Incident Command Activity; Incident Internal Activity - Novell SENTINEL 6.1 SP2 - 02-2010 User Manual


Figure 5-3 Activity Pane

iTRAC Activities can be used in iTRAC templates to define a workflow step, or they can be manually executed from within an Incident. Sentinel provides three types of actions that can be used to build Activities:

Incident Command Activity

Incident Internal Activity

Incident Composite Activity

5.7.1 Incident Command Activity

An Incident Command Activity enables you to launch a specific command with or without arguments. The following fields from the incident associated with the workflow process can be used as input to the command:

DIP [Target IP]
SIP [Initiator IP]
DIP : Port
SIP : Port
RT1 (DeviceAttackName)
Text (incident information in name-value pair format)

NOTE: The command (or a batch file or script that refers to the command) must be stored in the %ESEC_HOME%\config\exec or $ESEC_HOME/config/exec directory on the iTRAC workflow server, usually the same machine where the Data Access Server (DAS) is installed.

5.7.2 Incident Internal Activity

An Incident Internal Activity enables you to mail and/or attach information from the Sentinel database to the incident associated with the workflow process. Each of these options has a prerequisite:

Vulnerability for the Initiator IP address (SIP) or the Target IP address (DIP): This requires that you run a vulnerability scanner and bring the results of the scan into Sentinel using a Vulnerability (or "information") Collector.

Advisor attack-related data: This requires the purchase and installation of the optional Advisor data subscription service.

Asset data: This requires that you run an asset management tool such as NMAP and bring the results into Sentinel using an Asset Collector.
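The script that an Incident Command Activity (5.7.1) launches from the exec directory receives incident fields as command arguments, and two of those fields, RT1 (DeviceAttackName) and Text, are free-form strings that originate in event data rather than in anything the analyst typed. The following POSIX shell wrapper is an added example, not code from the Sentinel guide or from Novell: it assumes an argument order chosen when the activity is defined (SIP, DIP, DIP:Port, RT1), assumes the DIP : Port field arrives as ip:port, and its validation rules, exit codes and log line are its own. It checks the address fields and constrains the free-text one before recording the request, which is the point at which a real wrapper would pass the checked values on to the command it fronts.

```shell
#!/bin/sh
# Added example: hypothetical wrapper that an Incident Command Activity could
# invoke from $ESEC_HOME/config/exec. Assumed argument order (set in the
# activity definition, not fixed by Sentinel): SIP, DIP, DIP:Port, RT1.
# The validation rules, log format and "ip:port" form are this example's own.

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  addr=$1
  case "$addr" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $addr
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] || return 1
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Accept only a decimal port number in 1..65535.
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept the "DIP : Port" field in the assumed ip:port form.
is_ip_port() {
  case "$1" in
    *:*) ;;
    *) return 1 ;;
  esac
  is_ipv4 "${1%:*}" && is_port "${1##*:}"
}

# Reduce a free-text field (RT1 / DeviceAttackName) to a safe label:
# keep a conservative character set and cap the length at 80 characters.
safe_label() {
  printf '%s' "$1" | tr -cd 'A-Za-z0-9 ._:/-' | cut -c1-80
}

# Validate every field before doing anything with it; returns 2 on rejection.
# On success it only records the request; a real script would hand the
# checked values to the command it wraps at this point.
main() {
  sip=$1 dip=$2 dip_port=$3 attack=$4
  is_ipv4 "$sip"         || { echo "reject: bad SIP '$sip'" >&2; return 2; }
  is_ipv4 "$dip"         || { echo "reject: bad DIP '$dip'" >&2; return 2; }
  is_ip_port "$dip_port" || { echo "reject: bad DIP:Port '$dip_port'" >&2; return 2; }
  label=$(safe_label "$attack")
  printf 'incident sip=%s dip=%s target=%s attack="%s"\n' \
    "$sip" "$dip" "$dip_port" "$label"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Because the wrapper exits non-zero on any malformed field, the activity fails closed: a workflow step that receives an unexpected value stops at the wrapper instead of handing that value to the underlying command.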
