Sent61 Lab 11 12 09
Sentinel 6.1
SENTINEL LABS
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com

Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents

SECTION 1  Introduction
  Exercise 1-1  Introduction  8
SECTION 2
  Exercise 2-1  Active Views  10
SECTION 3  15
  Exercise 3-1  Filters  16
SECTION 4  Analysis  21
  Exercise 4-1  Event Table  22
  Exercise 4-2  Investigating a Series of Events  23
  Exercise 4-3  Attack - Severity  24
  Exercise 4-4  Investigating Vulnerabilities  25
  Exercise 4-5  Events Table Snapshots  26
  Exercise 4-6  Chart Snapshot  27
  Exercise 4-7  Event Queries  28
SECTION 5  Incidents  29
  Exercise 5-1  Incident creation  30
SECTION 6  iTRAC  33
  Exercise 6-1
SECTION 7  Administration  39
  Exercise 7-1
  Exercise 7-2
SECTION 8  45
  Exercise 8-1
  Exercise 8-2
SECTION 9  Database  49
  Exercise 9-1  Jobs Exercise  50
SECTION 10  Correlation Workshop 1  51
  Exercise 10-1
  Exercise 10-2  IDS Critical Events  54
  Exercise 10-3  Create a Correlated Event with Conditions  55
  Exercise 10-4  Adding an Action  56
  Exercise 10-5  Repeat the Steps 4a-4d Using the Rule NIDS Critical Events  58
  Exercise 10-6  Change the Active View Screen to Reveal Different Information  59
  Exercise 10-7  Firewall Correlated Event with a Discriminator  60
  Exercise 10-8  A Simple Aggregate  61
SECTION 11  Correlation - RuleLG II  63
  Exercise 11-1  A Spreading Attack  64
  Exercise 11-2  IDS Attack comes from the Outside  65
  Exercise 11-3  Using an Intersection to narrow events  66
SECTION 12  67
  Exercise 12-1  A Spreading Attack  68
  Exercise 12-2  IDS Attack comes from the Outside  69
  Exercise 12-3  Using an Intersection to narrow events  70
  Exercise Answers  70
SECTION 13  Correlation Actions  71
  Exercise 13-1  Correlation Actions  72
SECTION 14  Troubleshooting  73
  Objective 1  There are no labs for this section.  74
SECTION 15  Collectors  75
  Exercise 15-1  Collectors  76
SECTION 16  77
  Exercise 16-1  78
  Exercise 16-2  79
  Exercise 16-3  81
  Exercise 16-4  83
SECTION 17  85
  Exercise 17-1
SECTION 18  87
  Exercise 18-1
  Exercise 18-2
SECTION 19  111
  Exercise 19-1  112
  Exercise 19-2  115
  Exercise 19-3  136
  Exercise 19-4  137
SECTION 20  139
  Exercise 20-1  Installing the Driver  140
    Installing the Driver Files on the Metadirectory Engine  140
    Placing Prerequisite Files  140
SECTION 21  143
  Exercise 21-1
SECTION 22  145
  Exercise 22-1
SECTION 23  147
  Exercise 23-1
  Exercise 23-2
SECTION 24  151
  Exercise 24-1  Install the Identity Vault Collector  152
  Exercise 24-2  Configuring the Identity Vault Collector  153
  Exercise 24-3  Starting the Collector  155
SECTION 25  157
  Objective 1  158
SECTION 26
  Exercise 26-1
  Exercise 26-2
  Exercise 26-3
  Exercise 26-4
SECTION 27  173
  Exercise 27-1  Installing the Identity Tracking Solution Pack  174
  Exercise 27-2  Installing the Rogue Administration Control  175
  Exercise 27-3  Configuring the Rogue Administration Control  177
    Enabling Audit on All Endpoint Systems
    Populating the ApprovedAccountAdmin Map
    Populating the IdentityManagedSystems Map
    Configuring the SOAP Integrator
    Configuring the LDAP Integrator
    Script Files
    Copying Script Files
    Configuring Right-Click Menu Options
    Importing the Rogue Administration Workflow
Event Field Labels and Tags
  Free-Form Filters and Correlation Rules
  Actions
  Proprietary Collectors
  JavaScript Collectors
List of Fields and Representations

Version 1
Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.
SECTION 1
Introduction

Exercise 1-1
Introduction
There are no labs for this section.
(End of Exercise)
SECTION 2
In the Active Views tab, you have the ability to monitor events as they are happening (near real time) and perform queries on these events. You can monitor them in table form or through a 3D bar, 2D stacked, line or ribbon chart representation. Don't read anything more into this lab than it is; it is intended as a get-to-know-the-interface lab. By the end of this lab, the student will be able to create new Active Views and manipulate the tables and graphs to display different timeframes, and modify existing views. All Active Views use a filter to display events; the filters can be broad, such as the ALL filter, which allows events of all severity levels into the view. The following workshop includes different filters which relate to the events generated by the demonstration collectors on the instructor machine. Complete the following steps:
Exercise 2-1
Active Views
1. Create a new Active View with the ALL filter and the Severity attribute.
a. Select the Active Views tab.
b. From the Active Views menu, select Create Active View to open the Active Views Wizard, or select Create Active View from the graphical menu bar.
Figure 2-1
c. In the Active Views Wizard window, Step 1, click the down arrows to select your Z-axis, Filter and Displayed Events settings:
Select Event Attribute (Z-axis) = Severity
Filter:
1. Click on Filter Selection and a dialog will pop up.
2. Click on the Filter Name column header to sort by that column.
3. Single-click filter Owner = PUBLIC, Filter Name = ALL from the list.
4.
NOTE: We call this filter the Public-all or the Public: All filter, meaning that it passes all events.
Figure 2-2
d. After making the selections, click Next.
e. In the next window, Step 2, click the down arrows to select:
Display interval = 5 Minutes
Refresh rate = 30 Seconds
Total display time = 15 Minutes
Axis Values = Event Count
Step 2 of creating a filter: statistical parameters.
Figure 2-3
f.
Figure 2-4
g. Select the chart type = Stacked Bar 2D (default) and click Finish.
h. Notice it will take a few seconds to update the data in the chart and event table.

2. Using the Active View you just created, review the following:
a. The display interval is set to 5 minutes; look at the x-axis and notice how each charted bar is labeled.
b. Using the graph buttons (yellow feet), decrease the display interval; notice how the legend at the top and the data in the chart change as you do this.
c. Using the graph buttons (stopwatch with green arrow), increase the display time from 15 minutes to 20 minutes; notice the legend at the top and the data changing as you do this.
d. Leave the graph with a 15 minute display time and 30 second display interval.

3. Follow the instructions above to create a new Active View, but instead of London, receive Sydney events. You will create a Private Filter named Chicago that accepts all events from the Sydney resource regardless of severity. In this example, we are using a filter that uses an asset category that applies to all Collectors regardless of the source device.
a. Select the Active Views tab.
b. Click on the Create Active View button (black oscilloscope screen) to bring up the Active View Wizard.
c. In the Active Views Wizard window, Step 1, click the down arrows to select your Z-axis, Filter and Displayed Events settings:
d. After making the selection, click Next.
e. In the next window, Step 2, click the down arrows to select:
Display interval = 1 Minute
Refresh rate = 30 Seconds
Total display time = 20 Minutes
Axis Values = Event Count
f. After making the selection, click Finish and your Active View will open. Notice it will take a few seconds to update the data in the chart and event table, and (depending on configuration) once data appears the entire chart will not be full.
g. Right-click on the chart and select Line Chart from the menu.

4. Create a new Active View with the Attack filter and the Severity attribute. This view will display data based on severity level for events that have been categorized as Attack; the categorization is done at the Collector or Collector Manager level based on messages produced by the source devices.
a. Select the Active Views tab.
b. From the Active Views menu, select Create Active View to open the Active Views Wizard.
c. In the Active Views Wizard window, Step 1, click the down arrows to select your Z-axis, Filter and Displayed Events settings:
Event Attribute = Severity
Filter = Attack
Display Events = Yes
After making the selection, click Finish and your Active View will open. Notice it will take a few seconds to update the data in the chart and event table.

5. Using the same Active View, modify the order of the columns:
a. Click the Manage Columns button on the toolbar. The Manage Columns window will open. You will see a list of event tags in the right-hand pane.
b. Multi-select all the meta-tags and click the Remove button to clear the list.
c. Select the following meta-tags on the left, click Add, and then use the up/down arrows to place them in the listed order:
1. 2. 3. 4. 5. 6. 7. 8. 9.
10. TaxonomyLevel1
11. TaxonomyLevel2
12. TaxonomyLevel3
13. TaxonomyLevel4
(End of Exercise)
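The chart built in step 1 (Z-axis = Severity, display interval = 5 minutes, total display time = 15 minutes) is just a count of events per interval, keyed by the Z-axis attribute. The following is an added example, not code from the lab manual or from Sentinel, that computes those bars over constructed events so you can see what steps 2b and 2c change: shrinking the interval adds bars, and lengthening the display time pulls older events back into view. The window ending at "now" and the half-open interval boundaries are assumptions about how the chart is drawn; event times and severities are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (not data from the course image). EventTime and the
# Severity meta-tag are all the chart needs when Severity is the Z-axis.
NOW = datetime(2009, 12, 11, 10, 15, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"EventTime": NOW - timedelta(minutes=20), "Severity": 5, "Resource": "London"},
    {"EventTime": NOW - timedelta(minutes=14), "Severity": 5, "Resource": "London"},
    {"EventTime": NOW - timedelta(minutes=13), "Severity": 3, "Resource": "Sydney"},
    {"EventTime": NOW - timedelta(minutes=9),  "Severity": 5, "Resource": "Sydney"},
    {"EventTime": NOW - timedelta(minutes=4),  "Severity": 1, "Resource": "Tokyo"},
    {"EventTime": NOW - timedelta(minutes=2),  "Severity": 1, "Resource": "Tokyo"},
    {"EventTime": NOW + timedelta(minutes=1),  "Severity": 4, "Resource": "Tokyo"},  # skewed clock: in the future
]


def active_view_buckets(events, z_axis, display_interval_min, total_display_min, now):
    """Count events per display interval, keyed by the Z-axis attribute.

    Returns one Counter per charted bar, oldest interval first. An event is
    charted only if it falls inside [now - total display time, now); events
    older than the window or timestamped in the future are dropped.
    """
    interval = timedelta(minutes=display_interval_min)
    n_buckets = total_display_min // display_interval_min
    window_start = now - interval * n_buckets
    buckets = [Counter() for _ in range(n_buckets)]
    for event in events:
        if event["EventTime"] < window_start or event["EventTime"] >= now:
            continue
        index = (event["EventTime"] - window_start) // interval
        buckets[index][event[z_axis]] += 1
    return buckets


def bucket_labels(display_interval_min, total_display_min, now):
    """X-axis labels: the start time of each display interval, oldest first."""
    interval = timedelta(minutes=display_interval_min)
    n_buckets = total_display_min // display_interval_min
    window_start = now - interval * n_buckets
    return [(window_start + interval * i).strftime("%H:%M") for i in range(n_buckets)]


def charted_event_count(buckets):
    """Total number of events currently shown in the chart (sum of all bars)."""
    return sum(sum(counts.values()) for counts in buckets)


if __name__ == "__main__":
    # Step 1e settings: 5-minute interval over a 15-minute display time.
    labels = bucket_labels(5, 15, NOW)
    bars = active_view_buckets(SAMPLE_EVENTS, "Severity", 5, 15, NOW)
    for label, counts in zip(labels, bars):
        print(label, dict(counts))
    print("charted with 15-minute window:", charted_event_count(bars))
    # Step 2c: a 20-minute display time brings the 20-minute-old event back into view.
    print("charted with 20-minute window:",
          charted_event_count(active_view_buckets(SAMPLE_EVENTS, "Severity", 1, 20, NOW)))
```

Each Counter is one stacked bar: its keys are the severity levels in the legend and its values the bar segment heights. Changing the display interval without changing the total display time (step 2b) only re-slices the same events into more bars; changing the total display time (step 2c) changes which events are counted at all.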
SECTION 3
By the end of this lecture, the student will be able to create public and private filters through the graphical Builder and free-form editor. This exercise will teach you how to create filters that are used to manage event viewing in Active Views and for various other filtering purposes throughout the course. Complete the following steps:
Exercise 3-1
Filters
1. Select the Admin tab on the Sentinel Console. The Navigator pane on the left has a list of all the administrative functions; click on Filter Configuration, then Filter Manager. Notice the Filter Manager window opens in the right pane. The Filter Manager window has a list of all Public and Private filters. New filters created through the workshop will appear in this window. You will create both PRIVATE and PUBLIC filters; the option is determined through the owner of the filter when it is first created. When you click on the Add button on the Filter Manager, the Filter Details window will open.
IMPORTANT: Private filters are simply filters created by users defined using the Admin console. These filters will appear as (for instance) esecadm:attack. Notice the prefix for each private filter lists the name of the user who created the filter. Private defines filters owned by individual users, rather than Public, which are usable by everyone.
2.
3. In step 3 you will create a Private Filter named Lon that accepts all events from the London resource regardless of severity.
a. By default, the Owner ID is set to PUBLIC; the drop-down list displays the other users in the system, and if one of them is selected, the filter becomes Private for that user. For this exercise, select esecadm from the drop-down list as the owner.
b. In this step you will name the filter: enter the name London in the Filter Name box.
c. The filter will accept all events from the London resource, so in the Property box select Resource from the drop-down box.
d. In the Operator box select match regex (regular expressions); you will have to scroll down.
e. In the Value box type London (note that this regex will match any string which contains the substring London, such as LondonHeathrow).
Figure 3-1
f. Click on the Save button. The filter will appear in the Filter Manager window.
4. Follow the instructions above to create a new Filter, but instead of London, receive Tokyo events. You will create a Private Filter named Sydney that accepts all events from the Sydney resource regardless of severity.
5. You will create a Private Filter named TargetUser that looks for guest destination (target) users.
a. Click the Add button on the Filter Manager window; the Filter Details window will open.
b. Select btoney as the username from the drop-down list as the owner.
c. Enter the name TargetUser in the Filter Name box.
d. The filter will accept all events that have the TargetUserName meta-tag filled in with the user guest, so in the Property box select TargetUserName from the drop-down box.
e. In the Operator box select =.
f. In the Value box type guest.
g. Save the filter. Notice it will appear in the Filter Manager window.
6. You will create a Private filter Severity4orhigher for events with severity 4 or higher.
a. In the Filter Manager window, click the Add button. The Filter Details window opens.
b. Select gporter or any other username from the drop-down list as the owner.
c. In the Filter Name box enter the name Severity 4 or higher.
d. The filter will accept all events with Severity higher than or equal to 4, so in the Property box select Severity from the drop-down box.
e. In the Operator box select >=.
f. In the Value box select 4.
g. Save the filter. Notice it will appear in the Filter Manager window.
7. You will create a filter that accepts events for two subnets.
a. In the Filter Manager window, click the Add button. The Filter Details window opens.
b. Select a username from the drop-down list as the owner.
c. In the Filter Name box enter the name SubnetWatch.
d. First allow one subnet; select TargetIP from the Property box.
e. In the Operator box select match subnet.
f. In the Value box type 172.17.0.0/16.
g. Click the + button on the right.
h. Repeat the above instructions, steps d through f, but type 192.168.0.0/16 in Value.
i. Look at the expression that appears in the Expression String box.
j. Switch the Match if section to combine phrases with OR. Note the change.
k. Save the filter. Notice it will appear in the Filter Manager window.
l. You will create a filter named FireWall_Severity5 using the free-form editor that accepts all events generated from a Firewall with Severity 5.
m. Select the Filter Manager under the Filter Configuration folder in the Navigator pane. The Filter Manager window opens.
n. Click the Add button. The Filter Details window will open.
o. Select jdasilva as the owner. In the Filter Name box enter the name FireWall_Sev5.
p. Click on the Use free-form editor button to type in the definition of the filter. The definition of this filter will be:
filter((e.res match regex(FW)) and (e.sev=5))
NOTE: Notice that once you use the free-form editor, you can't go back to the graphical definition window.
q. Click on the Save button. The filter will appear in the Filter Manager window.
8. Select the Filter Manager under the Filter Configuration folder in the Navigator pane. The Filter Manager window opens. Click the Add button. The Filter Details window will open. Leave PUBLIC as the owner. Enter the name CorrelatedEvents. In the Property box select Sensor Type from the drop-down box. In the Operator box select =. In the Value box type C (without quotes). Save the filter.
NOTE: At this point there are no correlated events occurring in your system. We haven't written them yet, but this filter will come in handy later in the course when you are testing your correlated events.
(End of Exercise)
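To make the semantics of the filters built in this exercise concrete, here is an added example (not code from the lab manual or from Sentinel) that expresses each of them as a predicate over constructed events and runs them side by side. It follows the lab's own note that match regex is an unanchored search (so London also matches LondonHeathrow) and assumes that match subnet means CIDR containment of the TargetIP; it also shows the difference step 7j makes by including the SubnetWatch phrases combined with AND (which can never match, since one address cannot lie in both subnets) beside the OR version. The event records, their IDs and the owner:name keys are constructed for the example.

```python
import ipaddress
import re

# An event is a flat dict of meta-tags, named as they appear in the Property box.


def match_regex(tag, pattern):
    # Assumed semantics, consistent with the lab's note: an unanchored search,
    # so the value "London" also matches "LondonHeathrow".
    regex = re.compile(pattern)
    return lambda event: tag in event and regex.search(str(event[tag])) is not None


def equals(tag, value):
    return lambda event: event.get(tag) == value


def at_least(tag, value):
    return lambda event: tag in event and event[tag] >= value


def match_subnet(tag, cidr):
    # Assumed semantics for "match subnet": the address in the tag lies in the CIDR block.
    network = ipaddress.ip_network(cidr, strict=False)

    def predicate(event):
        try:
            return ipaddress.ip_address(str(event.get(tag, ""))) in network
        except ValueError:  # empty or malformed address never matches
            return False
    return predicate


def all_of(*predicates):
    return lambda event: all(p(event) for p in predicates)


def any_of(*predicates):
    return lambda event: any(p(event) for p in predicates)


# The filters from this exercise as predicates, keyed owner:name as the Filter Manager lists them.
FILTERS = {
    "esecadm:London": match_regex("Resource", "London"),
    "btoney:TargetUser": equals("TargetUserName", "guest"),
    "gporter:Severity4orhigher": at_least("Severity", 4),
    # Step 7 before 7j: the two subnet phrases combined with AND (matches nothing).
    "SubnetWatch_AND": all_of(match_subnet("TargetIP", "172.17.0.0/16"),
                              match_subnet("TargetIP", "192.168.0.0/16")),
    # Step 7j: the same phrases combined with OR.
    "SubnetWatch": any_of(match_subnet("TargetIP", "172.17.0.0/16"),
                          match_subnet("TargetIP", "192.168.0.0/16")),
    # Step 7p, the free-form definition filter((e.res match regex(FW)) and (e.sev=5)).
    "jdasilva:FireWall_Sev5": all_of(match_regex("Resource", "FW"), equals("Severity", 5)),
    # Step 8: Sensor Type = C marks correlated events.
    "PUBLIC:CorrelatedEvents": equals("SensorType", "C"),
}

# Constructed sample events, not demo data from the course image.
SAMPLE_EVENTS = [
    {"EventID": "e1", "Resource": "London", "Severity": 2, "TargetIP": "172.17.11.5",
     "TargetUserName": "guest", "SensorType": "H"},
    {"EventID": "e2", "Resource": "LondonHeathrow", "Severity": 5, "TargetIP": "10.0.0.7",
     "TargetUserName": "administrator", "SensorType": "H"},
    {"EventID": "e3", "Resource": "Sydney", "Severity": 4, "TargetIP": "192.168.5.102",
     "TargetUserName": "guest", "SensorType": "H"},
    {"EventID": "e4", "Resource": "FW-Dallas", "Severity": 5, "TargetIP": "172.16.5.102",
     "TargetUserName": "", "SensorType": "H"},
    {"EventID": "e5", "Resource": "FW-Dallas", "Severity": 3, "TargetIP": "192.168.1.1",
     "SensorType": "C"},
    {"EventID": "e6", "Resource": "Tokyo", "Severity": 1, "TargetIP": "not-an-ip",
     "SensorType": "H"},
]


def apply_filter(name, events):
    """Return the events that the named filter lets through."""
    return [event for event in events if FILTERS[name](event)]


def matching_ids(name, events=SAMPLE_EVENTS):
    """EventIDs passed by the named filter, in input order."""
    return [event["EventID"] for event in apply_filter(name, events)]


if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:28} -> {matching_ids(name)}")
```

Note that the regex filter passes e2 (LondonHeathrow) and that e4 (172.16.5.102) is rejected by SubnetWatch even though it looks close to 172.17.0.0/16: a /16 on 172.17.0.0 covers 172.17.x.x only. If a site wanted the whole 172.16.0.0/12 private range, that is a different value, not a wider operator.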
SECTION 4
Analysis
In the Active Views tab, you have the ability to monitor events as they are happening (near real time) and perform queries on these events. By the end of this lecture, the student should be able to investigate events in various ways, doing further analysis on the event data presented in the Active View.
Exercise 4-1
Event Table
1.
b. Check the option to Show Details; a table will open on the left.
c. Scroll down to review the event tags under the Base heading.
d. There will be four more headings: Custom, Asset, Exploit and Reserved. Open each of them to review the event tags populated under them.
e. Find the Reserved heading and look for the four taxonomy levels:
i. Identify the Event Name, the Product Name and the Resource. The relationship between the event type and the categorization is the taxonomy.
f. Now select two events with the same EventName = Successful login-administrator.
i. If the Event Details table is already open, you will see only event tags that are the same in both selected events.
ii. The commonalities in the event tags can give the user an indication of what possible correlation exists between the two events.
g. Active Views display events in real time, so they reflect the last interval for the refresh rate set for that view. Select the first event that appears in the window and wait until the window is refreshed with the next set of events; the selected event will move (still selected) as the window refreshes.
h. Double-click on the event. You will notice the Event Details window closes. If you double-click again, the Event Details will reopen.
(End of Exercise)
Exercise 4-2
Investigating a Series of Events
1. Using the same Active View used in the previous exercise, select an event with the EventName = BLASTER variant detected.
2. Right-mouse click and, under Investigate, select More Events from this Source.
3. A new window will open with the results of the query. Using these results, select the first 15-20 events in the table and right-mouse click to select Investigate > Show Graph. At the prompt, use the down arrows to select:
a.
b.
4. Notice that a graphical representation of the attacks displays in the Graph Mapper. The number indicates the number of attacks to the same TargetIP.
NOTE: In one of the upcoming labs you will be recording information such as this to include in an incident, but for now the point of this lab is for you to know how to obtain this information.
(End of Exercise)
Exercise 4-3
Attack - Severity
Create a new Active View with the Attack filter and the Severity attribute. This view will display data based on severity level for events that have been categorized as Attack; the categorization is done at the Collector or Collector Manager level.
1. Select the Active Views tab.
2. From the Active Views menu, select Create Active View to open the Active Views Wizard. In the Active Views Wizard window, Step 1, click the down arrows to select your Z-axis, Filter and Displayed Events settings:
a.
b.
c.
3. After making the selection, click Finish and your Active View will open. Notice it will take a few seconds to update the data in the chart and event table.
(End of Exercise)
Exercise 4-4
Investigating Vulnerabilities
Using the Active View you just created, investigate vulnerabilities in your assets. The demo data that we are using contains only a few IP addresses that are also reflected in a vulnerability scan result in the database.
IMPORTANT: The image may NOT have Vulnerability data installed. If this is the case, skip this exercise.
1.
2. Right-mouse click on the event and, under Analysis, select Event Time Vulnerability. The Vulnerability Results window will open with a summary of the Nessus scan results for the Destination IP address of the selected event.
a. Review the port vulnerabilities under the Vulnerability Report tab.
b. On the left pane, uncheck different ports: 0/TCP, ms-sql-s 1433/TCP.
(End of Exercise)
Exercise 4-5
Events Table Snapshots
1. Select the Snapshot Event Real Time Table button on the toolbar to open a separate window. Notice the Date/Time stamp at the top of the window. This window will not be updated, so you will be able to sort the columns.
2. Select the Resource column and click on the heading to sort by Resource. Review the results.
3. Select the EventName column and click on the heading to sort by EventName.
4. Look for HTTP_IIS_ASP_Chunked_Overflow in the EventName sorted column. Right-click on the event and select the menu option WhoIs? A separate window will open with the WhoIs results. Note: you must have an internet connection to view the results.
(End of Exercise)
Exercise 4-6
Chart Snapshot
Lock the Active View and create a webpage snapshot.
1. Using the PUBLIC:ALL Active View, click on the chart Lock button to lock the display.
2. Click on the chart Snapshot button (in chart, camera icon) to create a webpage snapshot. Save to your desktop and use a web browser to view.
(End of Exercise)
Exercise 4-7
Event Queries
Generate a quick query; click the Launch Event Query button on the toolbar. A Historical Event Query window will open:
1. Using the drop arrows, select the PUBLIC:IDS_Events filter.
2. Click the Severity icon and deselect the Severity 0 and 1 levels. Click OK.
3. Select a 15 minute timeframe in the From/To time drop boxes.
4. Leave the Batch Size at the default of 100.
5. Click on the magnifying glass icon to run the query.
6. Click the blue arrow at the top right to return another 100 events to this view.
(End of Exercise)
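The query above combines four things: a named filter, the set of severity levels left selected, a From/To time window, and a batch size with a "next batch" cursor (the blue arrow). The following is an added example, not code from the lab manual or from Sentinel, that runs that same query shape over constructed events with a batch size of 3 so the paging is visible. The PUBLIC:IDS_Events filter is not defined on this page, so it is stood in for by an assumed DeviceCategory = IDS test; event IDs, times and severities are constructed.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2009, 12, 11, 10, 30, tzinfo=timezone.utc)


def _event(event_id, minutes_ago, severity, category):
    return {"EventID": event_id, "EventTime": NOW - timedelta(minutes=minutes_ago),
            "Severity": severity, "DeviceCategory": category}


# Constructed sample events, not data from the course image. DeviceCategory is an
# assumed tag standing in for whatever PUBLIC:IDS_Events actually tests.
SAMPLE_EVENTS = [
    _event("e1", 14, 5, "IDS"),
    _event("e2", 12, 0, "IDS"),   # severity 0: deselected in step 2
    _event("e3", 11, 3, "IDS"),
    _event("e4", 10, 4, "FW"),    # not an IDS event: rejected by the filter
    _event("e5", 8, 1, "IDS"),    # severity 1: deselected in step 2
    _event("e6", 7, 2, "IDS"),
    _event("e7", 5, 5, "IDS"),
    _event("e8", 3, 3, "IDS"),
    _event("e9", 1, 4, "IDS"),
    _event("e10", 40, 5, "IDS"),  # older than the 15-minute window
]


def ids_events(event):
    """Stand-in for the PUBLIC:IDS_Events filter (assumed definition)."""
    return event["DeviceCategory"] == "IDS"


def historical_query(events, event_filter, severities, start, end, batch_size, offset=0):
    """Run a historical event query and return (batch, next_offset).

    severities is the set of levels left selected in the Severity dialog;
    start/end bound the From/To window inclusively; batch_size is the Batch
    Size setting; offset is how many matching events earlier batches already
    returned. next_offset is None once the last batch has been delivered.
    """
    matches = sorted(
        (e for e in events
         if event_filter(e) and e["Severity"] in severities
         and start <= e["EventTime"] <= end),
        key=lambda e: e["EventTime"])
    batch = matches[offset:offset + batch_size]
    next_offset = offset + len(batch)
    return batch, (next_offset if next_offset < len(matches) else None)


def query_ids(batch_size, offset=0, minutes_back=15):
    """Exercise 4-7 over the constructed data: IDS_Events, severities 2-5, last 15 minutes."""
    batch, next_offset = historical_query(
        SAMPLE_EVENTS, ids_events, {2, 3, 4, 5},
        NOW - timedelta(minutes=minutes_back), NOW, batch_size, offset)
    return [e["EventID"] for e in batch], next_offset


if __name__ == "__main__":
    offset = 0
    while offset is not None:          # keep clicking the blue arrow until it runs dry
        ids, offset = query_ids(batch_size=3, offset=offset)
        print("batch:", ids, "next offset:", offset)
```

The ordering key matters for paging: the batches are only consistent across "next" clicks because the matches are sorted deterministically before slicing. In a live system new events arriving inside the window between clicks would shift later batches, which is why a snapshot (Exercise 4-5) is the safer basis for anything you intend to sort and record.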
SECTION 5
Incidents
Using the Active Views and Incidents tabs, you have the ability to create and modify Incidents and to assign related information and iTRAC processes.
Exercise 5-1
Incident creation
1. Using an Active View with the ALL filter, use the Event Table to select an event with the EventName Failed_su. Right-mouse click on the event and select Create Incident. The Incident window will open.
   i. In the Title box, type su_root_Watch.
   ii. For State, use the drop box and select Assigned.
   iii. For Priority, use the drop box and select Medium (2).
   iv. In the Category box, select UNAUTHORIZED ACCESS.
   c. The Events tab contains the selected event.
   d. Click Create to finish the Incident creation.
2. Sort by TargetIP and look for 172.17.11.5 and 172.16.5.102. Locate several events that have an EventName which mentions BLASTER. Select the events (3 or more) and right-mouse click to create an Incident.
   i. In the Title box, type BLASTER_Watch.
   ii. For State, use the drop box and select Investigating.
   iii. For Priority, use the drop box and select High (3).
   iv. By the Category box, click the ... button, and create a new category named sent_servers.
   v. The Events tab contains the selected events.
   c. Select the Vulnerability tab and review the known vulnerabilities for these events. (You may not see any.)
   d. Select the iTRAC tab and use the drop box to select a process.
   e. Click Create to finish the Incident creation.
3. In the filter drop box, select the PUBLIC:IDS_Events filter. Leave the defaults and run the query. Select all the events in the results window, right-mouse click and select Add to Incident. Click the Browse button to select an Incident. Click the Search button at the top to display a list of all incidents. Look for your BLASTER_Watch and select it. Click OK to finish.
4. Open a new Active View, using the London filter and the Severity attribute.
   a. Using the Event Table, select three or four events, right-mouse click and create a new Incident.
   b. Name the Incident SupplyChain_LinuxSvr.
   c. Change the State to Investigating.
   d. Save the Incident.
5. Open a new Active View, using the Dallas filter and the InitIP attribute.
   a. Using the Event Table, select two events with the EventName of Object_modified and right-mouse click to create a new Incident.
   b. Name the Incident WinSvr_Watch.
6. Switch to the Incidents tab. If the Incident View Manager is not open, select Incident View Manager under Incident Views in the left navigator pane.
   a. When the window opens, select the first default view, ALL INCIDENTS, and double-click to open it.
   b. Your Incident will be listed here; select su_root_Watch and double-click to open it.
   c. Notice that the Severity is automatically calculated as an average of the severities of the selected events.
   d. Change the State from Assigned to Verified and click the save button.
   e. Select the History tab and view the listed modifications.
7. Open the ALL INCIDENTS View, and select your SupplyChain_LinuxSrv Incident. Right-click on the Incident and delete it.
8. Select the Configure Attachment Viewers button from the main toolbar.
   a. Fill in the definition for a new Attachment Viewer for the Adobe PDF format.
   b. Locate Acrobat Viewer on your machine as the application. Specify the subtype as sent.
   c. Save your Attachment Viewer definition.
(End of Exercise)
iTRAC
SECTION 6
iTRAC
In this lab you will create an iTRAC Virus Response using the iTRAC Process Builder, create a manual step to fix a problem, and include any necessary transitions.
Exercise 6-1
In the following lab you will create iTRAC Virus Response templates using the iTRAC Process Builder.
   a.
   b. Name the manual step Investigate and assign it to the Admin role.
   c. Right-mouse click on the start icon and select Add Start Transition.
   d. Ensure that the Destination is set to Investigate and click OK.
   e. Right-mouse click on the manual process Investigate and select Add End Transition.
   f. Select File/Save and Exit.
   g. In an Active View, select a number of events and create an Incident from them.
   h. Assign the Incident to the iTRAC process OneStepManualProcess.
   i. The iTRAC process should appear as a job available for your group in your worklist. Accept this iTRAC process and view the Details.
   j. Explore the iTRAC process and its options, then select Complete.
   k. Open the Incidents tab and find the Incident that was just marked as complete. Ensure that it was properly closed.
2.
   a. Create a manual task to gather data. Assign this task to the Analyst role.
   b. Create a second manual task and assign this to the Admin role.
   c. From the Administration tab, add the user esecadm to the Analyst role in User Manager.
   d. In the Active View tab, instantiate an iTRAC process by creating an Incident and assigning it to this workflow.
   e. From the Work List, accept the Work Item.
   f. Mark the Work Item as complete, then check the Incidents tab and view the process from the Process Management screen.
3. In a new iTRAC workflow, create a Manual step in which an Analyst will populate a boolean variable. Next create a Decision step, where the flow direction is determined by the value of the boolean variable. If the value is true, have the Incident move to a Manual step assigned to the Admin role. If the value is false, log the Incident with a Manual step assigned to the Analyst role. (Notice that the Work Item is automatically placed in the user's queue, not the Analyst role queue.)
(End of Exercise)
Administration
SECTION 7
Administration
By the end of these exercises you will be able to create and manage filters, create and manage new users with different permissions, and populate roles with users.
Exercise 7-1
1. From the Admin tab, create a Global filter for all events coming from a firewall resource using the Public Filter Firewalls.
   a. Select the Global Filter icon from the navigation pane. (It looks like a globe with a funnel.) The Global Filter Configuration window appears.
   b. Click the Add button and a new line will appear in the Global Filter Configuration window. Double-click under the Filter Name heading and the Filter Selection window will pop up. Select the PUBLIC:SubnetWatch Public filter, then check the Active box.
   c. In the Action box, select the database option. The filter definition will appear in the Expression box.
   d. Click the Save button to complete.
2. Again from the Admin tab, create a global filter for all events with Severity 2 using the Public Filter Severity 4 or higher.
   a. Select the Global Filter icon from the navigation pane. In the Global Filter Configuration window, select Add.
   b. In the Filter Selection window, select the PUBLIC:Severity 4 or higher filter. Check the Active box.
   c. In the Action box, select the drop option. The filter definition will appear in the Expression box.
   d. Click the Save button to complete.
After completing this exercise, all events from a firewall resource will go directly to the database, and all events of severity 4 or higher are being dropped. None of these events will show up in the Active View. In order to continue with the exercise you must delete the Global Filters that you just created.
(End of Exercise)
Exercise 7-2
1.
   a. In the Admin tab, select the User Configuration icon. This will open the User Manager.
   b. In the User Manager window click the Add User button. The Add User window will appear with three tabs across the top.
   c. Using the default tab, Details, enter the user name esecop and select the local Authentication radio button.
   d. In the password and the confirm password fields enter the string novell.
   e. Select the drop down in the Security Filter field; the Filter Selection window will open. From this window, select the PUBLIC:ALL filter from the list and click Select.
   f. In the bottom half of the Add User window, under Details, enter your First and Last name.
   g. From the Add User window, select the Permissions tab.
   h. This Operator will only need access to Active Views; check the Active Views box.
   i. In the Add User window, select the Roles tab and select the Analyst check box.
   j. Click the Ok button to save the user. The new user will appear in the User Manager window. Notice that the selected filter is included in the user definition.
2.
   a. In the Admin tab, select the User Configuration icon. This will open the User Manager.
   b. In the User Manager window click the Add User button. The Add User window will appear with three tabs across the top.
   c. Using the default tab, Details, enter the user name esecmgr and select the local Authentication radio button.
   d. In the password and the confirm password fields enter the string novell.
   e. Select the drop down in the Security Filter field; the Filter Selection window will open. From this window, select the PUBLIC:Internal_Events filter from the list and click Select.
   f. From the Add User window, select the Permissions tab.
   g. This Operator will only need access to Active Views; check the Permissions box, then uncheck the Incidents check box.
   h. In the Add User window, select the Roles tab and select the Admin check box.
   i. Click the Ok button to save the user. The new user will appear in the User Manager window. Notice that the selected filter is included in the user definition.
3. Log out of the Sentinel Control Center, and log in as the user esecmgr. Move through the Control Center tabs and observe what permissions are available. Select the Admin tab and open up the User Configuration. Click on the Active User Sessions to open the window. Does your new user name appear on the list?
4. Log out of the Sentinel Control Center, and log in as the user esecop. Move through the Control Center tabs and observe what permissions are available. Select the Admin tab and notice that you cannot access this tab. What do you have access to?
5. Log out of the Sentinel Control Center and log in as esecadm. From the Admin tab, in the left hand side navigation pane, select Role Manager. Select the Add Role button and the Add New Role window will appear. In the name field enter sent_role. Click the Add button, select gporter, and add that user to this role. Click Ok to continue. In the left hand navigation pane, select the User Manager. In the User Manager, select the user esecmgr. Right-mouse click on the user, and select User Details. Select the Roles tab and check the box for the new role sent_role. Click Ok to complete.
(End of Exercise)
SECTION 8
In this exercise you will configure Crystal Reports to work with Sentinel 6.1. This functionality will be used throughout the rest of the class. Crystal Reports has already been installed on the VMware image named Sentinal Database.
Install Microsoft IIS and ASP.NET
Install Microsoft SQL (depending on configuration, as Windows authentication or SQL Server authentication)
For Chinese (Traditional and Simplified) and Japanese users only: install Asian fonts (for example, Arial Unicode MS) to view reports in these languages.
Install Crystal Reports Server
Configuring Open Database Connectivity (ODBC) for SQL Authentication or Installing and Configuring Oracle Client Software
5. Configure inetmgr
6. Patch Crystal Reports
7. Publish (import) Crystal Reports
8. Set a Named User account
9. Test connectivity to the Web Server
10. Increase Crystal Reports Server Report Refresh Record Limit (recommended)
11. Configure Sentinel Control Center to integrate with Crystal Reports Server.
Exercise 8-1
1. Set Data Execution Prevention (DEP) to run on essential Windows programs and services only. This is particularly helpful to avoid Error 1920 (Service Crystal Report Cache Server) on Windows 2003. DEP is accessed through Control Panel > System > Advanced tab > Performance Settings > Data Execution Prevention. Select Turn on DEP for essential Windows programs and services only.
2. The installation and configuration instructions for Crystal Reports Server assume that the Sentinel server and database have already been installed. You need to know which authentication mode was chosen for the Sentinel Report User. This user is called esecrpt if you are using local database authentication. It could be called anything you choose if using Windows Authentication. The authentication mode was set on a screen similar to the one below during the Sentinel installation process.
Video resolution should be set to 1024 x 768 or higher. Ensure Microsoft Internet Information Server (IIS) and ASP.NET are installed.
(End of Exercise)
Exercise 8-2
to c:\Inetpub\wwwroot.
2. Launch Internet Service Manager by clicking Start > Run. Provide inetmgr and click OK.
3. Expand (local computer) > Web Sites > Default Web Site > businessobjects.
4. On businessobjects, right-click > Properties.
5. Under the Virtual Directory tab, click Configuration.
6. You should already have the following mappings. If not, add them. If you are going to add a mapping, do not click the businessobjects or crystalreportsviewer11 nodes.
Extension Executable
Restart IIS by expanding (local computer) > Web Sites > Default Web Site, highlighting Default Web Site and selecting right-click > Stop. Then expand (local computer) > Web Sites > Default Web Site, highlight Default Web Site and select right-click > Start.
(End of Exercise)
Database
SECTION 9
Database
Jobs can be scheduled and executed inside Sentinel or outside it by a DBA. The point of this exercise is to demonstrate this ability. You will use the Sentinel Data Manager utility and the Microsoft SQL Server Management Studio for this lab. By the end of this lab, the student will be able to create and manage database partitions. Remember, the premise of this lab is to demonstrate that some functions of Sentinel happen outside Sentinel and are a built-in function of the database. In this case the Jobs are executed by the database (MS SQL or Oracle).
Exercise 9-1
Jobs Exercise
As the DBA administrator (user = sa, password = novell) you will now schedule automatic partitioning jobs. This lab is as simple as it looks.
1. Change the scheduled time for the add partition job for the EVENTS table group to a few minutes from the current system time.
2. Change Add Min to 3, indicating the minimum number of partitions that must exist before the job runs. Change Add Max to 5, which defines the number of partitions to add when the job runs.
3. Save the configuration changes.
4. Launch SQL Server Management Studio.
5. Expand SQL Server Agent (the last selection).
6. Expand Jobs.
7. Execute the SentinelAddPartitions EVENTS job by right mouse clicking and selecting Start Job.
8. From the SDM GUI, refresh the partition listing.
9. Go to the Partition Configuration tab and check the job messages by clicking the HISTORY button.
10. You should see the job advanced and appear as executed.
(End of Exercise)
Correlation Workshop 1
SECTION 10
Correlation Workshop 1
Correlation allows you to define rules that identify critical threats and complex attack patterns so that you can prioritize events and initiate effective incident management and response. We will begin with simple correlations and progress to more complex scenarios. In this lab you will use the Sentinel Control Center, working in the Correlation tab.
Exercise 10-1
2.
3. Name the rule Port scan.
4. Select Yes, create another rule.
NOTE: We will test this rule in Exercise 10-4 below.
(End of Exercise)
Exercise 10-2
1.
2. Select an Update Criteria of 2 minutes.
3. Name the rule NIDS Critical Event.
4. Select Yes, create another rule.
(End of Exercise)
Exercise 10-3
1. This one is slightly different; it uses an Aggregate correlation, but it is still simple. Create an Aggregate correlation using the filter used in Exercise 10-2.
2. Add a trigger of (5,300): 5 times in 300 seconds (5 minutes).
3. Set the Update Criteria to 5 minutes and name the rule 5 critical NIDS Events in 5 Minutes.
4. Save the rule and exit.
(End of Exercise)
Exercise 10-4
Adding an Action
1. Deploy the first rule (the one created in step 1) by double-clicking and selecting Deploy Rule.
2. The Action Manager pops up. Click on Add Action.
3. Under Action Name is a drop-down list named Action. Select the drop-down list.
4. Select Configure Correlated Event.
5. Leave the Event options as Copy fields from trigger event.
6. Set the Severity as 4 and the EventName as Port Scan. (We will work more with Actions later.)
7. Now you must name the action; set it to Port scan correlated event.
8. Now, click on the selection box to the left of Port scan correlated event and click on OK.
NOTE: The rule turned green; it is running.
9. Open an Active View and select Severity for the Z-Axis, select Correlation as the Filter, and leave Display Events set to Yes.
Exercise 10-5
Repeat Steps 4a-4d using the rule NIDS Critical Events.
1. This time do not copy fields from the trigger; set the severity to 5, make the EventName critical ids event, and name the action IDS Correlated Event.
(End of Exercise)
Exercise 10-6
1. Create another Active View screen.
2. Set the Z-axis to EventName.
3. Select the Correlation filter.
4. Set Display events to Yes.
5. What is the difference between the port scan event and the IDS event? Why?
(End of Exercise)
Exercise 10-7
This rule is exactly the same as the previous ones; just add a discriminator for the InitIP or the same Init User Name (we used to call this the source user name). Deploy and record.
NOTE: Some of the answers are beginning to become a matter of judgment or preference. As the labs become more vague (human-speak), you will have to make many of these judgment calls.
(End of Exercise)
Exercise 10-8
A Simple Aggregate
1. Create a correlation for major events coming from Network IDSs that are going to the same destination host.
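The aggregate rules of Exercises 10-3, 10-7 and 10-8 in working form, as an added example rather than anything from the lab or from Sentinel itself: a trigger(count, seconds) evaluated over a sliding window, optionally keyed by a discriminator field such as TargetIP or InitIP. The NIDS filter, the sample events and the treatment of Update Criteria as a simple suppression period are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample NIDS events for this example: (timestamp in seconds, fields).
# Field names follow the Sentinel columns used in the exercises; the values are made up.
NIDS_EVENTS = [
    (0,   {"Severity": 5, "SensorType": "N", "InitIP": "10.0.0.7", "TargetIP": "172.17.11.5",  "EventName": "WEB-ATTACK"}),
    (40,  {"Severity": 4, "SensorType": "N", "InitIP": "10.0.0.7", "TargetIP": "172.17.11.5",  "EventName": "WEB-ATTACK"}),
    (90,  {"Severity": 5, "SensorType": "N", "InitIP": "10.0.0.9", "TargetIP": "172.16.5.102", "EventName": "SHELLCODE"}),
    (120, {"Severity": 2, "SensorType": "N", "InitIP": "10.0.0.7", "TargetIP": "172.17.11.5",  "EventName": "ICMP"}),
    (150, {"Severity": 5, "SensorType": "N", "InitIP": "10.0.0.7", "TargetIP": "172.17.11.5",  "EventName": "WEB-ATTACK"}),
    (200, {"Severity": 4, "SensorType": "N", "InitIP": "10.0.0.7", "TargetIP": "172.17.11.5",  "EventName": "WEB-ATTACK"}),
    (260, {"Severity": 5, "SensorType": "N", "InitIP": "10.0.0.7", "TargetIP": "172.17.11.5",  "EventName": "WEB-ATTACK"}),
    (700, {"Severity": 5, "SensorType": "N", "InitIP": "10.0.0.7", "TargetIP": "172.17.11.5",  "EventName": "WEB-ATTACK"}),
]


def nids_critical(e):
    """Stand-in for the filter used in Exercise 10-2 (assumption): a network IDS
    event (SensorType N) of Severity 4 or higher."""
    return e.get("SensorType") == "N" and e.get("Severity", 0) >= 4


class AggregateRule:
    """filter + trigger(count, seconds), optionally keyed by discriminator fields.

    update_seconds models the Update Criteria as a suppression period: once the
    rule has fired for a key it will not fire again for that key until
    update_seconds have passed. This is a simplified model, not Sentinel's exact
    semantics.
    """

    def __init__(self, name, match, count, seconds, discriminator=(), update_seconds=0):
        self.name, self.match = name, match
        self.count, self.seconds = count, seconds
        self.discriminator, self.update_seconds = tuple(discriminator), update_seconds
        self.buckets = defaultdict(deque)   # discriminator key -> timestamps of matching events
        self.last_fired = {}                # discriminator key -> time the rule last fired

    def feed(self, ts, e):
        """Offer one event; return a correlated-event dict if the trigger is met, else None."""
        if not self.match(e):
            return None
        key = tuple(e.get(f) for f in self.discriminator)
        q = self.buckets[key]
        q.append(ts)
        while q and ts - q[0] > self.seconds:      # drop events outside the sliding window
            q.popleft()
        if len(q) < self.count:
            return None
        seen = len(q)
        q.clear()                                   # the events that met the trigger are consumed
        last = self.last_fired.get(key)
        if last is not None and ts - last < self.update_seconds:
            return None                             # inside the update period: suppressed
        self.last_fired[key] = ts
        return {"EventName": self.name, "Time": ts, "Count": seen,
                "Discriminator": dict(zip(self.discriminator, key))}


def run_rule(rule, events):
    """Feed a whole event list through a rule and collect the correlated events."""
    fired = []
    for ts, e in events:
        c = rule.feed(ts, e)
        if c is not None:
            fired.append(c)
    return fired


if __name__ == "__main__":
    plain = AggregateRule("5 critical NIDS Events in 5 Minutes", nids_critical, 5, 300)
    by_target = AggregateRule("5 critical NIDS Events to one host", nids_critical, 5, 300,
                              discriminator=("TargetIP",))
    print(run_rule(plain, NIDS_EVENTS))       # one hit at t=200
    print(run_rule(by_target, NIDS_EVENTS))   # one hit at t=260 for 172.17.11.5
```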
(End of Exercise)
Correlation - RuleLG II
SECTION 11
Correlation - RuleLG II
In this section we will discuss mostly the Window function. It is used much like a trigger, but for comparing against historic data, which is sometimes not the same as what one would find using a discriminator. Don't freak out when you first begin working with this function. Many people take several exercises to get it right.
Exercise 11-1
A Spreading Attack
You will use the Sentinel Control Center, working in the Correlation tab and writing free-form RuleLG, for this lab.
1. Using the free-form editor, write a correlation rule that generates a correlation when seeing that the source of an attack (TaxonomyLevel1=Attack) was previously the destination of an attack (within 15 minutes).
NOTE: The following is a hint toward the solution:
filter( e.X) flow window ( e.Y=w.Z, filter ( TaxonomyLevel1=Attack ), 15m)
(End of Exercise)
Exercise 11-2
Write a rule that checks whether an IDS attack event seen inside your network came through your firewall (e.rv32=FW) in the last 10 seconds.
NOTE: The following is a hint toward the answer:
filter( e.TaxonomyLevel = Attack ) flow Window (w.X=e.Y, filter (on FireWall), 10s)
(End of Exercise)
Exercise 11-3
Write a rule that generates a correlation when seeing that the source of an attack was previously the destination of an attack and the event name is the same on both. In other words, check that the first attack and the second attack were the same.
(End of Exercise)
Exercise Answers
NOTE: Give these some time to work. The first one may not fire for as long as 10 minutes.
Exercise 11-1
filter( e.TaxonomyLevel1=Attack ) flow window( e.sip=w.dip, filter( e.rv51 = Attack ), 3600)
Exercise 11-2
filter( e.TaxonomyLevel1=Attack ) flow window( e.sip = w.sip, filter( e.rv32 = FW ), 10)
Exercise 11-3
filter(e.TaxonomyLevel1=Attack ) flow (window (e.sip=w.dip, filter (e.TaxonomyLevel1=Attack ), 3600) intersection window ( e.evt=w.evt, filter ( e.TaxonomyLevel1=Attack ), 3600))
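The three answer rules evaluated over a small event stream, as an added example (not Sentinel's RuleLG engine): a window keeps the past events matching its filter for the stated number of seconds, the join expression compares the current event e with each remembered event w, and intersection requires every window to match. The event stream, the field contents, and the reading of rv51 as carrying the same value as TaxonomyLevel1 and rv32=FW as marking a firewall event are assumptions.

```python
from collections import deque


def ev(sip, dip, evt, taxonomy, rv32="IDS"):
    """Build one constructed event; rv51 mirrors TaxonomyLevel1 (assumption, see lead-in)."""
    return {"sip": sip, "dip": dip, "evt": evt, "TaxonomyLevel1": taxonomy,
            "rv51": taxonomy, "rv32": rv32}


# Constructed stream: (timestamp in seconds, event). Comments say what each should do.
ATTACK_STREAM = [
    (0,    ev("10.1.1.1", "10.2.2.2", "BLASTER", "Attack")),             # attack on 10.2.2.2
    (5,    ev("10.1.1.1", "10.2.2.2", "Accept", "Traffic", rv32="FW")),  # firewall saw 10.1.1.1
    (12,   ev("10.1.1.1", "10.3.3.3", "SCAN", "Attack")),                # 7 s after FW: 11-2 fires
    (600,  ev("10.2.2.2", "10.4.4.4", "BLASTER", "Attack")),             # victim attacks on: 11-1, 11-3
    (700,  ev("10.3.3.3", "10.5.5.5", "FTP_OVERFLOW", "Attack")),        # spreads, different name: 11-1 only
    (5000, ev("10.4.4.4", "10.6.6.6", "BLASTER", "Attack")),             # everything has expired
]


def is_attack(e):
    return e.get("TaxonomyLevel1") == "Attack"


class Window:
    """Time-bounded store of past events, modelled on RuleLG's window(join, filter, seconds)."""

    def __init__(self, join, keep, seconds):
        self.join, self.keep, self.seconds = join, keep, seconds
        self.past = deque()  # (timestamp, event), oldest first

    def expire(self, now):
        while self.past and now - self.past[0][0] > self.seconds:
            self.past.popleft()

    def matches(self, e):
        return any(self.join(e, w) for _, w in self.past)

    def remember(self, ts, e):
        if self.keep(e):
            self.past.append((ts, e))


class FlowRule:
    """filter(trigger) flow (window ... intersection window ...): every window must match."""

    def __init__(self, name, trigger, windows):
        self.name, self.trigger, self.windows = name, trigger, windows

    def feed(self, ts, e):
        for w in self.windows:
            w.expire(ts)
        fired = self.trigger(e) and all(w.matches(e) for w in self.windows)
        # Remember the event only after evaluating it, so it cannot join with itself.
        for w in self.windows:
            w.remember(ts, e)
        return fired


def run(rule, events):
    """Return the timestamps at which the rule produced a correlated event."""
    return [ts for ts, e in events if rule.feed(ts, e)]


def spreading_attack():        # Exercise 11-1
    return FlowRule("Spreading Attack", is_attack,
                    [Window(lambda e, w: e["sip"] == w["dip"], lambda w: w.get("rv51") == "Attack", 3600)])


def through_firewall():        # Exercise 11-2
    return FlowRule("Attack through firewall", is_attack,
                    [Window(lambda e, w: e["sip"] == w["sip"], lambda w: w.get("rv32") == "FW", 10)])


def same_attack_spreading():   # Exercise 11-3
    return FlowRule("Same attack spreading", is_attack,
                    [Window(lambda e, w: e["sip"] == w["dip"], is_attack, 3600),
                     Window(lambda e, w: e["evt"] == w["evt"], is_attack, 3600)])


if __name__ == "__main__":
    for make in (spreading_attack, through_firewall, same_attack_spreading):
        rule = make()
        print(rule.name, "fires at", run(rule, ATTACK_STREAM))
```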
Correlation Actions
SECTION 13
Correlation Actions
Exercise 13-1
Correlation Actions
There are currently no Labs for this section
(End of Exercise)
Troubleshooting
SECTION 14
Troubleshooting
Objective 1
Collectors
SECTION 15
Collectors
Exercise 15-1
Collectors
There are currently no Labs for this section
(End of Exercise)
SECTION 16
This exercise will demonstrate adding meta-data to existing collectors. The problem with data collection is in the device; it has the inconvenience of seeing only data that passes its detecting mechanisms. Sometimes that data is not very user friendly. The data is true enough, but knowing an IP address is far less telling than knowing the name of the user or the location of the device. In order to correct this problem we must inject information at the Collector based on information collected at the source. That is the premise of this exercise.
Figure 16-1
Map data can be in any order so long as the format is text and it is delimited by comma, pipe, tab, semicolon or some other character that doesn't occur in the data itself. See Figure 1-2 for an example.
Figure 16-2
Exercise 16-1
Prepare a Map
1. Input and define the map.
2. Open Sentinel Control Center and select the Admin tab.
3. On the left, find and select Map Data Configuration.
4. Click Add, and name the map RefMap1.
5. Click Next.
(End of Exercise)
Exercise 16-2
1. Browse to C:\Class Files\noise makers\WS22map.csv. Select the file and click Next.
2. Check the box above column 1 named Key. The Key here is the IP address of the source.
NOTE: The Key field is the link between the data collected at the source and the map data just loaded.
3. Ensure that Comma is selected as the delimiter. In this case Start at row is set to 0; you will need to change this to 1. If the data file has a header, you can use the Start at row offset to ensure the correct row is used and the header data is ignored.
4. Click on Finish.
5. Next you will name the Remote file that references this data. You can name the file assetip.csv, but just to show this is simply a reference, name the file ExtRef1.
(End of Exercise)
Exercise 16-3
1. Select the Admin tab, then find and select Event Configuration.
2. Scroll to ct1 and change the long-name to BusinessUnit. This may be completed already. Leave the Data Source set to External, which means the data is coming from the Collector.
3. Scroll down to ct2 and change the long-name to City. Again, leave the Data Source set to External.
4. Select an available CustomerVariable representing a string; cv21 is what I use for the lab. You may want to start with CV23.
5. Change the long-name of the variable to Owner_Name.
6. Select Referenced from Map from the Data Source menu.
7. Type ExtRef1 for the map.
8. Select Column 4 as the source of the data.
9. Next, define the key between the Map and the Collector data. The key is field 1 or InitIP (SourceIP).
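The map lookup configured in Exercises 16-1 through 16-3, as an added example that is not Sentinel's own code: a delimited map keyed on the source IP in column 1, loaded with the Start at row offset so the header is skipped, and used to fill a map-referenced tag (cv21, long name Owner_Name) from column 4 while the External tags are left to the Collector. The map contents, the event key field (InitIP) and the column layout are assumptions.

```python
import csv
import io

# Constructed stand-in for the lab's WS22map.csv (the real file is not reproduced here):
# a header row, then one row per asset keyed on the source IP address in column 1.
# The remaining columns (BusinessUnit, City, Owner_Name) are assumed.
MAP_TEXT = """ip,business_unit,city,owner
172.17.11.5,Finance,London,A. Porter
172.16.5.102,Engineering,Dallas,G. Porter
10.0.0.7,Lab,Provo,esecadm
"""


def load_map(text, key_column=1, delimiter=",", start_at_row=1):
    """Build {key: row} from delimited map text.

    key_column is 1-based like the wizard's column numbering; start_at_row is the
    number of leading rows to skip. Leaving it at 0 keeps the header as if it were
    data, which is the pitfall step 3 of Exercise 16-2 warns about.
    """
    rows = csv.reader(io.StringIO(text), delimiter=delimiter)
    mapping = {}
    for n, row in enumerate(rows):
        if n < start_at_row or not row:
            continue
        mapping[row[key_column - 1].strip()] = [cell.strip() for cell in row]
    return mapping


# Event Configuration as set up in Exercise 16-3 (tag -> settings). ct1 and ct2 stay
# External (the Collector fills them); cv21 is referenced from map ExtRef1, column 4.
EVENT_CONFIG = {
    "ct1":  {"long_name": "BusinessUnit", "source": "External"},
    "ct2":  {"long_name": "City", "source": "External"},
    "cv21": {"long_name": "Owner_Name", "source": "Referenced from Map",
             "map": "ExtRef1", "column": 4},
}


def enrich(event, maps, config=EVENT_CONFIG, key_field="InitIP"):
    """Return a copy of the event with every map-referenced tag filled from the
    map row whose key matches the event's key field (InitIP, as in step 9)."""
    out = dict(event)
    for tag, spec in config.items():
        if spec["source"] != "Referenced from Map":
            continue                      # External tags stay exactly as the Collector set them
        row = maps.get(spec["map"], {}).get(event.get(key_field))
        # An unknown source IP yields an empty tag; the event itself is never dropped.
        out[tag] = row[spec["column"] - 1] if row else ""
    return out


def with_long_names(event, config=EVENT_CONFIG):
    """Present tags under the long names configured in Event Configuration."""
    return {config[k]["long_name"] if k in config else k: v for k, v in event.items()}


if __name__ == "__main__":
    maps = {"ExtRef1": load_map(MAP_TEXT)}
    # ct1/ct2 arrive already filled by the Collector; cv21 is added by the map lookup.
    raw = {"InitIP": "172.16.5.102", "EventName": "Failed_su", "ct1": "Engineering", "ct2": "Dallas"}
    print(with_long_names(enrich(raw, maps)))
```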
(End of Exercise)
Exercise 16-4
Manage Columns
1. Change the CustomerVariable used in the instructions above so it is seen as one of the first listed items.
2. Finally, wait. It will take about 30 seconds for new data to begin populating.
(End of Exercise)
SECTION 17
The Platform Agent is not configured through eDirectory. Instead, the Platform Agent's configuration settings are stored in a simple, text-based configuration file (logevent). The location of this file depends on the platform. This makes the Platform Agent small, unobtrusive, and self-contained; that is, it has no external dependencies, so it is always available to receive logged events. Storing the Platform Agent's configuration in a text-based file also allows the Platform Agent to eventually run on platforms that do not have eDirectory support. The logevent file stores the host name or IP address of the logging server, the Disconnected Mode Cache directory, port assignments, and other related information. For more information on Platform Agent configuration settings, including a sample logevent file.
Exercise 17-1
a. Find the IDM 3.6.1 SLES VM. Log in as root with the password novell.
b. If you are familiar with the Linux environment, proceed to edit /etc/logevent.conf with any tool you like (see step f below).
c. For those of you who need some help, right-click and open a Terminal session.
d. Type su and enter novell for the password.
e. Type vi /etc/logevent.conf and press Enter.
f. Maneuver the cursor over the 1 in 1289 on the line LogEnginePort = 1289, and press x.
g. On the first line, LogHost=172.17.5.100, place the cursor on the 1 of the 100. Press x three times, deleting the 100.
h. Press a (for append) and type a 5, matching the LogHost entry shown above.
i. Press <ESC> to exit append mode, then type :wq and press Enter. The log server is now pointed to the correct log server using the correct port.
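As an added example (not from the lab manual), the same edit done programmatically with a check that the Platform Agent now points at the Sentinel server on port 289, which is what Exercise 17-1 achieves by hand in vi. The file is assumed to be one Key=Value per line with # comments; the sample content is constructed from the two lines the lab edits.

```python
"""Added example (not from the lab manual): parse /etc/logevent.conf,
retarget LogHost / LogEnginePort as Exercise 17-1 does, and verify the result.

Assumption: the file is one Key=Value per line, '#' starts a comment, and
whitespace around '=' is optional (the lab file shows both styles).
"""
import re

# Constructed sample of the file as found on the lab VM before editing.
LOGEVENT_BEFORE = """\
# Platform Agent configuration (constructed sample)
LogHost=172.17.5.100
LogEnginePort = 1289
LogCacheDir=/var/opt/novell/naudit/cache
"""

LINE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_logevent(text):
    """Return {key: value} for every Key=Value line; comments and blanks skipped."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def set_keys(text, updates):
    """Rewrite the values of the given keys in place.

    Every other line, comments included, is kept byte for byte, and the
    'Key=' or 'Key = ' spacing style of each edited line is preserved. Keys
    that are not present are appended so the result is always complete.
    """
    remaining = dict(updates)
    out = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match and match.group(1) in remaining:
            key = match.group(1)
            eq = line.index("=")
            prefix = line[: eq + 1]                  # e.g. 'LogEnginePort ='
            sep = " " if line[eq + 1:].startswith(" ") else ""
            out.append(f"{prefix}{sep}{remaining.pop(key)}")
        else:
            out.append(line)
    for key, value in remaining.items():
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def points_to(text, host, port):
    """True when the agent is configured to send its events to host:port."""
    settings = parse_logevent(text)
    return (settings.get("LogHost") == host
            and settings.get("LogEnginePort") == str(port))


def retarget_to_sentinel(text, host="172.17.5.5", port=289):
    """Apply the lab's edit: LogHost -> Sentinel server, LogEnginePort -> 289."""
    return set_keys(text, {"LogHost": host, "LogEnginePort": str(port)})


if __name__ == "__main__":
    after = retarget_to_sentinel(LOGEVENT_BEFORE)
    print(after)
    print("points at Sentinel:", points_to(after, "172.17.5.5", 289))
```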
(End of Exercise)
SECTION 18
This exercise will teach you how to extend the eDirectory schema for the Novell Audit product, install the eDirectory Instrumentation, and install the Platform Agent for Novell eDirectory. Each of these pieces is critical for Sentinel and for Compliance Management.
Exercise 18-1
1. Launch Event Source Management from the Control Center.
2. Stop the DemoAgent, DemoAgent2 and BlasterIDS Collectors.
3. Go to the eDirectory Services control (in the quick-launch area). When this series of controls is available, find nauditds.dlm and start this process.
4. On the left, under Collectors, click the + to add a new collector. It is okay to install Audit over the current one if it is already there.
a. to e. (wizard screens shown as graphics in the original manual)
f. Add the Novell eDirectory 8.8 Collector in the same way as you added the Audit plugin.
g. Follow the next series of graphics exactly; most of them are default values.
NOTE: New software has been released since the lab manual was written; always choose the latest Collector. In this case choose Novell_eDirectory_6.1r2.clz.zip.
h. At this point you should click on Test Connection. Go to Novell iManager at https://172.17.5.5:8443/nps. When the system begins to come up, it will complain about the security certificate; click on the Continue to website button. Log in as admin.services with the password novell, using the Tree name 172.17.5.5. The first time you log in, it will take a long time to initialize the components. Go to Directory Administration and create a user (any username you like) in Users.Vault. The creation event may take a little time to process but will then be visible in the raw data screen.
i. Click Finish.
(End of Exercise)
Exercise 18-2
NOTE: In the example above you will need to edit the freeform (Edit RuleLG) and change the logic slightly. The changes are displayed below. Make sure to use the correct Collector by entering the name you selected in step 9 (Novell_eDirectory_6.1r2.clz.zip).
(End of Exercise)
SECTION 19
This exercise is a repeat of Exercise 16. Instead of deleting it, I have included it. You can use it as a test or overview to check your selections in the previous lab, or you can skip it. In this exercise you will first install the Novell Audit Connector and then the Novell eDirectory Collector. Finally you will configure the server event source. The following graphic demonstrates a deployment of the Audit Connector and eDirectory Collector, as well as 3 demo collectors which provide a cache of events for the environment.
Exercise 19-1
1. Launch Event Source Management from the Control Center.
2. Stop any Collectors currently running.
3. On the left, under Connectors, click the + to add a new collector.
4. to 6. (wizard screens shown as graphics in the original manual)
7. (wizard screen shown as a graphic in the original manual)
IMPORTANT: Do not close this window. There will be more instructions to follow from this point in the next exercise.
(End of Exercise)
Exercise 19-2
1. Above the Supported Event Sources, click on Add More. You should see the graphic displayed below.
2. Add the Novell eDirectory 8.8 Collector in the same way as you added the Audit plugin. Browse to the Class Files folder and select Novell_eDirectory_6.1r2.clz.zip.
3. (screen shown as a graphic in the original manual)
4. Repeat the process for Novell_Identity-Manager_6.1r2.clz.zip and Novell_Access_Manager_3_LOG_600.zip. We don't have the supporting hardware in this class to work further with these collectors, but it will be good experience to install them just the same.
5. After you have added all the scripts to the list of Collectors, click on Next.
6. Select Audit as the connector and click on Next. At this point all we need is the Audit Connector; otherwise we could have installed more Connectors with the Install more Connectors... button just above Version. Click Next until you see the Configure Collector Property page.
7. (screen shown as a graphic in the original manual)
8. This is the Collector configuration screen, where you would select such things as data rates, filters and trusting the source time. However, at this point simply click on the box next to Run and select Next.
9. (screen shown as a graphic in the original manual)
11. Ensure the Port Number is set to 289 (the port used by Audit).
12. For our purposes here we will not select security. We will select and configure
14. On the Advanced Settings screen accept the defaults and click on Next.
15. Click on the box just beside Run and then click Finish.
17. This is where you would install filters. Click Next.
18. Select Run and click Next. By selecting Run, you are saying you want the connector or collector to run automatically when started. Notice this is again where you can insert a filter.
19. Click Next until you see the screen above. The new Audit server is the IDM
22. Since we took the defaults, it shouldn't be necessary to test the connection. Our next step is to redirect audit traffic to the audit server, that is, the Sentinel server (172.17.5.5). This will produce traffic we can test later.
23. Finally, accept the default selection to create a new collector and connector and click on Next.
24. Click Next to connect to the existing Collector Manager.
25. Click Next until you see the Finish line, then click on it.
26. At this point you should click on Test Connection. Go to Novell iManager and create a user (any username you like) in Users.Vault. The creation event may take a little time to process but will then be visible in the raw data screen.
(End of Exercise)
Exercise 19-3
Real-World
At this point let's go real world. In the field you will have only the documentation given to you by Novell. Under Class files there is a documentation directory. Find the Microsoft_Active-Directory_6.1r3.pdf file and the wms_connector.pdf file and use the information inside to connect the local AD to Sentinel.
(End of Exercise)
Exercise 19-4
(End of Exercise)
SECTION 20
The Sentinel driver is not included with the base Identity Manager product, and therefore has a separate installation program. The following sections explain how to install one or more drivers.
Exercise 20-1
Installing the Driver Files on the Metadirectory Engine on page 140
Placing Prerequisite Files on page 140
Installation Programs
Platform   File
Windows    sentinel_driver_install.exe
Linux      ./sentinel_driver_install_linux.bin
Solaris*   ./sentinel_driver_install_solaris.bin
AIX*       ./sentinel_driver_install_aix.bin
1. Open a terminal window.
   Type: cd /home/userapp/Class files/IdM Integration Module
   Mount the disk by typing: mount -o loop NIdM_Integration_Module_3_6_for_Sentinel.iso
   Find the installation program listed in Table 1-1 for Linux and cd into the appropriate directory.
   Execute the command: ./sentinel_driver_install_linux.bin
The installation program detects the installation location of the Metadirectory engine and places the driver files in this location. No information is required during the installation.
Prerequisite files:
   mfcontext.jar
   sonic_Client.jar
2. Copy these files to the IDM/RBPS VM (172.17.5.100). These files should be located on the server already; check to make sure.
Platform     Location
Windows      Local Installation: c:\Novell\NDS\lib
             Remote Installation: c:\Novell\RemoteLoader\lib
Linux/UNIX   Installation: /opt/novell/eDirectory/lib/dirxml/classes
             Remote Installation: /opt/novell/eDirectory/lib/dirxml/classes
3. To restart eDirectory on Linux, enter ndsmanage stopall, then enter ndsmanage startall.
(End of Exercise)
SECTION 21
Importing the Sentinel driver configuration file creates the driver in the Identity Vault. Designer can then use and configure this driver and export it back into the vault. First, though, you must read the existing vault into Designer. This reads the existing information in the eDirectory Vault and adds the policies needed to make the driver work properly.
Exercise 21-1
1. In Designer, select create project from Identity vault.
2. Put in the credentials for the IDM image (you should know them by now).
3. Select Browse; in the left-hand pane select Services, in the right-hand pane select driverset, then click OK. It will take some time to import the environment.
4. In the Modeler, right-click the driver set where you want to create the driver (there is only one), then select New > Driver to display the Driver Configuration Wizard.
5. In the Driver Configuration list, select Sentinel v2, then click Run. On the Import Information Requested page, fill in the following fields:
6. Driver Name: Specify a name that is unique within the driver set.
7. Broker URL: Specify the IP address of the SonicMQ message queue with the default port of 10012. For example: tcp://localhost:10012
8. Click Next to import the driver configuration.
9. Click Configure to make additional configuration changes, or click Close to finish.
10. Deploy the driver, setting the security equivalent to Admin.services. Use this same entity for the excluded user.
After the Sentinel driver files are deployed to the server where you want to run the driver, you can run the driver in the Identity Vault.
(End of Exercise)
SECTION 22
Enable account tracking GCV on each driver used with the Sentinel driver. Not all drivers can be enabled for account tracking. If a driver does not have the Account Tracking GCV, then account tracking cannot be enabled.
These steps to enable account tracking are the same for each driver.
Exercise 22-1
1. In Designer: right-click the driver icon, then select Properties > GCVs. In iManager: edit the driver properties, then click the Global Config Values tab.
2. Set the Account Tracking > Show Account Tracking Configuration option to show.
3. Use the information in Table 22-1 to correctly enable account tracking.
4. Click OK to save the changes. If the driver is running, it must be restarted for the changes to take effect.
Table 22-1
The value of the status attribute that represents an active state. By default, the value is false.
The value of the status attribute that represents an inactive state. By default, the value is true.
Subscription default status: The default status the policies assume when an object is subscribed to the application and the status attribute is not set in the Identity Vault. By default, the status is Active.
Publication default status: The default status the policies assume when an object is published to the Identity Vault and the status attribute is not set in the application. By default, the status is Uninitialized.
(End of Exercise)
SECTION 23
In a traditional Sentinel configuration there is a connector and a collector; the connector establishes the connection to the JMS message bus. There is no connector for the Identity Vault Collector. Instead, the Sentinel driver connects directly to the JMS message bus through connection factories and queues, which must be created for the Sentinel driver. Exercise 23-1 creates the connection factories. There are specific queues that must be created for the Sentinel driver to work; if you have more than one instance of the Sentinel driver, you must create additional queues for each additional driver.
Exercise 23-1
1. Start Sentinel:
   Linux: /etc/init.d/sentinel start
   Windows: Net start sentinel
2. Start the Sonic Management Console:
   Linux: $ESEC_HOME/3rdparty/SonicMQ/MQ7.0/bin/startmc.sh
   Windows: %ESEC_HOME%\3rdparty\SonicMQ\MQ7.0\bin\startmc.bat
3. Use the following information to set up the connection:
   Connection Name: By default the value is Connection1. Any value is valid.
   Domain Name: esecDomain
   Connection URL: tcp://localhost:10012. The default Message Bus port is 10012. If you specified a different port during the installation of Sentinel, use that port.
   User Name: Specify the administrator for Sentinel, for example esecadm.
   Password: Specify the password of the administrator.
4. From the Sonic Management Console toolbar, click Tools > JMS Administered Objects.
5. Click JNDI Naming Service, then use the following information to create the JNDI naming service:
   Sonic Storage: Select the Sonic Storage check box.
   Domain: Specify esecDomain for the domain name.
   Context Factory: This field is prepopulated and the value cannot be changed.
   Provider URL: Specify tcp://localhost:10012 for the provider URL. If you are not using the default port, specify the port you are using.
6. Click Connect.
7. Select the localhost:10012 entry in the tree on the left, then select the Connection Factories tab.
8. Click New.
9. Specify TopicConnectionFactory in the Lookup Name field. The connection factory name must be exactly this name.
10. Specify ConnectionFactory in the Factory Type field.
11. Specify tcp://172.17.5.5:10012 in the Connection URL field.
12. Click Update to save the information.
13. Repeat Step 8 through Step 12, but use QueueConnectionFactory as the Lookup Name.
14. Close the JMS Administered Objects dialog box.
(End of Exercise)
Exercise 23-2
1. In the Sonic Management Console, select the Configuration tab, then expand the Brokers folder.
2. Expand esecBroker, then select Queues.
3. Right-click Queues in the left pane, then select New Queue.
4. Specify pubReceiveEvent in the Name field.
5. Click OK to create the new queue.
6. Repeat Step 3 through Step 5 twice more, using the names pubReceiveEventResponse and subReceiveResponse for the new queues.
7. Close the Management Console after the queues are created.
(End of Exercise)
SECTION 24
Use the information in the following sections to install and configure the Identity Vault Collector. The Identity Vault Collector must be added to the Event Source Manager to be installed. This step is only done once. The Identity Vault Collector is then displayed as a collector to select during configuration. To install the Identity Vault Collector:
Exercise 24-1
1. Locate the Identity Vault Collector (Novell_IdentityVault_6.1r1.clz.zip) in the collector section of the Class Files.
2. Log in to the Sentinel Control Center.
3. Select Event Source Management > Live View, then select Tools > Import plugin.
4. Browse to and select the Novell_Identity-Vault_6.1r1.clz.zip file, then click Next.
5. Follow the remaining prompts, then click Finish.
(End of Exercise)
Exercise 24-2
1. In the Event Source Management live view, right-click the Collector Manager, then click Add Collector.
2. Select Novell in the Vendor column.
3. Select Identity Vault in the Name column, then click Next.
4. In the Installed Scripts column, select Novell_Identity_Manager_6.1r1, then click Next.
5. Configure the Identity Vault Collector for your needs by using the following information:
Configuration Parameter: Event Source Time Zone
Default Value: +0000
Description: Sets the time zone offset from UTC (+0000) of the event source data time stamps. This is used if the source data is reported only in local time with no time zone indicated. The format is + or - followed by a two-digit hour and minute offset.

Configuration Parameter: Execution Mode
Default Value: release
Description: Sets the execution mode for the collector. There are three options:
   release: Use this mode for normal operation.
   custom: Use this mode if the Identity Manager Collector is customized.
   debug: Use this mode when troubleshooting issues. It generates debug trace files.

Configuration Parameter: MSSP Customer Name
Default Value: (not given on this page)
Description: (not given on this page)

Configuration Parameter: Script Error Severity
Default Value: 5 Severe (5)
Description: Sets the severity for a script error event.

Configuration Parameter: Send Script Error Message
Default Value: yes
Description: Sends a script error event when there is an error with the collector script.

Configuration Parameter: (name missing from the extracted page)
Default Value: (none)
Description: Enables multiple Sentinel drivers. Each Sentinel driver is paired with a specific Identity Vault Collector. This instance ID is synchronized between the Sentinel driver and the Identity Vault Collector. By default, there is no value. Use letters and numbers only.

Configuration Parameter: (name missing from the extracted page)
Default Value: localhost:10012
Description: The URL that the Identity Vault Collector uses to retrieve identity events stored in the SonicMQ message queue.
6. Click Next.
7. Complete the configuration of the Identity Manager Collector with the following information:
   Name: Specify a name for this connector.
   Run: Select whether the connector is started whenever the Collector Manager is started.
   Alert if no data received in specified time period: (Optional) Select this option to send the No Data Alert event to Sentinel if data is not received by the Connector in the specified time period.
   Limit Data Rate: (Optional) Select this option to set a maximum limit on the rate of data the connector sends to Sentinel. If the data rate limit is reached, Sentinel throttles back on the source in order to limit the flow of data.
   Set Filter: (Optional) Specify a filter on the raw data passing through the connector.
   Trust Event Source Time: (Optional) Select this option if you trust the Event Source server's time.
8. Click Finish.
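As an added example (not from the lab manual or the Collector), this models what the Event Source Time Zone parameter above does: a source that reports local time with no zone has the configured +HHMM or -HHMM offset applied so that every event is stored in UTC, and a mistyped offset is rejected up front rather than silently shifting every timestamp. The timestamp format and function names are assumptions for this example.

```python
"""Added example (not from the lab manual): the Event Source Time Zone
parameter of the Identity Vault Collector, modelled in Python.

Assumptions: the source timestamp format is "YYYY-MM-DD HH:MM:SS" with no
zone, and the offset string follows the page's "+ or - followed by a
two-digit hour and minute offset" rule (e.g. "+0000", "-0700", "+0530").
"""
from datetime import datetime, timedelta, timezone
import re

OFFSET_RE = re.compile(r"^([+-])(\d{2})(\d{2})$")


def parse_offset(text):
    """'+0000' -> timedelta(0); '-0530' -> -(5h30m).

    Anything that does not match +HHMM / -HHMM (missing sign, colon, wrong
    length) or is out of range raises ValueError, so a bad parameter is caught
    at configuration time instead of mis-stamping every event.
    """
    match = OFFSET_RE.match(text.strip())
    if not match:
        raise ValueError(f"bad time zone offset {text!r}; expected +HHMM or -HHMM")
    sign, hh, mm = match.groups()
    hours, minutes = int(hh), int(mm)
    if hours > 14 or minutes > 59:
        raise ValueError(f"time zone offset {text!r} is out of range")
    delta = timedelta(hours=hours, minutes=minutes)
    return -delta if sign == "-" else delta


def is_valid_offset(text):
    """Boolean form of parse_offset for configuration checks."""
    try:
        parse_offset(text)
        return True
    except ValueError:
        return False


def to_utc(local_text, offset_text, fmt="%Y-%m-%d %H:%M:%S"):
    """Interpret a zone-less source timestamp in the configured zone and
    return it as an aware UTC datetime (what a collector should store)."""
    naive = datetime.strptime(local_text, fmt)
    source_zone = timezone(parse_offset(offset_text))
    return naive.replace(tzinfo=source_zone).astimezone(timezone.utc)


if __name__ == "__main__":
    # Constructed sample: a source in US Mountain standard time (-0700).
    print(to_utc("2009-12-11 09:30:00", "-0700").isoformat())
```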
(End of Exercise)
Exercise 24-3
1. In the Event Source Management live view, right-click the Identity Vault collector.
2. Click Start to start the Collector.
(End of Exercise)
SECTION 25
This section contains a list of the custom audit events that are generated by policies in each driver. These events are sent to the Identity Vault Collector, which parses them and stores the information in the Sentinel data store. These events are used to trace the business logic rather than the raw data events, so you can verify that your business policies and processes are being enforced. For example, in the past Sentinel could only understand that an Add event occurred. It did not know what that meant for the business logic, or whether that user was supposed to be added or not; it recorded that the Add occurred, but that was all. Now, if an Add occurs, Sentinel understands what business logic is in place and verifies whether that user is entitled to be added. If the user is not entitled, Sentinel can then take action to let you know that the business policies are not being carried out.
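As an added example (not from the lab manual or from Sentinel), the check this section describes, run over a constructed event sample: a raw Add event alone only says an account was created, while the custom EventID 00031200 (Account Create By Entitlements Grant) names the entitlement that justified it, so accounts that were added without a matching 00031200 event are the ones to review. The event dictionaries, the ADD marker and the DNs are constructed placeholders.

```python
"""Added example (not from the lab manual): verify that account creations
are backed by an entitlement grant, using the custom audit event this
section describes.

Assumed (constructed) event shape: a dict with "EventID", "Target" (account
DN or association) and, for EventID 00031200, "Subtarget" (the entitlement)
and "Originator" (the driver DN), mirroring the field titles in the tables
that follow. The raw Add event marker "ADD" is a constructed placeholder.
"""

ACCOUNT_CREATE_BY_ENTITLEMENT = "00031200"   # EventID from Section 25
RAW_ADD = "ADD"                              # constructed raw-event marker

# Constructed sample stream; names and DNs are placeholders.
SAMPLE_EVENTS = [
    {"EventID": ACCOUNT_CREATE_BY_ENTITLEMENT,
     "Originator": "cn=ADDriver,cn=driverset1,o=services",
     "Target": "cn=asmith,ou=users,o=corp", "Subtarget": "UserAccount"},
    {"EventID": RAW_ADD, "Target": "cn=asmith,ou=users,o=corp"},
    {"EventID": RAW_ADD, "Target": "cn=contractor9,ou=users,o=corp"},
    {"EventID": RAW_ADD, "Target": "cn=contractor9,ou=users,o=corp"},
    {"EventID": ACCOUNT_CREATE_BY_ENTITLEMENT,
     "Originator": "cn=ADDriver,cn=driverset1,o=services",
     "Target": "cn=bjones,ou=users,o=corp", "Subtarget": "UserAccount"},
]


def entitled_creates(events):
    """Map target account -> entitlement for every 00031200 event."""
    return {e["Target"]: e["Subtarget"]
            for e in events if e.get("EventID") == ACCOUNT_CREATE_BY_ENTITLEMENT}


def unentitled_adds(events):
    """Targets of raw Add events that have no entitlement-grant event.

    This is the policy gap the section talks about: an account appeared but
    no business rule granted it. Order is preserved, duplicates collapsed.
    """
    granted = entitled_creates(events)
    flagged = []
    for e in events:
        target = e.get("Target")
        if e.get("EventID") == RAW_ADD and target not in granted and target not in flagged:
            flagged.append(target)
    return flagged


def grants_without_add(events):
    """Entitlement grants for which no raw Add was observed: the driver
    reported a create that the connected system never confirmed, a second
    discrepancy worth reviewing."""
    added = {e["Target"] for e in events if e.get("EventID") == RAW_ADD}
    return [target for target in entitled_creates(events) if target not in added]


if __name__ == "__main__":
    print("added without entitlement:", unentitled_adds(SAMPLE_EVENTS))
    print("granted but never added:  ", grants_without_add(SAMPLE_EVENTS))
```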
Objective 1
Figure 25-1 (diagram not reproduced; labels: Connected Application, User A, Identity, Target, Initiator, Approver (Person/Service))
Table 25-1 contains the general event structure. The defined events are in the dirxml_custom.lsc file that is on the Identity Manager 3.6 media.
Table 25-1 (general event structure; columns Field, Format, Sample Data, Description; only partially recoverable from this page)
Originator: String
Target: String
Text 3 (F): String
(unnamed Int field) Description: 0=None, 1=DN in Slash Notation, 2=DN in Dot Notation, 3=DN in LDAP Notation, 4=Association
EventID 00031200 on page 159
EventID 00031201 on page 160
EventID 00031202 on page 161
EventID 00031203 on page 161
EventID 00031230 on page 162
EventID 00031241 on page 163
EventID 00031200
This is the Account Create By Entitlements Grant. The following table contains the fields of this EventID with the proper values.
Field: Value
Originator (B) Title: Driver DN
Target (U) Title: Target account DN or the association
Subtarget (V) Title: Entitlement
Text1 (S) Title: Source Identity DN or GUID
Text2 (T) Title, Text3 (F) Title, Value1 (1) Title, Value1 Type, Value2 (2) Title, Value2 Type, Value3 (3) Title, Value3 Type, Group (G) Title, Group Type: (values only partly present on this page: Version, N)
Data (D) Title: XML Document
Data Type: S
Display Schema: [$TC] $SO: Account $SU created by entitlement $SV; Status:$N1 Driver:$SB from $iR\n
EventID 00031201
This is the Account Delete By Entitlements Revoke event. The following table contains the fields of this EventID with the proper values.
Originator (B) Title: Driver DN
Target (U) Title: Target account DN or the association
Subtarget (V) Title: Entitlement
Text1 (S) Title: Source Identity DN or GUID
Text2 (T) Title: Detail
Text3 (F) Title: Identity Manager EventID
Value1 (1) Title: Status
Value1 Type: N
Value2 (2) Title, Value2 Type, Value3 (3) Title, Value3 Type, Group (G) Title, Group Type: no value given
Version: N
Data (D) Title: XML Document
Data Type: S
Display Schema: [$TC] $SO: Account $SU deleted by entitlement $SV; Status:$N1 Driver:$SB from $iR\n
EventID 00031202
This is the Account Disabled By Entitlements Revoke event. The following table contains the fields of this EventID with the proper values.
Originator (B) Title: Driver DN
Target (U) Title: Target account DN or the association
Subtarget (V) Title: Entitlement
Text1 (S) Title: Source Identity DN or GUID
Text2 (T) Title: Detail
Text3 (F) Title: Identity Manager EventID
Value1 (1) Title: Status
Value1 Type: N
Value2 (2) Title, Value2 Type, Value3 (3) Title, Value3 Type, Group (G) Title, Group Type: no value given
Version: N
Data (D) Title: XML Document
Data Type: S
Display Schema: [$TC] $SO: Account $SU disabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n
EventID 00031203
This is the Account Enable By Entitlements Grant event. The following table contains the fields of this EventID with the proper values.
Originator (B) Title: Driver DN
Target (U) Title: Target account DN or the association
Subtarget (V) Title: Entitlement
Text1 (S) Title: Source Identity DN or GUID
Text2 (T) Title: Detail
Text3 (F) Title: Identity Manager EventID
Value1 (1) Title: Status
Value1 Type: N
Value2 (2) Title, Value2 Type, Value3 (3) Title, Value3 Type, Group (G) Title, Group Type: no value given
Version: N
Data (D) Title: XML Document
Data Type: S
Display Schema: [$TC] $SO: Account $SU enabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n
EventID 00031230
This is the Driver Health State Change event. The following table contains the fields of this EventID with the proper values.
Originator (B) Title: Driver DN
Target (U) Title, Subtarget (V) Title, Text1 (S) Title, Text2 (T) Title, Text3 (F) Title: no value given
Value1 (1) Title: Status
Value1 Type: N
Value2 (2) Title, Value2 Type, Value3 (3) Title, Value3 Type, Group (G) Title, Group Type, Data (D) Title, Data Type: no value given
Version: N
Display Schema: [$TC] $SO: Account $SU enabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n
EventID 00031241
This is a Generic Event. The following table contains the fields of this EventID with the proper values.
Originator (B) Title: Driver DN
Target (U) Title: Target Object DN
Subtarget (V) Title: Object Class
Text1 (S) Title: Source Identity DN
Text2 (T) Title: Detail
Text3 (F) Title: Identity Manager EventID
Value1 (1) Title: Status
Value1 Type: N
Value2 (2) Title, Value2 Type, Value3 (3) Title, Value3 Type, Group (G) Title, Group Type: no value given
Version: N
Data (D) Title: XML Document
Data Type: S
Display Schema: [$TC] $SO: Event: $ST; Src DN: $SS; Object: $SU
SECTION 26
This solution requires Sentinel and Identity Manager. Industry research shows that the biggest threat of data breach comes from former employees who attempt to access resources after their employment has ended. This solution allows you to track terminated employees for a set amount of time. If a terminated employee tries to access a resource, an alert is issued (by e-mail or workflow).
Exercise 26-1
1. Start the Sentinel Control Center and log in as a user with rights to manage Solution Packs. The Solution Manager option must be checked for the user under Permissions > Solution Pack.
2. Select Tools > Solution Pack from the menu to start the Solution Pack Manager.
3. Click Add to start the import wizard.
4. Select Import a Solution Pack plugin file (.zip), then click Next.
5. Browse to and select the Identity Tracking Solution Pack in c:\Class Files\Solution Packs, then click Open. The filename is Identity-Tracking_6.1r1.spz.zip.
6. Review the solution pack directory, then click Next.
7. Review the solution pack details, then click Finish.
(End of Exercise)
Exercise 26-2
1. Start the Sentinel Control Center, then click the Admin tab.
2. Select Admin > Event Configuration from the toolbar.
3. In the left pane, browse to and select ReservedVar43. The tag is rv43.
4. In the Label field in the right pane, change the display label to Data, then click Apply.
5. Click Save, then close the Event Configuration window and reopen it to see the changes take effect.
(End of Exercise)
Exercise 26-3
Employee TerminationViolation: A report that lists any attempts to access enterprise resources by terminated employees.
IdT - Identity Terminated Employees Rule: A rule that identifies the terminated employees within the enterprise.
IdT - Remove Reactivated Employees Rule: A rule that identifies the reactivated employees within the enterprise.
IdT - Unauthorized Access By Terminated Employees Rule: A rule that identifies unauthorized access by terminated employees within the enterprise.
This control makes a series of assumptions about how terminated employees are handled in the enterprise:
1. Terminated employees are simply designated as being no longer employed. CMP enforces this standard by setting the employeeStatus attribute to Inactive for all terminated employees. If your environment identifies terminated employees by another method that does not use the employeeStatus attribute, the IdT - Identify Terminated Employees Rule needs to be modified.
2. Modifying the status of the employee automatically triggers the disabling of all associated accounts, to ensure that the user no longer has access to enterprise resources. If this is not the case in your environment (for example, if former employees are still allowed to use an e-mail account), you might need to modify the IdT - Unauthorized Access By Terminated Employees rule to filter out events from those special accounts.
1. Launch the Solution Manager by selecting Tools > Solution Pack in the toolbar in the Sentinel Control Center.
2. Select Identity Tracking Solution Pack, then click Open with Solution Manager.
3. Highlight Identity De-Provisioning in the left pane of the Solution Manager, then click Install.
4. Verify that the Identity De-Provisioning Control is listed, then click Next.
5. Select your Correlation Engine from the drop-down list as the location where the Identity De-Provisioning rules are installed.
6. Select the IdT-Unauthorized Access By Terminated Employees (Deployment), then click Next.
7. Select whether the Crystal server is local or remote by selecting the following option: Publish to Crystal Server.
8. Server Name: 172.17.5.7. User Name: Administrator. Password: Leave this blank (the default password for the Crystal admin).
9. Click Next after you have specified the Crystal server information.
10. Review the contents of the Identity De-Provisioning Control, then click Install.
11. Review the installation summary, then click Finish.
(End of Exercise)
Exercise 26-4
Enabling Audit on All Endpoint Systems on page 170
Configuring the Unauthorized Access by Terminated Employee Rule on page 171
Configuring the Alert Unauthorized Access by Terminated Employee by E-mail Action on page 171
Configuring the Report Unauthorized Access by Terminated Employee Action on page 171
The correct alias account that receives the e-mail alerts must be configured.
1. In the Sentinel Control Center, select Tools > Action Manager.
2. Select Alert unauthorized access by terminated employee by e-mail, then click View/Edit.
3.
The Sentinel workflow that reports unauthorized access must contain a valid value for the person that receives the reports.
1. In the Sentinel Control Center, select Tools > Actions Manager.
2. Select Report unauthorized access by terminated employee, then click View/Edit.
3. Specify the correct user name in the Responsible field, then click Save.
(End of Exercise)
SECTION 27
This solution requires Identity Manager and Sentinel. When an identity attribute is changed by an administrator rather than by Identity Manager, Sentinel logs the event and then takes the appropriate action. For example, the action can be an e-mail, an alert, or termination of the rogue administrator's account. This solution not only detects the rogue activity, it also identifies who performed the activity and then takes immediate action against that account. It uses the SOAP integrator feature of Sentinel to integrate with the User Application. The SOAP integrator allows Sentinel to call the SOAP endpoints provided by the User Application to initiate User Application workflows. These workflows are usually stored in the User Application's Provisioning Request Definitions under the Directory Abstraction Layer (DAL). The Rogue_Administration_Activity workflow is called from Sentinel, sets the user's LoginDisabled attribute to True, and sends the Default Approver (user or group) a workflow item to notify them that the user might be attempting illicit network activity.
Exercise 27-1
1. Start the Sentinel Control Center and log in as a user with rights to manage Solution Packs.
2. Select Tools > Solution Pack from the menu to start the Solution Pack Manager.
3. Click Add to start the import wizard.
4. Select Import a Solution Pack plugin file (.zip), then click Next.
5. Browse to and select the Identity Tracking Solution Pack where you downloaded it, then click Open. The filename is Identity-Tracking_6.1r1.spz.zip.
6. Review the solution pack directory, then click Next.
7. Review the solution pack details, then click Finish.
(End of Exercise)
Exercise 27-2
1. Select Identity Tracking Solution Pack, then click Open with Solution Manager.
2. Select Rogue Administration in the left pane of the Solution Manager, then click Install.
3. Verify that the Rogue Administration Control is listed, then click Next.
4. Select your Correlation Engine from the drop-down list as the location where the Rogue Administration rules are installed.
5. Select IdT-Rogue Administration (Deployment), then click Next.
6. Select Publish to Crystal Server.
7. Specify the correct Crystal server information.
8. Click Next after you have specified the Crystal server information.
9. Review the contents of the Rogue Administration Control, then click Install.
10. Review the installation summary, then click Finish.
(End of Exercise)
Exercise 27-3
Create a test identity and ensure that the account is created in the integrated system. Find the associated event in the Sentinel Active view. Right-click the event, then select the Identity Tracking submenu. Click Add to ApprovedAccountAdmins map.
Generate activity on each integrated system. Find the associated events in the Sentinel Active view. Right-click an event, then select the new Identity Tracking submenu. Click Add to IDManagedSystems map.
1. In the Sentinel Control Center, click Tools > Integrator Manager from the toolbar.
2. Select the Identity Manager SOAP Integrator from the list on the left.
NOTE: The SOAP Integrator must be named Identity Manager SOAP.
3. Click the SOAP Connection Settings tab, then use the following information to configure the connection settings on the Identity Manager SOAP Integrator:
URL: Specify the Web service URL used to get the WSDL from the User Application server. The User Application is the SOAP provider for Identity Manager. The correct URL is located in the server.xml file for Tomcat on the User Application server. For example, specify http://172.17.5.100:8444/IDMProv/provisioning/service?wsdl.
Service Name: Specify ProvisioningService as the SOAP service.
Port: Specify ProvisioningPort as the SOAP port.
Use SSL: Select Use SSL if the connection to the User Application server is secure.
Use Authentication: Select Use Authentication to enable authentication to the User Application server.
Username: Specify a user with administrative rights to start workflows. Use LDAP notation with the DN of the user.
Password: Specify the administrator's password.
4. Click Refresh Web Service API to regenerate the WSDL API.
5. Click Test, then verify that the Integrator test completes successfully.
6. Click Save to save the changes.
1. In the Sentinel Control Center, click Tools > Integrator Manager in the toolbar.
2. Select the Identity Vault from the list on the left.
NOTE: The LDAP Integrator must be named Identity Vault.
3. Click the LDAP Connection Settings tab, then use the following information to configure the connection settings on the Identity Vault Integrator:
Server: 172.17.5.100
Port: 389
Use SSL: Select this option to use a secure connection to the eDirectory server. The default port for secure communication is 636.
Login: Specify the DN of a user that has administrative rights to eDirectory, in LDAP format. Enter cn=admin,o=services.
Password: novell
4.
(End of Exercise)
Exercise 27-4
Script Files
1. Select Identity Tracking Solution Pack, then click Open with Solution Manager.
2. In the left pane, browse to and select IdTApprovedAccountAdmins.
3. In the right pane, select Add2ApprovedAccountAdmins.bat (or Add2ApprovedAccountAdmins.sh if using Linux), then click Save. The .bat file is for Windows and the .sh file is for Linux/UNIX.
4. In the left pane, browse to and select IDManagedSystems.
5. In the right pane, select Add2IDManagedSystems.bat, then click Save.
(End of Exercise)
Exercise 27-5
1. From the Sentinel Control Center, select the Admin tab.
2. Click Admin > Event Menu Configuration.
3. Click Add.
4. Use the following information to complete the configuration:
Name: Specify the name as Identity Tracking/Add to ApprovedAccountAdmins map.
Description: Specify the description as Adds InitUserName and InitUserDomain from the current event to the ApprovedAccountAdmins map.
Action: Select Execute Command from the drop-down list.
File Type: Leave this field blank.
Command/URL: Specify Add2ApprovedAccountAdmins.bat as the name of the script file to execute.
Parameters: Specify %InitUserName% %InitUserDomain% for the parameters. The delimiter for Windows is a comma; for Linux/UNIX use a space.
5.
6. Select Import an Action plugin file (.zip), then click Next.
7. Browse to and select the Rogue Administration Action, then click Open. The Rogue Administration Action filename is Start-Rogue-AdminWorkflow_6.1r1.acz.zip.
8. In the Action Name field, specify Start Rogue Admin Workflow, then click Save.
9. Click OK.
10. Click Add.
11. Use the following information to configure a second option:
Name: Specify the name as Identity Tracking/Add to IDManagedSystems map.
Description: Specify the description as Adds Collector from the current event to the IDManagedSystems map.
Action: Select Execute Command from the drop-down list.
File Type: Leave this field blank.
Command/URL: Specify Add2IDManagedSystems.bat.
Parameters: Specify %CollectorId% for the parameters. The delimiter for Linux/UNIX is a space and the delimiter for Windows is a comma.
Exercise 27-6
1. In Designer, click Windows > Show View > Provisioning View in the toolbar.
2. In the Provisioning view, right-click the Directory Abstraction Layer, then click Import from File.
3. In the warning message, click OK.
4. Browse to and select the Rogue_Administration_Activity.xml file, then click OK.
5. Click OK to import the workflow.
6. Verify that the workflow imported by browsing to it under UserApplication > Provisioning Request Definitions > Accounts > Rogue_Administration_Activity.
7. Verify that the LoginDisabled attribute exists on the User entity by right-clicking Rogue_Administration_Activity, then selecting Validate to run the Project Checker.
a. If the LoginDisabled attribute does not exist on the User entity, right-click Directory Abstraction Layer > Entities > User, then select Edit.
b. Right-click the User entity in the left pane, then select Add Attribute.
c. Browse to and select the LoginDisabled attribute in the left pane.
d. Click Add Attribute, then click OK.
8. Press Ctrl+S to save the changes.
9. Deploy the changes in the Identity Vault.
10. Restart the User Application and the User Application driver to apply the changes. To restart the User Application server, reboot JBoss.
(End of Exercise)
SECTION 28
Every Sentinel event or correlated event has certain fields that are automatically populated (such as Event Time and Event UUID) and other fields that may or may not be populated, depending on the type of event, the collector parsing, and the mapping service configuration. This event data is visible in Active Views, historical queries, and reports. They are stored in the database and can be accessed via the report views. They can also be used in actions available through the right-click event menu, correlation actions, and iTRAC workflow actions.
Each field has a default label, but that label is user-configurable using the Event Configuration option on the Admin tab. For more information, see the Admin Tab section in the Sentinel User Guide. InitUserName is the default label that represents the account name of the user who initiated the event, but this can be changed by the administrator. When a user changes the default label, the change is reflected in most areas of the interface, including any correlation rules, filters, and right-click menu options.
WARNING: Changing the default label for any variables other than Customer Variables may cause confusion when working with Novell Technical Services or other parties who are familiar with the default names. In addition, JavaScript Collectors built by Novell refer to the default labels described in this chapter and are not automatically updated to refer to new labels.
Each field also has a short tag name that is always used for internal references to the field and is not user-configurable. This short tag name may not correspond exactly to the default label; Sentinel labels have changed over the years, but the underlying short tags remain the same for backward compatibility. (For example, InitUserName is the default label for the account name of the user who initiated the event. The default label was previously SourceUserName, and the underlying short tag is sun.)
NOTE: Many of the default labels were updated for clarity in the Sentinel 6.1 release. Because all filters, actions, and correlation rule definitions are defined using the short tags (even though the label may be visible in the interface), there is no change in functionality due to the label renaming.
Each field is associated with a specific data type, which corresponds to the data type in the database:
string: limited to 255 characters (unless otherwise specified)
integer: 32 bit signed integer
UUID: 36 character (with hyphens) or 32 character (without hyphens) hexadecimal string in
date: Collector Variable must be set with the date as the number of milliseconds from January 1, 1970 00:00:00 GMT. When displayed in the Sentinel Control Center, meta-tags of type date are displayed in a regular date format.
IPv4: IP address in dotted decimal notation (that is, xxx.xxx.xxx.xxx)
Figure 28-2 Filter Wizard displaying labels in drop-down and free-form language
In the free-form RuleLG language, fields are usually prefaced by e.; for example, e.InitUserName or e.sun refers to the Initiator User Name of the incoming (current) event. In special cases, w. may be used to refer to a field in a past event (for example, w.InitUserName).
28.1.2 Actions
Users can use either the tag or the label when they define parameters to be sent to right-click Event Menu actions, correlation actions, and iTRAC workflow actions. To pass a field value to an action, you may use a checklist that shows the labels or type the parameter name directly into the configuration.
When you type the label or short tag for a field to be used in an action, the name can be enclosed in percent signs (%tag%) or dollar signs ($tag$). For example:
%sun% in a correlation action refers to the value of InitUser in the correlated event.
$sun$ in a correlation action refers to the value of InitUser in the current, trigger event (the final event that caused the correlation rule to fire).
NOTE: In a right-click menu event operating on a single event, there is no functional difference between %sun% and $sun$. For example, to pass the Initiator User Name to a command line action to look up information from a database about that user, you could use %InitUserName% or %sun%. For more information about Actions, see the Actions and Integrators section in the Sentinel User Guide.
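The following Python is an added illustration, not Sentinel's own code: it resolves %tag%/$tag$ action parameters with the correlated-event versus trigger-event distinction described above, accepting either the default label or the short tag, and builds the argument list for an Execute Command action. The label-to-tag mapping is a subset of Table 28-1 below; the date display format, the comma/space delimiter handling (from Exercise 27-5) and the sample events are assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Default label -> short tag, a subset of Table 28-1 on this page. The legacy
# label SourceUserName is included because the page says it maps to the same
# tag (sun) as InitUserName; filters and actions are stored by tag, not label.
LABEL_TO_TAG: Dict[str, str] = {
    "InitUserName": "sun",
    "SourceUserName": "sun",
    "TargetUserName": "dun",
    "InitHostName": "shn",
    "InitDomain": "rv42",
    "EventTime": "dt",
    "Severity": "sev",
    "Message": "msg",
    "CollectorId": "rv22",
}
KNOWN_TAGS = set(LABEL_TO_TAG.values())

# %name% reads the correlated event, $name$ reads the trigger event.
_PLACEHOLDER = re.compile(r"%(\w+)%|\$(\w+)\$")


def to_tag(name: str) -> str:
    """Resolve a default label or a short tag to the internal short tag.

    Relabelling a field in Event Configuration changes only the label, so an
    action written with either form keeps resolving to the same stored field.
    """
    if name in LABEL_TO_TAG:
        return LABEL_TO_TAG[name]
    if name in KNOWN_TAGS:
        return name
    raise KeyError(f"unknown field label or tag: {name!r}")


def render_value(tag: str, value: object) -> str:
    """Render one field value as text for an action parameter.

    Date fields are stored as milliseconds since January 1, 1970 00:00:00 GMT;
    the display format used here is an assumption (the page only says the
    Control Center shows dates in a regular date format).
    """
    if value is None:
        return ""
    if tag == "dt" and isinstance(value, int):
        when = datetime.fromtimestamp(value / 1000, tz=timezone.utc)
        return when.strftime("%Y-%m-%d %H:%M:%S GMT")
    return str(value)


def resolve_parameters(template: str, correlated_event: Dict[str, object],
                       trigger_event: Optional[Dict[str, object]] = None) -> str:
    """Expand %tag%/%Label% from the correlated event and $tag$/$Label$ from
    the trigger event (the final event that fired the rule).

    A right-click menu action operates on a single event, so there is no
    separate trigger event and both forms read the same event (the NOTE above).
    """
    if trigger_event is None:
        trigger_event = correlated_event

    def repl(match: re.Match) -> str:
        if match.group(1) is not None:
            name, event = match.group(1), correlated_event
        else:
            name, event = match.group(2), trigger_event
        tag = to_tag(name)
        return render_value(tag, event.get(tag))

    return _PLACEHOLDER.sub(repl, template)


def build_argv(parameters: str, event: Dict[str, object], platform: str) -> List[str]:
    """Turn an Event Menu 'Parameters' field into an argument list.

    Exercise 27-5 states the parameter delimiter is a comma on Windows and a
    space on Linux/UNIX. The template is split BEFORE substitution, so an
    event value that itself contains the delimiter stays one argument and
    cannot add extra arguments to the command; hand the list to the script
    without going through a shell.
    """
    delimiter = "," if platform.lower() == "windows" else " "
    pieces = [p.strip() for p in parameters.split(delimiter) if p.strip()]
    return [resolve_parameters(piece, event) for piece in pieces]


if __name__ == "__main__":
    # Constructed sample events keyed by short tag (not real Sentinel data).
    correlated = {"sun": "jdoe", "rv42": "lab.example", "dt": 1230768000000}
    trigger = {"sun": "root", "rv42": "lab.example"}
    print(resolve_parameters("%sun% -> $sun$ at %EventTime%", correlated, trigger))
    print(build_argv("%InitUserName%,%InitDomain%", correlated, "windows"))
```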
Table 28-1 Labels and Meta-tags used in Sentinel Control Center and proprietary Collector language
Each row gives the Default Label, then in parentheses the RuleLG reference, the action parameter, the Collector variable (where one is listed) and the Data Type, followed by the Description.
DeviceEventTimeString (e.et, %et%, s_ET; string): The normalized date and time of the event, as reported by the sensor.
DeviceEventTime (e.det, %det%; date): The normalized date and time of the event, as reported by the sensor.
SentinelProcessTime (e.spt, %spt%; date): The date and time Sentinel received the event.
BeginTime (e.bgnt, %bgnt%, s_BGNT; date): The date and time the event started occurring (for repeated events).
EndTime (e.endt, %endt%, s_ENDT; date): The date and time the event stopped occurring (for repeated events).
RepeatCount (e.rc, %rc%, s_RC; integer): The number of times the same event occurred if multiple occurrences were consolidated.
EventTime (e.dt, %dt%; date): The normalized date and time of the event, as given by the Collector.
SentinelServiceID (e.src, %src%; UUID): Unique identifier for the Sentinel service which generated this event.
Severity (e.sev, %sev%, i_Severity; integer): The normalized severity of the event (0-5).
Vulnerability (e.vul, %vul%, s_VULN; integer): The vulnerability of the asset identified in this event.
Further rows of this part of the table for which only the Description column survived: Set to 1 if Sentinel detects an exploit against a vulnerable system. Requires Advisor. / The criticality of the asset identified in this event. / IPv4 address of the initiating system. / IPv4 address of the target system. / Name of the Collector that generated this event.
CollectorScript (e.agent, %agent%; string): The name of the Collector Script used by the Collector to generate this event.
SensorType (e.st, %st%, s_ST; string): The single character designator for the sensor type (N, H, O, V, C, W, A, I).
Protocol (e.prot, %prot%, s_P; string): Protocol used between initiating and target services.
InitHostName (e.shn, %shn%, s_SHN; string): Unqualified hostname of the initiating system.
InitServicePort (e.spint, %spint%, s_SPINT; integer): Port used by the service/application that initiated the connection.
InitServicePortName (e.sp, %sp%, s_SP; string): Name of the initiating service that caused the event.
TargetUserName (e.dun, %dun%, s_DUN; string): Target user's account name. Example: root during a password reset.
FileName (e.fn, %fn%, s_FN; string): The name of the program executed or the file accessed, modified or affected.
Further rows of this part of the table for which only the Description column survived: Compliance monitoring hierarchy level 1. / Subresource name. / Unqualified hostname of the observer (sensor) of the event. / Unqualified hostname of the target system. / Network port accessed on the target. / Name of the target service affected by this event. / Initiating user's account name. Example: jdoe during an attempt to su.
ExtendedInformation (e.ei, %ei%, s_EI; string): Stores additional collector-processed information. Values within this variable are separated by semi-colons (;).
ReporterHostName (e.rn, %rn%, s_RN; string): Unqualified hostname of the reporter of the event.
ProductName (e.pn, %pn%, s_PN; string): Indicates the type, vendor and product code name of the sensor from which the event was generated.
Message (e.msg, %msg%, s_BM; string): Free-form message text for the event.
DeviceAttackName (e.rt1, %rt1%, s_RT1; string): Device specific attack name that matches the attack name known by Advisor. Used in Exploit Detection.
Rt3 (e.rt3, s_RT3; integer): Reserved by Novell for expansion.
Ct3 (e.ct3; integer): Reserved for use by customers for customer-specific data.
CorrelatedEventUuids (e.ceu, %ceu%; string): List of event UUIDs associated with the correlated event. Only relevant for correlated events.
Further rows of this part of the table for which only the Description column survived: Reserved by Novell for expansion. / Reserved for use by customers for customer-specific data. / Used for MSSPs. / Reserved by Novell for expansion.
CollectorManagerId (e.rv21, %rv21%, s_RV21; UUID): Unique identifier for the Collector Manager which generated this event.
CollectorId (e.rv22, %rv22%, s_RV22; UUID): Unique identifier for the Collector which generated this event.
ConnectorId (e.rv23, %rv23%, S_RV23; UUID): Unique identifier for the Connector which generated this event.
EventSourceId (e.rv24, %rv24%, S_RV24; UUID): Unique identifier for the Event Source which generated this event.
RawDataRecordId (e.rv25, %rv25%, S_RV25; UUID): Unique identifier for the Raw Data Record associated with this event.
ControlPack (e.rv26, %rv26%, S_RV26; string): Sentinel control categorization level 1 (for Solution Packs).
EventMetricClass (e.rv28, %rv28%, s_RV28; string): Class of the event-dependent numeric value.
InitIPCountry (e.rv29, %rv29%, s_RV29; string): Country where the IPv4 address of the initiating system is located.
TargetIPCountry (e.rv30, %rv30%, s_RV30; string): Country where the IPv4 address of the target system is located.
DeviceName (e.rv31, %rv31%, s_RV31; string): Name of the device generating the event. If this device is supported by Advisor, the name should match the name known by Advisor. Used in Exploit Detection.
DataContext (e.rv36, %rv36%, s_RV36; string): Data context.
InitFunction (e.rv37, %rv37%, s_RV37; string): Initiator function.
Further rows of this part of the table for which only the Description column survived: Device category (FW, IDS, AV, OS, DB). / Event context (threat level). / Initiator threat level. / Domain (namespace) in which the initiating account exists.
InitDomain (e.rv42, %rv42%, s_RV42; string): Domain portion of the initiating system's fully-qualified hostname.
InitNetworkIdentity (e.rv58, %rv58%, s_RV58; string): Initiator Network Identity. Part of initiator host asset data.
InitAssetFunction (e.rv60, %rv60%, s_RV60; string): Function of the initiating system (fileserver, webserver, etc.).
InitAssetValue (e.rv61, %rv61%, s_RV61; string): Initiator Asset Value. Part of initiator host asset data.
InitAssetCriticality (e.rv62, %rv62%, s_RV62; string): Criticality of the initiating system (0-5).
Further rows of this part of the table for which only the Description column survived: Initiator operational context. / MSSP customer name. / Event code reported by device vendor. / Domain portion of the target system's fully-qualified hostname. / Reserved by Novell for expansion. / Target threat level. / Domain (namespace) in which the target account exists. / Virus status. / Target function. / Target operational context. / Sentinel event code categorization - level 4. / Customer Hierarchy Level 2 (used by MSSPs). / Virus Status. / Initiator Mac Address. Part of initiator host asset data.
Variables reserved for future use by Novell (e.rv63 thru e.rv75, %rv63% thru %rv75%): Variables not currently in use.
InitAssetDepartment (e.rv76, %rv76%): Department of the initiating system.
InitAssetId (e.rv77, %rv77%): Internal asset identifier of the initiator.
Variables reserved for future use by Novell (e.rv78 thru e.rv80, %rv78% thru %rv80%): Variables not currently in use.
TargetAssetClass (e.rv81, %rv81%): Class of the target system (desktop, server, etc.).
TargetAssetFunction (e.rv82, %rv82%): Function of the target system (fileserver, webserver, etc.).
TargetAssetValue (e.rv83, %rv83%, s_RV83; string): Target Asset Value. Part of target host asset data.
Variables reserved for future use by Novell (e.rv84 thru e.rv97, %rv84% thru %rv97%, s_RV84 thru s_rv97; string): Variables not currently in use.
TargetDepartment (e.rv98, %rv98%, s_RV98; string): Target Department. Part of target host asset data.
TargetAssetId (e.rv99, %rv99%, s_RV99; string): Internal asset identifier of the target.
CustomerHierarchyLevel4 (e.rv100, %rv100%, s_RV100; string): Customer Hierarchy Level 4 (used by MSSPs).
Variables reserved for future use by Novell (e.rv101 thru e.rv200, %rv101% thru %rv200%, s_rv101 thru s_rv200; various): Variables not currently in use.
CustomerVar1 thru CustomerVar10 (e.cv1 thru e.cv10, %cv1% thru %cv10%, s_CV1 thru s_CV10; integer): Number variable reserved for customer use. Stored in database.
CustomerVar11 thru CustomerVar20 (e.cv11 thru e.cv20, %cv11% thru %cv20%; date)
Label not recovered (e.cv21 thru e.cv89, %cv21% thru %cv89%; string)
Default Label
Data Type
Description
SARBOX
e.cv90
%cv90%
s_CV90
string
Set to 1 if the asset is governed by SarbanesOxley. Set to 1 if the asset is governed by the Health Insurance Portability and Accountability Act (HIPAA) regulation. Set to 1 if the asset is governed by the GrammLeach Bliley Act (GLBA) regulation. Set to 1 if the asset is governed by the Federal Information Security Management Act (FISMA) regulation. Set to 1 via an asset map if the target asset is governed by the National Industrial Security Program Operating Manual (NISPOM) String variable reserved for customer use. Stored in database. Integer variable reserved for customer use. Stored in database. Date variable reserved for customer use. Stored in database. UUID variable reserved for customer use. Stored in database. IPv4 variable reserved for customer use. Stored in database. String variable reserved for customer use. Stored in database. Integer variable reserved for customer use. Not stored in database.
HIPAA
e.cv91
%cv91%
s_CV91
string
GLBA
e.cv92
%cv92%
s_CV92
string
FISMA
e.cv93
%cv93%
s_CV93
string
NISPOM
e.cv94
%cv94%
s_CV94
string
CustomerVar95 thru CustomerVar100 CustomerVar101 thru CustomerVar110 CustomerVar111 thru CustomerVar120 CustomerVar121 thru CustomerVar130 CustomerVar131 thru CustomerVar140 CustomerVar141 thru CustomerVar150 CustomerVar151 thru CustomerVar160
e.cv95 thru %cv95% e.cv100 thru %cv100% e.cv101 thru e.cv110 e.cv111 thru e.cv120 e.cv121 thru e.cv130 e.cv131 thru e.cv140 e.cv141 thru e.cv150 e.cv151 thru e.cv160 %cv101% thru %cv110% %cv111% thru %cv120% %cv121% thru %cv130% %cv131% thru %cv140% %cv141% thru %cv150% %cv151% thru %cv160%
s_CV95 thru s_CV100 s_CV101 thru s_CV110 s_CV111 thru s_CV120 s_CV121 thru s_CV130 s_CV131 thru s_CV140 s_CV141 thru s_CV150 s_CV151 thru s_CV160
string
string
string
string
string
string
string
Default Label
Data Type
Description
CustomerVar161 thru CustomerVar170 CustomerVar171 thru CustomerVar180 CustomerVar181 thru CustomerVar190 CustomerVar191 thru CustomerVar200
e.cv161 thru e.cv170 e.cv171 thru e.cv180 e.cv181 thru e.cv190 e.cv191 thru e.cv200
%cv161% thru %cv170% %cv171% thru %cv180% %cv181% thru %cv190% %cv191% thru %cv200%
s_CV161 thru s_CV170 s_CV171 thru s_CV180 s_CV181 thru s_CV190 s_CV191 thru s_CV200
string
Date variable reserved for customer use. Not stored in database. UUID variable reserved for customer use. Not stored in database. IPv4 variable reserved for customer use. Not stored in database. String variable reserved for customer use. Not stored in database.
string
string
string