Novell SENTINEL 6.1 Reference Guide

Novell®

www.novell.com

Reference Guide

novdocx (en) 7 January 2010

AUTHORIZED DOCUMENTATION

Sentinel

6.1 SP2

February 2010

Sentinel 6.1 Reference Guide

Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

novdocx (en) 7 January 2010

Copyright © 1999-2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com

Online Documentation: To access the latest online documentation for this and other Novell products, see

the Novell Documentation Web page (http://www.novell.com/documentation).

Novell Trademarks

For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/

trademarks/tmlist.html).

Third-Party Materials

All third-party trademarks are the property of their respective owners.

novdocx (en) 7 January 2010

4 Sentinel 6.1 Reference Guide

Contents

Preface 13

novdocx (en) 7 January 2010

1Sentinel

User Reference Introduction 15

2 Sentinel Event Fields 17

2.1 Event Field Labels and Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

2.1.1 Free-Form Filters and Correlation Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.1.2 Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

2.1.3 Proprietary Collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

2.1.4 JavaScript Collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

2.2 List of Fields and Representations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

3 Sentinel Control Center User Permissions 31

3.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

3.1.1 General – Public Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

3.1.2 General – Manage Private Filters of Other Users . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

3.1.3 General – Integration Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

3.2 Active Views. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

3.2.1 Active Views – Menu Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

3.2.2 Active Views – Active Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

3.3 iTRAC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

3.3.1 iTRAC - Template Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

3.3.2 iTRAC - Process Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

3.4 Incidents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

3.5 Integrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

3.6 Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

3.7 Event Source Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

3.8 Analysis Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

3.9 Advisor Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

3.10 Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

3.10.1 Administration – Global Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

3.10.2 Administration – Server Views. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

3.11 Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

3.12 Solution Pack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

3.13 Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

4 Sentinel Correlation Engine RuleLG Language 41

4.1 Correlation RuleLG Language Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

4.2 Event Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

4.3 Event Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

4.3.1 Filter Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

4.3.2 Window Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

4.3.3 Trigger Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

4.4 Rule Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

4.4.1 Gate Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

4.4.2 Sequence Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Contents 5

4.5 Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

4.5.1 Flow Operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

4.5.2 Union Operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

4.5.3 Intersection Operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

4.5.4 Discriminator Operator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

4.6 Order of Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

4.7 Differences between Correlation in 5.x and 6.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

5 Sentinel Data Access Service 51

5.1 DAS Container Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

5.1.1 Reconfiguring Database Connection Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

5.1.2 DAS Logging Properties Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

5.1.3 Certificate Management for DAS_Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

6 Sentinel Accounts and Password Changes 59

6.1 Sentinel Default Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

6.1.1 Native Database Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

6.1.2 Windows Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

6.2 Password Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

6.2.1 Changing Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

6.2.2 Sentinel Updates After a Password Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

novdocx (en) 7 January 2010

7 Sentinel Database Views for Oracle 65

7.1 Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

7.1.1 ACTVY_PARM_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

7.1.2 ACTVY_REF_PARM_VAL_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

7.1.3 ACTVY_REF_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

7.1.4 ACTVY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

7.1.5 ADV_NXS_FEED_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

7.1.6 ADV_NXS_PRODUCTS_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

7.1.7 ADV_NXS_SIGNATURES_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

7.1.8 ADV_NXS_MAPPINGS_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

7.1.9 ADV_OSVDB_DETAILS_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

7.1.10 ADV_NXS_KB_PATCH_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

7.1.11 ADV_NXS_KB_PRODUCTSREF_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

7.1.12 ASSET_CATEGORY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

7.1.13 ASSET_HOSTNAME_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

7.1.14 ASSET_IP_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

7.1.15 ASSET_LOCATION_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

7.1.16 ASSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

7.1.17 ASSET_VALUE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

7.1.18 ASSET_X_ENTITY_X_ROLE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

7.1.19 ASSOCIATIONS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

7.1.20 ATTACHMENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

7.1.21 AUDIT_RECORD_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

7.1.22 CONFIGS_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

7.1.23 CONTACTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

7.1.24 CORRELATED_EVENTS_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

7.1.25 CORRELATED_EVENTS_RPT_V1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

7.1.26 CRITICALITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

7.1.27 CUST_HIERARCHY_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

7.1.28 CUST_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

7.1.29 ENTITY_TYPE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

7.1.30 ENV_IDENTITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

6 Sentinel 6.1 Reference Guide

7.1.31 ESEC_CONTENT_GRP_CONTENT_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

7.1.32 ESEC_CONTENT_GRP_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

7.1.33 ESEC_CONTENT_PACK_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

7.1.34 ESEC_CONTENT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

7.1.35 ESEC_CTRL_CTGRY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

7.1.36 ESEC_CTRL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

7.1.37 ESEC_DISPLAY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

7.1.38 ESEC_PORT_REFERENCE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

7.1.39 ESEC_PROTOCOL_REFERENCE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

7.1.40 ESEC_SEQUENCE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

7.1.41 ESEC_UUID_UUID_ASSOC_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

7.1.42 EVENTS_ALL_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

7.1.43 EVENTS_ALL_RPT_V1 (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

7.1.44 EVENTS_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

7.1.45 EVENTS_RPT_V1 (legacy view). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

7.1.46 EVENTS_RPT_V2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

7.1.47 EVENTS_RPT_V3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

7.1.48 EVT_AGENT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

7.1.49 EVT_AGENT_RPT_V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

7.1.50 EVT_ASSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

7.1.51 EVT_ASSET_RPT_V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

7.1.52 EVT_DEST_EVT_NAME_SMRY_1_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

7.1.53 EVT_DEST_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

7.1.54 EVT_DEST_TXNMY_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

7.1.55 EVT_NAME_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

7.1.56 EVT_PORT_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

7.1.57 EVT_PRTCL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

7.1.58 EVT_PRTCL_RPT_V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

7.1.59 EVT_RSRC_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

7.1.60 EVT_SEV_SMRY_1_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

7.1.61 EVT_SRC_COLLECTOR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

7.1.62 EVT_SRC_GRP_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

7.1.63 EVT_SRC_MGR_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

7.1.64 EVT_SRC_OFFSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

7.1.65 EVT_SRC_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

7.1.66 EVT_SRC_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

7.1.67 EVT_SRC_SRVR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

7.1.68 EVT_TXNMY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

7.1.69 EVT_USR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

7.1.70 EVT_XDAS_TXNMY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

7.1.71 EXTERNAL_DATA_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

7.1.72 HIST_CORRELATED_EVENTS_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . 108

7.1.73 HIST_EVENTS_RPT_V (legacy view). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

7.1.74 IMAGES_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

7.1.75 INCIDENTS_ASSETS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

7.1.76 INCIDENTS_EVENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

7.1.77 INCIDENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

7.1.78 INCIDENTS_VULN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

7.1.79 L_STAT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

7.1.80 LOGS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

7.1.81 MSSP_ASSOCIATIONS_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

7.1.82 NETWORK_IDENTITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

7.1.83 ORGANIZATION_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

7.1.84 PERSON_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

7.1.85 PHYSICAL_ASSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

7.1.86 PRODUCT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

7.1.87 ROLE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

7.1.88 RPT_LABELS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

7.1.89 SENSITIVITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

novdocx (en) 7 January 2010

Contents 7

7.1.90 SENTINEL_HOST_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

7.1.91 SENTINEL_PLUGIN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

7.1.92 SENTINEL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

7.1.93 STATES_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

7.1.94 UNASSIGNED_INCIDENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

7.1.95 USERS_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

7.1.96 USR_ACCOUNT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

7.1.97 USR_IDENTITY_EXT_ATTR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

7.1.98 USR_IDENTITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

7.1.99 VENDOR_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

7.1.100 VULN_CALC_SEVERITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

7.1.101 VULN_CODE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

7.1.102 VULN_INFO_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

7.1.103 VULN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

7.1.104 VULN_RSRC_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

7.1.105 VULN_RSRC_SCAN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

7.1.106 VULN_SCAN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

7.1.107 VULN_SCAN_VULN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

7.1.108 VULN_SCANNER_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

7.1.109 WORKFLOW_DEF_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

7.1.110 WORKFLOW_INFO_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

7.2 Deprecated Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

novdocx (en) 7 January 2010

8 Sentinel Database Views for Microsoft SQL Server 125

8.1 Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

8.1.1 ACTVY_PARM_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

8.1.2 ACTVY_REF_PARM_VAL_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

8.1.3 ACTVY_REF_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

8.1.4 ACTVY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

8.1.5 ADV_NXS_FEED_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

8.1.6 ADV_NXS_PRODUCTS_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

8.1.7 ADV_NXS_SIGNATURES_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

8.1.8 ADV_NXS_MAPPINGS_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

8.1.9 ADV_OSVDB_DETAILS_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

8.1.10 ADV_NXS_KB_PATCH_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

8.1.11 ADV_NXS_KB_PRODUCTSREF_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

8.1.12 ANNOTATIONS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

8.1.13 ASSET_CATEGORY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

8.1.14 ASSET_HOSTNAME_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

8.1.15 ASSET_IP_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

8.1.16 ASSET_LOCATION_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

8.1.17 ASSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

8.1.18 ASSET_VALUE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

8.1.19 ASSET_X_ENTITY_X_ROLE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

8.1.20 ASSOCIATIONS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

8.1.21 ATTACHMENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

8.1.22 AUDIT_RECORD_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

8.1.23 CONFIGS_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

8.1.24 CONTACTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

8.1.25 CORRELATED_EVENTS_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . 139

8.1.26 CORRELATED_EVENTS_RPT_V1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

8.1.27 CRITICALITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

8.1.28 CUST_HIERARCHY_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

8.1.29 CUST_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

8.1.30 ENTITY_TYPE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

8.1.31 ENV_IDENTITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

8.1.32 ESEC_CONTENT_GRP_CONTENT_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

8 Sentinel 6.1 Reference Guide

8.1.33 ESEC_CONTENT_GRP_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

8.1.34 ESEC_CONTENT_PACK_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

8.1.35 ESEC_CONTENT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

8.1.36 ESEC_CTRL_CTGRY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

8.1.37 ESEC_CTRL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

8.1.38 ESEC_DISPLAY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

8.1.39 ESEC_PORT_REFERENCE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

8.1.40 ESEC_PROTOCOL_REFERENCE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

8.1.41 ESEC_SEQUENCE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

8.1.42 ESEC_UUID_UUID_ASSOC_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

8.1.43 EVENTS_ALL_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

8.1.44 EVENTS_ALL_RPT_V1 (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

8.1.45 EVENTS_ALL_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

8.1.46 EVENTS_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

8.1.47 EVENTS_RPT_V1 (legacy view). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

8.1.48 EVENTS_RPT_V2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

8.1.49 EVENTS_RPT_V3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

8.1.50 EVT_AGENT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

8.1.51 EVT_AGENT_RPT_V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

8.1.52 EVT_ASSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

8.1.53 EVT_ASSET_RPT_V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

8.1.54 EVT_DEST_EVT_NAME_SMRY_1_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

8.1.55 EVT_DEST_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

8.1.56 EVT_DEST_TXNMY_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

8.1.57 EVT_NAME_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

8.1.58 EVT_PORT_SMRY_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

8.1.59 EVT_PORT_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

8.1.60 EVT_PRTCL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

8.1.61 EVT_RSRC_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

8.1.62 EVT_SEV_SMRY_1_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

8.1.63 EVT_SRC_COLLECTOR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

8.1.64 EVT_SRC_GRP_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

8.1.65 EVT_SRC_MGR_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

8.1.66 EVT_SRC_OFFSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

8.1.67 EVT_SRC_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

8.1.68 EVT_SRC_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

8.1.69 EVT_SRC_SRVR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

8.1.70 EVT_TXNMY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

8.1.71 EVT_USR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

8.1.72 EVT_XDAS_TXNMY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

8.1.73 EXTERNAL_DATA_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

8.1.74 HIST_CORRELATED_EVENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

8.1.75 HIST_CORRELATED_EVENTS_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . 169

8.1.76 HIST_EVENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

8.1.77 HIST_EVENTS_RPT_V (legacy view). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

8.1.78 IMAGES_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

8.1.79 INCIDENTS_ASSETS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

8.1.80 INCIDENTS_EVENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

8.1.81 INCIDENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

8.1.82 INCIDENTS_VULN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

8.1.83 L_STAT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

8.1.84 LOGS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

8.1.85 MSSP_ASSOCIATIONS_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

8.1.86 NETWORK_IDENTITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

8.1.87 ORGANIZATION_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

8.1.88 PERSON_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

8.1.89 PHYSICAL_ASSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

8.1.90 PRODUCT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

8.1.91 ROLE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

novdocx (en) 7 January 2010

Contents 9

8.1.92 RPT_LABELS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

8.1.93 SENSITIVITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

8.1.94 SENTINEL_HOST_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

8.1.95 SENTINEL_PLUGIN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

8.1.96 SENTINEL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

8.1.97 STATES_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

8.1.98 UNASSIGNED_INCIDENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

8.1.99 USERS_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

8.1.100 USR_ACCOUNT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

8.1.101 USR_IDENTITY_EXT_ATTR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

8.1.102 USR_IDENTITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

8.1.103 VENDOR_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

8.1.104 VULN_CALC_SEVERITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

8.1.105 VULN_CODE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

8.1.106 VULN_INFO_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

8.1.107 VULN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

8.1.108 VULN_RSRC_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

8.1.109 VULN_RSRC_SCAN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

8.1.110 VULN_SCAN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

8.1.111 VULN_SCAN_VULN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

8.1.112 VULN_SCANNER_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

8.1.113 WORKFLOW_DEF_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

8.1.114 WORKFLOW_INFO_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

8.2 Deprecated Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

novdocx (en) 7 January 2010

A Sentinel Troubleshooting Checklist 189

B Sentinel Service Logon Account 193

B.1 Sentinel Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

B.2 Introduction to Service Logon Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

B.2.1 Disadvantages of running a service in the context of a user logon . . . . . . . . . . . . . 194

B.3 To Setup NT AUTHORITY\NetworkService as the Logon Account for Sentinel Service. . . . 195

B.3.1 Adding Sentinel Service as a Login Account to ESEC and ESEC_WF DB

Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

B.3.2 Changing logon account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

B.3.3 Setting the Sentinel Service to Start Successfully . . . . . . . . . . . . . . . . . . . . . . . . . . 199

C Sentinel Service Permission Tables 201

C.1 Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

C.2 Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

C.3 Correlation Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

C.4 Data Access Server (DAS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

C.5 Sentinel Communication Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

C.6 Sentinel Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

C.7 Reporting Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

D Sentinel Database Users, Roles, and Access Permissions 207

D.1 Sentinel Database Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

D.1.1 ESEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

D.1.2 ESEC_WF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

D.2 Sentinel Database Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

D.2.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

10 Sentinel 6.1 Reference Guide

D.2.2 esecadm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

D.2.3 esecapp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

D.2.4 esecdba . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

D.2.5 esecrpt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

D.3 Sentinel Database Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

D.3.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

D.3.2 ESEC_APP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

D.3.3 ESEC_ETL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

D.3.4 ESEC_USER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

D.4 Sentinel Server Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

D.5 Windows Domain Authentication DB users and permissions. . . . . . . . . . . . . . . . . . . . . . . . . 228

E Sentinel Log Locations 229

E.1 Sentinel Data Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

E.2 iTRAC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

E.3 Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

E.4 Event Insertion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

E.5 Database Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

E.6 Active Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

E.7 Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

E.8 Wrapper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

E.9 Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

E.10 Correlation Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

E.11 Sentinel Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

E.12 DAS Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

E.13 Solution Designer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

E.14 Multiple Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

novdocx (en) 7 January 2010

Contents 11

novdocx (en) 7 January 2010

12 Sentinel 6.1 Reference Guide

Preface

SentinelTM is a security information and event management solution that receives information from many sources throughout an enterprise, standardizes it, prioritizes it and presents it to you to make threat, risk and policy related decisions.

The Sentinel 6.1 Reference Guide is your reference for the following:

 Chapter 1, “SentinelTM User Reference Introduction,” on page 15

 Chapter 2, “Sentinel Event Fields,” on page 17

 Chapter 3, “Sentinel Control Center User Permissions,” on page 31

 Chapter 4, “Sentinel Correlation Engine RuleLG Language,” on page 41

 Chapter 5, “Sentinel Data Access Service,” on page 51

 Chapter 6, “Sentinel Accounts and Password Changes,” on page 59

 Chapter 7, “Sentinel Database Views for Oracle,” on page 65

 Chapter 8, “Sentinel Database Views for Microsoft SQL Server,” on page 125

novdocx (en) 7 January 2010

Audience

This documentation is intended for Information Security Professionals.

Feedback

We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation and enter your comments there.

Additional Documentation

Sentinel Technical documentation is broken down into several different volumes. They are:

 Sentinel 6.1 Installation Guide

 Sentinel 6.1 User Guide

 Sentinel 6.1 User Reference Guide

 The documentation for this product is available at http://www.novell.com/documentation/

sentinel61/index.html (http://www.novell.com/documentation/sentinel61/index.html)

 Additional documentation on developing collectors (proprietary or JavaScript) and JavaScript

correlation actions is available at the Novell Developer Community web site: http://

developer.novell.com/wiki/index.php?title=Develop_to_Sentinel (http://developer.novell.com/ wiki/index.php?title=Develop_to_Sentinel)

Documentation Conventions

The following are the conventions used in this manual:

 Notes and Warnings

Preface 13

NOTE: Notes provide additional information that may be useful or for reference.

WARNING: Warnings provide additional information that helps you identify and stop performing

actions in the system that cause damage or loss of data.

 Commands appear in courier font. For example:

useradd –g dba –d /export/home/oracle –m –s /bin/csh oracle

 Go to Start > Program Files > Control Panel to perform this action: Multiple actions in a step.

 References

 For more information, see “Section Name” (if in the same Chapter).

 For more information, see “Chapter Name” (if in the same Guide).

 For more information, see “Section Name” in “Chapter Name”, Name of the Guide (if in a

different Guide).

In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (

, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party

trademark.

novdocx (en) 7 January 2010

When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux or UNIX, should use forward slashes as required by your software.

Contacting Novell

 Web Site: http://www.novell.com (http://www.novell.com)

 Novell Technical Support: http://support.novell.com/

phone.html?sourceidint=suplnav4_phonesup (http://support.novell.com/ phone.html?sourceidint=suplnav4_phonesup)

 Self Support: http://support.novell.com/

support_options.html?sourceidint=suplnav_supportprog (http://support.novell.com/ support_options.html?sourceidint=suplnav_supportprog)

 Patch Download Site: http://download.novell.com/index.jsp (http://download.novell.com/

index.jsp)

 24x7 support: http://www.novell.com/company/contact.html (http://www.novell.com/

company/contact.html)

 For Collectors/Connectors/Reports/Correlation/Hotfixes/TIDS: http://support.novell.com/

products/sentinel (http://support.novell.com/products/sentinel)

14 Sentinel 6.1 Reference Guide

SentinelTM User Reference

novdocx (en) 7 January 2010

Introduction

The Sentinel User Reference Guide is your reference for:

Collector administrator functions

Collector and Sentinel meta tags

Sentinel console user permissions

This guide assumes that you are familiar with Network Security, Database Administration and UNIX operating systems.

This guide discusses about:

 Sentinel Meta tags

 Sentinel User Permissions

 Correlation Engine RuleLG Language

 Sentinel Data Access Service

 Sentinel Accounts and Password Changes

 Sentinel Database Views for Oracle

 Sentinel Database Views for Microsoft SQL Server

Sentinel correlation engine

Sentinel command line options

Sentinel server database views

SentinelTM User Reference Introduction

novdocx (en) 7 January 2010

16 Sentinel 6.1 Reference Guide

Sentinel Event Fields

Every Sentinel event or correlated event has certain fields that are automatically populated (such as Event Time and Event UUID) and other fields that may or may not be populated, depending on the type of event, the collector parsing, and the mapping service configuration. This event data is visible in Active Views, historical queries, and reports. They are stored in the database and can be accessed via the report views. They can also be used in actions available through the right-click event menu, correlation actions, and iTRAC workflow actions.

2.1 Event Field Labels and Tags

Each field can be referred to by a user-friendly label or a short tag. The user-friendly label is visible throughout the Sentinel Control Center interface, for example:

 Column headers for Active Views, historical event queries, and the Active Browser

 Correlation wizard drop-down menus

novdocx (en) 7 January 2010

 Active View configuration drop-down menus

Each field has a default label, but that label is user-configurable using the Event Configuration option on the Admin tab. For more information, see “Admin Tab” section in Sentinel 6.1 User

Guide. InitUserName is the default label to represent the account name of the user who initiated the

event, but this can be changed by the administrator. When a user changes the default label, the changes are reflected in most areas of the interface, including any correlation rules, filters, and rightclick menu options.

WARNING: Changing the default label for any variables other than Customer Variables may cause confusion when working with Novell Technical Services or other parties who are familiar with the default names. In addition, JavaScript Collectors built by Novell refer to the default labels described in this chapter and are not automatically updated to refer to new labels.

Each field also has a short tag name that is always used for internal references to the field and is not user-configurable. This short tag name may not correspond exactly to the default label; Sentinel labels have changed over the years, but the underlying short tags remain the same for backward compatibility. (For example, InitUserName is the default label for the account name of the user who initiated the event. The default label was previously SourceUserName, and the underlying short tag is “sun”.)

NOTE: Many of the default labels were updated for clarity in the Sentinel 6.1 release. Because all filters, actions, and correlation rule definitions are defined using the short tags (even though the label may be visible in the interface), there is no change in functionality due to the label renaming.

Each field is associated with a specific data type, which corresponds to the data type in the database:

 string: limited to 255 characters (unless otherwise specified)

 integer: 32 bit signed integer

 UUID: 36 character (with hyphens) or 32 character (without hyphens) hexadecimal string in

the format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 6A5349DA-7CBF-1028-9795-000BCDFFF482)

Sentinel Event Fields

 date: Collector Variable must be set with date as number of milliseconds from January 1, 1970

00:00:00 GMT. When displayed in Sentinel Control Center, meta-tags of type date are displayed in a regular date format.

 IPv4: IP address in dotted decimal notation (that is – xxx.xxx.xxx.xxx)

2.1.1 Free-Form Filters and Correlation Rules

Users can use either the tag or the label when they write free-form language in the Sentinel Control Center. The Sentinel interface shows the user-friendly label.

Figure 2-1 Correlation Wizard displaying labels in drop-down and free-form language

novdocx (en) 7 January 2010

18 Sentinel 6.1 Reference Guide

Figure 2-2 Filter Wizard displaying labels in drop-down and free-form language

novdocx (en) 7 January 2010

The representation of fields in the free-form RuleLG language is usually prefaced by “e.” for example, “e.InitUserName” or “e.sun” can refer to the Initiator User Name for the incoming or current event. In special cases, “w.” may be used to refer to a field in a past event (for example, “w.InitUserName”). For more information about the RuleLG language, see Chapter 4, “Sentinel

Correlation Engine RuleLG Language,” on page 41.

2.1.2 Actions

Users can use either the tag or the label when they define parameters to be sent to right-click Event Menu actions, correlation actions, and iTRAC workflow actions.

To pass a field value to an action, you may use a checklist that shows the labels or type the parameter name directly into the configuration.

Sentinel Event Fields 19

Figure 2-3 Configuration Action - Select Event Attributes window

novdocx (en) 7 January 2010

When you type the label or short tag for a field to be used in an action, the name can be enclosed in percent signs (%tag%) or dollar signs ($tag$). For example:

 %sun% in a correlation action refers to the value of InitUser in the correlated event

 $sun$ in a correlation action refers to the value of InitUser in the current, “trigger” event (the

final event that caused the correlation rule to fire)

NOTE: In a right-click menu event operating on a single event, there is no functional difference between %sun% and $sun$.

For example, to pass the Initiator User Name to a command line action to look up information from a database about that user, you could use %InitUserName% or %sun%. For more information about Actions, see “Actions and Integrators” section in Sentinel 6.1 User Guide.

20 Sentinel 6.1 Reference Guide

Figure 2-4 Configuration Action window

novdocx (en) 7 January 2010

2.1.3 Proprietary Collectors

Proprietary Collectors, written in Novell’s own language, always use variables based on the short tag to refer to event fields. The short tag name must be prefaced by a letter and underscore, where the letter indicates the data type for the field (i_ for integer, s_ for string).

2.1.4 JavaScript Collectors

JavaScript Collectors usually refer to event fields using an “e.” followed by the same user-friendly label set in Event Configuration in the Sentinel Control Center. For a Sentinel system with a default configuration, for example, the Initiator User Name would be referred to as “e.InitUserName” in the JavaScript Collector. There are some exceptions to this general rule. Refer to the Sentinel Collector

SDK (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel) for more details.

2.2 List of Fields and Representations

The table on the following pages shows the default labels, descriptions and data types for the Sentinel event fields, along with the proper way to refer to the tags in filters, correlation rules, actions, and proprietary collector scripts. Fields that cannot or should not be manipulated in the Collector parsing do not have a Collector variable.

Sentinel Event Fields 21

Table 2-1 Labels and Meta-tags used in Sentinel Control Center and proprietary Collector language

novdocx (en) 7 January 2010

Default Label

Filters and Correlation Rules

Menu and Correlation Actions

Proprietary Collector Language

Data Typ e

Description

DeviceEventTimeString e.et %et% s_ET string The normalized date and

time of the event, as reported by the sensor.

DeviceEventTime e.det %det% date The normalized date and

time of the event, as reported by the sensor.

SentinelProcessTime e.spt %spt% date The date and time

Sentinel received the event.

BeginTime e.bgnt %bgnt% s_BGNT date The date and time the

event started occurring (for repeated events).

EndTime e.endt %endt% s_ENDT date The date and time the

event stopped occurring (for repeated events).

RepeatCount e.rc %rc% s_RC integer The number of times the

same event occurred if multiple occurrences were consolidated.

EventTime e.dt %dt% date The normalized date and

time of the event, as given by the Collector.

SentinelServiceID e.src %src% UUID Unique identifier for the

Sentinel service which generated this event.

Severity e.sev %sev% i_Severity integer The normalized severity

of the event (0-5).

Vulnerability e.vul %vul% s_VULN integer The vulnerability of the

asset identified in this event. Set to 1 if Sentinel detects an exploit against a vulnerable system. Requires Advisor.

Criticality e.crt %crt% s_CRIT integer The criticality of the asset

identified in this event.

InitIP e.sip %sip% s_SIP IPv4 IPv4 address of the

initiating system.

TargetIP e.dip %dip% s_DIP IPv4 IPv4 address of the target

system.

Collector e.port %port% string Name of the Collector that

generated this event.

22 Sentinel 6.1 Reference Guide

novdocx (en) 7 January 2010

Default Label

Filters and Correlation Rules

Menu and Correlation Actions

Proprietary Collector Language

Data Typ e

Description

CollectorScript e.agent %agent% string The name of the Collector

Script used by the Collector to generate this event.

Resource e.res %res% s_Res string Compliance monitoring

hierarchy level 1

SubResource e.sres %sres% s_SubRes string Subresource name

ObserverHostName e.sn %sn% s_SN string Unqualified hostname of

the observer (sensor) of the event.

SensorType e.st %st% s_ST string The single character

designator for the sensor type (N, H, O, V, C, W, A, I, P, T).

 N: Network events

 H: Host events

 O: Other events

 V: Vulnerability

events

 C: Correlated events

 W: Watchlist events

 A: Audit events

 I: Internal events

 P: Performance

statistics events

 T: Realtime events

Protocol e.prot %prot% s_P string Protocol used between

initiating and target services.

InitHostName e.shn %shn% s_SHN string Unqualified hostname of

the initiating system.

InitServicePort e.spint %spint% s_SPINT integer Port used by service/

application that initiated the connection.

InitServicePortName e.sp %sp% s_SP string Name of the initiating

service that caused the event.

TargetHostName e.dhn %dhn% s_DHN string Unqualified hostname of

the target system.

TargetServicePort e.dpint %dpint% s_DPINT integer Network port accessed on

the target.

Sentinel Event Fields 23

novdocx (en) 7 January 2010

Default Label

Filters and Correlation Rules

Menu and Correlation Actions

Proprietary Collector Language

Data Typ e

Description

TargetServicePortName e.dp %dp% s_DP string Name of the target

service affected by this event.

InitUserName e.sun %sun% s_SUN string Initiating user's account

name. Example jdoe during an attempt to su.

TargetUserName e.dun %dun% s_DUN string Target user's account

name. Example root during a password reset.

FileName e.fn %fn% s_FN string The name of the program

executed or the file accessed, modified or affected.

ExtendedInformation e.ei %ei% s_EI string Stores additional

collector-processed information. Values within this variable are separated by semi-colons (;).

ReporterHostName e.rn %rn% s_RN string Unqualified hostname of

the reporter of the event.

ProductName e.pn %pn% s_PN string Indicates the type, vendor

and product code name of the sensor from which the event was generated.

Message e.msg %msg% s_BM string Free-form message text

for the event.

DeviceAttackName e.rt1 %rt1% s_RT1 string Device specific attack

name that matches attack name known by Advisor. Used in Exploit Detection.

Rt2 e.rt2 %rt2% s_RT2 string Reserved by Novell for

expansion.

Ct1 thru Ct2 e.ct1 thru

e.ct2

%ct1% thru %ct2%

s_CT1

and

string Reserved for use by

customers for customerspecific data.

s_CT2

Rt3 e.rt3 %rt3% integer Reserved by Novell for

expansion.

Ct3 e.ct3 %ct3% s_CT3 integer Reserved for use by

customers for customerspecific data.

24 Sentinel 6.1 Reference Guide

novdocx (en) 7 January 2010

Default Label

Filters and Correlation Rules

Menu and Correlation Actions

Proprietary Collector Language

Data Typ e

Description

CorrelatedEventUuids e.ceu %ceu% s_RT3 string List of event UUIDs

associated with th correlated event. Only relevant for correlated events.

CustomerHierarchyId e.rv1 %rv1% s_RV1 integer Used for MSSPs.

ReservedVar2 thru

ReservedVar10

ReservedVar11 thru

ReservedVar20

e.rv2 thru

e.rv10

e.rv11 thru

e.rv20

%rv2% thru

%rv10%

%rv11% thru

%rv20%

s_RV2

thru

s_RV10

s_RV11

thru

s_RV20

integer Reserved by Novell for

expansion.

date Reserved by Novell for

expansion.

CollectorManagerId e.rv21 %rv21% s_RV21 UUID Unique identifier for the

Collector Manager which generated this event.

CollectorId e.rv22 %rv22% s_RV22 UUID Unique identifier for the

Collector which generated this event.

ConnectorId e.rv23 %rv23% S_RV23 UUID Unique identifier for the

Connector which generated this event.

EventSourceId e.rv24 %rv24% S_RV24 UUID Unique identifier for the

Event Source which generated this event.

RawDataRecordId e.rv25 %rv25% S_RV25 UUID Unique identifier for the

Raw Data Record associated with this event.

ControlPack e.rv26 %rv26% S_RV26 string Sentinel control

categorization level 1 (for Solution Packs).

EventMetricClass e.rv28 %rv28% s_RV28 string Class of the event-

dependent numeric value.

InitIPCountry e.rv29 %rv29% s_RV29 string Country where the IPv4

address of the initiating system is located.

TargetIPCountry e.rv30 %rv30% s_RV30 string Country where the IPv4

address of the target system is located.

Sentinel Event Fields 25

novdocx (en) 7 January 2010

Default Label

Filters and Correlation Rules

Menu and Correlation Actions

Proprietary Collector Language

Data Typ e

Description

DeviceName e.rv31 %rv31% s_RV31 string Name of the device

generating the event. If this device is supported by Advisor, the name should match the name known by Advisor. Used in Exploit Detection.

DeviceCategory e.rv32 %rv32% s_RV32 string Device category (FW,

IDS, AV, OS, DB).

EventContext e.rv33 %rv33% s_RV33 string Event context (threat

level).

InitThreatLevel e.rv34 %rv34% s_RV34 string Initiator threat level.

InitUserDomain e.rv35 %rv35% s_RV35 string Domain (namespace) in

which the initiating account exists.

DataContext e.rv36 %rv36% s_RV36 string Data context.

InitFunction e.rv37 %rv37% s_RV37 string Initiator function.

InitOperationalContext e.rv38 %rv38% s_RV38 string Initiator operational

context.

MSSPCustomerName e.rv39 %rv39% s_RV39 string MSSP customer name.

VendorEventCode e.rv40 %rv40% s_RV40 string Event code reported by

device vendor.

TargetHostDomain e.rv41 %rv41% s_RV41 string Domain portion of the

target system's fullyqualified hostname.

InitDomain e.rv42 %rv42% s_RV42 string Domain portion of the

initiating system's fullyqualified hostname.

ReservedVar43 e.rv43 %rv43% s_RV43 string Reserved by Novell for

expansion.

TargetThreatLevel e.rv44 %rv44% s_RV44 string Target threat level.

TargetUserDomain e.rv45 %rv45% s_RV45 string Domain (namespace) in

which the target account exists..

VirusStatus e.rv46 %rv46% s_RV46 string Virus status.

TargetFunction e.rv47 %rv47% s_RV47 string Target function.

TargetOperationalContext e.rv48 %rv48% s_RV48 string Target operational

context.

TaxonomyLevel4 e.rv53 %rv53% s_RV53 string Sentinel event code

categorization - level 4.

26 Sentinel 6.1 Reference Guide

novdocx (en) 7 January 2010

Default Label

Filters and Correlation Rules

Menu and Correlation Actions

Proprietary Collector Language

Data Typ e

Description

CustomerHierarchyLevel2 e.rv54 %rv54% s_RV54 string Customer Hierarchy Level

2 (used by MSSPs).

VirusStatus e.rv56 %rv56% s_RV56 string Virus Status.

InitMacAddress e.rv57 %rv57% s_RV57 string Initiator Mac Address.

Part of initiator host asset data.

InitNetworkIdentity e.rv58 %rv58% s_RV58 string Initiator Network Identity.

Part of initiator host asset data.

InitAssetFunction e.rv60 %rv60% s_RV60 string Function of the initiating

system (fileserver, webserver, etc.).

InitAssetValue e.rv61 %rv61% s_RV61 string Initiator Asset Value. Part

of initiator host asset data.

InitAssetCriticality e.rv62 %rv62% s_RV62 string Criticality of the initiating

system (0-5).

Variables reserved for future use by Novell

e.rv63 thru e.rv75

%rv63% thru

s_RV63 thru s_rv75

string Variables not currently in

use

%rv75%

InitAssetDepartment e.rv76 %rv76% s_RV76 string Department of the

initiating system.

InitAssetId e.rv77 %rv77% s_RV77 string Internal asset identifier of

the initiator.

Variables reserved for future use by Novell

e.rv78 thru e.rv80

%rv78% thru

s_RV78 thru s_rv80

string Variables not currently in

use

%rv80%

TargetAssetClass e.rv81 %rv81% s_RV81 string Class of the target system

(desktop, server, etc.).

TargetAssetFunction e.rv82 %rv82% s_RV82 string Function of the target

system (fileserver, webserver, etc.).

TargetAssetValue e.rv83 %rv83% s_RV83 string Target Asset Value. Part

of target host asset data.

Variables reserved for future use by Novell

e.rv84 thru e.rv97

%rv84% thru

s_RV84 thru s_rv97

string Variables not currently in

use.

%rv97%

TargetDepartment e.rv98 %rv98% s_RV98 string Target Department. Part

of target host asset data.

TargetAssetId e.rv99 %rv99% s_RV99 string Internal asset identifier of

the target.

CustomerHierarchyLevel4 e.rv100 %rv100% s_RV100 string Customer Hierarchy Level

4 (used by MSSPs)

Sentinel Event Fields 27

novdocx (en) 7 January 2010

Default Label

Variables reserved for future use by Novell

CustomerVar1

thru

CustomerVar10

CustomerVar11 thru

CustomerVar20

CustomerVar21 thru

CustomerVar89

Filters and Correlation Rules

e.rv101 thru e.rv200

e.cv1 thru e.cv10

e.cv11 thru

e.cv20

e.cv21 thru

e.cv89

Menu and Correlation Actions

%rv101% thru %rv200%

%cv1% thru %cv10%

%cv11% thru

%cv20%

%cv21% thru

%cv89%

Proprietary Collector Language

s_rv101 thru s_rv200

s_CV1

thru

s_CV10

s_CV11

thru

s_CV20

s_CV21

thru

s_CV29

Data Typ e

Description

various Variables not currently in

use

integer Number variable reserved

for customer use. Stored in database.

date Date variable reserved for

customer use. Stored in database.

string String variable reserved

for customer use. Stored in database.

SARBOX e.cv90 %cv90% s_CV90 string Set to 1 if the asset is

governed by SarbanesOxley.

HIPAA e.cv91 %cv91% s_CV91 string Set to 1 if the asset is

governed by the Health Insurance Portability and Accountability Act (HIPAA) regulation.

GLBA e.cv92 %cv92% s_CV92 string Set to 1 if the asset is

governed by the GrammLeach Bliley Act (GLBA) regulation.

FISMA e.cv93 %cv93% s_CV93 string Set to 1 if the asset is

governed by the Federal Information Security Management Act (FISMA) regulation.

NISPOM e.cv94 %cv94% s_CV94 string Set to 1 via an asset map

if the target asset is governed by the National Industrial Security Program Operating Manual (NISPOM)

CustomerVar95 thru CustomerVar100

e.cv95 thru e.cv100

%cv95% thru %cv100%

s_CV95 thru s_CV100

string String variable reserved

for customer use. Stored in database.

CustomerVar101 thru CustomerVar110

28 Sentinel 6.1 Reference Guide

e.cv101 thru e.cv110

%cv101% thru %cv110%

s_CV101 thru s_CV110

string Integer variable reserved

for customer use. Stored in database.

novdocx (en) 7 January 2010

Default Label

CustomerVar111 thru CustomerVar120

CustomerVar121 thru CustomerVar130

CustomerVar131 thru CustomerVar140

CustomerVar141 thru CustomerVar150

CustomerVar151 thru CustomerVar160

CustomerVar161 thru CustomerVar170

CustomerVar171 thru CustomerVar180

Filters and Correlation Rules

e.cv111 thru e.cv120

e.cv121 thru e.cv130

e.cv131 thru e.cv140

e.cv141 thru e.cv150

e.cv151 thru e.cv160

e.cv161 thru e.cv170

e.cv171 thru e.cv180

Menu and Correlation Actions

%cv111% thru %cv120%

%cv121% thru %cv130%

%cv131% thru %cv140%

%cv141% thru %cv150%

%cv151% thru %cv160%

%cv161% thru %cv170%

%cv171% thru %cv180%

Proprietary Collector Language

s_C V111 thru s_CV120

s_CV121 thru s_CV130

s_CV131 thru s_CV140

s_CV141 thru s_CV150

s_CV151 thru s_CV160

s_CV161 thru s_CV170

s_CV171 thru s_CV180

Data Typ e

Description

string Date variable reserved for

customer use. Stored in database.

string UUID variable reserved

for customer use. Stored in database.

string IPv4 variable reserved for

customer use. Stored in database.

string String variable reserved

for customer use. Stored in database.

string Integer variable reserved

for customer use. Not stored in database.

string Date variable reserved for

customer use. Not stored in database.

string UUID variable reserved

for customer use. Not stored in database.

CustomerVar181 thru CustomerVar190

CustomerVar191 thru CustomerVar200

e.cv181 thru e.cv190

e.cv191 thru e.cv200

%cv181% thru %cv190%

%cv191% thru %cv200%

s_CV181 thru s_CV190

s_CV191 thru s_CV200

string IPv4 variable reserved for

customer use. Not stored in database.

string String variable reserved

for customer use. Not stored in database.

Sentinel Event Fields 29

novdocx (en) 7 January 2010

30 Sentinel 6.1 Reference Guide

+ 202 hidden pages

Novell SENTINEL 6.1 Reference Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

Sentinel 6.1 Reference Guide

Preface

SentinelTM User Reference Introduction

Sentinel Event Fields

2.1 Event Field Labels and Tags

2.1.1 Free-Form Filters and Correlation Rules

2.1.2 Actions

2.1.3 Proprietary Collectors

2.1.4 JavaScript Collectors

2.2 List of Fields and Representations