” in “Chapter Name”, Name of the Guide (if in a different Guide). In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path. ...
  • Page 15: Sentinel™ User Reference Introduction

    Sentinel User Reference Introduction. The Sentinel User Reference Guide is your reference for: Collector administrator functions; the Sentinel correlation engine; Collector and Sentinel meta tags; Sentinel command line options; Sentinel console user permissions; Sentinel server database views. This guide assumes that you are familiar with network security, database administration and UNIX operating systems.
  • Page 17: Sentinel Event Fields

    WARNING: Changing the default label for any variables other than Customer Variables may cause confusion when working with Novell Technical Services or other parties who are familiar with the default names. In addition, JavaScript Collectors built by Novell refer to the default labels described in this chapter and are not automatically updated to refer to new labels.
  • Page 18: Free-Form Filters And Correlation Rules

    date: The Collector variable must be set to the date as the number of milliseconds since January 1, 1970 00:00:00 GMT. When displayed in the Sentinel Control Center, meta-tags of type date are shown in a regular date format. IPv4: IP address in dotted decimal notation (that is, xxx.xxx.xxx.xxx) ...
  • Page 19: Actions

    Figure 2-2: Filter Wizard displaying labels in drop-down and free-form language. The representation of fields in the free-form RuleLG language is usually prefaced by “e.”; for example, “e.InitUserName” or “e.sun” refers to the Initiator User Name of the incoming or current event.
  • Page 20 Figure 2-3: Configuration Action - Select Event Attributes window. When you type the label or short tag for a field to be used in an action, the name can be enclosed in percent signs (%tag%) or dollar signs ($tag$). For example, %sun% in a correlation action refers to the value of InitUser in the correlated event ...
  • Page 21: Proprietary Collectors

    Figure 2-4. 2.1.3 Proprietary Collectors: Proprietary Collectors, written in Novell’s own language, always use variables based on the short tag to refer to event fields. The short tag name must be prefaced by a letter and an underscore, where the letter indicates the data type of the field (i_ for integer, s_ for string).
  • Page 22 Table 2-1: Labels and meta-tags used in Sentinel Control Center and proprietary Collector language. Columns: Default Label | Filters and Correlation Rules | Menu and Correlation Actions | Proprietary Collector Language | Data Type | Description
    DeviceEventTimeString | e.et | %et% | s_ET | string | The normalized date and time of the event, as reported by the sensor.
  • Page 23 Default Label | Filters and Correlation Rules | Menu and Correlation Actions | Proprietary Collector Language | Data Type | Description
    CollectorScript | e.agent | %agent% | | string | The name of the Collector Script used by the Collector to generate this event.
    Resource | e.res | %res% | s_Res | string | Compliance monitoring hierarchy level 1
    SubResource | e.sres | ...
  • Page 24 ... | Device-specific attack name that matches the attack name known by Advisor. Used in Exploit Detection.
    ... | e.rt2 | %rt2% | s_RT2 | string | Reserved by Novell for expansion.
    Ct1 thru Ct2 | e.ct1 thru e.ct2 | %ct1% thru ... | s_CT1 thru ... | string | Reserved for use by ...
  • Page 25 CustomerHierarchyId | e.rv1 | %rv1% | s_RV1 | integer | Used for MSSPs.
    ReservedVar2 thru ReservedVar10 | e.rv2 thru e.rv10 | %rv2% thru %rv10% | s_RV2 thru s_RV10 | integer | Reserved by Novell for expansion.
    ReservedVar11 thru ... | e.rv11 thru ... | %rv11% thru ... | s_RV11 thru ... | date | Reserved by Novell for expansion.
  • Page 26 InitDomain | e.rv42 | %rv42% | s_RV42 | string | Domain portion of the initiating system's fully-qualified hostname.
    ReservedVar43 | e.rv43 | %rv43% | s_RV43 | string | Reserved by Novell for expansion.
    TargetThreatLevel | e.rv44 | %rv44% | s_RV44 | string | Target threat level.
    TargetUserDomain | e.rv45 | %rv45% | s_RV45 | string | Domain (namespace) in which the target account exists.
  • Page 27 ... | ... | %rv62% | s_RV62 | string | Criticality of the initiating system (0-5).
    Variables reserved for future use | e.rv63 thru e.rv75 | %rv63% thru %rv75% | s_RV63 thru s_rv75 | string | Variables not currently in use by Novell
    InitAssetDepartment | e.rv76 | %rv76% | s_RV76 | string | Department of the initiating system.
  • Page 28 Default Label | Filters and Correlation Rules | Menu and Correlation Actions | Proprietary Collector Language | Data Type | Description
    Variables reserved for future use | e.rv101 thru e.rv200 | %rv101% thru %rv200% | s_rv101 thru s_rv200 | various | Variables not currently in use by Novell
    CustomerVar1 thru ... | e.cv1 thru e.cv10 | %cv1% thru ... | s_CV1 thru ... | integer | Number variable reserved for customer use.
  • Page 29 Default Label | Filters and Correlation Rules | Menu and Correlation Actions | Proprietary Collector Language | Data Type | Description
    CustomerVar111 thru CustomerVar120 | e.cv111 thru e.cv120 | %cv111% thru %cv120% | s_CV111 thru s_CV120 | string | Date variable reserved for customer use. Stored in database.
    CustomerVar121 thru ... | e.cv121 ... | %cv121% ... | s_CV121 ...
  • Page 31: Sentinel Control Center User Permissions

    Sentinel Control Center User Permissions Sentinel allows administrators to set user permissions in the Sentinel Control Center at a granular level. The only user created by default is the esecadm, or Sentinel Administrator. All other users are created by the Sentinel Administrator, or someone with similar permissions. To change user permissions: 1 Log into the Sentinel Control Center as a user with “User Management”...
  • Page 32 6 Uncheck the checkboxes for the permissions you want to restrict for the user. 7 Click OK. The permissions in the User Manager are grouped into several major categories: General (page 33); Active Views (page 34); iTRAC (page 35); Incidents (page 35); ...
  • Page 33: General

    Solution Pack (page 39); Identity (page 39). Each of these groups of settings is described in more detail below. 3.1 General. Table 3-1 Permissions-General: Permission Name | Description
    Save Workspace | Allows the user to save preferences. If this permission is unavailable, the user will never be prompted to save changes to preferences when logging out of or exiting the Sentinel Control Center.
  • Page 34: General – Integration Actions

    3.1.3 General – Integration Actions. Table 3-4 Permissions-General-Integration Actions: Permission Name | Description
    Send to Remedy Help Desk | Allows the user to send events, incidents and associated objects to Remedy (requires the optional Remedy integration component).
    3.2 Active Views. Table 3-5 Permissions-Active Views: Permission Name | Description
    View Active Views Tab | ...
  • Page 35: Itrac

    3.3 iTRAC. Table 3-8 Permissions-iTRAC: Permission Name | Description
    View iTRAC Tab | Allows the user to see and use the iTRAC tab, menu and other related functions associated with the iTRAC tab.
    Activity Management | Allows the user to access the Activity Manager.
    Manage Work Items Of Users | Gives the user administrative control over all work items, including those assigned to other users.
    3.3.1 iTRAC - Template Management ...
  • Page 36: Integrators

    Permission Name | Description
    Create Incident(s) | Allows the user to create Incidents in the Incident View window, or by right-clicking an incident and selecting the Modify option. Alternatively, select the Create Incident menu item in the Incidents menu bar, or click the Create Incident option in the toolbar.
  • Page 37: Event Source Management

    3.7 Event Source Management. Table 3-14 Permissions-Event Source Management: Permission Name | Description
    View Status | Allows the user to view the status of ESM components.
    View Scratchpad | Allows the user to design and configure ESM components.
    Configure ESM Components | Allows the user to configure ESM components.
    Control ESM Components | Allows the user to control and manage ESM components.
  • Page 38: Administration

    3.10 Administration. Table 3-17 Permissions-Administration: Permission Name | Description
    View Administration Tab | Allows the user to see and use the View Administration tab, menu and other related functions associated with the View Administration tab.
    DAS Statistics | Allows the user to view DAS activity (DAS binary and query).
    Event Configuration | Allows the user to rename columns and set mappings from mapping files.
  • Page 39: Correlation

    Permission Name | Description
    Control Servers | Allows the user to start, restart and stop processes.
    3.11 Correlation. Table 3-20 Permissions-Correlation: Permission Name | Description
    View Correlation Tab | Allows the user to use the Correlation functions.
    View/Use Correlation Rule Manager | Allows the user to start or stop the Correlation Rules.
    View/Use Correlation Engine Manager | Allows the user to deploy/undeploy the Correlation Rules.
  • Page 41: Sentinel Correlation Engine Rulelg Language

    Sentinel Correlation Engine RuleLG Language. This section describes the Sentinel correlation engine's RuleLG language. 4.1 Correlation RuleLG Language Overview: The Sentinel Correlation Engine runs rules that are written in the Correlation RuleLG language. Rules are created in the Sentinel Control Center. Users can create rules using a wizard for the following rule types: Simple Rule ...
  • Page 42: Event Operations

    WARNING: If you rename the label of a metatag, do not use the original label name when creating a correlation rule. 4.3 Event Operations: Event operations evaluate, compare, and count events. They include the following operations: Filter: Evaluates the current event to determine whether it could potentially trigger a rule to fire. Window: Compares the current event to past events that have been stored in memory ...
  • Page 43 In addition to Boolean operators, filter supports the following operators. Standard Arithmetic Operators Standard arithmetic operators can be used to build a condition that compares the value of a Sentinel metatag and a user-specified value (either a numeric value or a string field). The standard arithmetic operators in Sentinel are =, <, >, !=, <=, and >=.
  • Page 44: Window Operation

    filter(e.evt="File Access" and not(e.sun inlist AuthorizedUsers))
    ISNULL Operator: The isnull operator returns true if the metatag value is equal to NULL. Example:
    Filter(isnull(e.SIP))
    Output Sets: The output of a filter is either the empty set (if the Boolean expression evaluates to false) or a ...
  • Page 45: Trigger Operation

    As another example, this rule is a domino type of rule. An attacker exploits a vulnerable system and uses it as an attack platform.
    window((e.sip = w.dip AND e.dp = w.dp AND e.evt = w.evt), 1h)
    This rule identifies a potential security breach after a denial of service attack. The rule fires if the destination of a denial of service attack has a service stopped within 60 seconds of the attack.
  • Page 46: Rule Operations

    <number of events> is an integer value specifying the number of matching events that are necessary for the rule to fire.
    <evaluation period> specifies the duration for which past events matching the filter expression are maintained, specified in seconds (s), minutes (m), or hours (h).
  • Page 47: Sequence Operation

    <subrule RuleLGs> are the RuleLG definitions for 1 to n subrules. mode = all | any | 1 | 2 | … | n is the number of subrules that must be triggered in order for the gate rule to trigger. <evaluation period> ...
  • Page 48: Union Operator

    filter(e.sev = 5) flow trigger(3, 60)
    The output of the filter operation is the input of the trigger operation, so the trigger only counts events with severity equal to 5. 4.5.2 Union Operator: Computes the union of the left-side operation output set and the right-side operation output set. The resulting output set contains events from either the left-hand side output set or the right-hand side output set, without duplicates.
  • Page 49: Differences Between Correlation In 5.X And 6.X

    Table 4-2 Operator Precedence: Operator | Meaning | Operator Type | Associativity
    flow | Output set becomes input set | binary | left to right
    intersection | Set intersection (remove duplicates) | binary | left to right
    union | Set union (remove duplicates) | binary | left to right
    4.7 Differences between Correlation in 5.x and 6.x: Several new functions were added or updated in 6.0 to widen the use of correlation, meet user requirements, and improve ease of use.
  • Page 51: Sentinel Data Access Service

    Sentinel Data Access Service The Data Access Service (DAS) process is Sentinel Server's persistence service and provides a message bus interface to the database. Some of the services it provides are event storage, Historical Query, event drill down, vulnerability and Advisor data retrieval, and configuration manipulation. 5.1 DAS Container Files DAS is a collection of services provided by five different processes.
  • Page 52: Das Logging Properties Configuration Files

    To Reconfigure Database Connection Properties:
    1 Log in to the machine where DAS is installed as the esecadm user on UNIX, or as a user with administrative rights on Windows.
    2 Go to: For Windows: %ESEC_HOME%\bin. For UNIX: $ESEC_HOME/bin
    3 Provide the following command. For Windows:
    dbconfig -a %ESEC_HOME%\config [[-u username] [-p password] | [-winAuth]] [-h hostname] [-t portnum] [-d database] [-s server] [-help] [-version] ...
  • Page 53 For UNIX: $ESEC_HOME/config. These files contain the configuration that determines how the DAS processes log messages. The most important part of the configuration is the logging levels, which indicate how verbose the log messages should be. The section of the file to configure these settings is:
    ###### Configure the logging levels
    # Logging level rules are read from the top down.
  • Page 54: Certificate Management For Das_Proxy

    Replacing the default certificate with a CA-signed certificate Novell provides a self-signed certificate for the DAS_Proxy SSL Server to use. To improve security, you can replace the default, self-signed certificate that gets installed with a certificate signed by a Certificate Authority (CA).
  • Page 55 The basic steps are to get a CA to sign your certificate and then import that certificate into the keystore for DAS_Proxy to use. To import the certificate, the CA that signed the certificate must be “known” to the keytool utility. Keytool usually recognizes the major certificate authorities, but for other CAs you may need to import a certificate or chain of certificates for the certificate authority before you can successfully import the certificate that DAS_Proxy uses.
  • Page 56 ... $ESEC_HOME/config/.proxyServerKeystore -file <cer_filename.cer>
    This replaces the self-signed certificate installed with Sentinel. 9 Restart Sentinel Server. Novell also recommends that you change the keystore and keyEntry passwords after replacing the certificate. Changing default keystore and keyEntry passwords: By default, the passwords used for the keystore and the keyEntry are both set to star1111. It is good practice to change these to something new.
  • Page 57 3 Verify the keyEntry alias using the following command:
    $ESEC_HOME/jre/bin/keytool -list -keystore $ESEC_HOME/config/.proxyServerKeystore
    Provide the current keystore password. The contents of the keystore file display:
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    10.0.0.1, Jan 8, 2008, keyEntry,
    Certificate fingerprint (MD5): 22:B4:19:63:AC:2D:F9:C0:66:7F:7C:64:85:68:89:AB
    The keyEntry alias is the IP address in the example above.
  • Page 58 Using a new .proxyServerKeystore location: By default, the certificate and private key are stored in the file $ESEC_HOME/config/.proxyServerKeystore. To change the location of the file, edit the value of the property “keystore” in the file $ESEC_HOME/config/das_proxy.xml.
  • Page 59: Sentinel Accounts And Password Changes

    Sentinel Accounts and Password Changes This section discusses users that are created or used during Sentinel installation and normal Sentinel operations. Unless you create domain users in advance in order to use Windows Authentication, these users are created by the Sentinel installer. These user accounts are used for Sentinel’s normal operations, such as event inserts into the Sentinel database.
  • Page 60: Changing Password

    6.2 Password Changes: Corporate policy might require that passwords be changed on a regular schedule. Sentinel user passwords can be changed using database utilities. After changing a password, some Sentinel components need to be updated to use the new password. 6.2.1 Changing Password: This section discusses changing passwords. SQL Server Accounts ...
  • Page 61: Sentinel Updates After A Password Change

    Request a password change from a Windows administrator. 2 Follow the procedures in Sentinel updates after a password change. Sentinel Control Center Accounts (Native DB Authentication): This procedure can be used to change the password for the Sentinel Administrator account or any other Sentinel Control Center user.
  • Page 62 For more information on usage of the dbconfig utility, see Chapter 5, “Sentinel Data Access Service,” on page
    dbconfig -a {$ESEC_HOME/config | %ESEC_HOME%\config} -p <password>
    To update the Sentinel Application User password (Windows Authentication): 1 Change the password for the Sentinel Application User domain account as described in Section 6.2.1, “Changing Password,” ...
  • Page 63 5 Click Set password. Provide the new password twice and click OK. Click Apply and click OK. Updating Sentinel Database User Password: These password change procedures are only necessary if extra Sentinel Data Manager jobs have been created and scheduled, or the Sentinel Data Manager command line interface is being used. To change the Sentinel DB Administrator password (Windows Authentication): 1 Use the Windows operating system to change the password as described in Section 6.2.1, ...
  • Page 64 2 In order for automated SDM command line tasks to continue to work (if applicable in your environment), update the dbPass in the sdm.connect file with the new esecdba password using the SDM GUI or command line. For more information, see “Sentinel Data Manager” in Sentinel 6.1 User Guide.
  • Page 65: Sentinel Database Views For Oracle

    (Crystal Reports*). Sentinel defines an event schema that is used to hold the parsed data received from event sources. For more information on the Sentinel Event schema, see Event schema (http://developer.novell.com/wiki/index.php/Event_schema). 7.1 Views Listed below are the views available with Sentinel. 7.1.1 ACTVY_PARM_RPT_V This view contains information about iTRAC activities.
  • Page 66: Actvy_Ref_Rpt_V

    Column Name | Datatype | Comment
    ACTVY_ID | varchar2(36) | Activity identifier
    ACTVY_PARM_ID | varchar2(36) | Activity parameter identifier
    CREATED_BY | number(38,0) | User who created the object
    DATE_CREATED | Date | Date the entry was created
    DATE_MODIFIED | Date | Date the entry was modified
    MODIFIED_BY | number(38,0) | User who last modified the object
    PARM_VAL | varchar2(1000) | Activity parameter value ...
  • Page 67: Adv_Nxs_Feed_V

    Column Name | Datatype | Comment
    OUTPUT_FORMATTER | varchar2(255) | Output formatter
    APP_NAME | varchar2(25) | Application name
    DATE_CREATED | date | Date the entry was created
    DATE_MODIFIED | date | Date the entry was modified
    CREATED_BY | number(38,0) | User who created object
    MODIFIED_BY | number(38,0) | User who last modified object
    7.1.5 ADV_NXS_FEED_V: This view contains information about the Advisor feed files that are processed on a regular schedule.
  • Page 68: Adv_Nxs_Products_V

    7.1.6 ADV_NXS_PRODUCTS_V: This view contains information about all the products that are supported by Novell for Advisor, which include the Intrusion Detection System (IDS), Vulnerability Scanners, and Knowledge Base (OSVDB, CVE, and Bugtraq).
    Column Name | Datatype | Comment
    PRODUCT_ID | number | The unique ID of the product.
  • Page 69: Adv_Nxs_Signatures_V

    Sentinel database. 7.1.8 ADV_NXS_MAPPINGS_V This view contains the mapping information for the products supported by Novell for Advisor. It provides information about the type of mapping between each product including the IDS product signatures, Vulnerability product signatures, and Knowledge Base product signatures.
  • Page 70: Adv_Osvdb_Details_V

    Sentinel database. 7.1.9 ADV_OSVDB_DETAILS_V: This view contains information about the known vulnerabilities from the OSVDB for the products supported by Novell for Advisor. It also stores the classifications to which the vulnerability applies. Column Name | Datatype | Comment ...
  • Page 71 Column Name | Datatype | Comment
    ATTACK_TYPE_CRYPT | number(1,0) | Indicates whether the attack type is cryptographic; for example, weak encryption (implementation or algorithm), no encryption (plaintext), and sniffing.
    ATTACK_TYPE_DOS | number(1,0) | Indicates whether the attack type is denial of service.
  • Page 72 Column Name | Datatype | Comment
    IMPACT_AVAILABLE | number(1,0) | Indicates whether the impact of the attack is loss of availability of a service or information.
    IMPACT_UNKNOWN | number(1,0) | Indicates whether the impact of the attack is unknown.
    EXPLOIT_AVAILABLE | number(1,0) | ...
  • Page 73: Adv_Nxs_Kb_Patch_V

    Column Name | Datatype | Comment
    PUBLISHED | date | Time stamp indicating when the vulnerability was published in the OSVDB.
    INSERTED | date | Time stamp indicating when the vulnerability was inserted in the vendor database.
    UPDATED | date | Time stamp indicating when the vulnerability was updated in the vendor database.
  • Page 74: Adv_Nxs_Kb_Productsref_V

    7.1.11 ADV_NXS_KB_PRODUCTSREF_V: This view contains the information about the products that are affected by the vulnerability.
    Column Name | Datatype | Comment
    | number | The unique ID for the row.
    OSVDB_ID | number | The ID of the vulnerability in the OSVDB.
    VENDOR_NAME | varchar2(128 char) | Name of the vendor of the product that is affected by the vulnerability.
  • Page 75: Asset_Hostname_Rpt_V

    7.1.13 ASSET_HOSTNAME_RPT_V: This view references the ASSET_HOSTNAME table, which stores information about alternate host names for assets.
    Column Name | Datatype | Comment
    ASSET_HOSTNAME_ID | varchar2(36) | Asset alternate hostname identifier
    PHYSICAL_ASSET_ID | varchar2(36) | Physical asset identifier
    HOST_NAME | varchar2(255) | Host name
    CUST_ID | number(38) | Customer identifier
    DATE_CREATED | date | Date the entry was created
    DATE_MODIFIED | ...
  • Page 76: Asset_Rpt_V

    Column Name | Datatype | Comment
    ADDRESS_LINE_2 | varchar2(255) | Address line 2
    CITY | varchar2(100) | City
    STATE | varchar2(100) | State
    COUNTRY | varchar2(100) | Country
    ZIP_CODE | varchar2(50) | Zip code
    DATE_CREATED | date | Date the entry was created
    DATE_MODIFIED | date | Date the entry was modified
    CREATED_BY | number(38) | User who created object
    MODIFIED_BY | number(38) | User who last modified object ...
  • Page 77: Asset_X_Entity_X_Role_Rpt_V

    Column Name | Datatype | Comment
    ASSET_VALUE_ID | number(38) | Asset value code
    ASSET_VALUE_NAME | varchar2(50) | Asset value name
    DATE_CREATED | date | Date the entry was created
    DATE_MODIFIED | date | Date the entry was modified
    CREATED_BY | number(38) | User who created object
    MODIFIED_BY | number(38) | User who last modified object
    7.1.18 ASSET_X_ENTITY_X_ROLE_RPT_V: This view references the ASSET_X_ENTITY_X_ROLE table, which associates a person or an organization to an asset.
  • Page 78: Attachments_Rpt_V

    Column Name | Datatype | Comment
    DATE_MODIFIED | date | Date the entry was modified
    CREATED_BY | number | User who created object
    MODIFIED_BY | number | User who last modified object
    7.1.20 ATTACHMENTS_RPT_V: This view references the ATTACHMENTS table, which stores attachment data.
    Column Name | Datatype | Comment
    ATTACHMENT_ID | number | Attachment identifier
    NAME | ...
  • Page 79: Configs_Rpt_V

    Column Name | Datatype | Comment
    EVT_NAME | varchar2(255) | Event name
    | varchar2(255) | Event resource
    SRES | varchar2(255) | Event sub-resource
    | varchar2(500) | Event message
    CREATED_BY | number(0) | User who created object
    MODIFIED_BY | number(0) | User who last modified object
    DATE_CREATED | date | Date the entry was created
    DATE_MODIFIED | date | Date the entry was modified
    7.1.22 CONFIGS_RPT_V: This view references the CONFIGS table, which stores general configuration information of the ...
  • Page 80: Correlated_Events_Rpt_V (Legacy View)

    Column Name | Datatype | Comment
    EMAIL | varchar2(255) | Contact e-mail
    PAGER | varchar2(64) | Contact pager
    CELL | varchar2(64) | Contact cell phone
    DATE_CREATED | date | Date the entry was created
    DATE_MODIFIED | date | Date the entry was modified
    CREATED_BY | number | User who created object
    MODIFIED_BY | number | User who last modified object
    7.1.24 CORRELATED_EVENTS_RPT_V (legacy view): This view is provided for backward compatibility.
  • Page 81: Cust_Hierarchy_V

    Column Name | Datatype | Comment
    DATE_MODIFIED | date | Date the entry was modified
    CREATED_BY | number(38) | User who created object
    MODIFIED_BY | number(38) | User who last modified object
    7.1.27 CUST_HIERARCHY_V: This view references the CUST_HIERARCHY table, which stores information about the MSSP customer hierarchy.
    Column Name | Datatype | Comment
    CUST_HIERARCHY_ID | ...
  • Page 82: Env_Identity_Rpt_V

    Column Name | Datatype | Comment
    ENTITY_TYPE_CODE | varchar2(5) | Entity type code
    ENTITY_TYPE_NAME | varchar2(50) | Entity type name
    DATE_CREATED | date | Date the entry was created
    DATE_MODIFIED | date | Date the entry was modified
    CREATED_BY | number(38) | User who created object
    MODIFIED_BY | number(38) | User who last modified object
    7.1.30 ENV_IDENTITY_RPT_V: This view references the ENV_IDENTITY_LKUP table, which stores information about asset environment identity.
  • Page 83: Esec_Content_Grp_Rpt_V

    7.1.32 ESEC_CONTENT_GRP_RPT_V: This view contains information about Solution Packs.
    Column Name | Datatype | Comment
    CONTENT_GRP_ID | varchar2(36) | Content group identifier
    CONTENT_GRP_NAME | varchar2(255) | Content group name
    CONTENT_GRP_DESC | Clob | Content group description
    CTRL_ID | varchar2(36) | Control identifier
    CONTENT_EXTERNAL_ID | varchar2(255) | Content external identifier
    DATE_CREATED | Date | Date the entry was created
    DATE_MODIFIED | Date | Date the entry was modified ...
  • Page 84: Esec_Ctrl_Ctgry_Rpt_V

    Column Name | Datatype | Comment
    CONTENT_TYP | varchar2(100) | Content type
    CONTENT_DESC | Clob | Content description
    CONTENT_CONTEXT | Clob | Content context
    CONTENT_HASH | varchar2(255) | Content hash
    DATE_CREATED | Date | Date the entry was created
    DATE_MODIFIED | Date | Date the entry was modified
    MODIFIED_BY | number(38,0) | User who last modified object
    CREATED_BY | number(38,0) | User who created object ...
  • Page 85: Esec_Display_Rpt_V

    Column Name | Datatype | Comment
    CONTENT_EXTERNAL_ID | varchar2(255) | Content external identifier
    DATE_CREATED | date | Date the entry was created
    DATE_MODIFIED | date | Date the entry was modified
    CREATED_BY | number(38,0) | User who created object
    MODIFIED_BY | number(38,0) | User who last modified object
    7.1.37 ESEC_DISPLAY_RPT_V: This view references the ESEC_DISPLAY table, which stores displayable properties of objects. Currently used in renaming meta-tags.
  • Page 86: Esec_Port_Reference_Rpt_V

    7.1.38 ESEC_PORT_REFERENCE_RPT_V: This view references the ESEC_PORT_REFERENCE table, which stores industry standard assigned port numbers.
    Column Name | Datatype | Comment
    PORT_NUMBER | number | The numerical representation of the port, per http://www.iana.org/assignments/port-numbers. This port number is typically associated with the Transport Protocol level in the TCP/IP stack.
    PROTOCOL_NUMBER | number | http://www.iana.org/assignments/protocol- ...
  • Page 87: Esec_Sequence_Rpt_V

    Column Name | Datatype | Comment
    MODIFIED_BY | number | User who last modified object
    7.1.40 ESEC_SEQUENCE_RPT_V: This view references the ESEC_SEQUENCE table, which is used to generate primary key sequence numbers for Sentinel tables.
    Column Name | Datatype | Comment
    TABLE_NAME | varchar2(32) | Name of the table
    COLUMN_NAME | varchar2(255) | Name of the column
    SEED | ...
  • Page 88: Events_All_Rpt_V1 (Legacy View)

    7.1.43 EVENTS_ALL_RPT_V1 (legacy view) This view is provided for backward compatibility. New reports should use EVENTS_RPT_V2. View contains current events. 7.1.44 EVENTS_RPT_V (legacy view) This view is provided for backward compatibility. New reports should use EVENTS_RPT_V2. View contains current and historical events. 7.1.45 EVENTS_RPT_V1 (legacy view) This view is provided for backward compatibility.
  • Page 89: Column Name

    ... Reserved for future use by Novell. This field is used for Advisor information concerning attack descriptions.
    RESERVED_TAG_2 | varchar2(255) | Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality.
    RESERVED_TAG_3 | integer | Reserved for future use by Novell.
  • Page 90 ... | User who last modified object
    RV01 - 10 | integer | Reserved Value 1 - 10. Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality.
    RV11 - 20 | ...
  • Page 91 RV40 - 43 | varchar2(255) | Reserved Value 40 - 43. Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality.
    RV44 | ...
  • Page 92: Event_Id

    ... Use of this field for any other purpose might result in data being overwritten by future functionality.
    RV49 | varchar2(255) | Reserved Value 49. Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality.
    TAXONOMY_ID | integer | ...
  • Page 93: Event_Datetime

    Column Name Datatype Comment EVENT_DATETIME date EVENT_DEVICE_TIME date Event device time SENTINEL_PROCESS_TIME date Sentinel process time BEGIN_TIME date Events begin time END_TIME date Events end time REPEAT_COUNT number(38,0) TARGET_SERVICE_PORT number(38,0) Target service port INIT_SERVICE_PORT number(38,0) BASE_MESSAGE varchar2(4000) EVENT_NAME varchar2(255) EVENT_TIME varchar2(255) Event time CUST_ID...
  • Page 94 Column Name Datatype Comment RESERVED_TAG_1 varchar2(255) RESERVED_TAG_2 varchar2(255) RESERVED_TAG_3 number(38,0) VULNERABILITY_RATING number(38,0) CRITICALITY_RATING number(38,0) DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object RV01 number(38,0) EVENT_METRIC...
  • Page 95 Column Name Datatype Comment TARGET_OPERATIONAL_CONEXT varchar2(255) Target operational context RV49 varchar2(255) TAXONOMY_ID number(38,0) Taxonomy identifier REFERENCE_ID_01- number(38,0) REFERENCE_ID_20 CV01-CV10 number(38,0) CV11-CV20 date CV21- CV29 varchar2(255) CV30- CV34 varchar2(4000) CV35- CV100 varchar2(255) INIT_USER_ID varchar2(255) The initiating account's source-specific identifier as determined by the Collector based on raw device data.
  • Page 96: Evt_Agent_Rpt_V

    Column Name Datatype Comment CUSTOMER_VAR_111- date CUSTOMER_VAR_120 CUSTOMER_VAR_121- varchar2(36) CUSTOMER_VAR_130 CUSTOMER_VAR_131- number(38,0) CUSTOMER_VAR_140 CUSTOMER_VAR_141- varchar2(255) CUSTOMER_VAR_150 7.1.48 EVT_AGENT_RPT_V View references EVT_AGENT table that stores information about Collectors. Column Name Datatype Comment AGENT_ID number(38) Collector identifier CUST_ID number(38) AGENT varchar2(64) Collector name PORT varchar2(64) Collector port...
  • Page 97: Evt_Agent_Rpt_V3

    7.1.49 EVT_AGENT_RPT_V3 View references the EVT_AGENT table that stores information about Collectors. The column names in this view reflect the renaming of Sensor to Observer. This view is designed for use in Sentinel 6.1. Column Name Datatype Comment AGENT_ID number(38,0) Collector identifier CUST_ID number(38,0)
  • Page 98: Evt_Asset_Rpt_V3

    Column Name Datatype Comment MAC_ADDRESS varchar2(100) MAC address RACK_NUMBER varchar2(50) Rack number ROOM_NAME varchar2(100) Room name BUILDING_NAME varchar2(255) Building name CITY varchar2(100) City STATE varchar2(100) State COUNTRY varchar2(100) Country ZIP_CODE varchar2(50) Zip code ASSET_CATEGORY_NAME varchar2(100) Asset category name NETWORK_IDENTITY_NAME varchar2(255) Asset network identity name ENVIRONMENT_IDENTITY_NAME varchar2(255)
  • Page 99: Evt_Dest_Evt_Name_Smry_1_Rpt_V

    Column Name Datatype Comment ASSET_DEPARTMENT varchar2(100) Asset department DATE_CREATED Date Date the entry was created DATE_MODIFIED Date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object 7.1.52 EVT_DEST_EVT_NAME_SMRY_1_RPT_V View summarizes event count by destination, taxonomy, event name, severity and event time. Column Name Datatype Comment...
  • Page 100: Evt_Dest_Txnmy_Smry_1_Rpt_V

    Column Name Datatype Comment EVENT_NAME_ID number(38) Event name identifier RESOURCE_ID number(38) Resource identifier AGENT_ID number(38) Collector identifier PROTOCOL_ID number(38) Protocol identifier SEVERITY number(38) Event severity CUST_ID number(38) Customer identifier EVENT_TIME date Event time EVENT_COUNT number(38) Event count DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified...
  • Page 101: Evt_Port_Smry_1_Rpt_V

    Column Name Datatype Comment EVENT_NAME_ID number(38) Event name identifier EVENT_NAME varchar2(255) Event name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.56 EVT_PORT_SMRY_1_RPT_V View summarizes event count by destination port, severity and event time.
  • Page 102: Evt_Prtcl_Rpt_V3

    7.1.58 EVT_PRTCL_RPT_V3 View references EVT_PRTCL table that stores event protocol information. Column Name Datatype Comment PROTOCOL_ID number(38,0) Protocol identifier PROTOCOL varchar2(255) Protocol name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object...
  • Page 103: Evt_Src_Collector_Rpt_V

    Column Name Datatype Comment MODIFIED_BY number(38) User who last modified object 7.1.61 EVT_SRC_COLLECTOR_RPT_V View contains information about the Event Source Management configuration. Column Name Datatype Comment EVT_SRC_COLLECTOR_ID varchar2(36) Event source collector identifier SENTINEL_PLUGIN_ID varchar2(36) Sentinel plug-in identifier EVT_SRC_MGR_ID varchar2(36) Event source manager identifier EVT_SRC_COLLECTOR_NAME varchar2(255) Event source collector name...
  • Page 104: Evt_Src_Mgr_Rpt_V

    Column Name Datatype Comment DATE_MODIFIED date Date the entry was modified 7.1.63 EVT_SRC_MGR_RPT_V View contains information about the Event Source Management configuration. Column Name Datatype Comment EVT_SRC_MGR_ID varchar2(36) Event source manager identifier SENTINEL_ID varchar2(36) Sentinel identifier EVT_SRC_MGR_NAME varchar2(255) Event source manager name SENTINEL_HOST_ID varchar2(36) Sentinel host identifier...
  • Page 105: Evt_Src_Smry_1_Rpt_V

    Column Name Datatype Comment EVT_SRC_NAME varchar2(255) Event source name EVT_SRC_GRP_ID varchar2(36) Event source group identifier STATE_IND number(1,0) State indicator MAP_FILTER clob Map filter EVT_SRC_CONFIG clob Event source configuration CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object DATE_CREATED date Date the entry was created...
  • Page 106: Evt_Src_Srvr_Rpt_V

    7.1.67 EVT_SRC_SRVR_RPT_V View contains information about the Event Source Management configuration. Column Name Datatype Comment EVT_SRC_SRVR_ID varchar2(36) Event source server identifier EVT_SRC_SRVR_NAME varchar2(255) Event source server name EVT_SRC_MGR_ID varchar2(36) Event source manager identifier SENTINEL_PLUGIN_ID varchar2(36) Sentinel plug-in identifier STATE_IND number(1,0) State indicator EVT_SRC_SRVR_CONFIG clob...
  • Page 107: Evt_Xdas_Txnmy_Rpt_V

    Column Name Datatype Comment USER_NAME varchar2(255) User name USER_DOMAIN varchar2(255) CUST_ID number(38) Customer identifier DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.70 EVT_XDAS_TXNMY_RPT_V Column Name Datatype...
  • Page 108: Hist_Correlated_Events_Rpt_V (Legacy View)

    Column Name Datatype Comment EXTERNAL_DATA_TYPE varchar2(10) External data type DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.72 HIST_CORRELATED_EVENTS_RPT_V (legacy view) This view is provided for backward compatibility.
  • Page 109: Incidents_Events_Rpt_V

    Average of all the event severities that comprise an incident. VULNERABILITY_RATING varchar2(32) Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality. CRITICALITY_RATING varchar2(32) Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality.
  • Page 110: Incidents_Vuln_Rpt_V

    Column Name Datatype Comment MODIFIED_BY number User who last modified object INC_DESC varchar2(4000) Incident description INC_CAT varchar2(255) Incident category INC_PRIORITY number Incident priority INC_RES varchar2(4000) Incident resolution 7.1.78 INCIDENTS_VULN_RPT_V View references the INCIDENTS_VULN table that stores information about the vulnerabilities that make up incidents created in the Sentinel Console.
  • Page 111: Mssp_Associations_V

    Column Name Datatype Comment TEXT varchar2(4000) Log text 7.1.81 MSSP_ASSOCIATIONS_V View references the MSSP_ASSOCIATIONS table that associates a numeric key in one table with a UUID in another table. Column Name Datatype Comment TABLE1 varchar2(64) Table name 1 number(38) TABLE2 varchar2(64) Table name 2 varchar2(36) DATE_CREATED...
  • Page 112: Person_Rpt_V

    Column Name Datatype Comment CUST_ID number(38) Customer identifier DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.84 PERSON_RPT_V View references PERSION table that stores personal (asset) information. Column Name Datatype Comment...
  • Page 113: Product_Rpt_V

    Column Name Datatype Comment ROOM_NAME varchar2(100) Room name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.86 PRODUCT_RPT_V View references PRDT table that stores asset product information. Column Name Datatype Comment...
  • Page 114: Sensitivity_Rpt_V

    Column Name Datatype Comment RPT_NAME varchar2(100) Report name LABEL_1 - 35 varchar2(2000) Translated report labels 7.1.89 SENSITIVITY_RPT_V View references SENSITIVITY_LKUP table that stores asset sensitivity information. Column Name Datatype Comment SENSITIVITY_ID number(38) Asset sensitivity code SENSITIVITY_NAME varchar2(50) Asset sensitivity name DATE_CREATED date Date the entry was created...
  • Page 115: Sentinel_Rpt_V

    Column Name Datatype Comment SENTINEL_HOST_ID varchar2(36) Sentinel host identifier SENTINEL_ID varchar2(36) Sentinel identifier SENTINEL_HOST_NAME varchar2(255) Sentinel host name HOST_NAME varchar2(255) Host name IP_ADDR varchar2(255) Host IP address HOST_OS varchar2(255) Host operating system HOST_OS_VERSION varchar2(255) Host operating system version MODIFIED_BY number(38,0) User who last modified object CREATED_BY number(38,0)
  • Page 116: Unassigned_Incidents_Rpt_V

    Column Name Datatype Comment TERMINAL_FLAG varchar2(1) Indicates if state of incident is resolved. DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified MODIFIED_BY number User who last modified object CREATED_BY number User who created object 7.1.94 UNASSIGNED_INCIDENTS_RPT_V View references CASES and INCIDENTS tables to report on unassigned cases.
  • Page 117: Usr_Account_Rpt_V

    Column Name Datatype Comment STT_ID number State ID. Status is either active or inactive. DESCRIPTION varchar2(512) Comments DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object PERMISSIONS varchar2(4000) Permissions currently assigned to the Sentinel user...
  • Page 118: Usr_Identity_Rpt_V

    Column Name Datatype Comment IDENTITY_GUID varchar2(36) Identity identifier ATTRIBUTE_NAME varchar2(255) Attribute name ATTRIBUTE_VALUE varchar2(1024) Attribute value 7.1.98 USR_IDENTITY_RPT_V View contains user identity information from an identity management system. Column Name Datatype Comment IDENTITY_GUID varchar2(36) Identity identifier varchar2(255) Distinguished name CUST_ID number(38,0) Customer identifier SRC_IDENTITY_ID...
  • Page 119: Vuln_Calc_Severity_Rpt_V

    Column Name Datatype Comment VENDOR_ID number(38) Vendor identifier VENDOR_NAME varchar2(255) Vendor name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.100 VULN_CALC_SEVERITY_RPT_V View references VULN_RSRC and VULN to calculate the eSecurity vulnerability severity rating based on the currently known vulnerabilities.
  • Page 120: Vuln_Info_Rpt_V

    Column Name Datatype Comment MODIFIED_BY number User who last modified object 7.1.102 VULN_INFO_RPT_V View references VULN_INFO table that stores additional information reported during a scan. Column Name Datatype Comment VULN_INFO_ID varchar2(36) Vulnerability info identifier VULN_ID varchar2(36) Vulnerability identifier VULN_INFO_TYPE varchar2(36) Vulnerability info type VULN_INFO_VALUE varchar2(2000)
  • Page 121: Vuln_Rsrc_Rpt_V

    Column Name Datatype Comment DETECTED_OS_VERSION varchar2(64) Operating system version of scanned machine SCANNED_APP varchar2(64) SCANNED_APP_VERSION varchar2(64) VULN_USER_NAME varchar2(64) Username used by the scanner VULN_USER_DOMAIN varchar2(64) Domain of the user account used by the scanner VULN_TAXONOMY varchar2(1000) SCANNER_CLASSIFICATION varchar2(255) VULN_NAME varchar2(300) VULN_MODULE varchar2(64) DATE_CREATED date Date the entry was created DATE_MODIFIED date...
  • Page 122: Vuln_Rsrc_Scan_Rpt_V

    Column Name Datatype Comment MODIFIED_BY number User who last modified object 7.1.105 VULN_RSRC_SCAN_RPT_V View references VULN_RSRC_SCAN table that stores each resource scanned for a particular scan. Column Name Datatype Comment RSRC_ID varchar2(36) Resource identifier SCAN_ID varchar2(36) Vulnerability scan identifier DATE_CREATED date Date the entry was created DATE_MODIFIED...
  • Page 123: Vuln_Scanner_Rpt_V

    Column Name Datatype Comment VULN_ID varchar2(36) Vulnerability identifier DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.108 VULN_SCANNER_RPT_V View references VULN_SCANNER table that stores information about vulnerability scanners. Column Name Datatype Comment...
  • Page 124: Workflow_Info_Rpt_V

    7.1.110 WORKFLOW_INFO_RPT_V Column Name Datatype Comment INFO_ID number(38,0) Info identifier PROCESS_DEF_ID varchar2(100) Process definition identifier PROCESS_INSTANCE_ID varchar2(150) Process instance identifier DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object...
  • Page 125: Sentinel Database Views For Microsoft Sql Server

    (Crystal Reports). Sentinel defines an event schema that is used to hold the parsed data received from event sources. For more information on Sentinel Event schema, see Event schema (http://developer.novell.com/wiki/index.php/Event_schema). 8.1 Views Listed below are the views available with Sentinel. 8.1.1 ACTVY_PARM_RPT_V...
  • Page 126: Actvy_Rpt_V

    Column Name Datatype Comment ACTVY_PARM_ID uniqueidentifier Activity parameter identifier PARM_VAL varchar/nvarchar(1000) Activity parameter value DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY User who created object MODIFIED_BY User who last modified object 8.1.3 ACTVY_REF_RPT_V Column Name Datatype Comment...
  • Page 127: Adv_Nxs_Feed_V

    ID of the user who modified the feed file information in the Sentinel database. 8.1.6 ADV_NXS_PRODUCTS_V This view contains information about all the products that are supported by Novell® for Advisor, which include the Intrusion Detection System (IDS), Vulnerability Scanners, and Knowledge Base (OSVDB, CVE, and Bugtraq).
  • Page 128: Adv_Nxs_Signatures_V

    ID of the user who modified the product information in the Sentinel database. 8.1.7 ADV_NXS_SIGNATURES_V This view contains the information about the list of signatures for each product that is supported by Novell for Advisor. Column Name Datatype Comment PRODUCT_ID numeric The unique ID of the product.
  • Page 129: Adv_Nxs_Mappings_V

    Sentinel database. 8.1.8 ADV_NXS_MAPPINGS_V This view contains the mapping information for the products supported by Novell for Advisor. It provides information about the type of mapping between each product including the IDS product signatures, Vulnerability product signatures, and Knowledge Base product signatures.
  • Page 130: Adv_Osvdb_Details_V

    ID of the user who modified the mapping information in the Sentinel database. 8.1.9 ADV_OSVDB_DETAILS_V This view contains information about the known vulnerabilities from the OSVDB for the products supported by Novell for Advisor. It also stores the classifications to which the vulnerability applies. Column Name Datatype Comment OSVDB_ID The unique ID of the vulnerability in the OSVDB.
  • Page 131 Column Name Datatype Comment ATTACK_TYPE_MISS_CONFIG This value is 1 if the attack type is misconfiguration. For example, default files, debugging enabled, and directory indexing. ATTACK_TYPE_RACE This value is 1 if the attack type is race condition. For example, symlink. ATTACK_TYPE_OTHER This value is 1 if the attack type does not fall under any of the above attack types.
  • Page 132: Adv_Nxs_Kb_Patch_V

    Column Name Datatype Comment ATTACK_SCENARIO text Description of how a vulnerability can be exploited. SOLUTION_DESCRIPTION text Description of the solution that is used to fix the vulnerability. FULL_DESCRIPTION text The complete description of the vulnerability. LOCATION_PHYSICAL This value is 1 if the vulnerability can be exploited with only physical system access.
  • Page 133: Annotations_Rpt_V

    Column Name Datatype Comment REF_VALUE text The URL that has the patch information. DATE_CREATED datetime Time stamp indicating when the patch information was entered in the Sentinel database. DATE_MODIFIED datetime Time stamp indicating when the patch information was modified in the Sentinel database.
  • Page 134: Asset_Category_Rpt_V

    Column Name Datatype Comment ACTION varchar/nvarchar(255) Action DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified MODIFIED_BY User who last modified object CREATED_BY User who created object 8.1.13 ASSET_CATEGORY_RPT_V View references ASSET_CTGRY table that stores information about asset categories. Column Name Datatype Comment...
  • Page 135: Asset_Location_Rpt_V

    Column Name Datatype Comment ASSET_IP_ID uniqueidentifier Asset alternate IP identifier PHYSICAL_ASSET_ID uniqueidentifier Physical asset identifier IP_ADDRESS Asset IP address CUST_ID bigint Customer identifier DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY User who created object MODIFIED_BY User who last modified object 8.1.16 ASSET_LOCATION_RPT_V...
  • Page 136: Asset_Value_Rpt_V

    Column Name Datatype Comment ASSET_NAME varchar/nvarchar(255) Asset name PHYSICAL_ASSET_ID uniqueidentifier Physical asset identifier PRODUCT_ID bigint Product identifier ASSET_CATEGORY_ID bigint Asset category identifier ENVIRONMENT_IDENTITY_CD bigint Environment identify code PHYSICAL_ASSET_IND Physical asset indicator ASSET_VALUE_CODE bigint Asset value code CRITICALITY_ID bigint Asset criticality code SENSITIVITY_ID bigint Asset sensitivity code...
  • Page 137: Associations_Rpt_V

    Column Name Datatype Comment ENTITY_TYPE_CODE varchar/nvarchar(5) Entity type code PERSON_ROLE_SEQUENCE Order of persons under a particular role DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY User who created object MODIFIED_BY User who last modified object 8.1.20 ASSOCIATIONS_RPT_V View references ASSOCIATIONS table that associates users to incidents, incidents to annotations and so on.
  • Page 138: Audit_Record_Rpt_V

    Column Name Datatype Comment DATE_MODIFIED datetime Date the entry was modified CREATED_BY User who created object MODIFIED_BY User who last modified object 8.1.22 AUDIT_RECORD_RPT_V View references the AUDIT_RECORD table that stores Sentinel internal audit data. Column Name Datatype Comment AUDIT_ID uniqueidentifier Audit record identifier AUDIT_TYPE varchar/nvarchar(255)
  • Page 139: Contacts_Rpt_V

    Column Name Datatype Comment VALUE varchar/nvarchar(255) Text value if any DATA ntext XML data DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY User who created object MODIFIED_BY User who last modified object 8.1.24 CONTACTS_RPT_V View references CONTACTS table that stores contact information.
  • Page 140: Criticality_Rpt_V

    Column Name Datatype Comment PARENT_EVT_ID uniqueidentifier Event Universal Unique Identifier (UUID) of parent event CHILD_EVT_ID uniqueidentifier Event Universal Unique Identifier (UUID) of child event PARENT_EVT_TIME datetime Parent event time CHILD_EVT_TIME datetime Child event time DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified...
  • Page 141: Cust_Rpt_V

    Column Name Datatype Comment CUST_HIERARCHY_LVL2 varchar/nvarchar (255) Customer hierarchy level 2 CUST_HIERARCHY_LVL3 varchar/nvarchar (255) Customer hierarchy level 3 CUST_HIERARCHY_LVL4 varchar/nvarchar (255) Customer hierarchy level 4 DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY User who created object MODIFIED_BY User who last modified object...
  • Page 142: Esec_Content_Grp_Content_Rpt_V

    Column Name Datatype Comment ENVIRONMENT_IDENTITY_ID bigint Environment identity code ENV_IDENTITY_NAME varchar/nvarchar(255) Environment identity name DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY User who created object MODIFIED_BY User who last modified object 8.1.32 ESEC_CONTENT_GRP_CONTENT_RPT_V Column Name Datatype Comment...
  • Page 143: Esec_Content_Pack_Rpt_V

    8.1.34 ESEC_CONTENT_PACK_RPT_V Column Name Datatype Comment CONTENT_PACK_ID uniqueidentifier Content pack identifier CONTENT_PACK_DESC text Content pack description CONTENT_PACK_NAME varchar/nvarchar(255) Content pack name CONTENT_EXTERNAL_ID varchar/nvarchar(255) Content external identifier DATE_MODIFIED datetime Date the entry was modified DATE_CREATED datetime Date the entry was created CREATED_BY User who created object MODIFIED_BY...
  • Page 144: Esec_Ctrl_Rpt_V

    Column Name Datatype Comment CONTENT_EXTERNAL_ID varchar/nvarchar(255) Content external identifier DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY User who created object MODIFIED_BY User who last modified object 8.1.37 ESEC_CTRL_RPT_V Column Name Datatype Comment CTRL_ID uniqueidentifier Control identifier...
  • Page 145: Esec_Port_Reference_Rpt_V

    Column Name Datatype Comment ENABLED Indicates if the tag is shown. TYPE Indicates datatype of tag. 1 = string 2 = ulong 3 = date 4 = uuid 5 = ipv4 DESCRIPTION varchar/nvarchar(255) Textual description of the tag DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime...
  • Page 146: Esec_Protocol_Reference_Rpt_V

    Column Name Datatype Comment CREATED_BY User who created object MODIFIED_BY User who last modified object 8.1.40 ESEC_PROTOCOL_REFERENCE_RPT_V View references the ESEC_PROTOCOL_REFERENCE table, which stores industry-standard assigned protocol numbers. Column Name Datatype Comment PROTOCOL_NUMBER IANA-assigned protocol number (http://www.iana.org/assignments/protocol-numbers), the numerical identifier used to represent a protocol that is encapsulated in an IP packet.
  • Page 147: Esec_Uuid_Uuid_Assoc_Rpt_V

    8.1.42 ESEC_UUID_UUID_ASSOC_RPT_V Column Name Datatype Comment OBJECT1 varchar/nvarchar(64) Object 1 uniqueidentifier UUID for object 1 OBJECT2 varchar/nvarchar(64) Object 2 uniqueidentifier UUID for object 2 DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY User who created object MODIFIED_BY User who last modified object 8.1.43 EVENTS_ALL_RPT_V (legacy view)
  • Page 148 Column Name Datatype Comment RESOURCE_NAME varchar/nvarchar(255) Resource name SUB_RESOURCE varchar/nvarchar(255) Subresource name SEVERITY The normalized Sentinel event severity (0-5) EVENT_PARSE_TIME datetime The absolute time, according to Sentinel, that this event occurred EVENT_DATETIME datetime Event time EVENT_DEVICE_TIME datetime A timestamp representation of the time the event occurred, according to the event source SENTINEL_PROCESS_TIME...
  • Page 149 Column Name Datatype Comment DESTINATION_USER_NAME varchar/nvarchar(255) Destination user name FILE_NAME varchar/nvarchar(1000) The name of the data object (file, database table, directory object, etc) that was affected by this event. EXTENDED_INFO varchar/nvarchar(1000) A name-value pair field that holds extra information about the event, which does not fit into the existing event schema CUSTOM_TAG_1 varchar/nvarchar(255)
  • Page 150 Column Name Datatype Comment RV26 - 31 varchar/nvarchar(255) Reserved Value 26 - 31 Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality. RV33 varchar/nvarchar(255) Reserved Value 33 Reserved for EventContex Use of this field for any other purpose might result in data being overwritten by...
  • Page 151 Column Name Datatype Comment RV40 - 43 varchar/nvarchar(255) Reserved Value 40 - 43 The ID or code used by the vendor to reference that specific event type. Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality.
  • Page 152: Events_Rpt_V3

    Column Name Datatype Comment REFERENCE_ID 01 - 20 bigint Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality. CV01 - 10 Custom Value 1 - 10 Reserved for use by Customer, typically for association of Business relevant data CV11 - 20...
  • Page 153 Column Name Datatype Comment End_Time datetime The time the event completed, if the event represents a lengthy transaction Target_Service_Port The numeric network port accessed on the target Event_Time varchar/nvarchar(255) A string representation of the time the event occurred, according to the event source Init_Asset_id bigint...
  • Page 154 Column Name Datatype Comment Target_Trust_Sys_Id varchar/nvarchar(255) Target trust ID Target_Trust_Domain varchar/nvarchar(255) The domain (namespace) within which the target trust exists Observer_Ip The IP address of the observer (sensor) that detected the event Reporter_Ip The IP address of the reporter (the system that delivered the event to Sentinel) Observer_Host_Domain...
  • Page 155 Column Name Datatype Comment RV21-RV28 varchar/nvarchar(255) Init_IP_Country varchar/nvarchar(255) The country where the IPv4 address of the initiating system is located Target_IP_Country varchar/nvarchar(255) The country where the IPv4 address of the target system is located RV31 varchar/nvarchar(255) RV33 RV36 RV40 RV43 RV46 RV49 Init_Threat_Level...
  • Page 156: Evt_Agent_Rpt_V

    Column Name Datatype Comment Customer_Var_101- Customer_Var_110 Customer_Var_111- datetime Customer_Var_120 Customer_Var_121- uniqueidentifier Customer_Var_130 Customer_Var_131- Customer_Var_140 Customer_Var_141- varchar/nvarchar(255) Customer_Var_150 8.1.50 EVT_AGENT_RPT_V View references EVT_AGENT table that stores information about Collectors. Column Name Datatype Comment Agent_ID bigint Collector identifier CUST_ID bigint Customer identifier Agent varchar/nvarchar(64) Collector name...
  • Page 157: Evt_Asset_Rpt_V

    Column Name Datatype Comment CREATED_BY User who created object MODIFIED_BY User who last modified object 8.1.51 EVT_AGENT_RPT_V3 Column Name Datatype Comment Agent_ID bigint Collector identifier Cust_ID bigint Customer identifier Agent varchar/nvarchar(64) Collector Port varchar/nvarchar(64) Port Reporter_Host_Name varchar/nvarchar(255) The unqualified hostname of the reporter of the event (ReporterName) Sensor_Type varchar/nvarchar(5)
  • Page 158: Evt_Asset_Rpt_V3

    Column Name Datatype Comment Reference_Asset_ID varchar/nvarchar(100) Reference asset identifier, links to the source asset management system. Mac_Address varchar/nvarchar(100) MAC address Rack_Number varchar/nvarchar(50) Rack number Room_Name varchar/nvarchar(100) Room name Building_Name varchar/nvarchar(255) Building name City varchar/nvarchar(100) City State varchar/nvarchar(100) State Country varchar/nvarchar(100) Country Zip_Code...
  • Page 159: Evt_Dest_Smry_1_Rpt_V

    Asset_Department varchar/nvarchar(100) Asset department DATE_MODIFIED datetime Date the entry was modified CREATED_BY User who created object MODIFIED_BY User who last modified object 8.1.54 EVT_DEST_EVT_NAME_SMRY_1_RPT_V View summarizes event count by destination, taxonomy, event name, severity and event time. Column Name Datatype Comment Destination_IP Destination IP address...
  • Page 160: Evt_Dest_Txnmy_Smry_1_Rpt_V

    Column Name Datatype Comment Taxonomy_ID bigint Used to link to XDAS and legacy taxonomy tables Event_Name_ID bigint Event name identifier Resource_ID bigint Resource identifier Agent_ID bigint Collector identifier Protocol_ID bigint Protocol identifier Severity The normalized Sentinel event severity (0-5) CUST_ID bigint Customer identifier Event_Time...
  • Page 161: Evt_Name_Rpt_V

    Column Name Datatype Comment Event_Count Event count Date_Created datetime Date the entry was created Date_Modified datetime Date the entry was modified Created_By User who created object Modified_By User who last modified object Destination_Host_Name varchar/nvarchar(255) Destination host name 8.1.57 EVT_NAME_RPT_V View references EVT_NAME table that stores event name information. Column Name Datatype Comment...
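    The summary views above are the ones a report should hit for volume questions, because they are pre-aggregated by destination, event name, severity and time bucket and carry an Event_Count instead of one row per event. The following query is an added example and is not part of the Sentinel guide: it lists the destinations with the most high-severity events in the last 24 hours, enriched with the event name, the Collector that produced the events and the protocol. It uses the SQL Server column names documented for 8.1.54 (Destination_IP, Event_Name_ID, Agent_ID, Protocol_ID, Severity, Event_Time, Event_Count) and for 8.1.50 (Agent_ID, Agent), and assumes that EVT_NAME_RPT_V and EVT_PRTCL_RPT_V3 expose the same identifier and name columns on SQL Server as their Oracle counterparts (EVENT_NAME_ID/EVENT_NAME, PROTOCOL_ID/PROTOCOL); the 24-hour window and severity threshold are choices, not values from the guide.

```sql
-- Added example, not from the Sentinel 6.1 Reference Guide.
-- Top destinations by high-severity event volume over the last 24 hours,
-- built on the pre-aggregated summary view rather than the raw event views.
-- Assumptions: SQL Server (T-SQL); EVT_NAME_RPT_V has EVENT_NAME_ID/EVENT_NAME
-- and EVT_PRTCL_RPT_V3 has PROTOCOL_ID/PROTOCOL as in the Oracle views.
SELECT TOP (25)
       s.Destination_IP,
       n.EVENT_NAME,
       a.Agent            AS collector,      -- Collector name from EVT_AGENT_RPT_V
       p.PROTOCOL,
       s.Severity,                            -- normalized Sentinel severity, 0-5
       SUM(s.Event_Count) AS events_24h       -- sum the bucket counts, never COUNT(*)
FROM   EVT_DEST_EVT_NAME_SMRY_1_RPT_V AS s
       JOIN      EVT_NAME_RPT_V   AS n ON n.EVENT_NAME_ID = s.Event_Name_ID
       JOIN      EVT_AGENT_RPT_V  AS a ON a.Agent_ID      = s.Agent_ID
       LEFT JOIN EVT_PRTCL_RPT_V3 AS p ON p.PROTOCOL_ID   = s.Protocol_ID
WHERE  s.Severity   >= 4                          -- threshold is an assumption
  AND  s.Event_Time >= DATEADD(HOUR, -24, GETDATE())
GROUP  BY s.Destination_IP, n.EVENT_NAME, a.Agent, p.PROTOCOL, s.Severity
ORDER  BY events_24h DESC;
```

    The protocol join is a LEFT JOIN on purpose: a summary row whose Protocol_ID has no match in the protocol view should still appear in the report rather than silently disappear. Filter on Event_Time, not on DATE_CREATED, since the latter records when the summary row was written, not when the events occurred.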
  • Page 162: Evt_Prtcl_Rpt_V

    8.1.59 EVT_PORT_SMRY_1_RPT_V View summarizes event count by destination port, severity and event time. Column Name Datatype Comment Destination_Port varchar/nvarchar(32) Destination port Severity The normalized Sentinel event severity (0-5) Cust_ID bigint Customer identifier Event_Time datetime Event time Event_Count...
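    A port summary that is bucketed by time lends itself to baseline comparison: a port that suddenly receives high-severity events and was never seen before is either a newly exposed service or a first-time target. The query below is an added example, not code from the Sentinel guide. It uses only the columns documented for 8.1.59 (Destination_Port, Severity, Cust_ID, Event_Time, Event_Count); the 24-hour alert window, the 30-day baseline and the severity threshold are assumptions chosen for illustration.

```sql
-- Added example, not from the Sentinel 6.1 Reference Guide.
-- Destination ports with severity >= 4 events in the last 24 hours that had
-- no events at all during the preceding 30 days (per customer).
-- Assumptions: SQL Server (T-SQL); window lengths and threshold are illustrative.
WITH recent AS (
    SELECT Cust_ID,
           Destination_Port,
           SUM(Event_Count) AS events_24h,
           MAX(Severity)    AS max_sev
    FROM   EVT_PORT_SMRY_1_RPT_V
    WHERE  Event_Time >= DATEADD(HOUR, -24, GETDATE())
      AND  Severity   >= 4
    GROUP  BY Cust_ID, Destination_Port
),
baseline AS (
    -- every port seen at any severity in the 30 days before the alert window
    SELECT DISTINCT Cust_ID, Destination_Port
    FROM   EVT_PORT_SMRY_1_RPT_V
    WHERE  Event_Time >= DATEADD(DAY, -30, GETDATE())
      AND  Event_Time <  DATEADD(HOUR, -24, GETDATE())
)
SELECT r.Cust_ID,
       r.Destination_Port,
       r.max_sev,
       r.events_24h
FROM   recent AS r
WHERE  NOT EXISTS (SELECT 1
                   FROM   baseline AS b
                   WHERE  b.Cust_ID          = r.Cust_ID
                     AND  b.Destination_Port = r.Destination_Port)
ORDER  BY r.events_24h DESC;
```

    Destination_Port is a string column in this view, so the anti-join compares it as text; cast it to a number before joining it to ESEC_PORT_REFERENCE_RPT_V.PORT_NUMBER, and expect the cast to fail on rows where a Collector stored a non-numeric port value.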
  • Page 163: Evt_Sev_Smry_1_Rpt_V

    Column Name Datatype Comment DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY User who created object MODIFIED_BY User who last modified object 8.1.62 EVT_SEV_SMRY_1_RPT_V View summarizes event count by severity and event time. Column Name Datatype Comment...
  • Page 164: Evt_Src_Grp_Rpt_V

    8.1.64 EVT_SRC_GRP_RPT_V Column Name Datatype Comment EVT_SRC_GRP_ID uniqueidentifier Event source group identifier EVT_SRC_COLLECTOR_ID uniqueidentifier Event source collector identifier SENTINEL_PLUGIN_ID uniqueidentifier Sentinel plug-in identifier EVT_SRC_SRVR_ID uniqueidentifier Event source server identifier EVT_SRC_GRP_NAME varchar/nvarchar(255) Event source group name STATE_IND State indicator MAP_FILTER ntext Map filter EVT_SRC_DEFAULT_CONFIG ntext...
  • Page 165: Evt_Src_Rpt_V

    Column Name Datatype Comment OFFSET_VAL ntext Offset value OFFSET_TIMESTAMP datetime Offset timestamp CREATED_BY User who created object MODIFIED_BY User who last modified object DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified 8.1.67 EVT_SRC_RPT_V Column Name Datatype Comment EVT_SRC_ID...
  • Page 166: Evt_Txnmy_Rpt_V

    Column Name Datatype Comment Agent_ID bigint Collector identifier Protocol_ID bigint Protocol identifier Severity The normalized Sentinel event severity (0-5) CUST_ID bigint Customer identifier Event_Time datetime Event time XDAS_Taxonomy_id bigint XDAS taxonomy id...
  • Page 167: Evt_Usr_Rpt_V

    Column Name Datatype Comment Taxonomy_ID bigint Used to link to XDAS and legacy taxonomy tables Taxonomy_Level_1 varchar/nvarchar(100) Deprecated Taxonomy_Level_2 varchar/nvarchar(100) Deprecated Taxonomy_Level_3 varchar/nvarchar(100) Deprecated Taxonomy_Level_4 varchar/nvarchar(100) Deprecated Device_Category varchar/nvarchar(255) DATE_CREATED...
  • Page 168: External_Data_Rpt_V

    Column Name | Datatype | Comment
    Xdas_Provider |  | The XDAS Provider ID; refer to XDAS specifications
    Xdas_Class |  | The XDAS Event Class ID; refer to XDAS specifications
    Xdas_Identifier |  | The XDAS Event Identifier; refer to XDAS specifications
    Xdas_Outcome |  | The XDAS major outcome; success, failure, or denial
    Xdas_Detail |  | The XDAS outcome detail; ...
  • Page 169: Hist_Events

    Column Name | Datatype | Comment
    CHILD_EVT_ID | uniqueidentifier | Event Universal Unique Identifier (UUID) of child event
    PARENT_EVT_TIME | datetime | Parent event created time
    CHILD_EVT_TIME | datetime | Child event created time
    DATE_CREATED | datetime | Date the entry was created
    DATE_MODIFIED | datetime | Date the entry was modified
    CREATED_BY |  | User who created object
    MODIFIED_BY | ...
  • Page 170

    Column Name | Datatype | Comment
    END_TIME | datetime | The time the event completed, if the event represents a lengthy transaction
    REPEAT_CNT |  | The number of times the identical event occurred
    Further columns on this page (column names not captured in extraction): DP_INT SP_INT varchar/nvarchar(255) Resolution SRES varchar/nvarchar(255) Severity varchar/nvarchar(255) Events varchar/nvarchar(255) varchar/nvarchar(255) varchar/nvarchar(32) varchar/nvarchar(255) varchar/nvarchar(32) varchar/nvarchar(255) varchar/nvarchar(255)
  • Page 171

    Column Name | Datatype | Comment
    TRGT_USR_SYS_ID | varchar/nvarchar(255) |
    TRGT_USR_IDENTITY_GUID | uniqueidentifier |
    EFFECTIVE_USR_NAME | varchar/nvarchar(255) |
    EFFECTIVE_USR_SYS_ID | varchar/nvarchar(255) |
    EFFECTIVE_USR_DOMAIN | varchar/nvarchar(255) |
    TRGT_TRUST_NAME | varchar/nvarchar(255) |
    TRGT_TRUST_SYS_ID | varchar/nvarchar(255) |
    TRGT_TRUST_DOMAIN | varchar/nvarchar(255) |
    OBSRVR_IP |  |
    RPTR_IP |  |
    OBSRVR_HOST_DOMAIN | varchar/nvarchar(255) |
    RPTR_HOST_DOMAIN | varchar/nvarchar(255) |
    OBSRVR_ASSET_ID | varchar/nvarchar(255) |
    RPTR_ASSET_ID | varchar/nvarchar(255) |
    INIT_SRVC_COMP | varchar/nvarchar(255) |
    TARGET_SRVC_COMP | varchar/nvarchar(255) |
    EVT_GRP_ID | varchar/nvarchar(255) |
    DATE_CREATED | datetime | Date the entry was created
    DATE_MODIFIED | datetime | Date the entry was modified ...
  • Page 172: Hist_Events_Rpt_V (Legacy View)

    Column Name | Datatype | Comment
    CV11-CV20 | datetime |
    CV21-CV29 | varchar/nvarchar(255) |
    CV30-CV34 | varchar/nvarchar(4000) |
    CV35-CV100 |  |
    CV101-CV110 |  |
    CV111-CV120 | datetime |
    CV121-CV130 | uniqueidentifier |
    CV131-CV140 |  |
    CV141-CV147 | varchar/nvarchar(255) |

    8.1.77 HIST_EVENTS_RPT_V (legacy view)
    This view is provided for backward compatibility. New reports should use EVENTS_RPT_V2.

    8.1.78 IMAGES_RPT_V
    View references IMAGES table that stores system overview image information.
    Column Name | Datatype | Comment ...
  • Page 173: Incidents_Rpt_V

    Column Name | Datatype | Comment
    CREATED_BY |  | User who created object
    MODIFIED_BY |  | User who last modified object

    8.1.80 INCIDENTS_EVENTS_RPT_V
    View references INCIDENTS_EVENTS table that stores information about the events that make up incidents created in the Sentinel Console.
    Column Name | Datatype | Comment
    INC_ID |  | Incident identifier – ...
  • Page 174: L_Stat_Rpt_V

    Column Name | Datatype | Comment
    VULNERABILITY_RATING | varchar/nvarchar(32) | Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality.
    CRITICALITY_RATING | varchar/nvarchar(32) | Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality.
  • Page 175: Logs_Rpt_V

    8.1.84 LOGS_RPT_V
    View references LOGS_RPT table that stores logging information.
    Column Name | Datatype | Comment
    LOG_ID |  | Sequence number
    TIME | datetime | Date of Log
    MODULE | varchar/nvarchar(64) | Module log is for
    TEXT | varchar/nvarchar(4000) | Log ntext

    8.1.85 MSSP_ASSOCIATIONS_V
    View references MSSP_ASSOCIATIONS table that associates an integer key in one table to a uuid in another table.
  • Page 176: Organization_Rpt_V

    8.1.87 ORGANIZATION_RPT_V
    View references ORGANIZATION table that stores organization (asset) information.
    Column Name | Datatype | Comment
    ORGANIZATION_ID | uniqueidentifier | Organization identifier
    ORGANIZATION_NAME | varchar/nvarchar(100) | Organization name
    CUST_ID | bigint | Customer identifier
    DATE_CREATED | datetime | Date the entry was created
    DATE_MODIFIED | datetime | Date the entry was modified
    CREATED_BY |  | User who created object
    MODIFIED_BY | ...
  • Page 177: Role_Rpt_V

    Column Name | Datatype | Comment
    IP_ADDRESS |  | IP address
    NETWORK_IDENTITY_ID | bigint | Network identity code
    MAC_ADDRESS | varchar/nvarchar(100) | MAC address
    RACK_NUMBER | varchar/nvarchar(50) | Rack number
    ROOM_NAME | varchar/nvarchar(100) | Room name
    DATE_CREATED | datetime | Date the entry was created
    DATE_MODIFIED | datetime | Date the entry was modified
    CREATED_BY |  | User who created object
    MODIFIED_BY |  | User who last modified object

    8.1.90 PRODUCT_RPT_V ...
  • Page 178: Rpt_Labels_Rpt_V

    8.1.92 RPT_LABELS_RPT_V
    This view contains localized report labels for reports in non-English languages.
    Column Name | Datatype | Comment
    RPT_NAME | varchar/nvarchar(100) | Report name
    LABEL_1 – LABEL_35 | varchar/nvarchar(2000) | Translated report labels

    8.1.93 SENSITIVITY_RPT_V
    View references SENSITIVITY_LKUP table that stores asset sensitivity information.
    Column Name | Datatype | Comment
    SENSITIVITY_ID | ...
  • Page 179: Sentinel_Plugin_Rpt_V

    8.1.95 SENTINEL_PLUGIN_RPT_V
    Column Name | Datatype | Comment
    SENTINEL_PLUGIN_ID | uniqueidentifier | Sentinel plugin identifier
    SENTINEL_PLUGIN_NAME | varchar/nvarchar(255) | Sentinel plugin name
    SENTINEL_PLUGIN_TYPE | varchar/nvarchar(255) | Sentinel plugin type
    FILE_NAME | varchar/nvarchar(512) | The name of the data object (file, database table, directory object, etc) that was affected by this event.
    CONTENT_PKG | ntext | Content package ...
  • Page 180: Users_Rpt_V

    Column Name | Datatype | Comment
    CONTEXT | varchar/nvarchar(64) | Context of the state, that is: case, incident, user.
    NAME | varchar/nvarchar(64) | Name of the state.
    TERMINAL_FLAG | varchar/nvarchar(1) | Indicates if the state of the incident is resolved.
    DATE_CREATED | datetime | Date the entry was created
    DATE_MODIFIED | datetime | Date the entry was modified
    MODIFIED_BY |  | User who last modified object
    CREATED_BY | ...
  • Page 181: Usr_Account_Rpt_V

    Column Name | Datatype | Comment
    USR_ID |  | User identifier – Sequence number
    NAME | varchar/nvarchar(64) | Short, unique user name used as a login
    CNT_ID |  | Contact ID – Sequence number
    STT_ID |  | State ID. Status is either active or inactive.
    DESCRIPTION | varchar/nvarchar(512) | Comments
    PERMISSIONS | varchar/nvarchar(4000) | Permissions currently assigned to the Sentinel user
    FILTER | ...
  • Page 182: Usr_Identity_Ext_Attr_Rpt_V

    8.1.101 USR_IDENTITY_EXT_ATTR_RPT_V
    Column Name | Datatype | Comment
    IDENTITY_GUID | uniqueidentifier | Identity identifier
    ATTRIBUTE_NAME | varchar/nvarchar(255) | Attribute name
    ATTRIBUTE_VALUE | varchar/nvarchar(1024) | Attribute value

    8.1.102 USR_IDENTITY_RPT_V
    Column Name | Datatype | Comment
    IDENTITY_GUID | uniqueidentifier | Identity identifier
     | varchar/nvarchar(255) | Distinguished name
    CUST_ID | bigint | Customer identifier
    SRC_IDENTITY_ID | varchar/nvarchar(100) | Source identity identifier
    WFID | varchar/nvarchar(100) | Workforce identifier ...
  • Page 183: Vuln_Code_Rpt_V

    Column Name | Datatype | Comment
    VENDOR_ID | bigint | Vendor identifier
    VENDOR_NAME | varchar/nvarchar(255) | Vendor name
    DATE_CREATED | datetime | Date the entry was created
    DATE_MODIFIED | datetime | Date the entry was modified
    CREATED_BY |  | User who created object
    MODIFIED_BY |  | User who last modified object

    8.1.104 VULN_CALC_SEVERITY_RPT_V
    View references VULN_RSRC and VULN to calculate the eSecurity vulnerability severity rating based on current vulnerabilities.
  • Page 184: Vuln_Rpt_V

    Column Name | Datatype | Comment
    MODIFIED_BY |  | User who last modified object

    8.1.106 VULN_INFO_RPT_V
    View references VULN_INFO table that stores additional information reported during a scan.
    Column Name | Datatype | Comment
    VULN_INFO_ID | uniqueidentifier |
    VULN_ID | uniqueidentifier | Vulnerability identifier
    VULN_INFO_TYPE | varchar/nvarchar(36) |
    VULN_INFO_VALUE | varchar/nvarchar(2000) |
    DATE_CREATED | datetime | Date the entry was created
    DATE_MODIFIED | datetime | ...
  • Page 185: Vuln_Rsrc_Rpt_V

    Column Name | Datatype | Comment
    DETECTED_OS_VERSION | varchar/nvarchar(64) |
    SCANNED_APP | varchar/nvarchar(64) |
    SCANNED_APP_VERSION | varchar/nvarchar(64) |
    VULN_USER_NAME | varchar/nvarchar(64) |
    VULN_USER_DOMAIN | varchar/nvarchar(64) |
    VULN_TAXONOMY | varchar/nvarchar(1000) |
    SCANNER_CLASSIFICATION | varchar/nvarchar(255) |
    VULN_NAME | varchar/nvarchar(300) |
    VULN_MODULE | varchar/nvarchar(64) |
    DATE_CREATED | datetime | Date the entry was created
    DATE_MODIFIED | datetime | Date the entry was modified
    CREATED_BY |  | User who created object
    MODIFIED_BY |  | User who last modified object

    8.1.108 VULN_RSRC_RPT_V ...
  • Page 186: Vuln_Scan_Rpt_V

    8.1.109 VULN_RSRC_SCAN_RPT_V
    View references VULN_RSRC_SCAN table that stores each resource scanned for a particular scan.
    Column Name | Datatype | Comment
    RSRC_ID | uniqueidentifier |
    SCAN_ID | uniqueidentifier |
    DATE_CREATED | datetime | Date the entry was created
    DATE_MODIFIED | datetime | Date the entry was modified
    CREATED_BY |  | User who created object
    MODIFIED_BY |  | User who last modified object

    8.1.110 VULN_SCAN_RPT_V ...
  • Page 187: Workflow_Def_Rpt_V

    Column Name | Datatype | Comment
    MODIFIED_BY |  | User who last modified object

    8.1.112 VULN_SCANNER_RPT_V
    View references VULN_SCANNER table that stores information about vulnerability scanners.
    Column Name | Datatype | Comment
    SCANNER_ID | uniqueidentifier |
    PRODUCT_NAME | varchar/nvarchar(100) | The basic name of the product that the Collector processing this event is designed to handle
    PRODUCT_VERSION | varchar/nvarchar(64) |
  • Page 188: Deprecated Views

    Column Name | Datatype | Comment
    PROCESS_INSTANCE_ID | varchar/nvarchar(150) | Process instance identifier
    DATE_CREATED | datetime | Date the entry was created
    DATE_MODIFIED | datetime | Date the entry was modified
    CREATED_BY |  | User who created object
    MODIFIED_BY |  | User who last modified object

    8.2 Deprecated Views
    The following legacy views are no longer created in the Sentinel 6 database:
    ADV_ALERT_CVE_RPT_V ...
  • Page 189

    Checklist
    Table A-1 Checklist
    Item | Information | Example
    Novell Version: |  | V6.0
    Novell Platform and OS Version: |  | SuSE Linux Enterprise Server 10
    Database Platform and OS Version: |  | Oracle 10.2.0.3 with critical patch #5881721
    Sentinel Server Hardware |  | 4 CPU @ 3 GHz ...
  • Page 190

    - Make sure the Sonic broker is running. Connectivity can be verified using the Sonic management console.
    - Check that the various connections from the Novell processes are active.
    - Make sure that a lock file is not preventing Sonic from starting.
    - Optionally, telnet to that server on the Sonic port (for example, telnet sentinel.company.com 10012).
  • Page 191

    - Does the database allow a sqlplus login using the Novell dba account into the ESEC schema?
    - Does querying one of the tables succeed?
    - Does a select statement on a database table succeed?
    - Check the JDBC drivers, their locations and class path settings.
  • Page 193: B.1 Sentinel Services

    Sentinel Service Logon Account
    The purpose of this document is to describe in detail how to set up the Sentinel service logon account as NT AUTHORITY\NetworkService instead of a domain user account. This has been tested on the Windows 2003 platform only.
    B.1 Sentinel Services
    The Sentinel services must be running in order to use the Sentinel application.
  • Page 194: B.2.1 Disadvantages Of Running A Service In The Context Of A User Logon

    3 If a service account is renamed, locked out, disabled, or deleted, the service cannot start on that computer until the account is reset.
    Because of the above disadvantages, Novell has tested running the Sentinel service under the NT AUTHORITY\NetworkService account. The NT AUTHORITY\LocalService account does not have enough privilege for this purpose, because the DAS processes need to communicate with the database server over the network: LocalService presents anonymous credentials to remote hosts, whereas NetworkService authenticates to them as the computer account (<domain>\<machine name>$), which is why it is that computer account that gets added as a database login below.
  • Page 195: B.3 To Setup Nt Authority\Networkservice As The Logon Account For Sentinel Service

    B.3 To Setup NT AUTHORITY\NetworkService as the Logon Account for Sentinel Service
    To set up NT AUTHORITY\NetworkService as the logon account for the Sentinel service, you need to perform the following:
    - Add the machine that runs the Sentinel service as a login account to ESEC and ESEC_WF ...
  • Page 196

    4 In the Login-New window, provide the Login name. Alternatively, you can click the Search button next to the Login name field. The following screen displays:
  • Page 197

    5 In the Enter the object name to select field, provide the domain name and machine name in the form <domain name>\<name of machine>$ (secnet\case1$ is provided as an example). This is the computer account of the machine you are adding as a login to the database server. Click OK.
    6 Click Server Roles in the Select a page navigation pane.
  • Page 198: B.3.2 Changing Logon Account

    Click OK.
    B.3.2 Changing logon account
    To change the logon for the Sentinel service to NT AUTHORITY\NetworkService:
    1 On the remote machine that connects to the database, click Start > Programs > Administrative Tools > Services.
    2 Stop the Sentinel service, then right-click > Properties > Log On tab.
    3 Click This account and provide NT AUTHORITY\NetworkService in the field.
  • Page 199: B.3.3 Setting The Sentinel Service To Start Successfully

    4 Click OK. The Services window for the Sentinel service should indicate Network Service under the Log On As column.
    B.3.3 Setting the Sentinel Service to Start Successfully
    In order for the Sentinel service to start successfully, the NT AUTHORITY\NetworkService account must have write permission to %ESEC_HOME%.
  • Page 200

    You must grant write access to %ESEC_HOME% to the Users group. Be aware that this also lets every other local user modify the Sentinel installation (binaries, configuration and logs); where that is a concern, grant the write permission to the NETWORK SERVICE principal itself instead of to Users, since that account is the only one B.3.3 requires it for.
    To set the Sentinel Service to start successfully:
    1 Open Windows Explorer and navigate to %ESEC_HOME%.
    2 Right-click the Sentinel parent folder (typically named sentinel6) > Properties > Security tab.
    3 Highlight the Users group.
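    The database side of B.3.1 (adding the computer account as a login and mapping it into ESEC and ESEC_WF) can be scripted instead of clicked through in Management Studio. The following T-SQL is an added example, not from the Sentinel guide. Its assumptions, none of which the page states, are: SQL Server 2005 or later; the Sentinel host is the page's own example machine secnet\case1, so its computer account is SECNET\CASE1$; and the computer account receives the database roles that Table D-1 lists for esecapp in ESEC (ESEC_APP, ESEC_ETL, db_owner) and db_owner in ESEC_WF, for which the page lists no role. Adjust the login name and role lists before running it.

```sql
-- Added example (not Novell's script): B.3.1 as T-SQL.
-- Assumed: SQL Server 2005+, Sentinel host SECNET\CASE1, roles copied from Table D-1.
USE master;
GO
-- 1. Server-level login for the computer account (Windows authentication).
--    No server role is assigned here: the page shows the Server Roles page but
--    names no role, and Table D-9 reserves sysadmin/securityadmin for esecdba/esecapp.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'SECNET\CASE1$')
    CREATE LOGIN [SECNET\CASE1$] FROM WINDOWS WITH DEFAULT_DATABASE = [ESEC];
GO

-- 2. Map the login into ESEC and grant the roles esecapp holds (Table D-1; assumed
--    to be what the service needs when it connects as the computer account).
USE ESEC;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'SECNET\CASE1$')
    CREATE USER [SECNET\CASE1$] FOR LOGIN [SECNET\CASE1$];
EXEC sp_addrolemember N'ESEC_APP', N'SECNET\CASE1$';
EXEC sp_addrolemember N'ESEC_ETL', N'SECNET\CASE1$';
EXEC sp_addrolemember N'db_owner', N'SECNET\CASE1$';
GO

-- 3. Same for the workflow database (db_owner is an assumption; the page lists
--    no ESEC_WF roles).
USE ESEC_WF;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'SECNET\CASE1$')
    CREATE USER [SECNET\CASE1$] FOR LOGIN [SECNET\CASE1$];
EXEC sp_addrolemember N'db_owner', N'SECNET\CASE1$';
GO

-- 4. Verify before switching the service to Network Service (B.3.2): one row per
--    database role the computer account now belongs to. Run once per database.
USE ESEC;
GO
SELECT DB_NAME() AS db, r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'SECNET\CASE1$'
ORDER BY r.name;
GO
```

    If step 4 returns no rows in either database, the service will start but DAS will fail to log in to the database; fix the mapping before changing the logon account in B.3.2.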
  • Page 201: C.1 Advisor

    Sentinel Service Permission Tables
    The purpose of this document is to describe in detail the various Sentinel services and the permissions they require for their functioning.
    C.1 Advisor
    Table C-1 Advisor
    Sentinel Service | Sentinel Component | Process | Function summary | Permissions required | Permission Explanation ...
  • Page 202: C.2 Collector Manager

    C.2 Collector Manager
    Table C-2 Collector Manager
    Sentinel Service | Sentinel Component | Process | Function summary | Permissions required | Permission Explanation
    Collector Manager | Sentinel | java; agentengine (child process) | Manages Connectors and Collectors. It spawns off an ... | Network access (both outgoing access and local access to ... | communicates with iSCALE for configuration, ...
  • Page 203: C.3 Correlation Engine

    C.3 Correlation Engine
    Table C-3 Correlation Engine
    Sentinel Service | Sentinel Component | Process | Function summary | Permissions required | Permission Explanation
    Correlation Engine | Sentinel | java | Receives events from the Collector Manager and publishes ... | Network access; File read access to: ... | communicates over the network with iSCALE for ...
  • Page 204: C.4 Data Access Server (Das)

    C.4 Data Access Server (DAS)
    Table C-4 Data Access Server (DAS)
    Sentinel Service | Sentinel Component | Process | Function summary | Permissions required | Permission Explanation
     | Sentinel | java (das_binary) | Responsible for event insertion. | Network access; Database read and insert | It connects to the database to ...
     |  | java | Provides Access ...
  • Page 205: C.5 Sentinel Communication Server

    C.5 Sentinel Communication Server
    Table C-5 Sentinel Communication Server
    Sentinel Service | Sentinel Component | Process | Function summary | Permissions required | Permission Explanation
    Communication Server (iSCALE / MOM) | Sentinel | java (Sonic) | iSCALE: A Message Oriented Middleware ... | Network access (binds to port ... | It binds to local ports to accept ...
  • Page 206: C.6 Sentinel Service

    C.6 Sentinel Service
    Table C-6 Sentinel Service
    Sentinel Service | Sentinel Component | Process | Function summary | Permissions required | Permission Explanation
    Sentinel Service | Sentinel | wrapper | Registers as a service with the operating system and, when executed, ... | Network access; File read access to: ... | communicates over the network with iSCALE for ...
  • Page 207: D.1 Sentinel Database Instance

    Sentinel Database Users, Roles, and Access Permissions
    The purpose of this document is to provide a detailed breakdown of Sentinel database users, roles and their access permissions.
    D.1 Sentinel Database Instance
    The Sentinel database instances are listed below.
    D.1.1 ESEC
    This instance has:
    Users: ...
  • Page 208: D.2.1 Summary

    D.2.1 Summary
    Table D-1 Sentinel Database Users-Summary
    User Name | Group Name | Login Name | Default DB Name
    Esecadm | ESEC_USER | esecadm | ESEC
    Esecapp | ESEC_APP | esecapp | ESEC
    Esecapp | ESEC_ETL | esecapp | ESEC
    Esecapp | db_owner | esecapp | ESEC
    Esecdba | db_owner | esecdba | ESEC
    Esecrpt | ESEC_USER | esecrpt | ESEC

    D.2.2 esecadm
    Table D-2 Sentinel Database Users-esecadm ...
  • Page 209: D.2.4 Esecdba

    D.2.4 esecdba
    Table D-4 Sentinel Database Users-esecdba
    Login Name | DB Name | User Name | User of Alias
    Esecdba | ESEC | db_owner | MemberOf
    Esecdba | ESEC | esecdba | User

    D.2.5 esecrpt
    Table D-5 Sentinel Database Users-esecrpt
    Login Name | DB Name | User Name | User of Alias
    Esecrpt | ESEC | ESEC_USER ...
  • Page 210

    Role Name | Object Name | Action | Type
    ESEC_APP | ActivityData | 193 SELECT | U User table
    ESEC_APP | ActivityData | 195 INSERT | U User table
    ESEC_APP | ActivityData | 196 DELETE | U User table
    ESEC_APP | ActivityData | 197 UPDATE | U User table
    ESEC_APP | ActivityDataBLOBs | 193 SELECT | U User table
    ESEC_APP | ActivityDataBLOBs | 195 INSERT ...
  • Page 211

    Role Name | Object Name | Action | Type
    ESEC_APP | Counters | 193 SELECT | U User table
    ESEC_APP | Counters | 195 INSERT | U User table
    ESEC_APP | Counters | 196 DELETE | U User table
    ESEC_APP | Counters | 197 UPDATE | U User table
    ESEC_APP | CreateProcessEventAudits | 193 SELECT | U User table
    ESEC_APP | CreateProcessEventAudits | 195 INSERT ...
  • Page 212

    Role Name | Object Name | Action | Type
    ESEC_APP | GroupUserPackLevelParticipant | 193 SELECT | U User table
    ESEC_APP | GroupUserPackLevelParticipant | 195 INSERT | U User table
    ESEC_APP | GroupUserPackLevelParticipant | 196 DELETE | U User table
    ESEC_APP | GroupUserPackLevelParticipant | 197 UPDATE | U User table
    ESEC_APP | GroupUserProcLevelParticipant | 193 SELECT | U User table
    ESEC_APP | GroupUserProcLevelParticipant | 195 INSERT ...
  • Page 213

    Role Name | Object Name | Action | Type
    ESEC_APP | ObjectId | 193 SELECT | U User table
    ESEC_APP | ObjectId | 195 INSERT | U User table
    ESEC_APP | ObjectId | 196 DELETE | U User table
    ESEC_APP | ObjectId | 197 UPDATE | U User table
    ESEC_APP | OldEventAuditData | 193 SELECT | U User table
    ESEC_APP | OldEventAuditData | 195 INSERT ...
  • Page 214

    Role Name | Object Name | Action | Type
    ESEC_APP | PackLevelXPDLAppTAAppUser | 193 SELECT | U User table
    ESEC_APP | PackLevelXPDLAppTAAppUser | 195 INSERT | U User table
    ESEC_APP | PackLevelXPDLAppTAAppUser | 196 DELETE | U User table
    ESEC_APP | PackLevelXPDLAppTAAppUser | 197 UPDATE | U User table
    ESEC_APP | PackLevelXPDLAppToolAgentApp | 193 SELECT | U User table
    ESEC_APP | PackLevelXPDLAppToolAgentApp | 195 INSERT ...
  • Page 215

    Role Name | Object Name | Action | Type
    ESEC_APP | ProcessStateEventAudits | 193 SELECT | U User table
    ESEC_APP | ProcessStateEventAudits | 195 INSERT | U User table
    ESEC_APP | ProcessStateEventAudits | 196 DELETE | U User table
    ESEC_APP | ProcessStateEventAudits | 197 UPDATE | U User table
    ESEC_APP | ProcessStates | 193 SELECT | U User table
    ESEC_APP | ProcessStates | 195 INSERT ...
  • Page 216

    Role Name | Object Name | Action | Type
    ESEC_APP | ResourcesTable | 193 SELECT | U User table
    ESEC_APP | ResourcesTable | 195 INSERT | U User table
    ESEC_APP | ResourcesTable | 196 DELETE | U User table
    ESEC_APP | ResourcesTable | 197 UPDATE | U User table
    ESEC_APP | StateEventAudits | 193 SELECT | U User table
    ESEC_APP | StateEventAudits | 195 INSERT ...
  • Page 217

    Role Name | Object Name | Action | Type
    ESEC_APP | UserPackLevelParticipant | 193 SELECT | U User table
    ESEC_APP | UserPackLevelParticipant | 195 INSERT | U User table
    ESEC_APP | UserPackLevelParticipant | 196 DELETE | U User table
    ESEC_APP | UserPackLevelParticipant | 197 UPDATE | U User table
    ESEC_APP | UserProcLevelParticipant | 193 SELECT | U User table
    ESEC_APP | UserProcLevelParticipant | 195 INSERT ...
  • Page 218: D.3.3 Esec_Etl

    Role Name | Object Name | Action | Type
    ESEC_APP | XPDLParticipantPackage | 193 SELECT | U User table
    ESEC_APP | XPDLParticipantPackage | 195 INSERT | U User table
    ESEC_APP | XPDLParticipantPackage | 196 DELETE | U User table
    ESEC_APP | XPDLParticipantPackage | 197 UPDATE | U User table
    ESEC_APP | XPDLParticipantProcess | 193 SELECT | U User table
    ESEC_APP | XPDLParticipantProcess | 195 INSERT ...
  • Page 219

    Role Name | Object Name | Action | Type
    ESEC_ETL | ADV_ATTACK_PLUGIN | 193 SELECT | U User table
    ESEC_ETL | ADV_CREDIBILITY | 193 SELECT | U User table
    ESEC_ETL | ADV_FEED | 193 SELECT | U User table
    ESEC_ETL | ADV_PRODUCT | 193 SELECT | U User table
    ESEC_ETL | ADV_PRODUCT_SERVICE_PACK | 193 SELECT | U User table
    ESEC_ETL | ADV_PRODUCT_VERSION | 193 SELECT ...
  • Page 220

    Role Name | Object Name | Action | Type
    ESEC_ETL | CORRELATED_EVENTS_P_MAX | 193 SELECT | U User table
    ESEC_ETL | CORRELATED_EVENTS_P_MIN | 193 SELECT | U User table
    ESEC_ETL | CRIT_LKUP | 193 SELECT | U User table
    ESEC_ETL | CUST | 193 SELECT | U User table
    ESEC_ETL | CUST_HIERARCHY | 193 SELECT | U User table
    ESEC_ETL | ENTITY_TYP_LKUP | 193 SELECT ...
  • Page 221

    Role Name | Object Name | Action | Type
    ESEC_ETL | EVT_DEST_EVT_NAME_SMRY_1_P_MIN | 193 SELECT | U User table
    ESEC_ETL | EVT_DEST_SMRY_1_P_MAX | 193 SELECT | U User table
    ESEC_ETL | EVT_DEST_SMRY_1_P_MAX | 195 INSERT | U User table
    ESEC_ETL | EVT_DEST_SMRY_1_P_MAX | 196 DELETE | U User table
    ESEC_ETL | EVT_DEST_SMRY_1_P_MAX | 197 UPDATE | U User table
    ESEC_ETL | EVT_DEST_SMRY_1_P_MIN | 193 SELECT ...
  • Page 222

    Role Name | Object Name | Action | Type
    ESEC_ETL | EVT_SRC_SMRY_1_P_MAX | 193 SELECT | U User table
    ESEC_ETL | EVT_SRC_SMRY_1_P_MAX | 195 INSERT | U User table
    ESEC_ETL | EVT_SRC_SMRY_1_P_MAX | 196 DELETE | U User table
    ESEC_ETL | EVT_SRC_SMRY_1_P_MAX | 197 UPDATE | U User table
    ESEC_ETL | EVT_SRC_SMRY_1_P_MIN | 193 SELECT | U User table
    ESEC_ETL | EVT_SRC_SRVR | 193 SELECT ...
  • Page 223

    Role Name | Object Name | Action | Type
    ESEC_ETL | NETWORK_IDENTITY_LKUP | 193 SELECT | U User table
    ESEC_ETL | NLS_CONFIG | 193 SELECT | U User table
    ESEC_ETL | NLS_MSG_TRANSLATION | 193 SELECT | U User table
    ESEC_ETL | NORM_ATTACK_CD_MAP | 193 SELECT | U User table
    ESEC_ETL | OBJ_STORE | 193 SELECT | U User table
    ESEC_ETL | OFFLINE_QRY_STS | 193 SELECT ...
  • Page 224: D.3.4 Esec_User

    D.3.4 ESEC_USER
    Table D-8 Sentinel Database Roles-ESEC_USER
    Role Name | Object Name | Action | Type
    ESEC_USER | ADV_ALERT_CVE_RPT_V | 193 SELECT | V View
    ESEC_USER | ADV_ALERT_PRODUCT_RPT_V | 193 SELECT | V View
    ESEC_USER | ADV_ALERT_RPT_V | 193 SELECT | V View
    ESEC_USER | ADV_ATTACK_ALERT_RPT_V | 193 SELECT | V View
    ESEC_USER | ADV_ATTACK_CVE_RPT_V | 193 SELECT | V View
    ESEC_USER | ADV_ATTACK_PLUGIN_RPT_V ...
  • Page 225

    Role Name | Object Name | Action | Type
    ESEC_USER | CORRELATED_EVENTS | 193 SELECT | V View
    ESEC_USER | CORRELATED_EVENTS_RPT_V | 193 SELECT | V View
    ESEC_USER | CORRELATED_EVENTS_RPT_V1 | 193 SELECT | V View
    ESEC_USER | CRITICALITY_RPT_V | 193 SELECT | V View
    ESEC_USER | CUST_HIERARCHY_V | 193 SELECT | V View
    ESEC_USER | CUST_RPT_V | 193 SELECT | V View
    ESEC_USER | ENTITY_TYPE_RPT_V ...
  • Page 226

    Role Name | Object Name | Action | Type
    ESEC_USER | EVT_AGENT_RPT_V | 193 SELECT | V View
    ESEC_USER | EVT_ASSET_RPT_V | 193 SELECT | V View
    ESEC_USER | EVT_DEST_EVT_NAME_SMRY_1 | 193 SELECT | V View
    ESEC_USER | EVT_DEST_EVT_NAME_SMRY_1_RPT_V | 193 SELECT | V View
    ESEC_USER | EVT_DEST_SMRY_1 | 193 SELECT | V View
    ESEC_USER | EVT_DEST_SMRY_1_RPT_V | 193 SELECT | V View
    ESEC_USER | EVT_DEST_TXNMY_SMRY_1 ...
  • Page 227

    Role Name | Object Name | Action | Type
    ESEC_USER | INCIDENTS_EVENTS_RPT_V | 193 SELECT | V View
    ESEC_USER | INCIDENTS_RPT_V | 193 SELECT | V View
    ESEC_USER | INCIDENTS_VULN_RPT_V | 193 SELECT | V View
    ESEC_USER | L_STAT_RPT_V | 193 SELECT | V View
    ESEC_USER | LOGS_RPT_V | 193 SELECT | V View
    ESEC_USER | MSSP_ASSOCIATIONS_V | 193 SELECT | V View
    ESEC_USER | NETWORK_IDENTITY_RPT_V ...
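    The grant tables in D.3 are a snapshot of what the installer created; on a live server the catalog is the authority. The T-SQL below is an added example, not from the Sentinel guide, that reads the same information (role, object, action, object type) from the SQL Server catalog and then checks the least-privilege property the tables imply: the reporting role ESEC_USER, which Table D-1 gives to esecadm and esecrpt, should hold nothing but SELECT on views. The numeric action codes in the tables (193 SELECT, 195 INSERT, 196 DELETE, 197 UPDATE) and the U/V type letters are SQL Server's sysprotects action codes and sys.objects type codes, so the catalog query reports the same thing by name. Assumed: SQL Server 2005 or later and the ESEC database; the query names are mine.

```sql
-- Added example (not Novell's script): audit the D.3 grants from the live catalog.
-- Assumed: SQL Server 2005+, database ESEC.
USE ESEC;
GO
-- 1. Every object-level grant held by the three Sentinel database roles, in the
--    shape of Tables D-6 to D-8. Note that db_owner membership (esecapp, esecdba in
--    Table D-1) bypasses object grants entirely and will not appear here.
SELECT dp.name AS role_name,
       OBJECT_SCHEMA_NAME(p.major_id) + '.' + OBJECT_NAME(p.major_id) AS object_name,
       p.permission_name AS action,
       o.type AS type_code,          -- U = user table, V = view
       o.type_desc,
       p.state_desc                  -- GRANT, DENY or GRANT_WITH_GRANT_OPTION
FROM sys.database_permissions AS p
JOIN sys.objects             AS o  ON o.object_id = p.major_id
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE p.class = 1                     -- object or column permissions only
  AND dp.name IN (N'ESEC_APP', N'ESEC_ETL', N'ESEC_USER')
ORDER BY dp.name, object_name, p.permission_name;

-- 2. Least-privilege check for the reporting role: any row returned here is a grant
--    Table D-8 does not document, either write access or direct access to a base
--    table instead of a *_RPT_V view.
SELECT dp.name AS role_name,
       OBJECT_NAME(p.major_id) AS object_name,
       p.permission_name,
       o.type_desc
FROM sys.database_permissions AS p
JOIN sys.objects             AS o  ON o.object_id = p.major_id
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE p.class = 1
  AND dp.name = N'ESEC_USER'
  AND (p.permission_name <> N'SELECT' OR o.type <> 'V');

-- 3. Who actually sits in ESEC_USER today (should be esecadm and esecrpt per D-1);
--    an unexpected member is a reporting account that can read every event view.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'ESEC_USER'
ORDER BY m.name;

-- 4. Server-level roles (Table D-9): sysadmin and securityadmin members can grant
--    themselves anything, so this list is the one to review after every upgrade.
SELECT r.name AS server_role, m.name AS member_login
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin', N'serveradmin')
ORDER BY r.name, m.name;
GO
```

    Query 2 returning zero rows is the expected result on a stock installation. Query 1 is worth diffing against a saved copy after service packs, since schema updates are where extra grants to the application roles tend to creep in.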
  • Page 228: D.4 Sentinel Server Roles

    D.4 Sentinel Server Roles
    Table D-9 Sentinel Server Roles
    Server Role | Description | Sentinel User
    sysadmin | System Administrators | esecdba
    securityadmin | Security Administrators | esecapp
    serveradmin | Server Administrators | esecdba
    setupadmin | Setup Administrators |
    processadmin | Process Administrators |
    diskadmin | Disk Administrators |
    dbcreator | Database Creators |
    bulkadmin | Bulk Insert Administrators |
    Note that members of securityadmin can create logins and grant server-level permissions, which is why Microsoft documents that role as equivalent to sysadmin: the esecapp login used by the running Sentinel services is therefore effectively a server administrator, and its credentials should be protected like the esecdba ones.

    D.5 Windows Domain Authentication DB users and permissions
    A domain user will be associated with the esecadm, esecapp, esecdba and esecrpt users according to the ...
  • Page 229: E Sentinel Log Locations

    Sentinel Log Locations
    The purpose of this document is to provide information on the log file locations for the following components of Sentinel:
    - Sentinel Data Manager
    - iTRAC
    - Advisor
    - Event Insertion
    - Database Queries
    - Active Views
    - Aggregation
    - Wrapper (formerly Sentinel Watchdog)
    ...
  • Page 230: E.3 Advisor

    E.3 Advisor
    Logs activities related to Advisor data download and processing.
    For Windows: %ESEC_HOME%\log\advisor_script.log and %ESEC_HOME%\log\advisor0.*.log
    For UNIX: $ESEC_HOME/log/advisor_script.log and $ESEC_HOME/log/advisor0.*.log

    E.4 Event Insertion
    Logs activities related to event insertion into the database.
    For Windows: %ESEC_HOME%\log\das_binary0.*.log
    For UNIX: $ESEC_HOME/log/das_binary0.*.log

    E.5 Database Queries
    Logs activities related to database queries, Collector and Collector Manager health, identity insertion, and all other DAS activities not performed by other DAS components.
  • Page 231: E.7 Aggregation

    E.7 Aggregation
    Logs activities related to Aggregation.
    For Windows: %ESEC_HOME%\log\das_aggregation0.*.log
    For UNIX: $ESEC_HOME/log/das_aggregation0.*.log

    E.8 Wrapper
    Logs activities related to the Wrapper.
    NOTE: sentinel_wrapper.log is for the service wrapper.
    For Windows: %ESEC_HOME%\log\sentinel0.*.log and %ESEC_HOME%\log\sentinel_wrapper.log
    For UNIX: $ESEC_HOME/log/sentinel0.*.log and $ESEC_HOME/log/sentinel_wrapper.log

    E.9 Collector Manager
    Logs activities related to the Collector Manager.
    For Windows: %ESEC_HOME%\log\collector_mgr0.*.log
    For UNIX: ...
  • Page 232: E.11 Sentinel Control Center

    E.11 Sentinel Control Center
    Logs activities related to the Sentinel Control Center.
    For Windows: %ESEC_HOME%\log\control_center0.*.log
    For UNIX: $ESEC_HOME/log/control_center0.*.log

    E.12 DAS Proxy
    Logs activities related to Proxy Communication.
    For Windows: %ESEC_HOME%\log\das_proxy0.*.log
    For UNIX: $ESEC_HOME/log/das_proxy0.*.log

    E.13 Solution Designer
    Logs activities related to Solution Designer.
    For Windows: %ESEC_HOME%\log\solution_designer0.*.log
    For UNIX: ...
