Generating The Exploit Detection File; Viewing The Events; Introduction To The Advisor User Interface - Novell SENTINEL 6.1 SP2 - 02-2010 User Manual


8.2.2 Generating the Exploit Detection File

When you run the intrusion detection system or vulnerability type Collectors, events from all the selected products are scanned for possible attacks and vulnerabilities, and the product name and MSSP customer name are mapped to the Advisor product name and MSSP customer name. If the events match successfully, the exploit information (IP address, Device Name, Attack Name, and MSSP Customer Name) is updated in the exploitdetection.csv file in the ESEC_HOME/data/map_data directory.

The initial mapping time might take up to 30 minutes. However, you can modify the time by changing the value of the minregenerateinterval property in the ExploitDetectDataGenerator component of the das_query.xml file. The time is given in milliseconds. For example, you can change the time from 1800000 (30 minutes) to 180000 (3 minutes).

NOTE: You must restart the das_query services after you change the time.

8.2.3 Viewing the Events

To view events that indicate a possible exploitation, create an Active View with a filter that has the Vulnerability value set to 1.

Within an event, the values in the Vulnerability field convey the following:

1: the asset or destination device is possibly exploited.
0: the asset or destination device is not exploited.

NOTE: If the Vulnerability field is blank, the exploitdetection.csv file is not generated.

For more information on viewing events in Active Views, see Section 2.4, "Viewing Real Time Events," on page 39.
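The following Python script is an added illustration of the exploit detection flow described in Sections 8.2.2 and 8.2.3; it is not Novell's code and does not reflect Sentinel's internal implementation. It assumes (the manual does not state this) that each row of exploitdetection.csv holds IP address, Device Name, Attack Name and MSSP Customer Name in that order with no header, and that incoming events carry the fields DestinationIP, AttackName and CustomerName. The sample map data and events are constructed. It tags each event's Vulnerability field with 1 or 0, leaves the field blank when no map file exists (the case the NOTE above describes), applies the equivalent of an Active View filter on Vulnerability = 1, and converts a regeneration interval in minutes to the millisecond value minregenerateinterval expects.

```python
# Added example, not Novell's code: a small model of Sentinel's exploit
# detection step, using constructed data. Assumed (not from the manual): the
# exploitdetection.csv rows hold IP address, Device Name, Attack Name and MSSP
# Customer Name in that order without a header row, and events carry the
# fields DestinationIP, AttackName and CustomerName.
import csv
import io

# Constructed sample of a generated exploitdetection.csv (column order assumed).
EXPLOIT_MAP_CSV = """\
10.0.0.5,WebServer01,HTTP Directory Traversal,AcmeMSSP
10.0.0.7,DbServer02,SQL Worm Propagation,AcmeMSSP
"""

# Constructed sample events as an IDS Collector might emit them (field names assumed).
SAMPLE_EVENTS = [
    {"DestinationIP": "10.0.0.5", "AttackName": "HTTP Directory Traversal", "CustomerName": "AcmeMSSP"},
    {"DestinationIP": "10.0.0.5", "AttackName": "Port Scan", "CustomerName": "AcmeMSSP"},
    # Same host and attack as a map row, but a different MSSP customer: no match.
    {"DestinationIP": "10.0.0.7", "AttackName": "SQL Worm Propagation", "CustomerName": "OtherMSSP"},
]


def load_exploit_map(csv_text):
    """Parse map data into a dict keyed by (ip, attack, customer) -> device name.

    Device Name is kept as the value so a match can report which asset is affected.
    """
    exploit_map = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 4:
            continue  # skip malformed rows rather than abort the whole mapping
        ip, device, attack, customer = (field.strip() for field in row)
        exploit_map[(ip, attack, customer)] = device
    return exploit_map


def set_vulnerability(event, exploit_map):
    """Return a copy of the event with the Vulnerability field filled in.

    1: destination device is possibly exploited; 0: not exploited. When no map
    data exists (exploitdetection.csv not generated) the field is left blank.
    """
    tagged = dict(event)
    if exploit_map is None:
        tagged["Vulnerability"] = ""
        return tagged
    key = (event["DestinationIP"], event["AttackName"], event["CustomerName"])
    if key in exploit_map:
        tagged["Vulnerability"] = 1
        tagged["DeviceName"] = exploit_map[key]
    else:
        tagged["Vulnerability"] = 0
    return tagged


def tag_events(events, csv_text):
    """Tag every event; csv_text=None models a missing exploitdetection.csv."""
    exploit_map = load_exploit_map(csv_text) if csv_text is not None else None
    return [set_vulnerability(e, exploit_map) for e in events]


def exploited_events(events):
    """Equivalent of an Active View filter with Vulnerability set to 1."""
    return [e for e in events if e.get("Vulnerability") == 1]


def regenerate_interval_ms(minutes):
    """minregenerateinterval is given in milliseconds, e.g. 3 minutes -> 180000."""
    return minutes * 60 * 1000


if __name__ == "__main__":
    tagged = tag_events(SAMPLE_EVENTS, EXPLOIT_MAP_CSV)
    for e in tagged:
        print(e["DestinationIP"], e["AttackName"], "Vulnerability =", e["Vulnerability"])
    print("possible exploitations:", len(exploited_events(tagged)))
    print("minregenerateinterval for 3 minutes:", regenerate_interval_ms(3))
```

The third sample event shows why the MSSP customer name takes part in the match: the same destination and attack name under a different customer is not reported as exploited, which mirrors the mapping of both product name and MSSP customer name described in Section 8.2.2.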

8.3 Introduction to the Advisor User Interface

Section 8.3.1, "The Advisor Window," on page 163
Section 8.3.2, "Processing the Advisor Feed," on page 164
Section 8.3.3, "Configuring the Advisor Products for Exploit Detection," on page 165
Ensure that you have Advisor Configuration permission to access the Advisor window.
You can access the Advisor user interface through one of the following methods:
