Novell SENTINEL RAPID DEPLOYMENT Reference Guide
Novell®
www.novell.com
Reference Guide
SentinelTM Rapid Deployment
novdocx (en) 13 May 2009
AUTHORIZED DOCUMENTATION
6.1
June 15, 2009
Sentinel 6.1 Rapid Deployment Reference Guide
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on
the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws.
You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the
Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on
exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.
novdocx (en) 13 May 2009
Copyright © 1999-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.
patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or
more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see
the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/
trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
novdocx (en) 13 May 2009
novdocx (en) 13 May 2009
4 Sentinel 6.1 Rapid Deployment Reference Guide
Contents
About This Guide 9
1 Sentinel 6.1 Rapid Deployment Event Fields 11
1.1 Event Field Labels and Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.1.1 Free-Form Filters and Correlation Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.1.2 Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.1.3 Proprietary Collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.1.4 JavaScript Collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.2 List of Fields and Representations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2 Sentinel 6.1 Rapid Deployment Control Center User Permissions 25
2.1 Changing User Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.2 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.2.1 General – Public Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.2.2 General – Manage Private Filters of Other Users . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.2.3 General – Integration Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.3 Active Views. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.3.1 Active Views – Menu Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.4 iTRAC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.4.1 iTRAC - Template Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.4.2 iTRAC - Process Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.5 Incidents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.6 Integrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.7 Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.8 Event Source Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.9 Analysis Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.10 Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.10.1 Administration – Global Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.10.2 Administration – Server Views. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.11 Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.12 Solution Pack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.13 Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.14 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.15 Downloading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.16 Java Webstart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
novdocx (en) 13 May 2009
3 Sentinel 6.1 Rapid Deployment Correlation Engine RuleLG Language 37
3.1 Correlation RuleLG Language Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.2 Event Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.3 Event Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.3.1 Filter Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.3.2 Window Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.3.3 Trigger Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.4 Rule Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.4.1 Gate Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.4.2 Sequence Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Contents 5
3.5 Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.5.1 Flow Operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.5.2 Union Operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.5.3 Intersection Operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.5.4 Discriminator Operator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.6 Order of Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.7 Differences between Correlation in 5.x and 6.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
4 Sentinel 6.1 Rapid Deployment Data Access Service 47
4.1 DAS Container Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
4.1.1 Reconfiguring Database Connection Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
4.1.2 DAS Logging Properties Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5 Sentinel 6.1 Rapid Deployment Accounts and Password Changes 51
5.1 Sentinel Default Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.2 Password Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.2.1 Changing Application User Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
5.2.2 Changing Database Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
novdocx (en) 13 May 2009
6 Sentinel 6.1 Rapid Deployment Database Views for PostgreSQL 55
6.1 Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6.1.1 ACTVY_PARM_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
6.1.2 ACTVY_REF_PARM_VAL_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.1.3 ACTVY_REF_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.1.4 ACTVY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.1.5 ADV_ATTACK_MAP_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.1.6 ADV_ATTACK_PLUGIN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.1.7 ADV_ATTACK_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.1.8 ADV_ATTACK_SIGNATURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
6.1.9 ADV_FEED_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
6.1.10 ADV_MASTER_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.1.11 ADV_PRODUCT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.1.12 ADV_PRODUCT_SERVICE_PACK_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
6.1.13 ADV_PRODUCT_VERSION_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
6.1.14 ADV_VENDOR_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.1.15 ADV_VULN_KB_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
6.1.16 ADV_VULN_PRODUCT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
6.1.17 ADV_VULN_SIGNATURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
6.1.18 ANNOTATIONS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
6.1.19 ASSET_CATEGORY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
6.1.20 ASSET_HOSTNAME_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.1.21 ASSET_IP_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.1.22 ASSET_LOCATION_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.1.23 ASSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
6.1.24 ASSET_VALUE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
6.1.25 ASSET_X_ENTITY_X_ROLE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
6.1.26 ASSOCIATIONS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
6.1.27 ATTACHMENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
6.1.28 AUDIT_RECORD_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
6.1.29 CONFIGS_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
6.1.30 CONTACTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
6.1.31 CORRELATED_EVENTS_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
6.1.32 CORRELATED_EVENTS_RPT_V1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
6.1.33 CRITICALITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
6 Sentinel 6.1 Rapid Deployment Reference Guide
6.1.34 CUST_HIERARCHY_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
6.1.35 CUST_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
6.1.36 ENTITY_TYPE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
6.1.37 ENV_IDENTITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
6.1.38 ESEC_CONTENT_GRP_CONTENT_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
6.1.39 ESEC_CONTENT_GRP_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
6.1.40 ESEC_CONTENT_PACK_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
6.1.41 ESEC_CONTENT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
6.1.42 ESEC_CTRL_CTGRY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
6.1.43 ESEC_CTRL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
6.1.44 ESEC_DISPLAY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
6.1.45 ESEC_PORT_REFERENCE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
6.1.46 ESEC_PROTOCOL_REFERENCE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
6.1.47 ESEC_SEQUENCE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
6.1.48 ESEC_UUID_UUID_ASSOC_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
6.1.49 EVENTS_ALL_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
6.1.50 EVENTS_ALL_RPT_V1 (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
6.1.51 EVENTS_ALL_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
6.1.52 EVENTS_RPT_V (legacy view). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
6.1.53 EVENTS_RPT_V1 (legacy view). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
6.1.54 EVENTS_RPT_V2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
6.1.55 EVENTS_RPT_V3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
6.1.56 EVT_AGENT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
6.1.57 EVT_AGENT_RPT_V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
6.1.58 EVT_ASSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
6.1.59 EVT_ASSET_RPT_V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
6.1.60 EVT_DEST_EVT_NAME_SMRY_1_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
6.1.61 EVT_DEST_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
6.1.62 EVT_DEST_TXNMY_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
6.1.63 EVT_NAME_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
6.1.64 EVT_PORT_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
6.1.65 EVT_PRTCL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
6.1.66 EVT_PRTCL_RPT_V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
6.1.67 EVT_RSRC_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
6.1.68 EVT_SEV_SMRY_1_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
6.1.69 EVT_SRC_COLLECTOR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
6.1.70 EVT_SRC_GRP_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
6.1.71 EVT_SRC_MGR_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
6.1.72 EVT_SRC_OFFSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
6.1.73 EVT_SRC_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
6.1.74 EVT_SRC_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
6.1.75 EVT_SRC_SRVR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
6.1.76 EVT_TXNMY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
6.1.77 EVT_USR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
6.1.78 EVT_XDAS_TXNMY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
6.1.79 EXTERNAL_DATA_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
6.1.80 HIST_CORRELATED_EVENTS_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . 103
6.1.81 HIST_EVENTS_RPT_V (legacy view). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
6.1.82 IMAGES_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
6.1.83 INCIDENTS_ASSETS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
6.1.84 INCIDENTS_EVENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
6.1.85 INCIDENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
6.1.86 INCIDENTS_VULN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
6.1.87 L_STAT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
6.1.88 LOGS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
6.1.89 MSSP_ASSOCIATIONS_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
6.1.90 NETWORK_IDENTITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
6.1.91 ORGANIZATION_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
6.1.92 PERSON_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
novdocx (en) 13 May 2009
Contents 7
6.1.93 PHYSICAL_ASSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
6.1.94 PRODUCT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
6.1.95 ROLE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
6.1.96 RPT_LABELS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
6.1.97 SENSITIVITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
6.1.98 SENTINEL_HOST_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
6.1.99 SENTINEL_PLUGIN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
6.1.100 SENTINEL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
6.1.101 STATES_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
6.1.102 UNASSIGNED_INCIDENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
6.1.103 USERS_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
6.1.104 USR_ACCOUNT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
6.1.105 USR_IDENTITY_EXT_ATTR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
6.1.106 USR_IDENTITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
6.1.107 VENDOR_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
6.1.108 VULN_CALC_SEVERITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
6.1.109 VULN_CODE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
6.1.110 VULN_INFO_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
6.1.111 VULN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
6.1.112 VULN_RSRC_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
6.1.113 VULN_RSRC_SCAN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
6.1.114 VULN_SCAN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
6.1.115 VULN_SCAN_VULN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
6.1.116 VULN_SCANNER_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
6.1.117 WORKFLOW_DEF_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
6.1.118 WORKFLOW_INFO_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
6.2 Deprecated Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
novdocx (en) 13 May 2009
A Sentinel 6.1 Rapid Deployment Troubleshooting Checklist 121
B Sentinel 6.1 Rapid Deployment Service Permission Tables 125
B.1 Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
B.2 Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
B.3 Correlation Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
B.4 Data Access Server (DAS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
B.5 Sentinel Communication Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
B.6 Sentinel Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
B.7 Reporting Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
C Sentinel 6.1 Rapid Deployment Log Locations 133
C.1 Sentinel Data Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
C.2 iTRAC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
C.3 Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
C.4 DAS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
C.5 Event Insertion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
C.6 Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
C.7 Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
C.8 Correlation Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
C.9 Sentinel Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
C.10 Solution Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
C.11 Multiple Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
8 Sentinel 6.1 Rapid Deployment Reference Guide
About This Guide
SentinelTM is a security information and event management solution that receives information from
many sources throughout an enterprise, standardizes it, prioritizes it and presents it to you to make
threat, risk and policy related decisions. The Sentinel 6.1 RD User Reference Guide is your
reference for the following:
Collector administrator functions
Collector and Sentinel meta tags
Sentinel console user permissions
Sentinel correlation engine
Sentinel command line options
Sentinel server database views
This guide assumes that you are familiar with Network Security, Database Administration and Linux
operating system.
novdocx (en) 13 May 2009
This guide discusses about:
Chapter 1, “Sentinel 6.1 Rapid Deployment Event Fields,” on page 11
Chapter 2, “Sentinel 6.1 Rapid Deployment Control Center User Permissions,” on page 25
Chapter 3, “Sentinel 6.1 Rapid Deployment Correlation Engine RuleLG Language,” on
page 37
Chapter 4, “Sentinel 6.1 Rapid Deployment Data Access Service,” on page 47
Chapter 6, “Sentinel 6.1 Rapid Deployment Database Views for PostgreSQL,” on page 55
Appendix A, “Sentinel 6.1 Rapid Deployment Troubleshooting Checklist,” on page 121
Appendix B, “Sentinel 6.1 Rapid Deployment Service Permission Tables,” on page 125
Appendix C, “Sentinel 6.1 Rapid Deployment Log Locations,” on page 133
Audience
This documentation is intended for Information Security Professionals.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation and enter your comments there.
Additional Documentation
Sentinel technical documentation is broken down into several different volumes. They are:
Novell Sentinel 6.1 RD Installation Guide (http://www.novell.com/documentation/
sentinel61rd/s61rd_install/data/index.html)
About This Guide 9
Novell Sentinel 6.1 RD User Guide (http://www.novell.com/documentation/sentinel61rd/
s61rd_user/data/index.html)
Novell Sentinel 6.1 RD Reference Guide (http://www.novell.com/documentation/sentinel61rd/
s61rd_reference/data/index.html)
Sentinel 6.1 Install Guide (http://www.novell.com/documentation/sentinel61/pdfdoc/
sentinel_61_installation_guide.pdf)
Sentinel 6.1 User Guide (http://www.novell.com/documentation/sentinel61/pdfdoc/
sentinel_61_user_guide.pdf)
Sentinel 6.1 Reference Guide (http://www.novell.com/documentation/sentinel61/pdfdoc/
sentinel_61_reference_guide.pdf)
Sentinel SDK (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel)
The Sentinel SDK site provides the details about developing collectors (proprietary or
JavaScript) and JavaScript correlation actions.
Documentation Conventions
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items
within a cross-reference path.
novdocx (en) 13 May 2009
A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.
When a single path name can be written with a backslash for some platforms or a forward slash for
other platforms, the path name is presented with forward slashes to reflect the Linux* convention.
®
Users of platforms that require a backslash, such as NetWare
, should use backlashes as required by
your software.
Contacting Novell
Novell Website (http://www.novell.com)
Novell Technical Support (http://support.novell.com/
phone.html?sourceidint=suplnav4_phonesup)
Novell Self Support (http://support.novell.com/
support_options.html?sourceidint=suplnav_supportprog)
Patch Download Site (http://download.novell.com/index.jsp)
Novell 24x7 Support (http://www.novell.com/company/contact.html)
Sentinel TIDS (http://support.novell.com/products/sentinel)
10 Sentinel 6.1 Rapid Deployment Reference Guide
1
Sentinel 6.1 Rapid Deployment
novdocx (en) 13 May 2009
Event Fields
Every Sentinel event or correlated event has certain fields that are automatically populated (such as
Event Time and Event UUID) and other fields that may or may not be populated, depending on the
type of event, the collector parsing, and the mapping service configuration. This event data is visible
in Active Views, historical queries, and reports. They are stored in the database and can be accessed
via the report views. They can also be used in actions available through the right-click event menu,
correlation actions, and iTRAC workflow actions.
Section 1.1, “Event Field Labels and Tags,” on page 11
Section 1.2, “List of Fields and Representations,” on page 15
1.1 Event Field Labels and Tags
Each field can be referred to by a user-friendly label or a short tag. The user-friendly label is visible
throughout the Sentinel Control Center interface, for example:
Column headers for Active Views, historical event queries, and the Active Browser
Correlation wizard drop-down menus
Active View configuration drop-down menus
1
Each field has a default label, but that label is user-configurable using the Event Configuration
option on the Admin tab. For more information, see “Admin” section in Sentinel 6.1 Rapid
Deployment User Guide.
user who initiated the event, but this can be changed by the administrator. When a user changes the
default label, the changes are reflected in most areas of the interface, including any correlation rules,
filters, and right-click menu options.
WARNING: Changing the default label for variables other than Customer Variables may cause
confusion when working with Novell Technical Services or other parties who are familiar with the
default names. In addition, JavaScript Collectors built by Novell refer to the default labels described
in this chapter and are not automatically updated to refer to new labels.
Each field also has a short tag name that is always used for internal references to the field and is not
user-configurable. This short tag name may not correspond exactly to the default label; Sentinel
labels have changed over the years, but the underlying short tags remain the same for backward
compatibility. (For example, InitUserName is the default label for the account name of the user who
initiated the event. The default label was previously SourceUserName, and the underlying short tag
is “sun”.)
NOTE: Many of the default labels were updated for clarity in the Sentinel 6.1 release. Because all
filters, actions, and correlation rule definitions are defined using the short tags, even though the label
may be visible in the interface, there is no change in functionality due to the label renaming.
InitUserName
is the default label to represent the account name of the
Sentinel 6.1 Rapid Deployment Event Fields
11
Each field is associated with a specific data type, which corresponds to the data type in the database:
string: limited to 255 characters (unless otherwise specified)
integer: 32-bit signed integer
UUID: 36 character (with hyphens) or 32 character (without hyphens) hexadecimal string in
the format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 6A5349DA-7CBF-1028-9795-000BCDFFF482)
date: Collector Variable must be set with date as number of milliseconds from January 1, 1970
00:00:00 GMT. When displayed in Sentinel Control Center, meta-tags of type date are
displayed in a regular date format.
IPv4: IP address in dotted decimal notation (that is – xxx.xxx.xxx.xxx)
This section has the following information:
Section 1.1.1, “Free-Form Filters and Correlation Rules,” on page 12
Section 1.1.2, “Actions,” on page 13
Section 1.1.3, “Proprietary Collectors,” on page 15
Section 1.1.4, “JavaScript Collectors,” on page 15
novdocx (en) 13 May 2009
1.1.1 Free-Form Filters and Correlation Rules
You can use either the tag or the label when you write free-form language in the Sentinel Control
Center. The Sentinel interface shows the user-friendly label.
Figure 1-1 Correlation Wizard displaying labels in drop-down and free-form language
12 Sentinel 6.1 Rapid Deployment Reference Guide
Figure 1-2 Filter Wizard displaying labels in drop-down and free-form language
novdocx (en) 13 May 2009
The representation of fields in the free-form RuleLG language is usually prefaced by “e.” for
example, “e.InitUserName” or “e.sun” can refer to the Initiator User Name for the incoming or
current event. In special cases, “w.” may be used to refer to a field in a past event (for example,
“w.InitUserName”). For more information about the RuleLG language, see Chapter 3, “Sentinel 6.1
Rapid Deployment Correlation Engine RuleLG Language,” on page 37.
1.1.2 Actions
Users can use either the tag or the label when they define parameters to be sent to right-click Event
Menu actions, correlation actions, and iTRAC workflow actions.
To pass a field value to an action, you may use a checklist that shows the labels or type the parameter
name directly into the configuration.
Sentinel 6.1 Rapid Deployment Event Fields 13
Figure 1-3 Configuration Action - Select Event Attributes window
novdocx (en) 13 May 2009
When you type the label or short tag for a field to be used in an action, the name can be enclosed in
percent signs (%tag%) or dollar signs ($tag$). For example:
%sun% in a correlation action refers to the value of InitUser in the correlated event
$sun$ in a correlation action refers to the value of InitUser in the current, “trigger” event (the
final event that caused the correlation rule to fire)
NOTE: In a right-click menu event operating on a single event, there is no functional
difference between %sun% and $sun$.
For example, to pass the Initiator User Name to a command line action to look up information from
a database about that user, you could use %InitUserName% or %sun%. For more information about
Actions, see “Actions and Integrators” section in Sentinel 6.1 Rapid Deployment User Guide.
14 Sentinel 6.1 Rapid Deployment Reference Guide
Figure 1-4 Configuration Action window
novdocx (en) 13 May 2009
1.1.3 Proprietary Collectors
Proprietary Collectors, written in Novell’s own language, always use variables based on the short
tag to refer to event fields. The short tag name must be prefaced by a letter and underscore, where
the letter indicates the data type for the field (i_ for integer, s_ for string).
1.1.4 JavaScript Collectors
JavaScript Collectors usually refer to event fields using an “e.” followed by the same user-friendly
label set in Event Configuration in the Sentinel Control Center. For a Sentinel system with a default
configuration, for example, the Initiator User Name would be referred to as “e.InitUserName” in the
JavaScript Collector. There are some exceptions to this general rule. Refer to the Sentinel Collector
SDK (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel) for more details.
1.2 List of Fields and Representations
The table on the following pages shows the default labels, descriptions and data types for the
Sentinel event fields, along with the proper way to refer to the tags in filters, correlation rules,
actions, and proprietary collector scripts. Fields that cannot or should not be manipulated in the
Collector parsing do not have a Collector variable.
Sentinel 6.1 Rapid Deployment Event Fields 15
Table 1-1 Labels and Meta-tags used in Sentinel Control Center and proprietary Collector language
novdocx (en) 13 May 2009
Default Label
Filters and
Correlation
Rules
Menu and
Correlation
Actions
Proprietary
Collector
Language
Data
Typ e
Description
DeviceEventTimeString e.et %et% s_ET string The normalized date and
time of the event, as
reported by the sensor.
DeviceEventTime e.det %det% date The normalized date and
time of the event, as
reported by the sensor.
SentinelProcessTime e.spt %spt% date The date and time
Sentinel received the
event.
BeginTime e.bgnt %bgnt% s_BGNT date The date and time the
event started occurring
(for repeated events).
EndTime e.endt %endt% s_ENDT date The date and time the
event stopped occurring
(for repeated events).
RepeatCount e.rc %rc% s_RC integer The number of times the
same event occurred if
multiple occurrences were
consolidated.
EventTime e.dt %dt% date The normalized date and
time of the event, as given
by the Collector.
SentinelServiceID e.src %src% UUID Unique identifier for the
Sentinel service which
generated this event.
Severity e.sev %sev% i_Severity integer The normalized severity
of the event (0-5).
Vulnerability e.vul %vul% s_VULN integer The vulnerability of the
asset identified in this
event. Set to 1 if Sentinel
detects an exploit against
a vulnerable system.
Requires Advisor.
Criticality e.crt %crt% s_CRIT integer The criticality of the asset
identified in this event.
InitIP e.sip %sip% s_SIP IPv4 IPv4 address of the
initiating system.
TargetIP e.dip %dip% s_DIP IPv4 IPv4 address of the target
system.
Collector e.port %port% string Name of the Collector that
generated this event.
16 Sentinel 6.1 Rapid Deployment Reference Guide
novdocx (en) 13 May 2009
Default Label
Filters and
Correlation
Rules
Menu and
Correlation
Actions
Proprietary
Collector
Language
Data
Typ e
Description
CollectorScript e.agent %agent% string The name of the Collector
Script used by the
Collector to generate this
event.
Resource e.res %res% s_Res string Compliance monitoring
hierarchy level 1
SubResource e.sres %sres% s_SubRes string Subresource name
ObserverHostName e.sn %sn% s_SN string Unqualified hostname of
the observer (sensor) of
the event.
SensorType e.st %st% s_ST string The single character
designator for the sensor
type (N, H, O, V, C, W, A,
I).
Protocol e.prot %prot% s_P string Protocol used between
initiating and target
services.
InitHostName e.shn %shn% s_SHN string Unqualified hostname of
the initiating system.
InitServicePort e.spint %spint% s_SPINT integer Port used by service/
application that initiated
the connection.
InitServicePortName e.sp %sp% s_SP string Name of the initiating
service that caused the
event.
TargetHostName e.dhn %dhn% s_DHN string Unqualified hostname of
the target system.
TargetServicePort e.dpint %dpint% s_DPINT integer Network port accessed on
the target.
TargetServicePortName e.dp %dp% s_DP string Name of the target service
affected by this event.
InitUserName e.sun %sun% s_SUN string Initiating user's account
name. Example jdoe
during an attempt to su.
TargetUserName e.dun %dun% s_DUN string Target user's account
name. Example root
during a password reset.
FileName e.fn %fn% s_FN string The name of the program
executed or the file
accessed, modified or
affected.
Sentinel 6.1 Rapid Deployment Event Fields
17
novdocx (en) 13 May 2009
Default Label
Filters and
Correlation
Rules
Menu and
Correlation
Actions
Proprietary
Collector
Language
Data
Typ e
Description
ExtendedInformation e.ei %ei% s_EI string Stores additional
collector-processed
information. Values within
this variable are
separated by semi-colons
(;).
ReporterHostName e.rn %rn% s_RN string Unqualified hostname of
the reporter of the event.
ProductName e.pn %pn% s_PN string Indicates the type, vendor
and product code name of
the sensor from which the
event was generated.
Message e.msg %msg% s_BM string Free-form message text
for the event.
DeviceAttackName e.rt1 %rt1% s_RT1 string Device specific attack
name that matches attack
name known by Advisor.
Used in Exploit Detection.
Rt2 e.rt2 %rt2% s_RT2 string Reserved by Novell for
expansion.
Ct1 thru Ct2 e.ct1 thru
e.ct2
%ct1%
thru
%ct2%
s_CT1
and
string Reserved for use by
customers for customerspecific data.
s_CT2
Rt3 e.rt3 %rt3% integer Reserved by Novell for
expansion.
Ct3 e.ct3 %ct3% s_CT3 integer Reserved for use by
customers for customerspecific data.
CorrelatedEventUuids e.ceu %ceu% s_RT3 string List of event UUIDs
associated with th
correlated event. Only
relevant for correlated
events.
CustomerHierarchyId e.rv1 %rv1% s_RV1 integer Used for MSSPs.
ReservedVar2 thru
ReservedVar10
ReservedVar11 thru
ReservedVar20
e.rv2 thru
e.rv10
e.rv11 thru
e.rv20
%rv2%
thru
%rv10%
%rv11%
thru
s_RV2
thru
s_RV10
s_RV11
thru
integer Reserved by Novell for
expansion.
date Reserved by Novell for
expansion.
%rv20%
s_RV20
18 Sentinel 6.1 Rapid Deployment Reference Guide
novdocx (en) 13 May 2009
Default Label
Filters and
Correlation
Rules
Menu and
Correlation
Actions
Proprietary
Collector
Language
Data
Typ e
Description
CollectorManagerId e.rv21 %rv21% s_RV21 UUID Unique identifier for the
Collector Manager which
generated this event.
CollectorId e.rv22 %rv22% s_RV22 UUID Unique identifier for the
Collector which generated
this event.
ConnectorId e.rv23 %rv23% S_RV23 UUID Unique identifier for the
Connector which
generated this event.
EventSourceId e.rv24 %rv24% S_RV24 UUID Unique identifier for the
Event Source which
generated this event.
RawDataRecordId e.rv25 %rv25% S_RV25 UUID Unique identifier for the
Raw Data Record
associated with this event.
ControlPack e.rv26 %rv26% S_RV26 string Sentinel control
categorization level 1 (for
Solution Packs).
EventMetricClass e.rv28 %rv28% s_RV28 string Class of the event-
dependent numeric value.
InitIPCountry e.rv29 %rv29% s_RV29 string Country where the IPv4
address of the initiating
system is located.
TargetIPCountry e.rv30 %rv30% s_RV30 string Country where the IPv4
address of the target
system is located.
DeviceName e.rv31 %rv31% s_RV31 string Name of the device
generating the event. If
this device is supported
by Advisor, the name
should match the name
known by Advisor. Used
in Exploit Detection.
DeviceCategory e.rv32 %rv32% s_RV32 string Device category (FW,
IDS, AV, OS, DB).
EventContext e.rv33 %rv33% s_RV33 string Event context (threat
level).
InitThreatLevel e.rv34 %rv34% s_RV34 string Initiator threat level.
InitUserDomain e.rv35 %rv35% s_RV35 string Domain (namespace) in
which the initiating
account exists.
DataContext e.rv36 %rv36% s_RV36 string Data context.
InitFunction e.rv37 %rv37% s_RV37 string Initiator function.
Sentinel 6.1 Rapid Deployment Event Fields 19
novdocx (en) 13 May 2009
Default Label
Filters and
Correlation
Rules
Menu and
Correlation
Actions
Proprietary
Collector
Language
Data
Typ e
Description
InitOperationalContext e.rv38 %rv38% s_RV38 string Initiator operational
context.
MSSPCustomerName e.rv39 %rv39% s_RV39 string MSSP customer name.
VendorEventCode e.rv40 %rv40% s_RV40 string Event code reported by
device vendor.
TargetHostDomain e.rv41 %rv41% s_RV41 string Domain portion of the
target system's fullyqualified hostname.
InitDomain e.rv42 %rv42% s_RV42 string Domain portion of the
initiating system's fullyqualified hostname.
ReservedVar43 e.rv43 %rv43% s_RV43 string Reserved by Novell for
expansion.
TargetThreatLevel e.rv44 %rv44% s_RV44 string Target threat level.
TargetUserDomain e.rv45 %rv45% s_RV45 string Domain (namespace) in
which the target account
exists..
VirusStatus e.rv46 %rv46% s_RV46 string Virus status.
TargetFunction e.rv47 %rv47% s_RV47 string Target function.
TargetOperationalContext e.rv48 %rv48% s_RV48 string Target operational
context.
TaxonomyLevel4 e.rv53 %rv53% s_RV53 string Sentinel event code
categorization - level 4.
CustomerHierarchyLevel2 e.rv54 %rv54% s_RV54 string Customer Hierarchy Level
2 (used by MSSPs).
VirusStatus e.rv56 %rv56% s_RV56 string Virus Status.
InitMacAddress e.rv57 %rv57% s_RV57 string Initiator Mac Address.
Part of initiator host asset
data.
InitNetworkIdentity e.rv58 %rv58% s_RV58 string Initiator Network Identity.
Part of initiator host asset
data.
InitAssetFunction e.rv60 %rv60% s_RV60 string Function of the initiating
system (fileserver,
webserver, etc.).
InitAssetValue e.rv61 %rv61% s_RV61 string Initiator Asset Value. Part
of initiator host asset data.
InitAssetCriticality e.rv62 %rv62% s_RV62 string Criticality of the initiating
20 Sentinel 6.1 Rapid Deployment Reference Guide
system (0-5).
novdocx (en) 13 May 2009
Default Label
Variables reserved for future
use by Novell
Filters and
Correlation
Rules
e.rv63 thru
e.rv75
Menu and
Correlation
Actions
%rv63%
thru
Proprietary
Collector
Language
s_RV63
thru s_rv75
Data
Typ e
Description
string Variables not currently in
use
%rv75%
InitAssetDepartment e.rv76 %rv76% s_RV76 string Department of the
initiating system.
InitAssetId e.rv77 %rv77% s_RV77 string Internal asset identifier of
the initiator.
Variables reserved for future
use by Novell
e.rv78 thru
e.rv80
%rv78%
thru
s_RV78
thru s_rv80
string Variables not currently in
use
%rv80%
TargetAssetClass e.rv81 %rv81% s_RV81 string Class of the target system
(desktop, server, etc.).
TargetAssetFunction e.rv82 %rv82% s_RV82 string Function of the target
system (fileserver,
webserver, etc.).
TargetAssetValue e.rv83 %rv83% s_RV83 string Target Asset Value. Part
of target host asset data.
Variables reserved for future
use by Novell
e.rv84 thru
e.rv97
%rv84%
thru
s_RV84
thru s_rv97
string Variables not currently in
use.
%rv97%
TargetDepartment e.rv98 %rv98% s_RV98 string Target Department. Part
of target host asset data.
TargetAssetId e.rv99 %rv99% s_RV99 string Internal asset identifier of
the target.
CustomerHierarchyLevel4 e.rv100 %rv100% s_RV100 string Customer Hierarchy Level
4 (used by MSSPs)
Variables reserved for future
use by Novell
CustomerVar1
thru
CustomerVar10
CustomerVar11 thru
CustomerVar20
CustomerVar21 thru
CustomerVar89
e.rv101
thru
e.rv200
e.cv1 thru
e.cv10
e.cv11 thru
e.cv20
e.cv21 thru
e.cv89
%rv101%
thru
%rv200%
%cv1%
thru
%cv10%
%cv11%
thru
%cv20%
%cv21%
thru
%cv89%
s_rv101
thru
s_rv200
s_CV1
thru
s_CV10
s_CV11
thru
s_CV20
s_CV21
thru
various Variables not currently in
use
integer Number variable reserved
for customer use. Stored
in database.
date Date variable reserved for
customer use. Stored in
database.
string String variable reserved
for customer use. Stored
in database.
s_CV29
Sentinel 6.1 Rapid Deployment Event Fields 21
novdocx (en) 13 May 2009
Default Label
Filters and
Correlation
Rules
Menu and
Correlation
Actions
Proprietary
Collector
Language
Data
Typ e
Description
SARBOX e.cv90 %cv90% s_CV90 string Set to 1 if the asset is
governed by SarbanesOxley.
HIPAA e.cv91 %cv91% s_CV91 string Set to 1 if the asset is
governed by the Health
Insurance Portability and
Accountability Act
(HIPAA) regulation.
GLBA e.cv92 %cv92% s_CV92 string Set to 1 if the asset is
governed by the GrammLeach Bliley Act (GLBA)
regulation.
FISMA e.cv93 %cv93% s_CV93 string Set to 1 if the asset is
governed by the Federal
Information Security
Management Act (FISMA)
regulation.
NISPOM e.cv94 %cv94% s_CV94 string Set to 1 via an asset map
if the target asset is
governed by the National
Industrial Security
Program Operating
Manual (NISPOM)
CustomerVar95 thru
CustomerVar100
CustomerVar101 thru
CustomerVar110
CustomerVar111 thru
CustomerVar120
CustomerVar121 thru
CustomerVar130
CustomerVar131 thru
CustomerVar140
CustomerVar141 thru
CustomerVar150
CustomerVar151 thru
CustomerVar160
e.cv95 thru
e.cv100
e.cv101
thru
e.cv110
e.cv111
thru
e.cv120
e.cv121
thru
e.cv130
e.cv131
thru
e.cv140
e.cv141
thru
e.cv150
e.cv151
thru
e.cv160
%cv95%
thru
%cv100%
%cv101%
thru
%cv110%
%cv111%
thru
%cv120%
%cv121%
thru
%cv130%
%cv131%
thru
%cv140%
%cv141%
thru
%cv150%
%cv151%
thru
%cv160%
s_CV95
thru
s_CV100
s_CV101
thru
s_CV110
s_C V111
thru
s_CV120
s_CV121
thru
s_CV130
s_CV131
thru
s_CV140
s_CV141
thru
s_CV150
s_CV151
thru
s_CV160
string String variable reserved
for customer use. Stored
in database.
string Integer variable reserved
for customer use. Stored
in database.
string Date variable reserved for
customer use. Stored in
database.
string UUID variable reserved
for customer use. Stored
in database.
string IPv4 variable reserved for
customer use. Stored in
database.
string String variable reserved
for customer use. Stored
in database.
string Integer variable reserved
for customer use. Not
stored in database.
22 Sentinel 6.1 Rapid Deployment Reference Guide
novdocx (en) 13 May 2009
Default Label
CustomerVar161 thru
CustomerVar170
CustomerVar171 thru
CustomerVar180
CustomerVar181 thru
CustomerVar190
CustomerVar191 thru
CustomerVar200
Filters and
Correlation
Rules
e.cv161
thru
e.cv170
e.cv171
thru
e.cv180
e.cv181
thru
e.cv190
e.cv191
thru
e.cv200
Menu and
Correlation
Actions
%cv161%
thru
%cv170%
%cv171%
thru
%cv180%
%cv181%
thru
%cv190%
%cv191%
thru
%cv200%
Proprietary
Collector
Language
s_CV161
thru
s_CV170
s_CV171
thru
s_CV180
s_CV181
thru
s_CV190
s_CV191
thru
s_CV200
Data
Typ e
Description
string Date variable reserved for
customer use. Not stored
in database.
string UUID variable reserved
for customer use. Not
stored in database.
string IPv4 variable reserved for
customer use. Not stored
in database.
string String variable reserved
for customer use. Not
stored in database.
Sentinel 6.1 Rapid Deployment Event Fields 23
novdocx (en) 13 May 2009
24 Sentinel 6.1 Rapid Deployment Reference Guide
2
Sentinel 6.1 Rapid Deployment
novdocx (en) 13 May 2009
Control Center User Permissions
SentinelTM allows administrators to set user permissions in the Sentinel Control Center at a granular
admin
level. The only user created by default is the
created by the Sentinel Administrator, or someone with similar permissions.
The permissions in the User Manager are grouped into several major categories:
Each of these groups of settings are described in the following sections:
Section 2.1, “Changing User Permissions,” on page 25
Section 2.2, “General,” on page 27
Section 2.3, “Active Views,” on page 28
Section 2.4, “iTRAC,” on page 29
Section 2.5, “Incidents,” on page 30
Section 2.6, “Integrators,” on page 30
Section 2.7, “Actions,” on page 31
Section 2.8, “Event Source Management,” on page 31
Section 2.9, “Analysis Tab,” on page 32
Section 2.10, “Administration,” on page 32
Section 2.11, “Correlation,” on page 33
, or Sentinel Administrator. All other users are
2
Section 2.12, “Solution Pack,” on page 33
Section 2.13, “Identity,” on page 33
Section 2.14, “Reporting,” on page 34
Section 2.15, “Downloading,” on page 35
Section 2.16, “Java Webstart,” on page 35
2.1 Changing User Permissions
1 Log into the Sentinel Control Center as a user with the User Management permissions.
2 Click the Admin tab.
3 Select User Configuration from Admin tab. Alternatively, Select User Manager from User
Configuration in the Navigator.
Sentinel 6.1 Rapid Deployment Control Center User Permissions
25
4 Right click user and select User Details.
novdocx (en) 13 May 2009
5 Select the Permissions tab.
26 Sentinel 6.1 Rapid Deployment Reference Guide
novdocx (en) 13 May 2009
6 Deselect the check boxes for which you want to restrict the user.
7 Click OK.
2.2 General
Table 2-1 Permissions-General
Permission Name Description
Save Workspace Allows user to save preferences. If this permission is unavailable, user
will never be prompted to save changes to preferences when logging out
or exiting the Sentinel Control Center.
Column Management Allows user to manage the columns in the Active View tables.
Snapshot Allows user to take a snapshot of Active View tables.
Sentinel 6.1 Rapid Deployment Control Center User Permissions 27
2.2.1 General – Public Filters
Table 2-2 Permissions-General-Public Filters
Permission Name Description
Create Public Filters Allows user to create a filter with an owner ID of PUBLIC. If user does
not have this permission, then the value PUBLIC will not be listed as
one of the owner IDs that user can create a filter for.
Modify Public Filters Allows user to modify a public filter.
Delete Public Filters Allows user to delete a public filter.
2.2.2 General – Manage Private Filters of Other Users
Table 2-3 Permissions-General-Manage Private Filters of Other Users
novdocx (en) 13 May 2009
Permission Name Description
Create Private Filters for Other Users Allows user to create private filters for themselves or for
other users.
Modify Private Filters of Other Users Allows user to modify their own private filters and private
filters created by other users.
Delete Private Filters of Other Users Allows user to delete their own private filters and private
filters created by other users.
View/Use Private Filters of Other Users Allows user to view/use their own private filters and private
filters crated by other users.
2.2.3 General – Integration Actions
Table 2-4 Permissions-General-Integration Actions
Permission Name Description
Send to HP Service Desk Allows user to send events, incident and associated objects to
Remedy. (requires the optional Remedy integration component)
2.3 Active Views
Table 2-5 Permissions-Active Views
Permission Name Description
View Active Views Tab Allows user to see and use the Active Views tab, menu and other
related functions associated with the Active Views tab.
28 Sentinel 6.1 Rapid Deployment Reference Guide
Permission Name Description
Use/View Active Views Allows user to access the Active Views charts.
2.3.1 Active Views – Menu Items
Table 2-6 Permissions-Active Views-Menu Items
Permission Name Description
Use Assigned Menu Items Allows user to use assigned menu items in the
Active Views Events table (the right-click menu).
Add to Existing Incident Allows user to add events to existing incidents
using the Active Views Events table (the right-click
menu).
Remove from Incident Allows user to remove events from an existing
incident using the Events tab Events table (the
right-click menu).
novdocx (en) 13 May 2009
Email Events Allows user to e-mail events using the Active Views
Events table (the right-click menu).
View Advisor Attack Data Allows user to view the Advisor Attack Data stream.
View Vulnerability Allows user to view the vulnerabilities present in the
Sentinel database
2.4 iTRAC
Table 2-7 Permissions-iTRAC
Permission Name Description
View iTRAC Tab Allows user to see and use the iTRAC tab, menu and other related
functions associated with the iTRAC tab.
Activity Management Allows user to access the Activity Manager.
Manage Work Items Of Users Gives user administrative control over all workitems, including
those assigned to other users.
2.4.1 iTRAC - Template Management
Table 2-8 Permissions-iTRAC-Template Management
Permission Name Description
View/Use Template Manager Allows user to access the Template Manager.
Create/Modify Templates Allows user to create and modify templates.
Sentinel 6.1 Rapid Deployment Control Center User Permissions 29
2.4.2 iTRAC - Process Management
Table 2-9 Permissions-iTRAC-Process Management
Permission Name Description
View/Use Process Manager Allows user to access the Process View Manager.
Start/Stop Processes Allows user to use the Process View Manager.
2.5 Incidents
Table 2-10 Permissions-Incidents
Permission Name Description
View Incidents Tab Allows user to see and use the Incidents tab, menu and other related
functions associated with the View Incidents tab.
novdocx (en) 13 May 2009
Incident Administration Allows user to modify an incident.
View Incident(s) Allows user to view/modify the details of an incident. If the user does not
have this permission, then the Incident Details window will not be displayed
when the user either double-clicks an Incident in the Incident View window
or right-clicks the incident or selects the Modify option.
Create Incident(s) Allows user to create Incidents in the in the Incident View window or by right
clicking on the incident and select Modify option. Alternatively you can
select Create Incident menu item in the Incidents menu bar and clicking
Create Incident option in the tool bar.
Modify Incident(s) Allows user to modify an incident in the Incident Details window.
Delete Incident(s) Allows user to delete incidents.
Assign Incident(s) Allows user to assign an incident in the Modify and Create Incident window.
Email Incidents Allows user to e-mail Incidents of interest.
Incident Actions Allows user to view Execute Incident Action menu option in an Incident and
to execute actions.
Add Notes Allows user to add any number notes to an incident.
2.6 Integrators
Table 2-11 Permissions-Integrators
Permission Name Description
View Integrator Allows user to view Integrators, open Integrator Manager, use
update, refresh, help, test buttons and view integrator event details.
30 Sentinel 6.1 Rapid Deployment Reference Guide
Loading...