
Advanced Technical Training

Lab Manual November 12, 2009

Sentinel 6.1

Novell Training Services (en) 15 April 2009

Part Number

SENTINEL LABS

Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals. Copyright 2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document.
In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries. Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).

Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

Third-Party Materials
All third-party trademarks are the property of their respective owners.


Contents

SECTION 1  Introduction
  Exercise 1-1  Introduction  8

SECTION 2  Labs for Chapter 2 - Active Views
  Exercise 2-1  Active Views  10

SECTION 3  Labs for Chapter 3 - Filters  15
  Exercise 3-1  Filters  16

SECTION 4  Analysis  21
  Exercise 4-1  Event Table  22
  Exercise 4-2  Investigating a Series of Events  23
  Exercise 4-3  Attack - Severity  24
  Exercise 4-4  Investigating Vulnerabilities  25
  Exercise 4-5  Events Table Snapshots  26
  Exercise 4-6  Chart Snapshot  27
  Exercise 4-7  Event Queries  28

SECTION 5  Incidents  29
  Exercise 5-1  Incident creation  30

SECTION 6  iTRAC  33
  Exercise 6-1  Creating an iTRAC workflow  34

SECTION 7  Administration  39
  Exercise 7-1  Creating Global Filters  40
  Exercise 7-2  Creating New Users  42

SECTION 8  Installing and Configuring Business Objects  45
  Exercise 8-1  Check Configuration Requirements  46
  Exercise 8-2  Configure Crystal Reports  47

SECTION 9  Database  49
  Exercise 9-1  Jobs Exercise  50

SECTION 10  Correlation Workshop 1  51
  Exercise 10-1  Create a correlation that will find any port scan  52
  Exercise 10-2  IDS Critical Events  54
  Exercise 10-3  Create a Correlated Event with Conditions  55
  Exercise 10-4  Adding an Action  56
  Exercise 10-5  Repeat the Steps 4a-4d Using the Rule NIDS Critical Events  58
  Exercise 10-6  Change the Active View Screen to Reveal Different Information  59
  Exercise 10-7  Firewall Correlated Event with a Discriminator  60
  Exercise 10-8  A Simple Aggregate  61

SECTION 11  Correlation - RuleLG II  63
  Exercise 11-1  A Spreading Attack  64
  Exercise 11-2  IDS Attack comes from the Outside  65
  Exercise 11-3  Using an Intersection to narrow events  66

SECTION 12  Correlation - RuleLG II Answers  67
  Exercise 12-1  A Spreading Attack  68
  Exercise 12-2  IDS Attack comes from the Outside  69
  Exercise 12-3  Using an Intersection to narrow events  70
  Exercise Answers  70

SECTION 13  Correlation Actions  71
  Exercise 13-1  Correlation Actions  72

SECTION 14  Troubleshooting  73
  Objective 1  There are no labs for this section  74

SECTION 15  Collectors  75
  Exercise 15-1  Collectors  76

SECTION 16  Data Injection - Business Relevance  77
  Exercise 16-1  Prepare a Map  78
  Exercise 16-2  Load the Map File  79
  Exercise 16-3  Modifying Event Tags  81
  Exercise 16-4  Manage Columns  83

SECTION 17  Audit Platform Agents  85
  Exercise 17-1  Configuring Platform Agents  86

SECTION 18  Event Source Management  87
  Exercise 18-1  Configuring for Novell Events  88
  Exercise 18-2  Further Testing the Environment  104

SECTION 19  Configuring the Audit Event Source  111
  Exercise 19-1  Installation of the Audit Connector  112
  Exercise 19-2  Install the eDirectory Collector  115
  Exercise 19-3  Real-World  136
  Exercise 19-4  Extra Credit - Connect the Database machine via WMS  137

SECTION 20  Installing the Sentinel Driver  139
  Exercise 20-1  Installing the Driver  140
    Installing the Driver Files on the Metadirectory Engine  140
    Placing Prerequisite Files  140

SECTION 21  Using Designer to Create and Configure the Driver  143
  Exercise 21-1  Create the Driver  144

SECTION 22  Configuring Account Tracking  145
  Exercise 22-1  Configure Account Tracking  146

SECTION 23  Creating Connections to the JMS Message Bus  147
  Exercise 23-1  Connecting the Queue Factories  148
  Exercise 23-2  Configure the Queues  150

SECTION 24  Installing and Configuring the Identity Vault Collector  151
  Exercise 24-1  Install the Identity Vault Collector  152
  Exercise 24-2  Configuring the Identity Vault Collector  153
  Exercise 24-3  Starting the Collector  155

SECTION 25  Custom Audit Events (Informational - NOT a lab)  157
  Objective 1  Components of the Event  158

SECTION 26  Reporting when Terminated Users Accessing Company Resources  165
  Exercises 26-1 to 26-4:
    Installing the Identity Tracking Solution Pack  166
    Configuring the Global Setup  167
    Installing the Identity De-Provisioning Control  168
    Configuring the Identity De-Provisioning Control  170
    Enabling Audit on All Endpoint Systems  170
    Configuring the Unauthorized Access by Terminated Employee Rule  171

SECTION 27  Sending Alerts when Rogue Administration Occurs  173
  Exercise 27-1  Installing the Identity Tracking Solution Pack  174
  Exercise 27-2  Installing the Rogue Administration Control  175
  Exercise 27-3  Configuring the Rogue Administration Control  177
  Exercises 27-4 to 27-6:
    Enabling Audit on All Endpoint Systems  177
    Populating the ApprovedAccountAdmin Map  178
    Populating the IdentityManagedSystems Map  178
    Configuring the SOAP Integrator  178
    Configuring the LDAP Integrator  179
    Script Files  180
    Copying Script Files  180
    Configuring Right-Click Menu Options  182
    Importing the Rogue Administration Workflow  184

Event Field Labels and Tags  187
  Free-Form Filters and Correlation Rules  188
  Actions  189
  Proprietary Collectors  191
  JavaScript Collectors  191
  List of Fields and Representations  191

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

SECTION 1

Introduction

There are no labs for this section.

Exercise 1-1

Introduction
There are no labs for this section.
(End of Exercise)

SECTION 2

Labs for Chapter 2 - Active Views

In the Active Views tab, you have the ability to monitor events as they are happening (near real time) and perform queries on these events. You can monitor them in table form or through 3D bar, 2D stacked, line or ribbon chart representations. Don't read anything more into this lab than it is; it is intended as a get-to-know-the-interface lab. By the end of this lab, the student will be able to create new Active Views, manipulate the tables and graphs to display different timeframes, and modify existing views. All Active Views use a filter to display events; the filters can be broad, such as the ALL filter, which allows events of all severity levels into the view. The following workshop includes different filters which relate to the events generated by the demonstration collectors on the instructor machine. Complete the following steps:


Exercise 2-1

Active Views

1. Create a new Active View with the ALL filter and the Severity attribute.
   a. Select the Active Views tab.
   b. From the Active Views menu, select Create Active View to open the Active Views Wizard, or select Create Active View from the graphical menu bar.
      Figure 2-1
   c. In the Active Views Wizard window, Step 1, click the down arrows to select your Z-axis, Filter and Displayed Events settings:
      Event Attribute (Z-axis) = Severity
      Filter:
        1. Click on Filter Selection and a dialog will pop up.
        2. Click on the Filter Name column header to sort by that column.
        3. Single-click the filter with Owner = PUBLIC, Filter Name = ALL in the list.
           NOTE: We call this filter the Public-all or the Public: All filter, meaning that it passes all events.
           Figure 2-2  Step 1 of creating a filter
        4. Display Events? = Yes

   d. After making the selections, click Next.
   e. In the next window, Step 2, click the down arrows to select:
      Display interval = 5 Minutes
      Refresh rate = 30 Seconds
      Total display time = 15 Minutes
      Axis Values = Event Count
      Figure 2-3  Step 2 of creating a filter; statistical parameters
   f. After making the selection, click Next.
      Figure 2-4  Active Views Toolbar
   g. Select the chart type = Stacked Bar 2D (default) and click Finish.
   h. Notice it will take a few seconds to update the data in the chart and event table.


2. Using the Active View you just created, review the following:
   a. The display interval is set to 5 minutes; look at the x-axis and notice how each charted bar is labeled.
   b. Using the graph buttons (yellow feet), decrease the display interval; notice how the legend at the top and the data in the chart change as you do this.
   c. Using the graph buttons (stopwatch with green arrow), increase the display time from 15 minutes to 20 minutes; notice the legend at the top and the data changing as you do this.
   d. Leave the graph with a 15 minute display time and 30 second display interval.

3. Follow the instructions above to create a new Active View, but instead of London, receive Sydney events. You will create a Private Filter named Chicago that accepts all events from the Sydney resource regardless of severity. In this example, we are using a filter that uses an asset category that applies to all Collectors regardless of the source device.
   a. Select the Active Views tab.
   b. Click on the Create Active View button (black oscilloscope screen) to bring up the Active View Wizard.
   c. In the Active Views Wizard window, Step 1, click the down arrows to select your Z-axis, Filter and Displayed Events settings:
      Event Attribute = SourceIP
      Filter = PUBLIC:Chicago
      Display Events = Yes
   d. After making the selection, click Next.
   e. In the next window, Step 2, click the down arrows to select:
      Display interval = 1 Minute
      Refresh rate = 30 Seconds
      Total display time = 20 Minutes
      Axis Values = Event Count
   f. After making the selection, click Finish and your Active View will open. Notice it will take a few seconds to update the data in the chart and event table, and (depending on configuration) once data appears the entire chart will not be full.
   g. Right-click on the chart and select Line Chart from the menu.

4. Create a new Active View with the Attack filter and the Severity attribute. This view will display data based on severity level for events that have been categorized as Attack; the categorization is done at the Collector or Collector Manager level based on messages produced by the source devices.
   a. Select the Active Views tab.
   b. From the Active Views menu, select Create Active View to open the Active Views Wizard.
   c. In the Active Views Wizard window, Step 1, click the down arrows to select your Z-axis, Filter and Displayed Events settings:
      Event Attribute = Severity
      Filter = Attack
      Display Events = Yes
      After making the selection, click Finish and your Active View will open. Notice it will take a few seconds to update the data in the chart and event table.

5. Using the same Active View, modify the order of the columns:
   a. Click the Manage Columns button on the toolbar. The Manage Columns window will open.
   b. You will see a list of event tags in the right-hand pane. Multi-select all the meta-tags and click the Remove button to clear the list.
   c. Select the following meta-tags on the left, click Add, and then use the up/down arrows to place them in the listed order:
      1. Severity
      2. EventTime
      3. EventName
      4. Resource
      5. SubResource
      6. InitIP
      7. TargetIP
      8. OS
      9. City
      10. TaxonomyLevel1
      11. TaxonomyLevel2
      12. TaxonomyLevel3
      13. TaxonomyLevel4

(End of Exercise)
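The chart an Active View draws is a count of filtered events per display interval, stacked by the chosen Z-axis attribute, over the total display time. The following Python model of that computation is an added example for this lab, not Sentinel code: the event records, their meta-tag names (EventTime, Severity, Resource) and the timestamps are constructed here, and the wizard's Step 2 settings from step 1e are passed in as parameters so the effect of changing the display interval and display time (steps 2b and 2c) can be seen on the bucket layout.

```python
"""Model of what an Active View chart computes (added example, not Sentinel code).

Events are bucketed by a fixed display interval over the total display time,
and within each bucket counted by the chosen Z-axis attribute (Severity here),
which is what the stacked bar chart in Exercise 2-1 plots.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events with the meta-tags used in the lab
SAMPLE_EVENTS = [
    {"EventTime": "2009-04-15T09:40:00", "Severity": 5, "Resource": "FW-London"},   # outside the window
    {"EventTime": "2009-04-15T10:00:10", "Severity": 5, "Resource": "FW-London"},
    {"EventTime": "2009-04-15T10:03:45", "Severity": 2, "Resource": "FW-Sydney"},
    {"EventTime": "2009-04-15T10:06:00", "Severity": 5, "Resource": "FW-London"},
    {"EventTime": "2009-04-15T10:07:30", "Severity": 3, "Resource": "IDS-Chicago"},
    {"EventTime": "2009-04-15T10:12:01", "Severity": 4, "Resource": "FW-London"},
]


def active_view_counts(events, z_attr, now_iso, display_interval_min=5,
                       total_display_min=15, event_filter=lambda e: True):
    """Return {bucket_start_iso: {z_value: count}} for the window ending at now_iso.

    display_interval_min and total_display_min are the Step 2 wizard settings;
    event_filter plays the role of the view's filter (PUBLIC:ALL by default).
    """
    now = datetime.fromisoformat(now_iso)
    interval = timedelta(minutes=display_interval_min)
    window_start = now - timedelta(minutes=total_display_min)
    n_buckets = total_display_min // display_interval_min
    # Pre-create every bucket so an empty interval still shows on the x-axis
    buckets = {window_start + i * interval: defaultdict(int) for i in range(n_buckets)}
    for event in events:
        if not event_filter(event):
            continue
        t = datetime.fromisoformat(event["EventTime"])
        if t < window_start or t >= now:
            continue  # older than the display time (or in the future): not charted
        idx = (t - window_start) // interval
        buckets[window_start + idx * interval][event[z_attr]] += 1
    return {start.isoformat(): dict(counts) for start, counts in buckets.items()}


if __name__ == "__main__":
    # Exercise 2-1 step 1 settings: 5 minute interval, 15 minute display time
    view = active_view_counts(SAMPLE_EVENTS, "Severity", "2009-04-15T10:15:00")
    for start, counts in view.items():
        print(start, counts)
```

With the step 1 settings the three 5-minute buckets hold the five events inside the window and the 09:40 event falls outside it; raising the total display time to 20 minutes (step 2c) adds an empty leading bucket rather than pulling that event in. Passing a severity predicate as `event_filter` shows how a narrower filter such as the Attack filter of step 4 thins the same buckets.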


SECTION 3

Labs for Chapter 3 - Filters

By the end of this lecture, the student will be able to create public and private filters through the graphical Builder and free-form editor. This exercise will teach you how to create filters that are used to manage event viewing in Active Views and for various other filtering purposes throughout the course. Complete the following steps:


Exercise 3-1

Filters

1. Select the Admin tab on the Sentinel Console. The Navigator pane on the left has a list of all the administrative functions; click on Filter Configuration, then Filter Manager. Notice the Filter Manager window opens on the right pane. The Filter Manager window has a list of all Public and Private filters. New filters created through the workshop will appear on this window.

2. You will create both PRIVATE and PUBLIC filters; the option is determined through the owner of the filter when it is first created. When you click on the Add button on the Filter Manager, the Filter Details window will open.
   IMPORTANT: Private filters are simply filters created by users defined using the Admin console. These filters will appear as (for instance) esecadm:attack. Notice the prefix for each private filter lists the name of the user who created the filter. Private defines filters owned by individual users, rather than Public, which are usable by everyone.

3. In step 3 you will create a Private Filter named Lon that accepts all events from the London resource regardless of severity.
   a. By default, the Owner ID is set to PUBLIC; the drop-down list displays other users in the system, and if one of them is selected, the filter becomes Private for that user. For this exercise, select esecadm from the drop-down list as the owner.
   b. In this step you will name the Filter: enter the name London on the Filter Name box.
   c. The filter will accept all events from the London resource, so on the Property box select Resource from the drop-down box.
   d. On the Operator box select match regex (regular expressions); you will have to scroll down.
   e. On the Value box type London (note that this regex will match any string which contains the substring London, such as LondonHeathrow).


      Figure 3-1  Public filter that uses regular expressions to match on London
   f. Click on the Save button. The filter will appear on the Filter Manager window.

4. Follow the instructions above to create a new Filter, but instead of London, receive Tokyo events. You will create a Private Filter named Sydney that accepts all events from the Sydney resource regardless of severity.

5. You will create a Private Filter named TargetUser that looks for guest destination (target) users.
   a. Click the Add button on the Filter Manager window; the Filter Details window will open.
   b. Select btoney as the username from the drop-down list as the owner.
   c. Enter the name TargetUser on the Filter Name box.
   d. The filter will accept all events that have the TargetUserName meta-tag filled in with the user guest, so on the Property box select TargetUserName from the drop-down box.
   e. On the Operator box select =.


   f. On the Value box type guest.
   g. Save the filter. Notice it will appear on the Filter Manager window.

6. You will create a Private filter Severity4orhigher for events with severity higher than four.
   a. On the Filter Manager window, click the Add button. The Filter Details window opens.
   b. Select gporter or any other username from the drop-down list as the owner.
   c. On the Filter Name box enter the name Severity 4 or higher.
   d. The filter will accept all events with Severity higher than or equal to 4, so on the Property box select Severity from the drop-down box.
   e. On the Operator box select >=.
   f. On the Value box select 4.
   g. Save the filter. Notice it will appear on the Filter Manager window.

7. You will create a filter that accepts events for two subnets.
   a. On the Filter Manager window, click the Add button. The Filter Details window opens.
   b. Select a username from the drop-down list as the owner.
   c. On the Filter Name box enter the name SubnetWatch.
   d. First allow one subnet; select TargetIP from the Property box.
   e. On the Operator box select match subnet.
   f. On the Value box type 172.17.0.0/16.
   g. Click the + button on the right.
   h. Repeat the above instructions, steps d through f, but type 192.168.0.0/16 in Value.
   i. Look at the expression that appears in the Expression String box.
   j. Switch the Match if section to combine phrases with OR. Note the change.
   k. Save the filter.
   l. Notice it will appear on the Filter Manager window.

   You will create a filter named FireWall_Severity5 using the free-form editor that accepts all events generated from a Firewall with Severity 5.
   m. Select the Filter Manager under the Filter Configuration folder in the Navigator pane. The Filter Manager window opens.
   n. Click the Add button. The Filter Details window will open.
   o. Select jdasilva as the owner. On the Filter Name box enter the name FireWall_Sev5.


   p. Click on the Use free-form editor button to type in the definition of the filter. The definition of this filter will be:
      filter((e.res match regex(FW)) and (e.sev=5))
      NOTE: Notice that once you use the free-form editor, you can't go back to the graphical definition window.
   q. Click on the Save button. The filter will appear on the Filter Manager window.

8. Create a Public Filter for Correlated Events:
   a. Select the Filter Manager under the Filter Configuration folder in the Navigator pane. The Filter Manager window opens.
   b. Click the Add button. The Filter Details window will open.
   c. Leave PUBLIC as the owner.
   d. Enter the name CorrelatedEvents.
   e. On the Property box, select Sensor Type from the drop-down box.
   f. On the Operator box select =.
   g. In the Value box type C (without quotes) and save the filter.
   NOTE: At this point there are no correlated events occurring in your system. We haven't written them yet, but this filter will come in handy later in the course when you are testing your correlated events.

(End of Exercise)
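The six filters built in this exercise each reduce to a predicate over an event's meta-tags, and the two points the lab calls out (an unanchored regex on Resource matches LondonHeathrow as well as London; two subnet phrases only pass anything when combined with OR) are easiest to see by running the predicates over a handful of events. The Python below is an added example written for this manual, not Sentinel's filter engine: the events, their tag values (Resource, Severity, SensorType, TargetIP, TargetUserName) and the owner-free filter names are constructed here, and the free-form definition from step 7p is transcribed into the FireWall_Sev5 predicate.

```python
"""Model of the filters built in Exercise 3-1 (added example, not Sentinel code).

Each lab filter is written as a predicate over an event dictionary and applied
to constructed sample events, so the matching behaviour of regex, subnet and
AND/OR phrase combination can be checked outside the console.
"""
import ipaddress
import re

# Constructed sample events using the meta-tag names from the lab
SAMPLE_EVENTS = [
    {"Resource": "FW-LondonHeathrow", "Severity": 5, "SensorType": "N",
     "TargetIP": "172.17.11.5", "TargetUserName": "guest"},
    {"Resource": "FW-Sydney", "Severity": 3, "SensorType": "N",
     "TargetIP": "192.168.4.20", "TargetUserName": "administrator"},
    {"Resource": "IDS-London", "Severity": 4, "SensorType": "N",
     "TargetIP": "10.9.8.7", "TargetUserName": "guest"},
    {"Resource": "Correlation", "Severity": 5, "SensorType": "C",
     "TargetIP": "172.17.11.5", "TargetUserName": ""},
]


def match_regex(event, tag, pattern):
    """'match regex' operator: an unanchored search, so London also hits LondonHeathrow."""
    return re.search(pattern, str(event.get(tag, ""))) is not None


def match_subnet(event, tag, cidr):
    """'match subnet' operator: true when the tag holds an address inside cidr."""
    try:
        return ipaddress.ip_address(event.get(tag, "")) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:  # empty or malformed address never matches
        return False


def combine(event, phrases, mode="OR"):
    """The 'Match if' setting: OR passes if any phrase matches, AND only if all do."""
    results = [phrase(event) for phrase in phrases]
    return any(results) if mode == "OR" else all(results)


def subnet_watch(event, mode="OR"):
    """Step 7: two 'match subnet' phrases on TargetIP, combined as 'Match if' says."""
    return combine(event, [lambda e: match_subnet(e, "TargetIP", "172.17.0.0/16"),
                           lambda e: match_subnet(e, "TargetIP", "192.168.0.0/16")], mode)


# The lab's filters, keyed by the names used in the exercise
FILTERS = {
    "London": lambda e: match_regex(e, "Resource", "London"),
    "TargetUser": lambda e: e.get("TargetUserName") == "guest",
    "Severity4orhigher": lambda e: e.get("Severity", 0) >= 4,
    "SubnetWatch": subnet_watch,
    # free-form definition from step 7p: filter((e.res match regex(FW)) and (e.sev=5))
    "FireWall_Sev5": lambda e: match_regex(e, "Resource", "FW") and e.get("Severity") == 5,
    "CorrelatedEvents": lambda e: e.get("SensorType") == "C",
}


def apply_filter(name, events=SAMPLE_EVENTS):
    """Return the Resource of every event the named filter passes."""
    return [e["Resource"] for e in events if FILTERS[name](e)]


if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:18s} -> {apply_filter(name)}")
    print("SubnetWatch with AND ->", [e["Resource"] for e in SAMPLE_EVENTS if subnet_watch(e, "AND")])
```

Running it shows the London filter passing both FW-LondonHeathrow and IDS-London, which is the substring behaviour step 3e warns about (an anchored pattern such as `^London$` passes neither), and SubnetWatch passing nothing under AND because no single TargetIP can sit in both ranges, which is why step 7j switches the phrases to OR.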


SECTION 4

Analysis

In the Active Views tab, you have the ability to monitor events as they are happening (near real time) and perform queries on these events. By the end of this lecture, the student should be able to investigate events in various ways, doing further analysis on the event data presented in the Active View.


Exercise 4-1

Event Table

1. Using the PUBLIC:ALL Active View, review the Event Table.
   a. Select an event with TargetIP of 172.17.11.5 and right-click on it.
   b. Check the option to Show Details; a table will open on the left.
   c. Scroll down to review the event tags under the Base heading.
   d. There will be four more headings: Custom, Asset, Exploit, Reserved. Open each of them to review the event tags populated under them.
   e. Find the Reserved heading and look for the four taxonomy levels:
      i. Identify the Event Name and the Product Name and Resource. The relationship between the event type and the categorization is taxonomy.
   f. Now select two events with the same EventName = Successful login - administrator.
      i. If the Event Details table is already opened, you will see only event tags that are the same in both selected events.
      ii. The commonalities in the event tags can give the user an indication of what possible correlation exists between the two events.
   g. Active Views display events in real-time, so they reflect the last interval for the refresh rate set for that view. Select the first event that appears in the window and wait until the window is refreshed with the next set of events; the selected event will move (still selected) as the window refreshes.
   h. Double-click on the event. You will notice the Event Details window closes. If you double-click again, the Event Details will reopen.

(End of Exercise)


Exercise 4-2

Investigating a Series of Events

In this lab you will investigate conversations and connectivity.

1. Using the same Active View used in the previous exercise, select an event with the EventName = BLASTER variant detected.
2. Right-click and, under Investigate, select More Events from this Source.
3. A new window will open with the results of the query. Using these results, select the first 15-20 events in the table and right-click to select Investigate > Show Graph. At the prompt, use the down arrows to select:
   a. From = InitIP
   b. To = TargetIP
4. Notice that a graphical representation of the attacks displays in the Graph Mapper. The number indicates the number of attacks to the same TargetIP.
   NOTE: In one of the upcoming labs you will be recording information such as this to include in an incident, but for now the point of this lab is for you to know how to obtain this information.

(End of Exercise)


Exercise 4-3

Attack - Severity

Create a new Active View with the Attack filter and the Severity attribute. This view will display data based on severity level for events that have been categorized as Attack; the categorization is done at the Collector or Collector Manager level.

1. Select the Active Views tab. From the Active Views menu, select Create Active View to open the Active Views Wizard.
2. In the Active Views Wizard window, Step 1, click the down arrows to select your Z-axis, Filter and Displayed Events settings:
   a. Event Attribute = Severity
   b. Filter = Attack
   c. Display Events = Yes
3. After making the selection, click Finish and your Active View will open. Notice it will take a few seconds to update the data in the chart and event table.

(End of Exercise)


Exercise 4-4

Investigating Vulnerabilities

Using the Active View you just created, investigate vulnerabilities in your assets. The demo data that we are using contains only a few IP addresses that are also reflected in a vulnerability scan result in the database.

IMPORTANT: It is important to note that the image may NOT have Vulnerability data installed. If this is the case, skip this exercise.

1. Select an attack with the following values:
   a. EventName = BLASTER variant detected
   b. DestinationIP = 172.17.11.5
   c. Resource = eCommIDS01
2. Right-mouse click on the event and under Analysis select Event Time Vulnerability. The Vulnerability Results window will open with a summary of the Nessus scan results for the Destination IP address of the selected event.
   a. Review the port vulnerabilities under the Vulnerability Report tab.
   b. On the left pane, uncheck different ports: 0/TCP, ms-sql-s 1433/TCP.

(End of Exercise)


Exercise 4-5

Events Table Snapshots

Using the PUBLIC:ALL Active View, create a snapshot in the Events Table:

1. Select the Snapshot Event Real Time Table button on the toolbar to open a separate window. Notice the Date/Time stamp at the top of the window. This window will not be updated, so you will be able to sort the columns.
2. Select the Resource column and click on the heading to sort by Resource. Review the results.
3. Select the EventName column and click on the heading to sort by EventName.
4. Look for HTTP_IIS_ASP_Chunked_Overflow in the EventName sorted column. Right-click on the event and select the menu option WhoIs? A separate window will open with the WhoIs results. Note: you must have an internet connection to view the results.

(End of Exercise)


Exercise 4-6

Chart Snapshot

Lock the Active View and create a webpage snapshot.

1. Using the PUBLIC:ALL Active View, click on the chart Lock button to lock the display.
2. Click on the chart Snapshot button (in the chart, the camera icon) to create a webpage snapshot. Save it to your desktop and use a web browser to view it.

(End of Exercise)


Exercise 4-7

Event Queries

Generate a quick query; click the Launch Event Query button on the toolbar. A Historical Event Query window will open:

1. Using the drop arrows, select the PUBLIC:IDS_Events filter.
2. Click the Severity icon and deselect the Severity 0 and 1 levels. Click OK.
3. Select a 15 minute timeframe in the From To time drop boxes.
4. Leave the Batch Size at the default of 100.
5. Click on the magnifying glass icon to run the query.
6. Click the blue arrow at the top right to return another 100 events to this view.

(End of Exercise)


SECTION 5

Incidents

Using the Active Views and Incidents tabs, you have the ability to create and modify Incidents, assign related information and iTRAC processes.


Exercise 5-1

Incident creation

1. Start by creating a new Incident in the Active Views tab.
   a. Using an Active View with the ALL filter, use the Event Table to select an event with the EventName Failed_su.
   b. Right-mouse click on the event and select Create Incident. The Incident window will open.
      i. In the Title box, type su_root_Watch
      ii. For State, use the drop box and select Assigned
      iii. For Priority, use the drop box and select Medium (2)
      iv. In the Category box, select UNAUTHORIZED ACCESS
      v. Under Responsible, use the drop box to select btoney
   c. The Events tab contains the selected event.
   d. Click Create to finish the Incident creation.
2. Using an Active View, select the snapshot tool to view events.
   a. Sort by TargetIP and look for 172.17.11.5 and 172.16.5.102. Locate several events that have an EventName which mentions BLASTER.
   b. Select the events (3 or more) and right-mouse click to create an Incident.
      i. In the Title box, type BLASTER_Watch
      ii. For State, use the drop box and select Investigating
      iii. For Priority, use the drop box and select High (3)
      iv. By the Category box, click the ... button, and create a new category sent_servers
      v. Under Responsible, use the drop box to select gporter
   c. The Events tab contains the selected events.
   d. Select the Vulnerability tab and review the known vulnerabilities for these events. (You may not see any.)
   e. Select the iTRAC tab and use the drop box to select a process.
   f. Click Create to finish the Incident creation.
3. In the Active Views tab, create a new Event Query.
   a. In the filter drop box, select the PUBLIC:IDS_Events filter.
   b. Leave the defaults and run the query.
   c. Select all the events in the results window, right-mouse click and select Add to Incident.
   d. Click the Browse button to select an Incident.
   e. Click the Search button at the top to display a list of all incidents.
   f. Look for your BLASTER_Watch Incident and select it. Click OK to finish.
4. Open a new Active View, using the London filter and the Severity attribute.
   a. Using the Event Table, select three or four events, right-mouse click and create a new Incident.
   b. Name the Incident SupplyChain_LinuxSvr.
   c. Change the State to Investigating.
   d. Save the Incident.
5. Open a new Active View, using the Dallas filter and the InitIP attribute.
   a. Using the Event Table, select two events with the EventName of Object_modified and right-mouse click to create a new Incident.
   b. Name the Incident WinSvr_Watch.
   c. Change the State to Investigating.
   d. Save the Incident.
6. Switch to the Incidents tab. If the Incident View Manager is not open, select Incident View Manager under Incident Views in the left navigator pane.
   a. When the window opens, select the first default view, ALL INCIDENTS, and double-click to open it.
   b. Your Incident will be listed here; select su_root_Watch and double-click to open it.
   c. Notice that the Severity is automatically calculated as an average of the severities of the selected events.
   d. Change the State from Assigned to Verified and click the Save button.
   e. Select the History tab and view the listed modifications.
7. Under the Incidents tab, open the Incident View Manager.
   a. Open the ALL INCIDENTS View, and select your SupplyChain_LinuxSvr Incident.
   b. Right-click on the Incident and delete it.
8. Select the Configure Attachment Viewers button from the main toolbar.
   a. Fill in the definition for a new Attachment Viewer for the Adobe PDF format.
   b. Locate Acrobat Viewer on your machine as the application. Specify the subtype as sent.
   c. Save your Attachment Viewer definition.

(End of Exercise)


SECTION 6

iTRAC

In this lab you will create an iTRAC Virus Response using the iTRAC Process Builder, create a manual step to fix a problem, and include any necessary transitions.


Exercise 6-1

Creating an iTRAC workflow

1. In the following lab you will create iTRAC Virus Response templates using the iTRAC Process Builder.
   a. Create a Template named OneStepManualProcess.
   b. Name the manual step Investigate and assign it to the Admin role.
   c. Right-mouse click on the start icon and select Add Start Transition.
   d. Ensure that the Destination is set to Investigate and click OK.
   e. Right-mouse click on the manual process Investigate and select Add End Transition.
   f. Select File/Save and Exit.
   g. In an Active View, select a number of events and create an Incident from them.
   h. Assign the Incident to the iTRAC process OneStepManualProcess.
   i. The iTRAC process should appear as a job available for your group in your worklist. Accept this iTRAC process and view the Details.
   j. Explore the iTRAC process and its options, then select Complete.
   k. Open the Incidents tab and find the Incident that was just marked as complete. Ensure that it was properly closed.
2. Create a second template using a two step process.
   a. Create a manual task to gather data. Assign this task to the Analyst role.
   b. Create a second manual task and assign this to the Admin role.
   c. From the Administration tab, add the user esecadm to the Analyst role in User Manager.
   d. In the Active View tab, instantiate an iTRAC process by creating an Incident and assigning it to this workflow.
   e. From the Work List, accept the Work Item.
   f. Mark the Work Item as complete, then check the Incidents tab and view the process from the Process Management screen.
3. Create another iTRAC workflow template that includes a decision step.
   a. In a new iTRAC workflow, create a Manual step in which an Analyst will populate a boolean variable.
   b. Next create a Decision step, where the flow direction is determined by the value of the boolean variable. If the value is true, have the Incident move to a Manual step assigned to the Admin role. If the value is false, log the Incident with a Manual step to the Analyst role. (Notice that the Work Item is automatically placed in the user's queue, not the Analyst role's queue.)

(End of Exercise)


SECTION 7

Administration

By the end of these exercises you will be able to create and manage filters, create and manage new users with different permissions, and populate roles with users.


Exercise 7-1

Creating Global Filters

As the administrator you will now create two Global Filters. Global filters apply to events on the Collector Manager, but they are created in the Admin tab of Sentinel. These filters apply to all collectors on the system.

1. From the Admin tab, create a Global filter for all events coming from a firewall resource using the Public Filter Firewalls.
   a. Select the Global Filter icon from the navigation pane. (It looks like a globe with a funnel.) The Global Filter Configuration window appears.
   b. Click the Add button and a new line will appear in the Global Filter Configuration window. Double-click under the Filter Name heading and the Filter Selection window will pop up. Select the PUBLIC:SubnetWatch Public filter, then check the Active box.
   c. In the Action box, select the database option. The filter definition will appear in the Expression box.
   d. Click the Save button to complete.
2. Again from the Admin tab, create a global filter for all events with Severity 2 using the Public Filter Severity 4 or higher.
   a. Select the Global Filter icon from the navigation pane.
   b. In the Global Filter Configuration window, select Add. In the Filter Selection window, select the PUBLIC:Severity 4 or higher filter. Check the Active box.
   c. In the Action box, select the drop option. The filter definition will appear in the Expression box.
   d. Click the Save button to complete.

After completing this exercise, all events from a firewall resource will go directly to the database, and all events of severity 4 or higher are being dropped. None of these events will show up in the Active View. In order to continue with the exercises you must delete the Global Filters that you just created.

(End of Exercise)


Exercise 7-2

Creating New Users

Next, create two new users: one is a Sentinel Operator, and the other is a Sentinel Manager. The Operator is tasked with monitoring the Active Views; the Manager monitors tasks, creates incidents and analyzes historical and vulnerability data.

1. To create an Operator, use the User Manager window.
   a. In the Admin tab, select the User Configuration icon. This will open the User Manager.
   b. In the User Manager window click the Add User button. The Add User window will appear with three tabs across the top.
   c. Using the default tab, Details, enter the user name esecop and select the local Authentication radio button.
   d. In the password and the confirm password fields enter the string novell.
   e. Select the drop down in the Security Filter field; the Filter Selection window will open. From this window, select the PUBLIC:ALL filter from the list and click Select.
   f. In the bottom half of the Add User window, under Details, enter your First and Last name.
   g. From the Add User window, select the Permissions tab.
   h. This Operator will only need access to Active Views; check the Active Views box.
   i. In the Add User window, select the Roles tab and select the Analyst check box.
   j. Click the Ok button to save the user. The new user will appear in the User Manager window. Notice that the selected filter is included in the user definition.
2. To create a Manager, use the User Manager window.
   a. In the Admin tab, select the User Configuration icon. This will open the User Manager.
   b. In the User Manager window click the Add User button. The Add User window will appear with three tabs across the top.
   c. Using the default tab, Details, enter the user name esecmgr and select the local Authentication radio button.
   d. In the password and the confirm password fields enter the string novell.
   e. Select the drop down in the Security Filter field; the Filter Selection window will open. From this window, select the PUBLIC:Internal_Events filter from the list and click Select.
   f. From the Add User window, select the Permissions tab.
   g. This Operator will only need access to Active Views; check the Permissions box, then uncheck the Incidents check box.
   h. In the Add User window, select the Roles tab and select the Admin check box.
   i. Click the Ok button to save the user. The new user will appear in the User Manager window. Notice that the selected filter is included in the user definition.
3. Log in as the user esecmgr to observe the differences in permissions.
   a. Log out of the Sentinel Control Center, and log in as the user esecmgr.
   b. Move through the Control Center tabs and observe what permissions are available.
   c. Select the Admin tab and open up the User Configuration.
   d. Click on the Active User Sessions to open the window. Does your new user name appear on the list?
4. Log in as the user esecop to observe the differences in permissions.
   a. Log out of the Sentinel Control Center, and log in as the user esecop.
   b. Move through the Control Center tabs and observe what permissions are available.
   c. Select the Admin tab and notice that you cannot access this tab.
   d. What do you have access to?
   e. Log out of the Sentinel Control Center and log in as esecadm.
5. In the Admin tab, create a new role.
   a. From the Admin tab, in the left hand side navigation pane, select Role Manager.
   b. Select the Add Role button and the Add New Role window will appear.
   c. In the name field enter sent_role.
   d. Click the Add button, select gporter and add that user to this role.
   e. Click Ok to continue.
   f. In the left hand navigation pane, select the User Manager.
   g. In the User Manager, select the user esecmgr.
   h. Right-mouse click on the user, and select User Details.
   i. Select the Roles tab and check the box for the new role sent_role. Click Ok to complete.

(End of Exercise)


SECTION 8

Installing and Configuring Business Objects

In this exercise you will configure Crystal Reports to work with Sentinel 6.1. This functionality will be used throughout the rest of the class. Crystal Reports has already been installed on the VMware image named Sentinel Database.

Overview of the install:

1. Install Microsoft IIS and ASP.NET
2. Install Microsoft SQL (depending on configuration, with Windows authentication or SQL Server authentication)
3. For Chinese (Traditional & Simple) and Japanese users only: Install Asian Fonts (for example, Arial Unicode MS) to view reports in these languages.
4. Install Crystal Reports Server

   Configuring Open Database Connectivity (ODBC) for SQL Authentication or Installing and Configuring Oracle Client Software

5. Configure inetmgr
6. Patch Crystal Reports
7. Publish (import) Crystal Reports
8. Set a Named User account
9. Test connectivity to the Web Server
10. Increase the Crystal Reports Server Report Refresh Record Limit (recommended)
11. Configure Sentinel Control Center to integrate with Crystal Reports Server.


Exercise 8-1

Check Configuration Requirements

There are some things to check before you begin.

1. Set Data Execution Prevention (DEP) to run on essential Windows programs and services only. This is particularly helpful to avoid "Error 1920. Service Crystal Report Cache Server" on Windows 2003. DEP is accessed through Control Panel > System > Advanced tab > Performance Settings > Data Execution Prevention. Select Turn on DEP for essential Windows programs and services only.
2. The installation and configuration instructions for Crystal Reports Server assume that the Sentinel server and database have already been installed. You need to know which authentication mode was chosen for the Sentinel Report User. This user is called esecrpt if you are using local database authentication. It could be called anything you choose if using Windows Authentication. The authentication mode was set on a screen similar to the one below during the Sentinel installation process.

NOTE: The esecrpt password can be explicitly set in the case of Windows Authentication.

3. Video resolution should be set to 1024 x 768 or higher.
4. Ensure Microsoft Internet Information Server (IIS) and ASP.NET are installed.

(End of Exercise)


Exercise 8-2

Configure Crystal Reports

In the lab environment ASP.NET, IIS, and Crystal Reports have been installed. Do the following:

To configure inetmgr:

1. Copy the web.config file from:

   C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content

   to c:\Inetpub\wwwroot.
2. Launch Internet Service Manager by clicking Start > Run. Provide inetmgr and click OK.
3. Expand (local computer) > Web Sites > Default Web Site > businessobjects.
4. On businessobjects, right-click > Properties.
5. Under the Virtual Directory tab, click Configuration.
6. You should already have the following mappings. If not, add them. If you are going to add a mapping, do not click the businessobjects or crystalreportsviewer11 nodes.

   Extension   Executable
   .csp        C:\Windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
   .cwr        C:\Windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
   .cri        C:\Windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
   .wis        ...\BusinessObjects Enterprise 11.5

   Click OK to close the window.
7. Restart IIS by expanding (local computer) > Web Sites > Default Web Site, highlighting Default Web Site and selecting right-click > Stop.
8. Expand (local computer) > Web Sites > Default Web Site, highlight Default Web Site and select right-click > Start.

(End of Exercise)


SECTION 9

Database

Jobs can be scheduled and executed inside Sentinel or outside it by a DBA. The point of this exercise is to demonstrate this ability. You will use the Sentinel Data Manager utility and the Microsoft SQL Server Management Studio for this lab. By the end of this lab, the student will be able to create and manage database partitions. Remember, the premise of this lab is to demonstrate that some functions of Sentinel happen outside Sentinel and are a built-in function of the database. In this case the Jobs are executed by the database (MS SQL or Oracle).


Exercise 9-1

Jobs Exercise

As the DBA administrator (user = sa, password = novell) you will now schedule automatic partitioning jobs. This lab is as simple as it looks.

1. Change the scheduled time for the add partition job for the EVENTS table group to a few minutes from the current system time.
2. Change Add Min to 3, indicating the minimum number of partitions that must exist before the job runs. Change Add Max to 5, which defines the number of partitions to add when the job runs.
3. Save the configuration changes.
4. Launch SQL Server Management Studio.
5. Expand SQL Server Agent (the last selection).
6. Expand Jobs.
7. Execute the SentinelAddPartitions EVENTS job by right-mouse clicking it and selecting Start Job.
8. From the SDM GUI, refresh the partition listing.
9. Go to the Partition Configuration tab and check the job messages by clicking the HISTORY button.
10. You should see that the job advanced and appears as executed.

(End of Exercise)


SECTION 10

Correlation Workshop 1

Correlation allows you to define rules that identify critical threats and complex attack patterns so that you can prioritize events and initiate effective incident management and response. We will begin with simple correlations and progress to more complex scenarios. In this lab you will use the Sentinel Control Center utility, working in the Correlation tab.


Exercise 10-1

Create a correlation that will find any port scan

1. Create a filter for e.EventName = Port_scan.
2. Set the Update Criteria to 5 minutes.
3. Name the rule Port scan.
4. Select Yes, create another rule.

NOTE: We will test this rule in Exercise 10-4 below.

(End of Exercise)


Exercise 10-2

IDS Critical Events

1. Create a filter for DeviceCategory = NIDS and Severity >= 4.
2. Select an Update Criteria of 2 minutes.
3. Name the rule NIDS Critical Event.
4. Select Yes, create another rule.

(End of Exercise)


Exercise 10-3

Create a Correlated Event with Conditions

1. This one is slightly different; it utilizes an Aggregate correlation, but it is still simple. Create an Aggregate correlation using the filter used in Exercise 10-2.
2. Add a trigger of (5,300): 5 times in 300 seconds (5 minutes).
3. Set the Update Criteria to 5 minutes and name the rule 5 critical NIDS Events in 5 Minutes.
4. Save the rule and exit.

(End of Exercise)


Exercise 10-4

Adding an Action

1. Deploy the first rule (the Port scan rule created in Exercise 10-1) by double-clicking it and selecting Deploy Rule.
2. The Action Manager pops up. Click on Add Action.
3. Under Action Name is a drop-down list named Action. Select the drop-down list.
4. Select Configure Correlated Event.
5. Leave the Event options as Copy fields from trigger event.
6. Set the Severity as 4 and the EventName as Port Scan. (We will work more with Actions later.)
7. Now you must name the action; set it to Port scan correlated event.
8. Now, click on the selection box to the left of Port scan correlated event and click on OK.

NOTE: The rule turned green; it is running.

9. Open an Active View and select Severity for the Z-Axis, select Correlation as the Filter and leave Display Events set to Yes.
10. Wait a while and record your results.

(End of Exercise)


Exercise 10-5

Repeat the Steps 4a-4d Using the Rule NIDS Critical Events

1. This time do NOT copy fields from the trigger; set the severity to 5, make the EventName critical ids event, and name the action IDS Correlated Event.

(End of Exercise)


Exercise 10-6

Change the Active View Screen to Reveal Different Information

The Active View screen isn't very telling: although it is collecting the correlations, it is displaying them based on Severity.

1. Create another Active View screen.
2. Set the Z-axis to EventName.
3. Select the Correlation filter.
4. Set Display events to Yes.
5. What is the difference between the port scan event and the IDS event? Why?

(End of Exercise)


Exercise 10-7

Firewall Correlated Event with a Discriminator

Create a correlated event when 3 critical events occur on a firewall within 5 minutes and the events come from the same user.

1. This rule is exactly the same as the previous ones; just add a discriminator for the InitIP or the same Init User Name (we used to call this the source user name).
2. Deploy and record.
NOTE: Some of the answers are beginning to become a matter of judgment or preference. As the labs become more vague (human-speak), you will have to make many of these judgment calls.

(End of Exercise)


Exercise 10-8

A Simple Aggregate

1. Create a correlation for major events coming from Network IDSs going to the same destination host.

(End of Exercise)


SECTION 11

Correlation - RuleLG II

In this section we will discuss mostly the Window function. It is used much like a trigger, but for comparing against historic data, which sometimes is not the same as what one would find using a discriminator. Don't freak out when you first begin working with this function. Many people take several exercises to get it right.


Exercise 11-1

A Spreading Attack

You will use the Sentinel Control Center's Correlation tab and write freeform RuleLG for this lab.

1. Using the free-form editor, write a correlation rule that generates a correlation when seeing that a source of an attack (TaxonomyLevel1=Attack) was previously the destination of an attack (within 15 minutes).
NOTE: Following is a hint to the solution: filter( e.X) flow window ( e.Y=w.Z, filter ( TaxonomyLevel1=Attack ), 15m)

(End of Exercise)


Exercise 11-2

IDS Attack Comes from the Outside

1. Write a rule that checks whether an IDS attack event seen inside your network came through your firewall (e.rv32=FW) in the last 10 seconds.
NOTE: The following is a hint toward the answer: filter( e.TaxonomyLevel = Attack ) flow Window (w.X=e.Y, filter (on FireWall), 10s)

(End of Exercise)


Exercise 11-3

Using an Intersection to Narrow Events

In this lab you will use two window statements and an intersection between them to find a multi-tiered attack.

1. Write a rule that generates a correlation when seeing that the source of an attack was previously the destination of an attack and the event name is the same on both. In other words, check that the first attack and the second attack were the same.

(End of Exercise)


SECTION 12

Correlation - RuleLG II Answers

IMPORTANT: Guide with partial answers, meant for students.

In this section we will discuss mostly the Window function. It is used much like a trigger, but for comparing against historic data, which sometimes is not the same as what one would find using a discriminator. Don't freak out when you first begin working with this function. Many people take several exercises to get it right.


Exercise 12-1

A Spreading Attack

You will use the Sentinel Control Center's Correlation tab and write freeform RuleLG for this lab.

1. Using the free-form editor, write a correlation rule that generates a correlation when seeing that a source of an attack (TaxonomyLevel1=Attack) was previously the destination of an attack (within 15 minutes).
NOTE: Following is a hint to the solution: filter( e.X) flow window ( e.Y=w.Z, filter ( TaxonomyLevel1=Attack ), 15m)

(End of Exercise)


Exercise 12-2

IDS Attack Comes from the Outside

1. Write a rule that checks whether an IDS attack event seen inside your network came through your firewall (e.rv32=FW) in the last 10 seconds.
NOTE: The following is a hint toward the answer: filter( e.TaxonomyLevel = Attack ) flow Window (w.X=e.Y, filter (on FireWall), 10s)

(End of Exercise)


Exercise 12-3

Using an Intersection to Narrow Events

In this lab you will use two window statements and an intersection between them to find a multi-tiered attack.

1. Write a rule that generates a correlation when seeing that the source of an attack was previously the destination of an attack and the event name is the same on both. In other words, check that the first attack and the second attack were the same.

(End of Exercise)

Exercise Answers

NOTE: Give these some time to work. The first one may not fire for as long as 10 minutes.

Exercise 11-1
filter( e.TaxonomyLevel1=Attack ) flow window( e.sip=w.dip, filter( e.rv51 = Attack ), 3600)

Exercise 11-2
filter( e.TaxonomyLevel1=Attack ) flow window( e.sip = w.sip, filter( e.rv32 = FW ), 10)

Exercise 11-3
filter(e.TaxonomyLevel1=Attack ) flow (window (e.sip=w.dip, filter (e.TaxonomyLevel1=Attack ), 3600) intersection window ( e.evt=w.evt, filter ( e.TaxonomyLevel1=Attack ), 3600))
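The three answers above share one shape: a leading filter picks the trigger event, and each window asks whether an older event that passes the window's own filter satisfies the e.field = w.field test; two windows joined by intersection must both find such an event. The following Python is an added example written for this page, not Sentinel's correlation engine and not from the lab manual. It replays the three answer rules over a constructed event stream. Events are plain dicts with a ts field in seconds; the tag names sip, dip, evt, rv32 and TaxonomyLevel1 are the ones the answer key uses, the answer key's rv51 is assumed to carry the same value as TaxonomyLevel1 (an assumption), and the window sizes are the answer key's 3600 and 10 seconds.

```python
"""Toy evaluator for Sentinel RuleLG's 'filter(...) flow window(...)' pattern.

Added example, not Sentinel's engine: events are plain dicts with a 'ts'
field in seconds; tag names (sip, dip, evt, rv32, TaxonomyLevel1) follow the
answer key, and rv51 is assumed to hold the same value as TaxonomyLevel1.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, object]


@dataclass
class Window:
    """window( e.<e_field> = w.<w_field>, filter(<w_filter>), <seconds> )"""
    e_field: str                       # field of the current (trigger) event
    w_field: str                       # field of the historic event in the window
    w_filter: Callable[[Event], bool]  # which past events the window retains
    seconds: int                       # how far back the window reaches


@dataclass
class Rule:
    name: str
    trigger: Callable[[Event], bool]   # the leading filter(...)
    windows: List[Window]              # several windows = intersection: all must match


class Correlator:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.history: List[Event] = []
        self.max_window = max(w.seconds for r in rules for w in r.windows)

    def _window_hit(self, e: Event, win: Window) -> bool:
        """True if some retained past event w satisfies e.e_field == w.w_field."""
        for w in self.history:
            if e["ts"] - w["ts"] > win.seconds:
                continue                           # too old for this window
            if win.w_filter(w) and e.get(win.e_field) == w.get(win.w_field):
                return True
        return False

    def feed(self, e: Event) -> List[str]:
        """Evaluate one incoming event; return the names of the rules that fire."""
        # Drop history that no window can reach any more.
        self.history = [w for w in self.history if e["ts"] - w["ts"] <= self.max_window]
        fired = [r.name for r in self.rules
                 if r.trigger(e) and all(self._window_hit(e, w) for w in r.windows)]
        self.history.append(e)    # the event becomes history for later events
        return fired


def is_attack(ev: Event) -> bool:
    return ev.get("TaxonomyLevel1") == "Attack"


def is_firewall(ev: Event) -> bool:
    return ev.get("rv32") == "FW"


RULES = [
    # Exercise 11-1: the attacker was itself an attack destination in the last hour.
    Rule("11-1", is_attack, [Window("sip", "dip", is_attack, 3600)]),
    # Exercise 11-2: the attack source was seen at the firewall in the last 10 s.
    Rule("11-2", is_attack, [Window("sip", "sip", is_firewall, 10)]),
    # Exercise 11-3: 11-1 intersected with "same event name as an earlier attack".
    Rule("11-3", is_attack, [Window("sip", "dip", is_attack, 3600),
                             Window("evt", "evt", is_attack, 3600)]),
]

# Constructed event stream for the demo (not real Sentinel data).
SAMPLE_EVENTS: List[Event] = [
    {"ts": 0,   "TaxonomyLevel1": "Attack",  "sip": "10.0.0.1", "dip": "10.0.0.2", "evt": "Exploit"},
    {"ts": 5,   "TaxonomyLevel1": "Traffic", "sip": "10.0.0.2", "dip": "10.0.0.9", "rv32": "FW"},
    {"ts": 100, "TaxonomyLevel1": "Attack",  "sip": "10.0.0.2", "dip": "10.0.0.3", "evt": "Exploit"},
    {"ts": 103, "TaxonomyLevel1": "Attack",  "sip": "10.0.0.2", "dip": "10.0.0.4", "evt": "Recon"},
    {"ts": 200, "TaxonomyLevel1": "Traffic", "sip": "10.0.0.5", "dip": "10.0.0.1", "rv32": "FW"},
    {"ts": 205, "TaxonomyLevel1": "Attack",  "sip": "10.0.0.5", "dip": "10.0.0.6", "evt": "Exploit"},
]


def run_demo(events: List[Event] = SAMPLE_EVENTS) -> List[List[str]]:
    """Feed the stream in order; return, per event, the rules that fired on it."""
    c = Correlator(RULES)
    return [c.feed(e) for e in events]


if __name__ == "__main__":
    for e, fired in zip(SAMPLE_EVENTS, run_demo()):
        print(e["ts"], e["sip"], "->", e["dip"], fired or "-")
```

Running the stream shows why the NOTE above says to give the rules time: nothing can fire until the history already holds a matching older event, so the first attack in the stream is silent and the third event (source 10.0.0.2, which was the destination at ts 0) is the first to trigger 11-1 and 11-3. For 11-2 the firewall sighting has to be within 10 seconds of the attack; on a busy firewall that condition is easy to meet by coincidence, which is an argument for adding a second window field to the rule before relying on it.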


SECTION 13

Correlation Actions

There are currently no labs for this section


Exercise 13-1

Correlation Actions
There are currently no Labs for this section
(End of Exercise)


SECTION 14

Troubleshooting

There are no labs for this section


Objective 1

There are No labs for this section.


SECTION 15

Collectors

There are currently no labs for this section


Exercise 15-1

Collectors
There are currently no Labs for this section
(End of Exercise)


SECTION 16

Data Injection - Business Relevance

This exercise will demonstrate adding meta-data to existing collectors. The problem with data collection is in the device: it has the inconvenience of seeing only data that passes its detecting mechanisms. Sometimes that data is not very user friendly. The data is true enough, but knowing an IP address is far less telling than knowing the name of the user or the location of the device. In order to correct this problem we must inject information at the Collector based on information collected at the source. That is the premise of this exercise.

Figure 16-1: Relevant data for analysis should be injected

Map data can be in any order so long as the format is text and it is delimited by comma, pipe, tab, semicolon or some other character that doesn't occur in the data itself. See Figure 16-2 for an example.

Figure 16-2: The data map that will be inserted.


Exercise 16-1

Prepare a Map

1. Input and define the map.
2. Open Sentinel Control Center and select the Admin tab.
3. On the left find and select Map Data Configuration.
4. Click Add, name the map RefMap1.
5. Click Next.

(End of Exercise)


Exercise 16-2

Load the Map File

1. Browse to C:\Class Files\noise makers\WS22map.csv. Select the file and click Next.
2. Check the box above column 1 named Key. The Key here is the IP address of the source.
NOTE: The Key field is the link between the data collected at the source and the map data just loaded.


3. Ensure that Comma is selected as the delimiter. In this case Start at row is set to 0; you will need to change this to 1. If the data file has a header, you can use the Start at row offset to ensure the correct row is used and the header data is ignored.
4. Click on Finish.
5. Next you will name the Remote file that references this data. You could name the file assetip.csv, but just to show this is simply a reference, name the file ExtRef1.

(End of Exercise)


Exercise 16-3

Modifying Event Tags

Modify Event tags to reflect a more readable name and the correct data information.

1. Select the Admin tab, find and select Event Configuration.
2. Scroll to ct1 and change the long-name to BusinessUnit. This may be completed already. Leave the Data Source set to External, which means the data is coming from the Collector.
3. Scroll down to ct2 and change the long-name to City. Again leave the Data Source set to External.
4. Select an available CustomerVariable representing a string; cv21 is what I use for the lab. You may want to start with CV23.
5. Change the long-name of the variable to Owner_Name.


6. Select Referenced from Map from the Data Source menu.
7. Type ExtRef1 for the map.
8. Select Column 4 as the source of the data.
9. Next, define the key between the Map and the Collector data. The key is field 1 or InitIP (SourceIP).
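To make visible what steps 6 through 9 wire up, here is an added Python example (not Sentinel's Map Data Configuration code, and not from the lab): it parses a delimited map with a selectable delimiter and Start-at-row offset, keys it on column 1, and injects column 4 into the cv21 (Owner_Name) tag of every event whose InitIP has a row. The map text below is constructed for the example and is not the lab's WS22map.csv; the names load_map, inject and enrich_stream are this example's own.

```python
"""Map-based event enrichment, in the spirit of Sentinel's Map Data Configuration.

Added example, not Sentinel code: the map contents are constructed (they are
not the lab's WS22map.csv), the tag choice follows Exercise 16-3 (cv21 =
Owner_Name fed from column 4, keyed on InitIP), and the functions are this
example's own.
"""
import csv
import io
from typing import Dict, List

# Constructed stand-in for the map file: a header row, then one row per source IP.
# Column 1 (index 0) is the Key, column 4 (index 3) is the owner name.
MAP_TEXT = """\
ip,business_unit,city,owner
10.0.0.1,Finance,Provo,Alice Example
10.0.0.2,Engineering,Waltham,Bob Example
10.0.0.3,Engineering,Provo,Carol Example
"""


def load_map(text: str, delimiter: str = ",", key_column: int = 0,
             start_row: int = 1) -> Dict[str, List[str]]:
    """Parse a delimited map into {key: row}.

    start_row mirrors the wizard's "Start at row": 1 skips a header line,
    0 would load the header itself as a (bogus) key.  Duplicate keys keep
    the last row seen, so a stale row later in the file silently wins.
    """
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    table: Dict[str, List[str]] = {}
    for row in list(reader)[start_row:]:
        if len(row) <= key_column or not row[key_column].strip():
            continue                       # skip blank or malformed lines
        table[row[key_column].strip()] = [c.strip() for c in row]
    return table


def inject(event: Dict[str, object], refmap: Dict[str, List[str]],
           key_field: str, mappings: Dict[str, int]) -> Dict[str, object]:
    """Return a copy of event with map columns injected as tags.

    mappings maps an event tag to a 0-based map column, e.g. {"cv21": 3}.
    An unknown key leaves the tag present but empty (None) so downstream
    rules can tell "no mapping" from a real value.
    """
    row = refmap.get(str(event.get(key_field, "")).strip())
    enriched = dict(event)
    for tag, col in mappings.items():
        enriched[tag] = row[col] if row is not None and col < len(row) else None
    return enriched


# Exercise 16-3's mapping: cv21 (long name Owner_Name) <- column 4, keyed on InitIP.
OWNER_MAPPING = {"cv21": 3}


def enrich_stream(events: List[Dict[str, object]], map_text: str = MAP_TEXT,
                  delimiter: str = ",") -> List[Dict[str, object]]:
    """Load the map once and enrich every event in the list."""
    refmap = load_map(map_text, delimiter=delimiter, key_column=0, start_row=1)
    return [inject(e, refmap, "InitIP", OWNER_MAPPING) for e in events]


if __name__ == "__main__":
    sample = [{"InitIP": "10.0.0.2", "EventName": "Login"},
              {"InitIP": "192.0.2.7", "EventName": "Login"}]   # second IP is not in the map
    for e in enrich_stream(sample):
        print(e)
```

Two points the wizard hides are handled explicitly here: with Start at row left at 0 the header line becomes a bogus key (the wrong setting is easy to spot because an event from IP "ip" would suddenly have an owner), and an IP with no row gets an explicit empty tag rather than inheriting a stale value from a previous event.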

(End of Exercise)


Exercise 16-4

Manage Columns

1. Change the CustomerVariable used in the instructions above so it is seen as one of the first listed items.
2. Finally, wait. It will take about 30 seconds for new data to begin populating.

(End of Exercise)


SECTION 17

Audit Platform Agents

The Platform Agent is not configured through eDirectory. Instead, the Platform Agent's configuration settings are stored in a simple, text-based configuration file (logevent). The location of this file depends on the platform. This makes the Platform Agent small, unobtrusive, and self-contained; that is, it has no external dependencies, so it is always available to receive logged events. Storing the Platform Agent's configuration in a text-based file also allows the Platform Agent to eventually run on platforms that do not have eDirectory support. The logevent file stores the host name or IP address of the logging server, the Disconnected Mode Cache directory, port assignments, and other related information. For more information on Platform Agent configuration settings, including a sample logevent file.


Exercise 17-1

Configuring Platform Agents

Platform Agents have been installed on the eDirectory server and in the IDM environment. We simply need to configure them.

1. Configure IDM to point its audit output to Sentinel.
   a. Find the IDM 3.6.1 SLES VM. Log in as root with the password novell.
   b. If you are familiar with the Linux environment, proceed to edit /etc/logevent.conf with any tool you like (see f below).
   c. For those of you who need some help, right mouse-click and open a Terminal session.
   d. Type su and enter novell for the password.
   e. Type vi /etc/logevent.conf and press Enter.
   f. Maneuver the cursor over the 1 in the 1289 of the line LogEnginePort = 1289, and press x.
   g. On the first line, LogHost=172.17.5.100, place the cursor on the 1 of the 100. Press x three times, deleting the 100.
   h. Press a (for append) and type in a 5, reflecting the LogHost entry above.
   i. Press <ESC> to exit the append mode, press the colon then wq. [ :wq ] The log server is now pointed to the correct log server using the correct port.
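The same edit done by script instead of vi, as an added Python example (not from the lab and not a Novell tool): it rewrites LogHost and LogEnginePort in a logevent-style key=value file, leaves every other line as it is, keeps whatever spacing around '=' the existing line uses, and is safe to run twice. The sample file content is constructed from the two lines the exercise names; the comment line is a placeholder, and the function names are this example's own.

```python
"""Scripted version of Exercise 17-1's edit to /etc/logevent.conf.

Added example, not part of the lab or of Novell Audit: it rewrites key=value
lines in a logevent-style file.  The sample text is constructed from the two
lines the exercise names (LogHost and LogEnginePort); the comment line is a
placeholder.
"""
import re
from typing import Dict, Optional

# Constructed starting point, as the exercise describes it (IDM still logging
# to itself on 1289).  Only LogHost and LogEnginePort come from the lab text.
SAMPLE_CONF = """\
LogHost=172.17.5.100
# placeholder comment: other settings would follow here
LogEnginePort = 1289
"""

# Targets from the exercise: the Sentinel server on the Audit port.
TARGET_HOST = "172.17.5.5"
TARGET_PORT = "289"

# indent, key, separator (with its spacing), value, trailing whitespace
_LINE = re.compile(r"^(\s*)([A-Za-z_][A-Za-z0-9_]*)(\s*=\s*)(.*?)(\s*)$")


def get_value(text: str, key: str) -> Optional[str]:
    """Return the value of key, or None if it is not set (comments ignored)."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and not line.lstrip().startswith("#") and m.group(2) == key:
            return m.group(4)
    return None


def set_values(text: str, updates: Dict[str, str]) -> str:
    """Return text with each key in updates set, keeping every other line intact.

    Spacing around '=' on an existing line is preserved; keys not present are
    appended.  Running it twice yields the same output (idempotent).
    """
    remaining = dict(updates)
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and not line.lstrip().startswith("#") and m.group(2) in remaining:
            key = m.group(2)
            out.append(f"{m.group(1)}{key}{m.group(3)}{remaining.pop(key)}")
        else:
            out.append(line)
    for key, value in remaining.items():      # keys the file did not have yet
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def point_at_sentinel(text: str) -> str:
    """Apply the exercise's two changes: Sentinel host, Audit port."""
    return set_values(text, {"LogHost": TARGET_HOST, "LogEnginePort": TARGET_PORT})


if __name__ == "__main__":
    print(point_at_sentinel(SAMPLE_CONF), end="")
```

Check the result with get_value before restarting anything: the whole point of the exercise is that the agent now logs to 172.17.5.5 on port 289, and a one-character slip in vi (x landing on the wrong digit) is easy to miss by eye.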

(End of Exercise)


SECTION 18

Event Source Management

This exercise will teach you how to extend the eDirectory schema for the Novell Audit product, install the eDirectory Instrumentation, and install the Platform Agent for Novell eDirectory. Each of the aforementioned pieces is critical for Sentinel and Compliance Management.


Exercise 18-1

Configuring for Novell Events

In this exercise you will first install the Novell Audit Connector and then the Novell eDirectory Collector. Finally you will configure the server event source. The following graphic is your goal.

1. Launch Event Source Management from the Control Center.
2. Stop the DemoAgent, DemoAgent2 and the BlasterIDS Collectors.
3. Go to eDirectory Services control (in the quick-launch area). When this series of controls is available, find nauditds.dlm. Start this process.
4. On the left under Collectors click the + to add a new collector. It is okay to install audit over the current one if it is already there.
   a. Import the Collector in the zip format.


   b. Point to c:\Sentinel Files\audit_connector.zip
   c. Select the connector.


   d. Select Deploy Plugin and Finish.


   e. Above the Supported Event Sources click on Add More.


   f. Add the Novell eDirectory 8.8 Collector in the same way as you added the Audit plugin.


   g. Follow the next series of graphics exactly; most of them are default values.
NOTE: New software has been released since the lab manual was written; always choose the latest Collector. In this case choose Novell_eDirectory_6.1r2.clz.zip.


   h. At this point you should click on Test Connection. Go to Novell iManager at https://172.17.5.5:8443/nps. When the system begins to come up, it will complain about the security certificate. Click on the Continue to website button. Log in as admin.services, password novell. Use the Tree name of 172.17.5.5. The first time you log in, it will take a long time to initialize the components. Go to Directory Administration and create a user (any username you like) in Users.Vault. The creation event may take a little time to process but will then be visible in the raw data screen.
   i. Click Finish.

(End of Exercise)


Exercise 18-2

Further Testing the Environment

In this section you are free to test your installation. I have included some screenshots below to suggest testing possibilities. Good luck!

NOTE: In the example above you will need to edit the freeform (Edit RuleLG) and change the logic slightly. The changes are displayed below. Make sure to use the correct Collector by entering the name you selected in number 9 (Novell_eDirectory_6.1r2.clz.zip).


Now for the Actions!


(End of Exercise)


SECTION 19

Configuring the Audit Event Source

This exercise is a repeat of Exercise 16. Instead of deleting it, I have included it. You can use it as a test or overview to check your selections in the previous lab, or you can skip it. In this exercise you will first install the Novell Audit Connector and then the Novell eDirectory Collector. Finally you will configure the server event source. The following graphic demonstrates a deployment of the Audit Connector and eDirectory Collector, as well as 3 demo collectors which provide a cache of events for the environment.


Exercise 19-1

Installation of the Audit Connector

1. Launch Event Source Management from the Control Center.
2. Stop any Collectors currently running.
3. On the left under Connectors click the + to add a new connector.
4. Import the Connector in the zip format.
5. Point to c:\Class Files\Connectors\audit_connector.zip.
6. Select Next.


7. Select the Deploy Plugin check-box.


IMPORTANT: Do not close this window. There will be more instructions to follow in the next exercise from this point.

(End of Exercise)


Exercise 19-2

Install the eDirectory Collector

In this exercise you will install a Collector, but the procedure is very close to the procedure just used to install the Connector.

1. Above the Supported Event Sources click on Add More. You should see the graphic displayed below.
2. Add the Novell eDirectory 8.8 Collector in the same way as you added the Audit plugin. Browse to the Class Files folder and select Novell_eDirectory_6.1r2.clz.zip.


3. Import the plugin.


4. Repeat the process for Novell_Identity-Manager_6.1r2.clz.zip and Novell_Access_Manager_3_LOG_600.zip. We don't have the supporting hardware in this class to work further with these collectors, but it will be good experience to install them just the same.


5. After you have added all the scripts to the list of Collectors, click on Next.


6. Select Audit as the connector and click on Next. At this point, all we need is the Audit Connector; otherwise we could have installed more Connectors with the Install more Connectors... button just above Version. Click Next until you see the Configure Collector Property page.


7. Keep the defaults and click Next.


8. This is the Collector configuration screen, where you would select such things as data rates, filters and trusting the source time. However, at this point simply click on the box next to Run and select Next.


9. Add an event source.
10. Under Interface(s) select All interfaces.


11. Ensure the Port Number is set to 289 (the port used by Audit).
12. For our purposes here we will not select security. We will select and configure security later in the course.


13. Leave the defaults and click on Next.


14. On the Advanced Settings screen accept the defaults and click on Next.


15. Click on the box just beside Run and then click Finish.


16. Click Next.


17. This is where you would install filters. Click Next.


18. Select Run and click Next. By selecting Run, you are saying you want the connector or collector to run automatically when started. Notice this is again where you can insert a filter.


19. Click Next until you see the screen above. The new Audit server is the IDM server, so input the IP address of the IDM server (172.17.5.100).


20. We will be using the eDirectory Instrumentation, so click Next.


21. Select Run so the Event Source autostarts.


22. Since we took the defaults it shouldn't be necessary to test the connection. Our next step is to redirect audit traffic to the audit server, the Sentinel server (172.17.5.5). This will produce traffic we can test later.


23. Finally, accept the default selection to create a new collector and connector and click on Next.


24. Click Next to connect to the existing Collector Manager.
25. Click Next until you see the Finish line, then click on it.
26. At this point you should click on Test Connection. Go to Novell iManager and create a user (any username you like) in Users.Vault. The creation event may take a little time to process but will then be visible in the raw data screen.

(End of Exercise)


Exercise 19-3

Real-World
At this point let's go real world. In the field you will have only the documentation given to you by Novell. Under Class files there is a documentation directory. Find the Microsoft_Active-Directory_6.1r3.pdf file and the wms_connector.pdf file and use the information inside to connect the local AD to Sentinel.
(End of Exercise)


Exercise 19-4

Extra Credit - Connect the Database machine via WMS.

(End of Exercise)


SECTION 20

Installing the Sentinel Driver

The Sentinel driver is not included with the base Identity Manager product, and therefore has a separate installation program. The following sections explain how to install one or more drivers.


Exercise 20-1

Installing the Driver


Installing the driver requires three steps:

Installing the Driver Files on the Metadirectory Engine on page 140
Placing Prerequisite Files on page 140

Installing the Driver Files on the Metadirectory Engine


Use the Linux installation program and install it into the IDM RBPS VMware image (172.17.5.100).

Table 20-1 Installation Programs

   Platform    File
   Windows     sentinel_driver_install.exe
   Linux       ./sentinel_driver_install_linux.bin
   Solaris*    ./sentinel_driver_install_solaris.bin
   AIX*        ./sentinel_driver_install_aix.bin

1. Mount the ISO NIdM_Integration_Module_3_6_for_Sentinel.iso by issuing the following commands:

   a. Open a terminal window.
   b. Type cd "/home/userapp/Class files/IdM Integration Module" (the path contains spaces, so quote it).
   c. Mount the disk by typing mount -o loop NIdM_Integration_Module_3_6_for_Sentinel.iso <mount-point>, where <mount-point> is an empty directory of your choice (the manual does not name one).
   d. Find the installation program listed in Table 20-1 for Linux and cd into the appropriate directory.
   e. Execute the command ./sentinel_driver_install_linux.bin

The installation program detects the installation location of the Metadirectory engine and places the driver files in this location. No information is required during the installation.

Placing Prerequisite Files


The following files must be copied into the correct directory for the driver to start.

1. On the Sentinel server, locate the following files:

   mfcontext.jar
   sonic_Client.jar


   Platform      Location
   Windows       c:\Program Files\Novell\Sentinel6\3rdparty\SonicMQ\MQ7\lib
   Linux/UNIX    /opt/Novell/Sentinel6/3rdparty/SonicMQ/MQ7.0/lib

2. Copy these files to the IDM/RBPS VM (172.17.5.100). These files should be located on the server already; check to make sure.

   Platform      Location
   Windows       Local Installation: c:\Novell\NDS\lib
                 Remote Installation: c:\Novell\RemoteLoader\lib
   Linux/UNIX    Local Installation: /opt/novell/eDirectory/lib/dirxml/classes
                 Remote Installation: /opt/novell/eDirectory/lib/dirxml/classes

3. Restart eDirectory to pick up these new classes.

   To restart eDirectory on Linux, enter ndsmanage stopall and then ndsmanage startall.

(End of Exercise)


SECTION 21

Using Designer to Create and Configure the Driver

Importing the Sentinel driver configuration file creates the driver in the Identity Vault. Designer can then use and configure this driver to be exported back into the vault. First, though, you must read the existing vault into Designer. This reads the existing information in the eDirectory vault and adds the policies needed to make the driver work properly.


Exercise 21-1

Create the Driver


1. In Designer, select Create Project from Identity Vault.
2. Put in the credentials for the IDM image (you should know them by now).
3. Select Browse; in the left-hand pane select Services, in the right-side pane select driverset, and then click OK. It will take some time to import the environment.
4. In the Modeler, right-click the driver set where you want to create the driver (there is only one), then select New > Driver to display the Driver Configuration Wizard.
5. In the Driver Configuration list, select Sentinel v2, then click Run. On the Import Information Requested page, fill in the following fields:
6. Driver Name: Specify a name that is unique within the driver set.
7. Broker URL: Specify the IP address of the SonicMQ message queue with the default port of 10012. For example: tcp://localhost:10012
8. Click Next to import the driver configuration.
9. Click Configure to make additional configuration changes, or click Close to finish.
10. Deploy the driver, making the security equivalence Admin.services. Use this same entity for the excluded user.

After the Sentinel driver files are deployed to the server where you want to run the driver, you can run the driver in the Identity Vault.

(End of Exercise)


SECTION 22

Configuring Account Tracking

To enable account tracking, complete the following two tasks:

Enable account tracking GCV on each driver used with the Sentinel driver. Not all drivers can be enabled for account tracking. If a driver does not have the Account Tracking GCV, then account tracking cannot be enabled.

These steps to enable account tracking are the same for each driver.


Exercise 22-1

Configure Account Tracking


1. Access the Account Tracking GCV:

   In Designer: Right-click the driver icon, then select Properties > GCVs.
   In iManager: Edit the driver properties, then click the Global Config Values tab.

2. Set the Account Tracking > Show Account Tracking Configuration option to show.
3. Use the information in Table 22-1 to correctly enable account tracking.
4. Click OK to save the changes. If the driver is running, it must be restarted for the changes to take effect.

Table 22-1 Show Account Tracking Configuration Options

Enable account tracking: Select true to enable the policies in the driver to use the DirXML-Accounts attribute.
Realm: Specify the name of your realm, security domain, or namespace where the account name is unique.
Identifiers: Each driver has a different account identifier attribute. By default the attributes are prepopulated for each driver.
Status attribute: Specify the name of the attribute in the application namespace that represents the account status. By default the attributes are:
   Active Directory: dirxml-uACAccountDisable
   LDAP: loginDisabled
Status active value: The value of the status attribute that represents an active state. By default, the value is false.
Status inactive value: The value of the status attribute that represents an inactive state. By default, the value is true.
Subscription default status: The default status the policies assume when an object is subscribed to the application and the status attribute is not set in the Identity Vault. By default, the status is Active.
Publication default status: The default status the policies assume when an object is published to the Identity Vault and the status attribute is not set in the application. By default, the status is Uninitialized.

(End of Exercise)


SECTION 23

Creating Connections to the JMS Message Bus

In a traditional Sentinel configuration, there is a connector and a collector. The connector establishes a connection to the JMS message bus. There is no connector for the Identity Vault Collector: the Sentinel driver connects directly to the JMS message bus through connection factories and queues. The connection factories and the queues must be created for the Sentinel driver. There are specific queues that must be created for the Sentinel driver to work. If you have more than one instance of the Sentinel driver, you must create additional queues for each additional driver. Exercise 23-1 creates the connection factories and Exercise 23-2 the queues.


Exercise 23-1

Connecting the Queue Factories


1. Start the Sentinel server by entering the following at a command prompt:

   Linux: /etc/init.d/sentinel start
   Windows: net start sentinel

2. Launch the Sonic Management Console by entering:

   Linux: $ESEC_HOME/3rdparty/SonicMQ/MQ7.0/bin/startmc.sh
   Windows: %ESEC_HOME%\3rdparty\SonicMQ\MQ7.0\bin\startmc.bat

3. Log in to the Sonic Management Console by using the following information:

   Connection Name: By default the value is Connection1. Any value is valid.
   Domain Name: esecDomain
   Connection URL: tcp://localhost:10012. The default Message Bus port is 10012. If you specified a different port during the installation of Sentinel, use that port.
   User Name: Specify the administrator for Sentinel. For example, esecadm.
   Password: Specify the password of the administrator.

4. From the Sonic Management Console toolbar, click Tools > JMS Administered Objects.
5. Click JNDI Naming Service, then use the following information to create the JNDI naming service:

   Sonic Storage: Select the Sonic Storage check box.
   Domain: Specify esecDomain for the domain name.
   Context Factory: This field is prepopulated and the value cannot be changed.
   Provider URL: Specify tcp://localhost:10012 for the provider URL. If you are not using the default port, specify the port you are using.

6. Click Connect.
7. Select the localhost:10012 entry in the tree on the left, then select the Connection Factories tab.
8. Click New.
9. Specify TopicConnectionFactory in the Lookup Name field. The connection factory name must be the specified name.
10. Specify ConnectionFactory in the Factory Type field.
11. Specify tcp://172.17.5.5:10012 in the Connection URL field.
12. Click Update to save the information.


13. Repeat Step 8 through Step 12, but use QueueConnectionFactory as the Lookup Name.
14. Close the JMS Administered Objects dialog box.

(End of Exercise)


Exercise 23-2

Configure the Queues


1. In the Sonic Management Console, select the Configuration tab, then expand the Brokers folder.
2. Expand esecBroker, then select Queues.
3. Right-click Queues in the left pane, then select New Queue.
4. Specify pubReceiveEvent in the Name field.
5. Click OK to create the new queue.
6. Repeat Step 3 through Step 5 twice more. Use the names pubReceiveEventResponse and subReceiveResponse for the new queues.
7. Close the Management Console after the queues are created.

(End of Exercise)


SECTION 24

Installing and Configuring the Identity Vault Collector

Use the information in the following sections to install and configure the Identity Vault Collector. The Identity Vault Collector must be added to the Event Source Manager to be installed. This step is only done once. The Identity Vault Collector is then displayed as a collector to select during configuration. To install the Identity Vault Collector:


Exercise 24-1

Install the Identity Vault Collector


1. Locate the Identity Vault Collector (Novell_IdentityVault_6.1r1.clz.zip) in the collector section of the Class Files.
2. Log in to the Sentinel Control Center.
3. Select Event Source Management > Live View, then select Tools > Import plugin.
4. Browse to and select the Novell_IdentityVault_6.1r1.clz.zip file, then click Next.
5. Follow the remaining prompts, then click Finish.

(End of Exercise)


Exercise 24-2

Configuring the Identity Vault Collector


1. In the Event Source Management live view, right-click the Collector Manager, then click Add Collector.
2. Select Novell in the Vendor column.
3. Select Identity Vault in the Name column, then click Next.
4. In the Installed Scripts column, select Novell_Identity_Manager_6.1r1, then click Next.
5. Configure the Identity Vault Collector for your needs by using the following information:

   Event Source Time Zone (default: +0000): Sets the time zone offset from UTC (+0000) of the event source data time stamps. This is used if the source data is reported only in local time with no time zone indicated. The format is + or - followed by a two-digit hour and minute offset.
   Execution Mode (default: release): Sets the execution mode for the collector. There are three options:
      release: Use this mode for normal operation.
      custom: Use this mode if the Identity Manager Collector is customized.
      debug: Use this mode when troubleshooting issues. It generates debug trace files.
   MSSP Customer Name (no default)
   Script Error Severity (default: 5 Severe (5)): Sets the severity for a script error event.
   Send Script Error Message (default: yes): Sends a script error event when there is an error with the collector script.
   Sentinel Driver Instance ID (no default): Enables multiple Sentinel drivers. Each Sentinel driver is paired with a specific Identity Vault Collector. This instance ID is synchronized between the Sentinel driver and the Identity Vault Collector. By default, there is no value. Use letters and numbers only.
   iSCALE Connection URL (default: localhost:10012): The URL that the Identity Vault Collector uses to retrieve identity events stored in the SonicMQ message queue.

6. Click Next.
7. Complete the configuration of the Identity Manager Collector with the following information:

   Name: Specify a name for this connector.
   Run: Select whether the connector is started whenever the Collector Manager is started.
   Alert if no data received in specified time period: (Optional) Select this option to send the No Data Alert event to Sentinel if data is not received by the connector in the specified time period.
   Limit Data Rate: (Optional) Select this option to set a maximum limit on the rate of data the connector sends to Sentinel. If the data rate limit is reached, Sentinel throttles back on the source in order to limit the flow of data.
   Set Filter: (Optional) Specify a filter on the raw data passing through the connector.
   Trust Event Source Time: (Optional) Select this option if you trust the Event Source server's time.

8. Click Finish.

(End of Exercise)


Exercise 24-3

Starting the Collector


You must start the collector before the driver is started. When the collector is started, the JNDI destinations are created. The driver looks for these JNDI destinations and if they do not exist the driver cannot start. Start the collector before starting the Sentinel driver. To start the collector:
1. In the Event Source Management live view, right-click the Identity Vault collector.
2. Click Start to start the collector.

(End of Exercise)


SECTION 25

Custom Audit Events (Informational - NOT a lab)

This section contains a list of the custom audit events that are generated by policies in each driver. These events are sent to the Identity Vault Collector, which parses the events and stores this information in the Sentinel data store. These events are used to trace the business logic instead of the raw data events, so you can verify that your business policies and processes are being enforced. For example, in the past Sentinel could only understand that an Add event occurred. It did not know what that meant for the business logic. It did not know if that user was supposed to be added or not. It recorded that the Add occurred, but that was all. Now, if an Add occurs, Sentinel understands what business logic is in place and verifies whether that user is entitled to be added or not. If the user is not entitled, Sentinel can then take action to let you know that the business policies are not being carried out.


Objective 1

Components of the Event


Figure 25-1 represents the common components that make up the event structure. Each item in the illustration is part of an event. The different items are tracked to verify the uniqueness of the event.

Figure 25-1 Components of the Event Structure

[Figure: the Identity Vault (User A) and the Connected Application (User A), linked by the Identity Manager Driver. Labelled components: Identity, Target, Originator, Sub-Target, Entitlement, Initiator, Approver (Person/Service).]

Table 25-1 contains the general event structure. The defined events are in the dirxml_custom.lsc file that is on the Identity Manager 3.6 media.
Table 25-1 General Event Structure

Audit Event ID: 1200-1299. Format: Int/Hex.
Version: Sequential number incremented by one whenever the event structure changes. Format: Int. Value: 3. Sample Data: (3).
Originator: Always the driver DN. Format: String. Audit Field Name: Originator (B).
Target: Object (account) in the connected application. Format: String. Audit Field Name: Target (U).
Target Type: 0=None, 1=DN in Slash Notation, 2=DN in Dot Notation, 3=DN in LDAP Notation, 4=Association. Format: Int. Audit Field Name: targetType (V).
Sub Target: Entitlements/attribute name. Format: String. Audit Field Name: Sub-Target (Y).
Status: Identity Manager status. Format: Int. Value: 0=success, 1=retry, 2=warning, 3=error, 4=fatal. Audit Field Name: value (1).
IDM Event ID: @event-id from XDS document. Format: String. Audit Field Name: Text 3 (F).
Identity: GUID. Format: B64 encoded octet string value. Audit Field Name: Text 1 (S).

The following events are defined:

EventID 00031200 on page 159
EventID 00031201 on page 160
EventID 00031202 on page 161
EventID 00031203 on page 161
EventID 00031230 on page 162
EventID 00031241 on page 163

EventID 00031200

This is the Account Create By Entitlements Grant event. The following table contains the fields of this EventID with the proper values.

Originator (B) Title: Driver DN
Target (U) Title: Target account DN or the association
Subtarget (V) Title: Entitlement
Text1 (S) Title: Source Identity DN or GUID
Text2 (T) Title: Detail
Text3 (F) Title: Identity Manager EventID
Value1 (1) Title: Status
Value1 Type: N
Value2 (2) Title: Version
Value2 Type: N
Data (D) Title: XML Document
Data Type: S
Display Schema: [$TC] $SO: Account $SU created by entitlement $SV; Status:$N1 Driver:$SB from $iR\n

EventID 00031201

This is the Account Delete By Entitlements Revoke event. The following table contains the fields of this EventID with the proper values.

Originator (B) Title: Driver DN
Target (U) Title: Target account DN or the association
Subtarget (V) Title: Entitlement
Text1 (S) Title: Source Identity DN or GUID
Text2 (T) Title: Detail
Text3 (F) Title: Identity Manager EventID
Value1 (1) Title: Status
Value1 Type: N
Value2 (2) Title: Version
Value2 Type: N
Data (D) Title: XML Document
Data Type: S
Display Schema: [$TC] $SO: Account $SU deleted by entitlement $SV; Status:$N1 Driver:$SB from $iR\n

EventID 00031202

This is the Account Disabled By Entitlements Revoke event. The following table contains the fields of this EventID with the proper values.

Originator (B) Title: Driver DN
Target (U) Title: Target account DN or the association
Subtarget (V) Title: Entitlement
Text1 (S) Title: Source Identity DN or GUID
Text2 (T) Title: Detail
Text3 (F) Title: Identity Manager EventID
Value1 (1) Title: Status
Value1 Type: N
Value2 (2) Title: Version
Value2 Type: N
Data (D) Title: XML Document
Data Type: S
Display Schema: [$TC] $SO: Account $SU disabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n

EventID 00031203

This is the Account Enable By Entitlements Grant event. The following table contains the fields of this EventID with the proper values.

Originator (B) Title: Driver DN
Target (U) Title: Target account DN or the association
Subtarget (V) Title: Entitlement
Text1 (S) Title: Source Identity DN or GUID
Text2 (T) Title: Detail
Text3 (F) Title: Identity Manager EventID
Value1 (1) Title: Status
Value1 Type: N
Value2 (2) Title: Version
Value2 Type: N
Data (D) Title: XML Document
Data Type: S
Display Schema: [$TC] $SO: Account $SU enabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n

EventID 00031230

This is the Driver Health State Change event. The following table contains the fields of this EventID with the proper values.

Originator (B) Title: Driver DN
Value1 (1) Title: Status
Value1 Type: N
Value2 (2) Title: Version
Value2 Type: N
Display Schema: [$TC] $SO: Account $SU enabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n

EventID 00031241

This is a Generic Event. The following table contains the fields of this EventID with the proper values.

Originator (B) Title: Driver DN
Target (U) Title: Target Object DN
Subtarget (V) Title: Object Class
Text1 (S) Title: Source Identity DN
Text2 (T) Title: Detail
Text3 (F) Title: Identity Manager EventID
Value1 (1) Title: Status
Value1 Type: N
Value2 (2) Title: Version
Value2 Type: N
Data (D) Title: XML Document
Data Type: S
Display Schema: [$TC] $SO: Event: $ST; Src DN: $SS; Object: $SU
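The following is an added example, not code from this manual or from Novell: it decodes the EventIDs of this section and expands the Display Schema strings of Table 25-1 against a constructed event. It assumes that the 8-hex-digit EventID holds the structure Version in its upper half and the Audit Event ID in its lower half, that $S<letter> and $N<digit> name the audit fields by their letter/digit, and that $TC, $SO and $iR (undefined on the page) come from caller context as timestamp, component and reporting host.

```python
"""Decode and render the Identity Manager custom audit events of Section 25.

Added example, not Novell's code.  Assumptions not stated on the page:
EventID '00031200' = Version 3 (upper 16 bits) + Audit Event ID 0x1200 (lower
16 bits); $S<letter> expands to the string field with that audit field letter
(B, U, V, S, T, F), $N<digit> to Value<digit>; $TC, $SO and $iR are supplied
by the caller as timestamp, component name and reporting host.
"""
import re

# Descriptive names exactly as listed in this section.
EVENT_NAMES = {
    0x1200: "Account Create By Entitlements Grant",
    0x1201: "Account Delete By Entitlements Revoke",
    0x1202: "Account Disabled By Entitlements Revoke",
    0x1203: "Account Enable By Entitlements Grant",
    0x1230: "Driver Health State Change",
    0x1241: "Generic Event",
}

# Display Schema per EventID as printed on the page (the 1230 schema is printed
# with the same text as 1203).  Raw strings keep the literal trailing "\n".
DISPLAY_SCHEMAS = {
    0x1200: r"[$TC] $SO: Account $SU created by entitlement $SV; Status:$N1 Driver:$SB from $iR\n",
    0x1201: r"[$TC] $SO: Account $SU deleted by entitlement $SV; Status:$N1 Driver:$SB from $iR\n",
    0x1202: r"[$TC] $SO: Account $SU disabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n",
    0x1203: r"[$TC] $SO: Account $SU enabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n",
    0x1230: r"[$TC] $SO: Account $SU enabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n",
    0x1241: r"[$TC] $SO: Event: $ST; Src DN: $SS; Object: $SU",
}

# Identity Manager status values from Table 25-1.
STATUS_NAMES = {0: "success", 1: "retry", 2: "warning", 3: "error", 4: "fatal"}

# Context tokens are listed first so "$SO" is not read as string field "O".
_TOKEN = re.compile(r"\$(TC|SO|iR|S[A-Z]|N[0-9])")


def split_event_id(event_id_hex):
    """Split an EventID such as '00031200' into (version, audit_event_id)."""
    value = int(event_id_hex, 16)
    version, audit_id = value >> 16, value & 0xFFFF
    if not 0x1200 <= audit_id <= 0x1299:
        raise ValueError(f"audit event id {audit_id:04x} outside 1200-1299")
    return version, audit_id


def render_display_schema(schema, fields, context):
    """Expand a Display Schema.  `fields` maps audit field letters and digits
    ('B', 'U', 'V', 'S', 'T', 'F', '1', '2', '3') to values; `context` supplies
    TC, SO and iR.  The literal "\\n" that ends most schemas is dropped."""
    def expand(match):
        token = match.group(1)
        if token in ("TC", "SO", "iR"):
            return str(context.get(token, ""))
        return str(fields.get(token[1], ""))  # $SB -> fields['B'], $N1 -> fields['1']
    return _TOKEN.sub(expand, schema).replace("\\n", "")


def describe_event(event, context):
    """Triage record: decoded EventID, status name, rendered message, and a flag
    for statuses a defender should look at (error or fatal: the policy did not
    complete, so the business logic the event is meant to prove was not applied)."""
    version, audit_id = split_event_id(event["EventID"])
    fields = event["fields"]
    status = int(fields.get("1", 0))  # Value1 (1) Title: Status
    return {
        "name": EVENT_NAMES.get(audit_id, "Unknown"),
        "version": version,
        "status": STATUS_NAMES.get(status, f"unknown({status})"),
        "message": render_display_schema(DISPLAY_SCHEMAS.get(audit_id, ""), fields, context),
        "needs_attention": status >= 3,
    }


# Constructed sample (not captured data): an account create driven by an
# entitlement grant, with the field letters of the EventID 00031200 table.
SAMPLE_CONTEXT = {"TC": "2009-11-12T10:15:00Z", "SO": "DirXML", "iR": "idm1.example"}
SAMPLE_EVENT = {
    "EventID": "00031200",
    "fields": {
        "B": "cn=Active Directory,cn=driverset,ou=services,o=acme",  # Originator: driver DN
        "U": "CN=jdoe,OU=Users,DC=acme,DC=example",                 # Target: account DN
        "V": "UserAccount",                                        # Sub-Target: entitlement
        "S": "cn=jdoe,ou=users,o=acme",                            # Text1: source identity DN
        "T": "Entitlement UserAccount granted",                    # Text2: detail
        "F": "acme-evt-0042",                                      # Text3: Identity Manager EventID
        "1": 0,                                                    # Value1: status (success)
        "2": 3,                                                    # Value2: version
    },
}

if __name__ == "__main__":
    record = describe_event(SAMPLE_EVENT, SAMPLE_CONTEXT)
    print(record["name"], record["status"], record["message"], sep=" | ")
```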


SECTION 26

Reporting When Terminated Users Access Company Resources

This solution requires Sentinel and Identity Manager. Industry research shows that the biggest threat of data breach is from former employees who attempt to access resources after their employment has ended. This solution allows you to track terminated employees for a set amount of time. If a terminated employee tries to access a resource, an alert is issued (e-mail or workflow).
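As an added example (not the solution pack's own rules, nor Novell's code), the correlation this section describes, run over a constructed event feed: terminated identities are watched for a set window, dropped again on reactivation, and any access by a watched identity inside the window raises an alert. The event record layout (kind, identity, time, resource) and all sample values are assumptions made for this example.

```python
"""Correlation behind the Identity De-Provisioning Control described in
Section 26.  Added example, not the Identity Tracking Solution Pack's rules;
the event layout and the sample feed are constructed for illustration.
"""
from datetime import datetime, timedelta


class TerminatedUserTracker:
    """Keeps a watch list of terminated identities for `window` after termination."""

    def __init__(self, window):
        self.window = window
        self.terminated = {}  # identity -> time of termination

    def process(self, event):
        """Consume one event in time order; return an alert record or None."""
        kind, who, when = event["kind"], event["identity"], event["time"]
        if kind == "terminated":            # IdT - Identity Terminated Employees Rule
            self.terminated[who] = when
            return None
        if kind == "reactivated":           # IdT - Remove Reactivated Employees Rule
            self.terminated.pop(who, None)
            return None
        if kind == "access":                # IdT - Unauthorized Access By Terminated Employees Rule
            since = self.terminated.get(who)
            if since is None:
                return None                 # active or never terminated: nothing to report
            if when > since + self.window:
                del self.terminated[who]    # tracking window elapsed: stop watching
                return None
            return {
                "alert": "Unauthorized Access By Terminated Employee",
                "identity": who,
                "resource": event["resource"],
                "time": when,
                "terminated_at": since,
            }
        raise ValueError(f"unknown event kind {kind!r}")


def run_correlation(events, window_days=90):
    """Sort the feed by time (collectors may deliver events out of order), run it
    through the tracker and return the alerts raised, oldest first."""
    tracker = TerminatedUserTracker(timedelta(days=window_days))
    alerts = []
    for event in sorted(events, key=lambda e: e["time"]):
        alert = tracker.process(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample feed (not captured data).  Covers: access before
# termination, access inside the window, reactivation before access, access
# after the window has elapsed, and access by a never-terminated identity.
SAMPLE_EVENTS = [
    {"kind": "access", "identity": "jdoe", "time": parse_time("2009-03-30 09:00"), "resource": "fileserver01"},
    {"kind": "terminated", "identity": "jdoe", "time": parse_time("2009-04-01 17:00")},
    {"kind": "access", "identity": "jdoe", "time": parse_time("2009-04-03 08:12"), "resource": "fileserver01"},
    {"kind": "terminated", "identity": "asmith", "time": parse_time("2009-04-01 17:00")},
    {"kind": "reactivated", "identity": "asmith", "time": parse_time("2009-04-02 09:00")},
    {"kind": "access", "identity": "asmith", "time": parse_time("2009-04-05 10:00"), "resource": "vpn"},
    {"kind": "terminated", "identity": "bjones", "time": parse_time("2008-12-01 12:00")},
    {"kind": "access", "identity": "bjones", "time": parse_time("2009-04-15 11:00"), "resource": "vpn"},
    {"kind": "access", "identity": "cwhite", "time": parse_time("2009-04-15 11:00"), "resource": "vpn"},
]

if __name__ == "__main__":
    for alert in run_correlation(SAMPLE_EVENTS):
        print(alert)
```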


Exercise 26-1

Installing the Identity Tracking Solution Pack


If you have already installed the Identity Tracking Solution Pack, skip this section and proceed directly to Configuring Global Setup.
1. Start the Sentinel Control Center and log in as a user with rights to manage Solution Packs. The Solution Manager option must be checked for the user under Permissions > Solution Pack.
2. Select Tools > Solution Pack from the menu to start the Solution Pack Manager.
3. Click Add to start the import wizard.
4. Select Import a Solution Pack plugin file (.zip), then click Next.
5. Browse to and select the Identity Tracking Solution Pack in c:\Class Files\Solution Packs, then click Open. The filename is Identity-Tracking_6.1r1.spz.zip.
6. Review the solution pack directory, then click Next.
7. Review the solution pack details, then click Finish.

(End of Exercise)


Exercise 26-2

Configuring the Global Setup


The Identity Tracking Solution Pack requires some global configuration that must be completed before any additional configuration. If you have completed these global configuration tasks for another use case, you can skip this section. The Sentinel data field must be able to hold Identity Manager attribute data.

1. Start the Sentinel Control Center, then click the Admin tab.
2. Select Admin > Event Configuration from the toolbar.
3. In the left pane, browse to and select ReservedVar43. The tag is rv43.
4. In the Label field in the right pane, change the display label to Data, then click Apply.
5. Click Save, then close the Event Configuration window and reopen it to see the changes take effect.

(End of Exercise)


Exercise 26-3

Installing the Identity De-Provisioning Control


The Identity De-Provisioning Control contains a set of reports and rules to monitor common identity de-provisioning and access violation actions within the enterprise:

- Employee Termination Violation: A report that lists any attempts to access enterprise resources by terminated employees.
- IdT - Identify Terminated Employees Rule: A rule that identifies the terminated employees within the enterprise.
- IdT - Remove Reactivated Employees Rule: A rule that identifies the reactivated employees within the enterprise.
- IdT - Unauthorized Access By Terminated Employees Rule: A rule that identifies unauthorized access by terminated employees within the enterprise.

This control makes a series of assumptions about how terminated employees are handled in the enterprise:

1. Terminated employees are simply designated as being no longer employed. CMP enforces this standard by setting the employeeStatus attribute to Inactive for all terminated employees. If your environment identifies terminated employees by another method that does not use the employeeStatus attribute, the IdT - Identify Terminated Employees Rule needs to be modified.
2. Modifying the status of the employee automatically triggers the disabling of all associated accounts to ensure that the user no longer has access to enterprise resources. If this is not the case in your environment (for example, if former employees are still allowed to use an e-mail account), you might need to modify the IdT - Unauthorized Access By Terminated Employees rule to filter out events from those special accounts.

To install the Identity De-Provisioning Control:

1. Launch the Solution Manager by selecting Tools > Solution Pack in the toolbar in the Sentinel Control Center.
2. Select Identity Tracking Solution Pack, then click Open with Solution Manager.
3. Highlight Identity De-Provisioning in the left pane of the Solution Manager, then click Install.
4. Verify that the Identity De-Provisioning Control is listed, then click Next.
5. Select your Correlation Engine from the drop-down list as the location where the Identity De-Provisioning rules are installed.


6. Select the IdT-Unauthorized Access By Terminated Employees (Deployment), then click Next.
7. Select whether the Crystal server is local or remote by selecting the following option: Publish to Crystal Server.
8. Specify the following Crystal server information:
   - Server Name: 172.17.5.7
   - User Name: Administrator
   - Password: Leave this blank (the default password for the Crystal admin).
9. Click Next after you have specified the Crystal server information.
10. Review the contents of the Identity De-Provisioning Control, then click Install.
11. Review the installation summary, then click Finish.

(End of Exercise)


Exercise 26-4

Configuring the Identity De-Provisioning Control


There are additional configuration steps required to implement the Identity De-Provisioning Control:

- Enabling Audit on All Endpoint Systems
- Configuring the Unauthorized Access by Terminated Employee Rule

Enabling Audit on All Endpoint Systems

You must enable each endpoint system to audit the desired user events. This process defines which events are sent to Sentinel to track. The endpoint systems are the systems that are part of the Identity Manager solution; for example, eDirectory or Active Directory are endpoint systems. Configuration steps for each endpoint system are different. For example, in eDirectory you set the events to track on the properties of each object. You need to track events that are related to user authentication, such as when a login or logout occurs. Figure 26-1 is an example of enabling events on the server object.

Figure 26-1 Enabling Audit Events on eDirectory


Configuring the Unauthorized Access by Terminated Employee Rule


This rule detects unauthorized access to enterprise resources. The rule contains two actions that need to be configured for your enterprise:

- Configuring the Alert Unauthorized Access by Terminated Employee by E-mail Action
- Configuring the Report Unauthorized Access by Terminated Employee Action

Configuring the Alert Unauthorized Access by Terminated Employee by E-mail Action

The correct alias account that receives the e-mail alerts must be configured.

1. In the Sentinel Control Center, select Tools > Action Manager.
2. Select Alert unauthorized access by terminated employee by e-mail, then click View/Edit.
3. Add the correct alias in the To field, then click Save.

Configuring the Report Unauthorized Access by Terminated Employee Action

The Sentinel workflow that reports unauthorized access must contain a valid value for the person that receives the reports.

1. In the Sentinel Control Center, select Tools > Action Manager.
2. Select Report unauthorized access by terminated employee, then click View/Edit.


3. Specify the correct user name in the Responsible field, then click Save.

(End of Exercise)


SECTION 27

Sending Alerts when Rogue Administration Occurs

This solution requires Identity Manager and Sentinel. When an identity attribute is changed by an administrator rather than by Identity Manager, Sentinel logs the event and then takes the appropriate action. For example, the action can be an e-mail, an alert, or termination of the rogue administrator's account. This solution not only detects the rogue activity, it detects who performed the activity and then takes immediate action against the account.

This solution uses the SOAP Integrator feature of Sentinel to integrate with the User Application. The SOAP Integrator allows Sentinel to call the SOAP endpoints provided by the User Application to initiate User Application workflows. These workflows are usually stored in the User Application's Provisioning Request Definitions under the Directory Abstraction Layer (DAL). The Rogue_Administration_Activity workflow is called from Sentinel, sets the user's LoginDisabled attribute to True, and sends the Default Approver (user or group) a workflow item to notify them that the user might be attempting illicit network activity.


Exercise 27-1

Installing the Identity Tracking Solution Pack


If you have already installed the Identity Tracking Solution Pack, skip this section and proceed directly to Installing the Rogue Administration Control.

1. Start the Sentinel Control Center and log in as a user with rights to manage Solution Packs.
2. Select Tools > Solution Pack from the menu to start the Solution Pack Manager.
3. Click Add to start the import wizard.
4. Select Import a solution Pack plugin file (.zip), then click Next.
5. Browse to and select the Identity Tracking Solution Pack where you downloaded it, then click Open. The filename is Identity-Tracking_6.1r1.spz.zip.
6. Review the solution pack directory, then click Next.
7. Review the solution pack details, then click Finish.

(End of Exercise)


Exercise 27-2

Installing the Rogue Administration Control


1. Select Identity Tracking Solution Pack, then click Open with Solution Manager.
2. Select Rogue Administration in the left pane of the Solution Manager, then click Install.
3. Verify that the Rogue Administration Control is listed, then click Next.
4. Select your Correlation Engine from the drop-down list as the location where the Rogue Administration rules are installed.
5. Select IdT-Rogue Administration (Deployment), then click Next.


6. Select Publish to Crystal Server.
7. Specify the correct Crystal server information.
8. Click Next after you have specified the Crystal server information.
9. Review the contents of the Rogue Administration Control, then click Install.
10. Review the installation summary, then click Finish.

(End of Exercise)


Exercise 27-3

Configuring the Rogue Administration Control


There are additional configuration steps required to implement the Rogue Administration Control.

Enabling Audit on All Endpoint Systems

You must enable each endpoint system to audit the desired account management events. This process defines which events are sent to Sentinel to track. The endpoint systems are the systems that are part of the Identity Manager solution; for example, eDirectory or Active Directory are endpoint systems. Configuration steps are different for each endpoint system. For example, in eDirectory you set the events to track on the properties of each object. You need to track events that are related to account management, such as a user create, a user delete, or a user modify. Figure 27-1 is an example of enabling events on the server object.

Figure 27-1 Enabling Audit Events on eDirectory


Populating the ApprovedAccountAdmin Map

The ApprovedAccountAdmin map must be populated with an administrator username and the domain of the integrated systems.

1. Create a test identity and ensure that the account is created in the integrated system.
2. Find the associated event in the Sentinel Active view.
3. Right-click the event, then select the Identity Tracking submenu.
4. Click Add to ApprovedAccountAdmins map.

Populating the IdentityManagedSystems Map

To populate the IdentityManagedSystems map with the CollectorID of the systems that have accounts managed by Identity Manager:

1. Generate activity on each integrated system.
2. Find the associated events in the Sentinel Active view.
3. Right-click an event, then select the new Identity Tracking submenu.
4. Click Add to IDManagedSystems map.

Configuring the SOAP Integrator

Sentinel contains a SOAP Integrator that allows Sentinel to integrate with the User Application. After the Rogue Administration Control is installed, the SOAP Integrator must be configured to communicate with the User Application server.

1. In the Sentinel Control Center, click Tools > Integrator Manager from the toolbar.
2. Select the Identity Manager SOAP Integrator from the list on the left.
   NOTE: The SOAP Integrator must be named Identity Manager SOAP.
3. Click the SOAP Connection Settings tab, then use the following information to configure the connection settings on the Identity Manager SOAP Integrator:
   - URL: Specify the Web service URL used to get the WSDL from the User Application server. The User Application is the SOAP provider for Identity Manager. The correct URL is located in the server.xml file for Tomcat on the User Application server. For example, specify http://172.17.5.100:8444/IDMProv/provisioning/service?wsdl.
   - Service Name: Specify ProvisioningService as the SOAP service.
   - Port: Specify ProvisioningPort as the SOAP port.
   - Use SSL: Select Use SSL if the connection to the User Application server is secure.


   - Use Authentication: Select Use Authentication to enable authentication to the User Application server.
   - Username: Specify a user with administrative rights to start workflows. Use LDAP notation with the DN of the user.
   - Password: Specify the administrator's password.
4. Click Refresh Web Service API to regenerate the WSDL API.
5. Click Test, then verify that the Integrator test completes successfully.
6. Click Save to save the changes.

Configuring the LDAP Integrator

Sentinel contains an LDAP Integrator that allows Sentinel to communicate with eDirectory. After the Rogue Administration Control is installed, the LDAP Integrator must be configured to communicate with eDirectory.

1. In the Sentinel Control Center, click Tools > Integrator Manager in the toolbar.
2. Select the Identity Vault from the list on the left.
   NOTE: The LDAP Integrator must be named Identity Vault.
3. Click the LDAP Connection Settings tab, then use the following information to configure the connection settings on the Identity Vault Integrator:
   - Server: 172.17.5.100
   - Port: 389
   - Use SSL: Select this option to use a secure connection to the eDirectory server. The default port for secure communication is 636.
   - Login: Specify the DN of a user that has administrative rights to eDirectory, in LDAP format. Enter cn=admin,o=services.
   - Password: novell
4. Click Save to save the changes.

(End of Exercise)


Exercise 27-4

Script Files

Copying Script Files


There are script files included in the Rogue Administration Control that must be copied to the ESEC_HOME/config/exec directory. These scripts simplify the addition of entries to the IDMManagedSystems map and the ApprovedAccountAdmins map. To copy the scripts:

1. Select Identity Tracking Solution Pack, then click Open with Solution Manager.
2. In the left pane, browse to and select IdTApprovedAccountAdmins.
3. In the right pane, select Add2ApprovedAccountAdmins.bat (or Add2ApprovedAccountAdmins.sh if using Linux), then click Save. The .bat file is for Windows and the .sh file is for Linux/UNIX.


4. In the left pane, browse to and select IDManagedSystems.
5. In the right pane, select Add2IDManagedSystems.bat, then click Save.

(End of Exercise)


Exercise 27-5

Configuring Right-Click Menu Options


1. From the Sentinel Control Center, select the Admin tab.
2. Click Admin > Event Menu Configuration.
3. Click Add.
4. Use the following information to complete the configuration:
   - Name: Specify the name as Identity Tracking/Add to ApprovedAccountAdmins map.
   - Description: Specify the description as Adds InitUserName and InitUserDomain from the current event to the ApprovedAccountAdmins map.
   - Action: Select Execute Command from the drop-down list.
   - File Type: Leave this field blank.
   - Command/URL: Specify Add2ApprovedAccountAdmins.bat as the name of the script file to execute.
   - Parameters: Specify %InitUserName% %InitUserDomain% for the parameters. The delimiter for Windows is a comma; for Linux/UNIX use a space.
5. Click the Add Action button.
6. Select Import an Action plugin file (.zip), then click Next.
7. Browse to and select the Rogue Administration Action, then click Open. The Rogue Administration Action filename is Start-Rogue-AdminWorkflow_6.1r1.acz.zip.
8. In the Action Name field, specify Start Rogue Admin Workflow, then click Save.


9. Click OK.
10. Click Add.
11. Use the following information to configure a second option:
   - Name: Specify the name as Identity Tracking/Add to IDManagedSystems map.
   - Description: Specify the description as Adds Collector from the current event to the IDManagedSystems map.
   - Action: Select Execute Command from the drop-down list.
   - File Type: Leave this field blank.
   - Command/URL: Specify Add2IDManagedSystems.bat.
   - Parameters: Specify %CollectorId% for the parameters. The delimiter for Linux/UNIX is a space and the delimiter for Windows is a comma.
12. Click OK to save the changes.

(End of Exercise)


Exercise 27-6

Importing the Rogue Administration Workflow


Use the following procedure if the rogue administration workflow does not exist in the DAL:

1. In Designer, click Windows > Show View > Provisioning View in the toolbar.
2. In the Provisioning view, right-click the Directory Abstraction Layer, then click Import from File.
3. In the warning message, click OK.
4. Browse to and select the Rogue_Administration_Activity.xml file, then click OK.
5. Click OK to import the workflow.
6. Verify that the workflow imported by browsing to it under UserApplication > Provisioning Request Definitions > Accounts > Rogue_Administration_Activity.
7. Verify that the LoginDisabled attribute exists on the User entity by right-clicking Rogue_Administration_Activity, then selecting Validate to run the Project Checker.
   a. If the LoginDisabled attribute does not exist on the User entity, right-click Directory Abstraction Layer > Entities > User, then select Edit.


   b. Right-click the User entity in the left pane, then select Add Attribute.
   c. Browse to and select the LoginDisabled attribute in the left pane.
   d. Click Add Attribute, then click OK.
8. Press Ctrl+S to save the changes.
9. Deploy the changes in the Identity Vault.
10. Restart the User Application and the User Application driver to apply the changes. To restart the User Application server, reboot JBoss.

(End of Exercise)


novdocx (en) 24 March 2009

28 Sentinel Event Fields

Every Sentinel event or correlated event has certain fields that are automatically populated (such as Event Time and Event UUID) and other fields that may or may not be populated, depending on the type of event, the Collector parsing, and the mapping service configuration. This event data is visible in Active Views, historical queries, and reports. The fields are stored in the database and can be accessed via the report views. They can also be used in actions available through the right-click event menu, correlation actions, and iTRAC workflow actions.

28.1 Event Field Labels and Tags


Each field can be referred to by a user-friendly label or a short tag. The user-friendly label is visible throughout the Sentinel Control Center interface, for example:

- Column headers for Active Views, historical event queries, and the Active Browser
- Correlation wizard drop-down menus
- Active View configuration drop-down menus

Each field has a default label, but that label is user-configurable using the Event Configuration option on the Admin tab. For more information, see the Admin Tab section in the Sentinel User Guide. InitUserName is the default label to represent the account name of the user who initiated the event, but this can be changed by the administrator. When a user changes the default label, the changes are reflected in most areas of the interface, including any correlation rules, filters, and right-click menu options.

WARNING: Changing the default label for any variables other than Customer Variables may cause confusion when working with Novell Technical Services or other parties who are familiar with the default names. In addition, JavaScript Collectors built by Novell refer to the default labels described in this chapter and are not automatically updated to refer to new labels.

Each field also has a short tag name that is always used for internal references to the field and is not user-configurable. This short tag name may not correspond exactly to the default label; Sentinel labels have changed over the years, but the underlying short tags remain the same for backward compatibility. (For example, InitUserName is the default label for the account name of the user who initiated the event. The default label was previously SourceUserName, and the underlying short tag is sun.)

NOTE: Many of the default labels were updated for clarity in the Sentinel 6.1 release. Because all filters, actions, and correlation rule definitions are defined using the short tags (even though the label may be visible in the interface), there is no change in functionality due to the label renaming.

Each field is associated with a specific data type, which corresponds to the data type in the database:

- string: limited to 255 characters (unless otherwise specified)
- integer: 32-bit signed integer
- UUID: 36-character (with hyphens) or 32-character (without hyphens) hexadecimal string in the format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (for example, 6A5349DA-7CBF-1028-9795-000BCDFFF482)


- date: Collector Variable must be set with the date as the number of milliseconds from January 1, 1970 00:00:00 GMT. When displayed in the Sentinel Control Center, meta-tags of type date are displayed in a regular date format.
- IPv4: IP address in dotted decimal notation (that is, xxx.xxx.xxx.xxx)

28.1.1 Free-Form Filters and Correlation Rules


Users can use either the tag or the label when they write free-form language in the Sentinel Control Center. The Sentinel interface shows the user-friendly label.
Figure 28-1 Correlation Wizard displaying labels in drop-down and free-form language


Figure 28-2 Filter Wizard displaying labels in drop-down and free-form language

The representation of fields in the free-form RuleLG language is usually prefaced by e.; for example, e.InitUserName or e.sun refers to the Initiator User Name of the incoming or current event. In special cases, w. may be used to refer to a field in a past event (for example, w.InitUserName).

28.1.2 Actions
Users can use either the tag or the label when they define parameters to be sent to right-click Event Menu actions, correlation actions, and iTRAC workflow actions. To pass a field value to an action, you may use a checklist that shows the labels or type the parameter name directly into the configuration.


Figure 28-3 Configuration Action - Select Event Attributes window

When you type the label or short tag for a field to be used in an action, the name can be enclosed in percent signs (%tag%) or dollar signs ($tag$). For example:

- %sun% in a correlation action refers to the value of InitUserName in the correlated event
- $sun$ in a correlation action refers to the value of InitUserName in the current, trigger event (the final event that caused the correlation rule to fire)

NOTE: In a right-click menu action operating on a single event, there is no functional difference between %sun% and $sun$.

For example, to pass the Initiator User Name to a command line action that looks up information about that user in a database, you could use %InitUserName% or %sun%. For more information about Actions, see the Actions and Integrators section in the Sentinel User Guide.


Figure 28-4 Configuration Action window

28.1.3 Proprietary Collectors


Proprietary Collectors, written in Novell's own language, always use variables based on the short tag to refer to event fields. The short tag name must be prefaced by a letter and an underscore, where the letter indicates the data type of the field (i_ for integer, s_ for string).

28.1.4 JavaScript Collectors


JavaScript Collectors usually refer to event fields using an e. followed by the same user-friendly label set in Event Configuration in the Sentinel Control Center. For a Sentinel system with a default configuration, for example, the Initiator User Name would be referred to as e.InitUserName in the JavaScript Collector. There are some exceptions to this general rule. Refer to the Sentinel Collector SDK (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel) for more details.
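As an added example that is not part of the Sentinel documentation, the following JavaScript models the label/tag distinction from 28.1 and the %tag%/$tag$ substitution from 28.1.2, including the rv43 relabelling performed in Exercise 26-2. The field list is a subset of Table 28-1; the sample events, the function names and the data type assumed for rv43 are constructed here.

```javascript
// Added example, not code from the Sentinel documentation. It models the rules
// in 28.1: each field value is stored under its fixed short tag, the label is a
// renameable alias, and a %name% or $name$ reference in an action parameter is
// resolved against the correlated event or the trigger event respectively.
// Label/tag/type pairs are taken from Table 28-1 and from the rv43 relabelling
// in Exercise 26-2; rv43's data type is assumed here.
const FIELDS = {
  InitUserName:      { tag: 'sun',  type: 'string' },
  TargetUserName:    { tag: 'dun',  type: 'string' },
  InitIP:            { tag: 'sip',  type: 'IPv4' },
  TargetIP:          { tag: 'dip',  type: 'IPv4' },
  Severity:          { tag: 'sev',  type: 'integer' },
  EventTime:         { tag: 'dt',   type: 'date' },
  SentinelServiceID: { tag: 'src',  type: 'UUID' },
  Message:           { tag: 'msg',  type: 'string' },
  ReservedVar43:     { tag: 'rv43', type: 'string' }, // type assumed, not stated on the page
};

// Build the label -> tag map, applying administrator renames made in Event
// Configuration (for example { ReservedVar43: 'Data' }). Tags never change.
function buildLabelMap(renames = {}) {
  const map = Object.create(null);
  for (const [label, field] of Object.entries(FIELDS)) map[label] = field.tag;
  for (const [oldLabel, newLabel] of Object.entries(renames)) {
    if (!(oldLabel in map)) throw new Error(`unknown label: ${oldLabel}`);
    map[newLabel] = map[oldLabel];
    delete map[oldLabel];
  }
  return map;
}

// Accept either a current label or a short tag and return the short tag.
// A label that was renamed away no longer resolves; that is the failure the
// WARNING in 28.1 describes for Collectors still written against old labels.
function toTag(name, labelMap) {
  if (name in labelMap) return labelMap[name];
  if (Object.values(labelMap).includes(name)) return name;
  throw new Error(`unknown field reference: ${name}`);
}

// Substitute %name% with the correlated event's value and $name$ with the
// trigger event's value. For a right-click menu action on a single event,
// both arguments are the same event, so the two forms give the same result.
function resolveParameters(template, correlatedEvent, triggerEvent, labelMap) {
  return template.replace(/%(\w+)%|\$(\w+)\$/g, (match, pct, dol) => {
    const source = pct !== undefined ? correlatedEvent : triggerEvent;
    const value = source[toTag(pct !== undefined ? pct : dol, labelMap)];
    return value === undefined ? '' : String(value);
  });
}

// Validate a value against the field's data type as defined in 28.1.
const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;
const UUID36 = /^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$/;
const UUID32 = /^[0-9A-Fa-f]{32}$/;
function checkValue(tag, value) {
  const field = Object.values(FIELDS).find((f) => f.tag === tag);
  if (!field) throw new Error(`unknown tag: ${tag}`);
  switch (field.type) {
    case 'string':  return typeof value === 'string' && value.length <= 255;
    case 'integer': return Number.isInteger(value) && value >= -2147483648 && value <= 2147483647;
    case 'date':    return Number.isInteger(value) && value >= 0; // ms since 1970-01-01 00:00:00 GMT
    case 'IPv4':    return typeof value === 'string' && IPV4.test(value);
    case 'UUID':    return typeof value === 'string' && (UUID36.test(value) || UUID32.test(value));
    default:        return false;
  }
}

// Constructed sample data: a correlated event and the trigger event that
// caused the rule to fire, keyed by short tag as Sentinel stores them.
const correlated = { sun: 'jdoe', sip: '10.0.0.5', sev: 3, rv43: 'emp-0001' };
const trigger = { sun: 'root', sip: '10.0.0.9', sev: 4, rv43: 'emp-0002' };
const labels = buildLabelMap({ ReservedVar43: 'Data' });
console.log(resolveParameters('user=%InitUserName% ip=%sip% trigger=$sun$ data=%Data%',
  correlated, trigger, labels)); // user=jdoe ip=10.0.0.5 trigger=root data=emp-0001
```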

28.2 List of Fields and Representations


The table on the following pages shows the default labels, descriptions and data types for the Sentinel event fields, along with the proper way to refer to the tags in filters, correlation rules, actions, and proprietary collector scripts. Fields that cannot or should not be manipulated in the Collector parsing do not have a Collector variable.


Table 28-1 Labels and Meta-tags used in Sentinel Control Center and proprietary Collector language

Default Label

Filters and Correlation Rules

Menu and Correlation Actions

Proprietary Collector Language

Data Type

Description

DeviceEventTimeString

e.et

%et%

s_ET

string

The normalized date and time of the event, as reported by the sensor. The normalized date and time of the event, as reported by the sensor. The date and time Sentinel received the event. The date and time the event started occurring (for repeated events). The date and time the event stopped occurring (for repeated events). The number of times the same event occurred if multiple occurrences were consolidated. The normalized date and time of the event, as given by the Collector. Unique identifier for the Sentinel service which generated this event. The normalized severity of the event (0-5). The vulnerability of the asset identified in this event. Set to 1 if Sentinel detects an exploit against a vulnerable system. Requires Advisor. The criticality of the asset identified in this event. IPv4 address of the initiating system. IPv4 address of the target system. Name of the Collector that generated this event.

DeviceEventTime

e.det

%det%

date

SentinelProcessTime

e.spt

%spt%

date

BeginTime

e.bgnt

%bgnt%

s_BGNT

date

EndTime

e.endt

%endt%

s_ENDT

date

RepeatCount

e.rc

%rc%

s_RC

integer

EventTime

e.dt

%dt%

date

SentinelServiceID

e.src

%src%

UUID

Severity Vulnerability

e.sev e.vul

%sev% %vul%

i_Severity s_VULN

integer integer

Criticality InitIP TargetIP Collector

e.crt e.sip e.dip e.port

%crt% %sip% %dip% %port%

s_CRIT s_SIP s_DIP

integer IPv4 IPv4 string

192 Sentinel Event Fields

novdocx (en) 24 March 2009

| Default Label | Filters and Correlation Rules | Menu and Correlation Actions | Proprietary Collector Language | Data Type | Description |
|---|---|---|---|---|---|
| CollectorScript | e.agent | %agent% | | string | The name of the Collector Script used by the Collector to generate this event. |
| Resource | e.res | %res% | s_Res | string | Compliance monitoring hierarchy level 1. |
| SubResource | e.sres | %sres% | s_SubRes | string | Subresource name. |
| ObserverHostName | e.sn | %sn% | s_SN | string | Unqualified hostname of the observer (sensor) of the event. |
| SensorType | e.st | %st% | s_ST | string | The single character designator for the sensor type (N, H, O, V, C, W, A, I). |
| Protocol | e.prot | %prot% | s_P | string | Protocol used between initiating and target services. |
| InitHostName | e.shn | %shn% | s_SHN | string | Unqualified hostname of the initiating system. |
| InitServicePort | e.spint | %spint% | s_SPINT | integer | Port used by the service/application that initiated the connection. |
| InitServicePortName | e.sp | %sp% | s_SP | string | Name of the initiating service that caused the event. |
| TargetHostName | e.dhn | %dhn% | s_DHN | string | Unqualified hostname of the target system. |
| TargetServicePort | e.dpint | %dpint% | s_DPINT | integer | Network port accessed on the target. |
| TargetServicePortName | e.dp | %dp% | s_DP | string | Name of the target service affected by this event. |
| InitUserName | e.sun | %sun% | s_SUN | string | Initiating user's account name. Example: jdoe during an attempt to su. |
| TargetUserName | e.dun | %dun% | s_DUN | string | Target user's account name. Example: root during a password reset. |
| FileName | e.fn | %fn% | s_FN | string | The name of the program executed or the file accessed, modified or affected. |


| Default Label | Filters and Correlation Rules | Menu and Correlation Actions | Proprietary Collector Language | Data Type | Description |
|---|---|---|---|---|---|
| ExtendedInformation | e.ei | %ei% | s_EI | string | Stores additional collector-processed information. Values within this variable are separated by semi-colons (;). |
| ReporterHostName | e.rn | %rn% | s_RN | string | Unqualified hostname of the reporter of the event. |
| ProductName | e.pn | %pn% | s_PN | string | Indicates the type, vendor and product code name of the sensor from which the event was generated. |
| Message | e.msg | %msg% | s_BM | string | Free-form message text for the event. |
| DeviceAttackName | e.rt1 | %rt1% | s_RT1 | string | Device-specific attack name that matches an attack name known by Advisor. Used in Exploit Detection. |
| Rt2 | e.rt2 | %rt2% | s_RT2 | string | Reserved by Novell for expansion. |
| Ct1 thru Ct2 | e.ct1 thru e.ct2 | %ct1% thru %ct2% | s_CT1 and s_CT2 | string | Reserved for use by customers for customer-specific data. |
| Rt3 | e.rt3 | %rt3% | s_RT3 | integer | Reserved by Novell for expansion. |
| Ct3 | e.ct3 | %ct3% | s_CT3 | integer | Reserved for use by customers for customer-specific data. |
| CorrelatedEventUuids | e.ceu | %ceu% | | string | List of event UUIDs associated with the correlated event. Only relevant for correlated events. |
| CustomerHierarchyId | e.rv1 | %rv1% | s_RV1 | integer | Used for MSSPs. |
| ReservedVar2 thru ReservedVar10 | e.rv2 thru e.rv10 | %rv2% thru %rv10% | s_RV2 thru s_RV10 | integer | Reserved by Novell for expansion. |
| ReservedVar11 thru ReservedVar20 | e.rv11 thru e.rv20 | %rv11% thru %rv20% | s_RV11 thru s_RV20 | date | Reserved by Novell for expansion. |


| Default Label | Filters and Correlation Rules | Menu and Correlation Actions | Proprietary Collector Language | Data Type | Description |
|---|---|---|---|---|---|
| CollectorManagerId | e.rv21 | %rv21% | s_RV21 | UUID | Unique identifier for the Collector Manager which generated this event. |
| CollectorId | e.rv22 | %rv22% | s_RV22 | UUID | Unique identifier for the Collector which generated this event. |
| ConnectorId | e.rv23 | %rv23% | S_RV23 | UUID | Unique identifier for the Connector which generated this event. |
| EventSourceId | e.rv24 | %rv24% | S_RV24 | UUID | Unique identifier for the Event Source which generated this event. |
| RawDataRecordId | e.rv25 | %rv25% | S_RV25 | UUID | Unique identifier for the Raw Data Record associated with this event. |
| ControlPack | e.rv26 | %rv26% | S_RV26 | string | Sentinel control categorization level 1 (for Solution Packs). |
| EventMetricClass | e.rv28 | %rv28% | s_RV28 | string | Class of the event-dependent numeric value. |
| InitIPCountry | e.rv29 | %rv29% | s_RV29 | string | Country where the IPv4 address of the initiating system is located. |
| TargetIPCountry | e.rv30 | %rv30% | s_RV30 | string | Country where the IPv4 address of the target system is located. |
| DeviceName | e.rv31 | %rv31% | s_RV31 | string | Name of the device generating the event. If this device is supported by Advisor, the name should match the name known by Advisor. Used in Exploit Detection. |
| DeviceCategory | e.rv32 | %rv32% | s_RV32 | string | Device category (FW, IDS, AV, OS, DB). |
| EventContext | e.rv33 | %rv33% | s_RV33 | string | Event context (threat level). |
| InitThreatLevel | e.rv34 | %rv34% | s_RV34 | string | Initiator threat level. |
| InitUserDomain | e.rv35 | %rv35% | s_RV35 | string | Domain (namespace) in which the initiating account exists. |
| DataContext | e.rv36 | %rv36% | s_RV36 | string | Data context. |
| InitFunction | e.rv37 | %rv37% | s_RV37 | string | Initiator function. |


| Default Label | Filters and Correlation Rules | Menu and Correlation Actions | Proprietary Collector Language | Data Type | Description |
|---|---|---|---|---|---|
| InitOperationalContext | e.rv38 | %rv38% | s_RV38 | string | Initiator operational context. |
| MSSPCustomerName | e.rv39 | %rv39% | s_RV39 | string | MSSP customer name. |
| VendorEventCode | e.rv40 | %rv40% | s_RV40 | string | Event code reported by the device vendor. |
| TargetHostDomain | e.rv41 | %rv41% | s_RV41 | string | Domain portion of the target system's fully-qualified hostname. |
| InitDomain | e.rv42 | %rv42% | s_RV42 | string | Domain portion of the initiating system's fully-qualified hostname. |
| ReservedVar43 | e.rv43 | %rv43% | s_RV43 | string | Reserved by Novell for expansion. |
| TargetThreatLevel | e.rv44 | %rv44% | s_RV44 | string | Target threat level. |
| TargetUserDomain | e.rv45 | %rv45% | s_RV45 | string | Domain (namespace) in which the target account exists. |
| VirusStatus | e.rv46 | %rv46% | s_RV46 | string | Virus status. |
| TargetFunction | e.rv47 | %rv47% | s_RV47 | string | Target function. |
| TargetOperationalContext | e.rv48 | %rv48% | s_RV48 | string | Target operational context. |
| TaxonomyLevel4 | e.rv53 | %rv53% | s_RV53 | string | Sentinel event code categorization - level 4. |
| CustomerHierarchyLevel2 | e.rv54 | %rv54% | s_RV54 | string | Customer Hierarchy Level 2 (used by MSSPs). |
| VirusStatus | e.rv56 | %rv56% | s_RV56 | string | Virus Status. |
| InitMacAddress | e.rv57 | %rv57% | s_RV57 | string | Initiator MAC Address. Part of initiator host asset data. |
| InitNetworkIdentity | e.rv58 | %rv58% | s_RV58 | string | Initiator Network Identity. Part of initiator host asset data. |
| InitAssetFunction | e.rv60 | %rv60% | s_RV60 | string | Function of the initiating system (fileserver, webserver, etc.). |
| InitAssetValue | e.rv61 | %rv61% | s_RV61 | string | Initiator Asset Value. Part of initiator host asset data. |
| InitAssetCriticality | e.rv62 | %rv62% | s_RV62 | string | Criticality of the initiating system (0-5). |


| Default Label | Filters and Correlation Rules | Menu and Correlation Actions | Proprietary Collector Language | Data Type | Description |
|---|---|---|---|---|---|
| Variables reserved for future use by Novell | e.rv63 thru e.rv75 | %rv63% thru %rv75% | s_RV63 thru s_rv75 | string | Variables not currently in use. |
| InitAssetDepartment | e.rv76 | %rv76% | s_RV76 | string | Department of the initiating system. |
| InitAssetId | e.rv77 | %rv77% | s_RV77 | string | Internal asset identifier of the initiator. |
| Variables reserved for future use by Novell | e.rv78 thru e.rv80 | %rv78% thru %rv80% | s_RV78 thru s_rv80 | string | Variables not currently in use. |
| TargetAssetClass | e.rv81 | %rv81% | s_RV81 | string | Class of the target system (desktop, server, etc.). |
| TargetAssetFunction | e.rv82 | %rv82% | s_RV82 | string | Function of the target system (fileserver, webserver, etc.). |
| TargetAssetValue | e.rv83 | %rv83% | s_RV83 | string | Target Asset Value. Part of target host asset data. |
| Variables reserved for future use by Novell | e.rv84 thru e.rv97 | %rv84% thru %rv97% | s_RV84 thru s_rv97 | string | Variables not currently in use. |
| TargetDepartment | e.rv98 | %rv98% | s_RV98 | string | Target Department. Part of target host asset data. |
| TargetAssetId | e.rv99 | %rv99% | s_RV99 | string | Internal asset identifier of the target. |
| CustomerHierarchyLevel4 | e.rv100 | %rv100% | s_RV100 | string | Customer Hierarchy Level 4 (used by MSSPs). |
| Variables reserved for future use by Novell | e.rv101 thru e.rv200 | %rv101% thru %rv200% | s_rv101 thru s_rv200 | various | Variables not currently in use. |
| CustomerVar1 thru CustomerVar10 | e.cv1 thru e.cv10 | %cv1% thru %cv10% | s_CV1 thru s_CV10 | integer | Number variable reserved for customer use. Stored in database. |
| CustomerVar11 thru CustomerVar20 | e.cv11 thru e.cv20 | %cv11% thru %cv20% | s_CV11 thru s_CV20 | date | Date variable reserved for customer use. Stored in database. |
| CustomerVar21 thru CustomerVar89 | e.cv21 thru e.cv89 | %cv21% thru %cv89% | s_CV21 thru s_CV29 | string | String variable reserved for customer use. Stored in database. |


| Default Label | Filters and Correlation Rules | Menu and Correlation Actions | Proprietary Collector Language | Data Type | Description |
|---|---|---|---|---|---|
| SARBOX | e.cv90 | %cv90% | s_CV90 | string | Set to 1 if the asset is governed by Sarbanes-Oxley. |
| HIPAA | e.cv91 | %cv91% | s_CV91 | string | Set to 1 if the asset is governed by the Health Insurance Portability and Accountability Act (HIPAA) regulation. |
| GLBA | e.cv92 | %cv92% | s_CV92 | string | Set to 1 if the asset is governed by the Gramm-Leach-Bliley Act (GLBA) regulation. |
| FISMA | e.cv93 | %cv93% | s_CV93 | string | Set to 1 if the asset is governed by the Federal Information Security Management Act (FISMA) regulation. |
| NISPOM | e.cv94 | %cv94% | s_CV94 | string | Set to 1 via an asset map if the target asset is governed by the National Industrial Security Program Operating Manual (NISPOM). |
| CustomerVar95 thru CustomerVar100 | e.cv95 thru e.cv100 | %cv95% thru %cv100% | s_CV95 thru s_CV100 | string | String variable reserved for customer use. Stored in database. |
| CustomerVar101 thru CustomerVar110 | e.cv101 thru e.cv110 | %cv101% thru %cv110% | s_CV101 thru s_CV110 | string | Integer variable reserved for customer use. Stored in database. |
| CustomerVar111 thru CustomerVar120 | e.cv111 thru e.cv120 | %cv111% thru %cv120% | s_CV111 thru s_CV120 | string | Date variable reserved for customer use. Stored in database. |
| CustomerVar121 thru CustomerVar130 | e.cv121 thru e.cv130 | %cv121% thru %cv130% | s_CV121 thru s_CV130 | string | UUID variable reserved for customer use. Stored in database. |
| CustomerVar131 thru CustomerVar140 | e.cv131 thru e.cv140 | %cv131% thru %cv140% | s_CV131 thru s_CV140 | string | IPv4 variable reserved for customer use. Stored in database. |
| CustomerVar141 thru CustomerVar150 | e.cv141 thru e.cv150 | %cv141% thru %cv150% | s_CV141 thru s_CV150 | string | String variable reserved for customer use. Stored in database. |
| CustomerVar151 thru CustomerVar160 | e.cv151 thru e.cv160 | %cv151% thru %cv160% | s_CV151 thru s_CV160 | string | Integer variable reserved for customer use. Not stored in database. |


| Default Label | Filters and Correlation Rules | Menu and Correlation Actions | Proprietary Collector Language | Data Type | Description |
|---|---|---|---|---|---|
| CustomerVar161 thru CustomerVar170 | e.cv161 thru e.cv170 | %cv161% thru %cv170% | s_CV161 thru s_CV170 | string | Date variable reserved for customer use. Not stored in database. |
| CustomerVar171 thru CustomerVar180 | e.cv171 thru e.cv180 | %cv171% thru %cv180% | s_CV171 thru s_CV180 | string | UUID variable reserved for customer use. Not stored in database. |
| CustomerVar181 thru CustomerVar190 | e.cv181 thru e.cv190 | %cv181% thru %cv190% | s_CV181 thru s_CV190 | string | IPv4 variable reserved for customer use. Not stored in database. |
| CustomerVar191 thru CustomerVar200 | e.cv191 thru e.cv200 | %cv191% thru %cv200% | s_CV191 thru s_CV200 | string | String variable reserved for customer use. Not stored in database. |
