Mapping - Novell SENTINEL 6.1 SP2 - 02-2010 User Manual


11.8 Mapping

A map is a collection of values and keys defined in a CSV or text file. You can enrich your data by using maps. With the help of maps you can add additional information to the incoming events from your source device. This additional information, which was not present in the original event, can be used for correlation and reporting.

You can create your custom maps in addition to the default maps available. You can use event mapping, which allows you to add additional data to an event by using data already present in the event and by referencing and pulling data from an outside source. For more information, see Section 11.9, "Event Configuration," on page 261 and Section 11.9.1, "Event Mapping," on page 261.

NOTE: In order to do Mapping, your configuration.xml file must be pointing to a Communication Server that has DAS_Binary and DAS_Query connected to it. This will normally be the case, by default, as long as the Communication Server and DAS processes are running.

The Mapping tab allows you to:
- Add new map definitions
- Edit map definitions
- Delete map definitions
- Update map data

Mapping works together with the Referenced from Map Data Source setting for individual fields under Section 11.9, "Event Configuration," on page 261. You can map by using a string or number range. The following are the default maps available:

- AccountIdentity: Contains information about identities and the accounts associated with them. The keys are UserName, UserDomain, and CustomerName (for MSSPs). This map is populated from information in the Account and Identity tables in the Sentinel database.
- Asset: Contains the data from the map data source file asset.csv. The asset.csv file is automatically generated from asset data from the Sentinel Database when an asset Collector is run. This file could be populated manually instead, if desired. The keys are PhysicalAssetName and CustomerName (for MSSPs).
- AssetToRegulation: Contains the data from the map data source file AssetToRegulation.csv. This file must be populated manually.
- CustomerHierarchy: Generally used for Managed Security Service Providers (MSSPs), this can be used to organize customers into a four-level hierarchy. Contains data from the customerhierachy.csv file. This file must be populated manually. The key is CustomerName.
- IpToCountry: Contains the data from the map data source file IpToCountry.csv. This file must be populated manually.
- IsExploitWatchlist: Contains the data from the map data source file exploitDetection.csv (vulnerabilities and threats). The exploitDetection.csv file is automatically generated from Advisor and Vulnerability data from the Sentinel Database when either an Advisor feed is completed or a vulnerability Collector is run. The keys are IP, AttackName, DeviceName, and CustomerName (for MSSPs).
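As an added illustration (not code from the Novell manual or from Sentinel itself), the following shows the two kinds of lookup the maps above rely on: an exact match on a composite key, as AccountIdentity does with UserName, UserDomain and CustomerName, and a number-range match, as an IpToCountry style map needs for IP address ranges. The CSV column layouts, the sample rows and the event field names are constructed for this example and are assumptions, not Sentinel's real file format.

```python
import csv
import io
import ipaddress

# Constructed sample map data sources (assumed layout, not Sentinel's own files).
ACCOUNT_IDENTITY_CSV = """UserName,UserDomain,CustomerName,FullName,Department
jdoe,corp,acme,Jane Doe,Finance
svc_backup,corp,acme,Backup Service,IT
"""
IP_TO_COUNTRY_CSV = """start,end,Country
10.0.0.0,10.0.255.255,LAB-A
192.0.2.0,192.0.2.255,LAB-B
"""
IDENTITY_KEYS = ("UserName", "UserDomain", "CustomerName")


def load_key_map(text, key_cols):
    """Exact-match map: tuple of key column values -> the remaining (value) columns."""
    rows = csv.DictReader(io.StringIO(text))
    return {tuple(r[k] for k in key_cols): {c: v for c, v in r.items() if c not in key_cols}
            for r in rows}


def load_range_map(text):
    """Number-range map: list of (low, high, values), with IPs converted to integers."""
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        lo = int(ipaddress.ip_address(r["start"]))
        hi = int(ipaddress.ip_address(r["end"]))
        out.append((lo, hi, {"Country": r["Country"]}))
    return out


def enrich(event, key_map, key_fields, range_map, ip_field):
    """Return a copy of the event with map values added; a miss adds nothing."""
    enriched = dict(event)
    hit = key_map.get(tuple(event.get(f, "") for f in key_fields))
    if hit:
        enriched.update(hit)
    try:
        ip = int(ipaddress.ip_address(event.get(ip_field, "")))
    except ValueError:  # missing or malformed address: skip the range lookup
        return enriched
    for lo, hi, values in range_map:
        if lo <= ip <= hi:
            enriched.update(values)
            break
    return enriched
```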
Administration 251
