advertisement
▼
Scroll to page 2
of 232
Reference Guide Novell ® Sentinel TM 6.1 SP2 February 2010 www.novell.com Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 AUTHORIZED DOCUMENTATION Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals. Copyright © 1999-2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation). novdocx (en) 16 April 2010 Legal Notices For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/ trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners. novdocx (en) 16 April 2010 Novell Trademarks novdocx (en) 16 April 2010 4 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Contents Preface 13 1 Sentinel User Reference Introduction 15 2 Sentinel Event Fields 17 2.1 2.2 Event Field Labels and Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.1 Free-Form Filters and Correlation Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.2 Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.3 Proprietary Collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.4 JavaScript Collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . List of Fields and Representations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Sentinel Control Center User Permissions 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1.1 General – Public Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1.2 General – Manage Private Filters of Other Users . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1.3 General – Integration Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Active Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2.1 Active Views – Menu Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2.2 Active Views – Active Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iTRAC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3.1 iTRAC - Template Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3.2 iTRAC - Process Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Integrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Event Source Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Analysis Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Advisor Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.10.1 Administration – Global Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.10.2 Administration – Server Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Solution Pack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Sentinel Correlation Engine RuleLG Language 4.1 4.2 4.3 4.4 Correlation RuleLG Language Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Event Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Event Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.3.1 Filter Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.3.2 Window Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.3.3 Trigger Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Rule Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.4.1 Gate Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.4.2 Sequence Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 18 19 21 21 21 31 33 33 33 34 34 34 34 35 35 35 35 36 36 37 37 37 38 38 38 39 39 39 41 41 41 42 42 44 45 46 46 47 Contents 5 4.6 4.7 Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.5.1 Flow Operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.5.2 Union Operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.5.3 Intersection Operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.5.4 Discriminator Operator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Order of Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Differences between Correlation in 5.x and 6.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Sentinel Data Access Service 5.1 DAS Container Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1.1 Reconfiguring Database Connection Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1.2 DAS Logging Properties Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1.3 Certificate Management for DAS_Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Sentinel Accounts and Password Changes 6.1 6.2 Sentinel Default Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.1 Native Database Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.2 Windows Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Password Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.2.1 Changing Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.2.2 Sentinel Updates After a Password Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Sentinel Database Views for Oracle 7.1 6 Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.1 ACTVY_PARM_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.2 ACTVY_REF_PARM_VAL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.3 ACTVY_REF_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.4 ACTVY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.5 ADV_NXS_FEED_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.6 ADV_NXS_PRODUCTS_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.7 ADV_NXS_SIGNATURES_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.8 ADV_NXS_MAPPINGS_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.9 ADV_OSVDB_DETAILS_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.10 ADV_NXS_KB_PATCH_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.11 ADV_NXS_KB_PRODUCTSREF_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.12 ASSET_CATEGORY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.13 ASSET_HOSTNAME_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.14 ASSET_IP_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.15 ASSET_LOCATION_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.16 ASSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.17 ASSET_VALUE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.18 ASSET_X_ENTITY_X_ROLE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.19 ASSOCIATIONS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.20 ATTACHMENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.21 AUDIT_RECORD_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.22 CONFIGS_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.23 CONTACTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.24 CORRELATED_EVENTS_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.25 CORRELATED_EVENTS_RPT_V1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.26 CRITICALITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.27 CUST_HIERARCHY_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.28 CUST_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.29 ENTITY_TYPE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.30 ENV_IDENTITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sentinel 6.1 Reference Guide 47 47 48 48 48 48 49 51 51 51 52 54 59 59 59 59 60 60 61 65 65 65 65 66 66 67 68 69 69 70 73 74 74 75 75 75 76 76 77 77 78 78 79 79 80 80 80 81 81 81 82 novdocx (en) 16 April 2010 4.5 novdocx (en) 16 April 2010 7.1.31 7.1.32 7.1.33 7.1.34 7.1.35 7.1.36 7.1.37 7.1.38 7.1.39 7.1.40 7.1.41 7.1.42 7.1.43 7.1.44 7.1.45 7.1.46 7.1.47 7.1.48 7.1.49 7.1.50 7.1.51 7.1.52 7.1.53 7.1.54 7.1.55 7.1.56 7.1.57 7.1.58 7.1.59 7.1.60 7.1.61 7.1.62 7.1.63 7.1.64 7.1.65 7.1.66 7.1.67 7.1.68 7.1.69 7.1.70 7.1.71 7.1.72 7.1.73 7.1.74 7.1.75 7.1.76 7.1.77 7.1.78 7.1.79 7.1.80 7.1.81 7.1.82 7.1.83 7.1.84 7.1.85 7.1.86 7.1.87 7.1.88 7.1.89 ESEC_CONTENT_GRP_CONTENT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 ESEC_CONTENT_GRP_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 ESEC_CONTENT_PACK_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 ESEC_CONTENT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 ESEC_CTRL_CTGRY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 ESEC_CTRL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 ESEC_DISPLAY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 ESEC_PORT_REFERENCE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 ESEC_PROTOCOL_REFERENCE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 ESEC_SEQUENCE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 ESEC_UUID_UUID_ASSOC_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 EVENTS_ALL_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 EVENTS_ALL_RPT_V1 (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 EVENTS_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 EVENTS_RPT_V1 (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 EVENTS_RPT_V2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 EVENTS_RPT_V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 EVT_AGENT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 EVT_AGENT_RPT_V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 EVT_ASSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 EVT_ASSET_RPT_V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 EVT_DEST_EVT_NAME_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 EVT_DEST_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 EVT_DEST_TXNMY_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 EVT_NAME_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 EVT_PORT_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 EVT_PRTCL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 EVT_PRTCL_RPT_V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 EVT_RSRC_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 EVT_SEV_SMRY_1_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 EVT_SRC_COLLECTOR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 EVT_SRC_GRP_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 EVT_SRC_MGR_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 EVT_SRC_OFFSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 EVT_SRC_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 EVT_SRC_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 EVT_SRC_SRVR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 EVT_TXNMY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 EVT_USR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 EVT_XDAS_TXNMY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 EXTERNAL_DATA_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 HIST_CORRELATED_EVENTS_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . 108 HIST_EVENTS_RPT_V (legacy view). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 IMAGES_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 INCIDENTS_ASSETS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 INCIDENTS_EVENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 INCIDENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 INCIDENTS_VULN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 L_STAT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 LOGS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 MSSP_ASSOCIATIONS_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 NETWORK_IDENTITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 ORGANIZATION_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 PERSON_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 PHYSICAL_ASSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 PRODUCT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 ROLE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 RPT_LABELS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 SENSITIVITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Contents 7 8 Sentinel Database Views for Microsoft SQL Server 8.1 8 Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.1 ACTVY_PARM_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.2 ACTVY_REF_PARM_VAL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.3 ACTVY_REF_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.4 ACTVY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.5 ADV_NXS_FEED_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.6 ADV_NXS_PRODUCTS_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.7 ADV_NXS_SIGNATURES_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.8 ADV_NXS_MAPPINGS_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.9 ADV_OSVDB_DETAILS_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.10 ADV_NXS_KB_PATCH_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.11 ADV_NXS_KB_PRODUCTSREF_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.12 ANNOTATIONS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.13 ASSET_CATEGORY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.14 ASSET_HOSTNAME_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.15 ASSET_IP_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.16 ASSET_LOCATION_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.17 ASSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.18 ASSET_VALUE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.19 ASSET_X_ENTITY_X_ROLE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.20 ASSOCIATIONS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.21 ATTACHMENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.22 AUDIT_RECORD_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.23 CONFIGS_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.24 CONTACTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.25 CORRELATED_EVENTS_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.26 CORRELATED_EVENTS_RPT_V1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.27 CRITICALITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.28 CUST_HIERARCHY_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.29 CUST_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.30 ENTITY_TYPE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.31 ENV_IDENTITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.32 ESEC_CONTENT_GRP_CONTENT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sentinel 6.1 Reference Guide 114 114 115 115 116 116 117 117 118 118 119 119 120 120 121 122 122 122 123 123 124 124 125 125 125 125 126 126 127 127 128 129 130 132 133 133 134 134 134 135 135 136 136 137 137 138 138 139 139 139 140 140 141 141 141 142 novdocx (en) 16 April 2010 7.2 7.1.90 SENTINEL_HOST_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.91 SENTINEL_PLUGIN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.92 SENTINEL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.93 STATES_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.94 UNASSIGNED_INCIDENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.95 USERS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.96 USR_ACCOUNT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.97 USR_IDENTITY_EXT_ATTR_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.98 USR_IDENTITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.99 VENDOR_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.100 VULN_CALC_SEVERITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.101 VULN_CODE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.102 VULN_INFO_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.103 VULN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.104 VULN_RSRC_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.105 VULN_RSRC_SCAN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.106 VULN_SCAN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.107 VULN_SCAN_VULN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.108 VULN_SCANNER_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.109 WORKFLOW_DEF_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.110 WORKFLOW_INFO_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Deprecated Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ESEC_CONTENT_GRP_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ESEC_CONTENT_PACK_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ESEC_CONTENT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ESEC_CTRL_CTGRY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ESEC_CTRL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ESEC_DISPLAY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ESEC_PORT_REFERENCE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ESEC_PROTOCOL_REFERENCE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ESEC_SEQUENCE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ESEC_UUID_UUID_ASSOC_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVENTS_ALL_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVENTS_ALL_RPT_V1 (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVENTS_ALL_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVENTS_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVENTS_RPT_V1 (legacy view) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVENTS_RPT_V2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVENTS_RPT_V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_AGENT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_AGENT_RPT_V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_ASSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_ASSET_RPT_V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_DEST_EVT_NAME_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_DEST_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_DEST_TXNMY_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_NAME_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_PORT_SMRY_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_PORT_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_PRTCL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_RSRC_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_SEV_SMRY_1_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_SRC_COLLECTOR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_SRC_GRP_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_SRC_MGR_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_SRC_OFFSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_SRC_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_SRC_SMRY_1_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_SRC_SRVR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_TXNMY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_USR_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVT_XDAS_TXNMY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EXTERNAL_DATA_RPT_V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HIST_CORRELATED_EVENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HIST_CORRELATED_EVENTS_RPT_V (legacy view) . . . . . . . . . . . . . . . . . . . . . HIST_EVENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HIST_EVENTS_RPT_V (legacy view). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IMAGES_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . INCIDENTS_ASSETS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . INCIDENTS_EVENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . INCIDENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . INCIDENTS_VULN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . L_STAT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LOGS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MSSP_ASSOCIATIONS_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . NETWORK_IDENTITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ORGANIZATION_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PERSON_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PHYSICAL_ASSET_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PRODUCT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ROLE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . novdocx (en) 16 April 2010 8.1.33 8.1.34 8.1.35 8.1.36 8.1.37 8.1.38 8.1.39 8.1.40 8.1.41 8.1.42 8.1.43 8.1.44 8.1.45 8.1.46 8.1.47 8.1.48 8.1.49 8.1.50 8.1.51 8.1.52 8.1.53 8.1.54 8.1.55 8.1.56 8.1.57 8.1.58 8.1.59 8.1.60 8.1.61 8.1.62 8.1.63 8.1.64 8.1.65 8.1.66 8.1.67 8.1.68 8.1.69 8.1.70 8.1.71 8.1.72 8.1.73 8.1.74 8.1.75 8.1.76 8.1.77 8.1.78 8.1.79 8.1.80 8.1.81 8.1.82 8.1.83 8.1.84 8.1.85 8.1.86 8.1.87 8.1.88 8.1.89 8.1.90 8.1.91 142 143 143 143 144 144 145 146 146 147 147 147 147 147 147 147 152 156 157 157 158 159 159 160 161 161 162 162 162 163 163 164 164 164 165 165 166 166 167 167 168 168 169 169 172 172 172 173 173 174 174 175 175 175 176 176 176 177 177 Contents 9 A Sentinel Troubleshooting Checklist 189 B Sentinel Service Logon Account 193 B.1 B.2 B.3 Sentinel Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction to Service Logon Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B.2.1 Disadvantages of running a service in the context of a user logon . . . . . . . . . . . . . To Setup NT AUTHORITY\NetworkService as the Logon Account for Sentinel Service . . . . B.3.1 Adding Sentinel Service as a Login Account to ESEC and ESEC_WF DB Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B.3.2 Changing logon account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B.3.3 Setting the Sentinel Service to Start Successfully . . . . . . . . . . . . . . . . . . . . . . . . . . C Sentinel Service Permission Tables C.1 C.2 C.3 C.4 C.5 C.6 C.7 Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Correlation Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Data Access Server (DAS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sentinel Communication Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sentinel Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reporting Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D Sentinel Database Users, Roles, and Access Permissions D.1 D.2 10 178 178 178 179 179 179 180 180 181 182 182 182 183 183 184 184 185 186 186 186 187 187 187 188 Sentinel Database Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D.1.1 ESEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D.1.2 ESEC_WF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sentinel Database Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D.2.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sentinel 6.1 Reference Guide 193 193 194 195 195 198 199 201 201 202 203 204 205 206 206 207 207 207 207 207 208 novdocx (en) 16 April 2010 8.2 8.1.92 RPT_LABELS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.93 SENSITIVITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.94 SENTINEL_HOST_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.95 SENTINEL_PLUGIN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.96 SENTINEL_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.97 STATES_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.98 UNASSIGNED_INCIDENTS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.99 USERS_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.100 USR_ACCOUNT_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.101 USR_IDENTITY_EXT_ATTR_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.102 USR_IDENTITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.103 VENDOR_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.104 VULN_CALC_SEVERITY_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.105 VULN_CODE_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.106 VULN_INFO_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.107 VULN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.108 VULN_RSRC_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.109 VULN_RSRC_SCAN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.110 VULN_SCAN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.111 VULN_SCAN_VULN_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.112 VULN_SCANNER_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.113 WORKFLOW_DEF_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.114 WORKFLOW_INFO_RPT_V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Deprecated Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D.4 D.5 E Sentinel Log Locations E.1 E.2 E.3 E.4 E.5 E.6 E.7 E.8 E.9 E.10 E.11 E.12 E.13 E.14 Sentinel Data Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iTRAC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Event Insertion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Database Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Active Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Wrapper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Correlation Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sentinel Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DAS Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Solution Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Multiple Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . novdocx (en) 16 April 2010 D.3 D.2.2 esecadm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D.2.3 esecapp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D.2.4 esecdba . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D.2.5 esecrpt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sentinel Database Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D.3.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D.3.2 ESEC_APP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D.3.3 ESEC_ETL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D.3.4 ESEC_USER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sentinel Server Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Windows Domain Authentication DB users and permissions. . . . . . . . . . . . . . . . . . . . . . . . . 208 208 209 209 209 209 209 218 224 228 228 229 229 229 230 230 230 230 231 231 231 231 232 232 232 232 Contents 11 novdocx (en) 16 April 2010 12 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Preface Sentinel is a security information and event management solution that receives information from many sources throughout an enterprise, standardizes it, prioritizes it and presents it to you to make threat, risk and policy related decisions. The Sentinel 6.1 Reference Guide is your reference for the following: Chapter 1, “Sentinel User Reference Introduction,” on page 15 Chapter 2, “Sentinel Event Fields,” on page 17 Chapter 3, “Sentinel Control Center User Permissions,” on page 31 Chapter 4, “Sentinel Correlation Engine RuleLG Language,” on page 41 Chapter 5, “Sentinel Data Access Service,” on page 51 Chapter 6, “Sentinel Accounts and Password Changes,” on page 59 Chapter 7, “Sentinel Database Views for Oracle,” on page 65 Chapter 8, “Sentinel Database Views for Microsoft SQL Server,” on page 125 Audience This documentation is intended for Information Security Professionals. Feedback We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation and enter your comments there. Additional Documentation For information on using Sentinel Control Center, see Sentinel 6.1 User Guide. For information on installing and configuring Sentinel 6.1, see Sentinel 6.1 Installation Guide. For information on developing Collectors (proprietary or JavaScript) and JavaScript Correlation actions, go to the Sentinel SDK Web site: http://developer.novell.com/wiki/ index.php?title=Develop_to_Sentinel (http://developer.novell.com/wiki/ index.php?title=Develop_to_Sentinel). For information on the complete product documentation, see the Sentinel 6.1 Documentation site: http://www.novell.com/documentation/sentinel61/index.html (http://www.novell.com/ documentation/sentinel61/index.html) Contacting Novell Web site: http://www.novell.com (http://www.novell.com) Technical Support: http://support.novell.com/phone.html?sourceidint=suplnav4_phonesup (http://support.novell.com/phone.html?sourceidint=suplnav4_phonesup) Preface 13 support_options.html?sourceidint=suplnav_supportprog (http://support.novell.com/ support_options.html?sourceidint=suplnav_supportprog) Patch Download site: http://download.novell.com/index.jsp (http://download.novell.com/ index.jsp) 24x7 support: http://www.novell.com/company/contact.html (http://www.novell.com/ company/contact.html) Sentinel Community Support Forum: http://forums.novell.com/novell-product-support-forums/ sentinel/ (http://forums.novell.com/novell-product-support-forums/sentinel/) Sentinel TIDs: http://support.novell.com/products/sentinel (http://support.novell.com/products/ sentinel) Sentinel Plug-in Web site: http://support.novell.com/products/sentinel/secure/sentinel61.html (http://support.novell.com/products/sentinel/secure/sentinel61.html) Notification E-mail List: Sign up through the Sentinel Plug-in Web site 14 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Self Support: http://support.novell.com/ The Sentinel User Reference Guide is your reference for: Collector administrator functions Sentinel correlation engine Collector and Sentinel meta tags Sentinel command line options Sentinel console user permissions Sentinel server database views This guide assumes that you are familiar with Network Security, Database Administration and UNIX operating systems. This guide discusses about: Sentinel Meta tags Sentinel User Permissions Correlation Engine RuleLG Language Sentinel Data Access Service Sentinel Accounts and Password Changes Sentinel Database Views for Oracle Sentinel Database Views for Microsoft SQL Server Sentinel User Reference Introduction 15 novdocx (en) 16 April 2010 1 Sentinel User Reference Introduction 1 novdocx (en) 16 April 2010 16 Sentinel 6.1 Reference Guide Every Sentinel event or correlated event has certain fields that are automatically populated (such as Event Time and Event UUID) and other fields that may or may not be populated, depending on the type of event, the collector parsing, and the mapping service configuration. This event data is visible in Active Views, historical queries, and reports. They are stored in the database and can be accessed via the report views. They can also be used in actions available through the right-click event menu, correlation actions, and iTRAC workflow actions. 2.1 Event Field Labels and Tags Each field can be referred to by a user-friendly label or a short tag. The user-friendly label is visible throughout the Sentinel Control Center interface, for example: Column headers for Active Views, historical event queries, and the Active Browser Correlation wizard drop-down menus Active View configuration drop-down menus Each field has a default label, but that label is user-configurable using the Event Configuration option on the Admin tab. For more information, see “Admin Tab” section in Sentinel 6.1 User Guide. InitUserName is the default label to represent the account name of the user who initiated the event, but this can be changed by the administrator. When a user changes the default label, the changes are reflected in most areas of the interface, including any correlation rules, filters, and rightclick menu options. WARNING: Changing the default label for any variables other than Customer Variables may cause confusion when working with Novell Technical Services or other parties who are familiar with the default names. In addition, JavaScript Collectors built by Novell refer to the default labels described in this chapter and are not automatically updated to refer to new labels. Each field also has a short tag name that is always used for internal references to the field and is not user-configurable. This short tag name may not correspond exactly to the default label; Sentinel labels have changed over the years, but the underlying short tags remain the same for backward compatibility. (For example, InitUserName is the default label for the account name of the user who initiated the event. The default label was previously SourceUserName, and the underlying short tag is “sun”.) NOTE: Many of the default labels were updated for clarity in the Sentinel 6.1 release. Because all filters, actions, and correlation rule definitions are defined using the short tags (even though the label may be visible in the interface), there is no change in functionality due to the label renaming. Each field is associated with a specific data type, which corresponds to the data type in the database: string: limited to 255 characters (unless otherwise specified) integer: 32 bit signed integer UUID: 36 character (with hyphens) or 32 character (without hyphens) hexadecimal string in the format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 6A5349DA-7CBF-1028-9795-000BCDFFF482) Sentinel Event Fields 17 novdocx (en) 16 April 2010 2 Sentinel Event Fields 2 00:00:00 GMT. When displayed in Sentinel Control Center, meta-tags of type date are displayed in a regular date format. IPv4: IP address in dotted decimal notation (that is – xxx.xxx.xxx.xxx) 2.1.1 Free-Form Filters and Correlation Rules Users can use either the tag or the label when they write free-form language in the Sentinel Control Center. The Sentinel interface shows the user-friendly label. Figure 2-1 Correlation Wizard displaying labels in drop-down and free-form language 18 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 date: Collector Variable must be set with date as number of milliseconds from January 1, 1970 novdocx (en) 16 April 2010 Figure 2-2 Filter Wizard displaying labels in drop-down and free-form language The representation of fields in the free-form RuleLG language is usually prefaced by “e.” for example, “e.InitUserName” or “e.sun” can refer to the Initiator User Name for the incoming or current event. In special cases, “w.” may be used to refer to a field in a past event (for example, “w.InitUserName”). For more information about the RuleLG language, see Chapter 4, “Sentinel Correlation Engine RuleLG Language,” on page 41. 2.1.2 Actions Users can use either the tag or the label when they define parameters to be sent to right-click Event Menu actions, correlation actions, and iTRAC workflow actions. To pass a field value to an action, you may use a checklist that shows the labels or type the parameter name directly into the configuration. Sentinel Event Fields 19 When you type the label or short tag for a field to be used in an action, the name can be enclosed in percent signs (%tag%) or dollar signs ($tag$). For example: %sun% in a correlation action refers to the value of InitUser in the correlated event $sun$ in a correlation action refers to the value of InitUser in the current, “trigger” event (the final event that caused the correlation rule to fire) NOTE: In a right-click menu event operating on a single event, there is no functional difference between %sun% and $sun$. For example, to pass the Initiator User Name to a command line action to look up information from a database about that user, you could use %InitUserName% or %sun%. For more information about Actions, see “Actions and Integrators” section in Sentinel 6.1 User Guide. 20 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Figure 2-3 Configuration Action - Select Event Attributes window novdocx (en) 16 April 2010 Figure 2-4 Configuration Action window 2.1.3 Proprietary Collectors Proprietary Collectors, written in Novell’s own language, always use variables based on the short tag to refer to event fields. The short tag name must be prefaced by a letter and underscore, where the letter indicates the data type for the field (i_ for integer, s_ for string). 2.1.4 JavaScript Collectors JavaScript Collectors usually refer to event fields using an “e.” followed by the same user-friendly label set in Event Configuration in the Sentinel Control Center. For a Sentinel system with a default configuration, for example, the Initiator User Name would be referred to as “e.InitUserName” in the JavaScript Collector. There are some exceptions to this general rule. Refer to the Sentinel Collector SDK (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel) for more details. 2.2 List of Fields and Representations The table on the following pages shows the default labels, descriptions and data types for the Sentinel event fields, along with the proper way to refer to the tags in filters, correlation rules, actions, and proprietary collector scripts. Fields that cannot or should not be manipulated in the Collector parsing do not have a Collector variable. Sentinel Event Fields 21 22 Default Label Filters and Correlation Rules Menu and Correlation Actions Proprietary Collector Language Data Type DeviceEventTimeString e.et %et% s_ET string The normalized date and time of the event, as reported by the sensor. DeviceEventTime e.det %det% date The normalized date and time of the event, as reported by the sensor. SentinelProcessTime e.spt %spt% date The date and time Sentinel received the event. BeginTime e.bgnt %bgnt% s_BGNT date The date and time the event started occurring (for repeated events). EndTime e.endt %endt% s_ENDT date The date and time the event stopped occurring (for repeated events). RepeatCount e.rc %rc% s_RC integer The number of times the same event occurred if multiple occurrences were consolidated. EventTime e.dt %dt% date The normalized date and time of the event, as given by the Collector. SentinelServiceID e.src %src% UUID Unique identifier for the Sentinel service which generated this event. Severity e.sev %sev% i_Severity integer The normalized severity of the event (0-5). Vulnerability e.vul %vul% s_VULN integer The vulnerability of the asset identified in this event. Set to 1 if Sentinel detects an exploit against a vulnerable system. Requires Advisor. Criticality e.crt %crt% s_CRIT integer The criticality of the asset identified in this event. InitIP e.sip %sip% s_SIP IPv4 IPv4 address of the initiating system. TargetIP e.dip %dip% s_DIP IPv4 IPv4 address of the target system. Collector e.port %port% string Name of the Collector that generated this event. Sentinel 6.1 Reference Guide Description novdocx (en) 16 April 2010 Table 2-1 Labels and Meta-tags used in Sentinel Control Center and proprietary Collector language Filters and Correlation Rules Menu and Correlation Actions CollectorScript e.agent %agent% Resource e.res %res% SubResource e.sres ObserverHostName SensorType Proprietary Collector Language Data Type novdocx (en) 16 April 2010 Default Label Description string The name of the Collector Script used by the Collector to generate this event. s_Res string Compliance monitoring hierarchy level 1 %sres% s_SubRes string Subresource name e.sn %sn% s_SN string Unqualified hostname of the observer (sensor) of the event. e.st %st% s_ST string The single character designator for the sensor type (N, H, O, V, C, W, A, I, P, T). N: Network events H: Host events O: Other events V: Vulnerability events C: Correlated events W: Watchlist events A: Audit events I: Internal events P: Performance statistics events T: Realtime events Protocol e.prot %prot% s_P string Protocol used between initiating and target services. InitHostName e.shn %shn% s_SHN string Unqualified hostname of the initiating system. InitServicePort e.spint %spint% s_SPINT integer Port used by service/ application that initiated the connection. InitServicePortName e.sp %sp% s_SP string Name of the initiating service that caused the event. TargetHostName e.dhn %dhn% s_DHN string Unqualified hostname of the target system. TargetServicePort e.dpint %dpint% s_DPINT integer Network port accessed on the target. Sentinel Event Fields 23 Filters and Correlation Rules Menu and Correlation Actions Proprietary Collector Language Data Type TargetServicePortName e.dp %dp% s_DP string Name of the target service affected by this event. InitUserName e.sun %sun% s_SUN string Initiating user's account name. Example jdoe during an attempt to su. TargetUserName e.dun %dun% s_DUN string Target user's account name. Example root during a password reset. FileName e.fn %fn% s_FN string The name of the program executed or the file accessed, modified or affected. ExtendedInformation e.ei %ei% s_EI string Stores additional collector-processed information. Values within this variable are separated by semi-colons (;). ReporterHostName e.rn %rn% s_RN string Unqualified hostname of the reporter of the event. ProductName e.pn %pn% s_PN string Indicates the type, vendor and product code name of the sensor from which the event was generated. Message e.msg %msg% s_BM string Free-form message text for the event. DeviceAttackName e.rt1 %rt1% s_RT1 string Device specific attack name that matches attack name known by Advisor. Used in Exploit Detection. Rt2 e.rt2 %rt2% s_RT2 string Reserved by Novell for expansion. Ct1 thru Ct2 e.ct1 thru e.ct2 %ct1% thru %ct2% s_CT1 string Reserved for use by customers for customerspecific data. integer Reserved by Novell for expansion. integer Reserved for use by customers for customerspecific data. and Description s_CT2 24 Rt3 e.rt3 %rt3% Ct3 e.ct3 %ct3% Sentinel 6.1 Reference Guide s_CT3 novdocx (en) 16 April 2010 Default Label Filters and Correlation Rules Menu and Correlation Actions Proprietary Collector Language Data Type CorrelatedEventUuids e.ceu %ceu% s_RT3 string List of event UUIDs associated with th correlated event. Only relevant for correlated events. CustomerHierarchyId e.rv1 %rv1% s_RV1 integer Used for MSSPs. ReservedVar2 thru e.rv2 thru s_RV2 integer ReservedVar10 e.rv10 %rv2% thru Reserved by Novell for expansion. date Reserved by Novell for expansion. %rv10% ReservedVar11 thru thru Description s_RV10 e.rv11 thru %rv11% thru e.rv20 %rv20% s_RV11 CollectorManagerId e.rv21 %rv21% s_RV21 UUID Unique identifier for the Collector Manager which generated this event. CollectorId e.rv22 %rv22% s_RV22 UUID Unique identifier for the Collector which generated this event. ConnectorId e.rv23 %rv23% S_RV23 UUID Unique identifier for the Connector which generated this event. EventSourceId e.rv24 %rv24% S_RV24 UUID Unique identifier for the Event Source which generated this event. RawDataRecordId e.rv25 %rv25% S_RV25 UUID Unique identifier for the Raw Data Record associated with this event. ControlPack e.rv26 %rv26% S_RV26 string Sentinel control categorization level 1 (for Solution Packs). EventMetricClass e.rv28 %rv28% s_RV28 string Class of the eventdependent numeric value. InitIPCountry e.rv29 %rv29% s_RV29 string Country where the IPv4 address of the initiating system is located. TargetIPCountry e.rv30 %rv30% s_RV30 string Country where the IPv4 address of the target system is located. ReservedVar20 novdocx (en) 16 April 2010 Default Label thru s_RV20 Sentinel Event Fields 25 Filters and Correlation Rules Menu and Correlation Actions Proprietary Collector Language Data Type DeviceName e.rv31 %rv31% s_RV31 string Name of the device generating the event. If this device is supported by Advisor, the name should match the name known by Advisor. Used in Exploit Detection. DeviceCategory e.rv32 %rv32% s_RV32 string Device category (FW, IDS, AV, OS, DB). EventContext e.rv33 %rv33% s_RV33 string Event context (threat level). InitThreatLevel e.rv34 %rv34% s_RV34 string Initiator threat level. InitUserDomain e.rv35 %rv35% s_RV35 string Domain (namespace) in which the initiating account exists. DataContext e.rv36 %rv36% s_RV36 string Data context. InitFunction e.rv37 %rv37% s_RV37 string Initiator function. InitOperationalContext e.rv38 %rv38% s_RV38 string Initiator operational context. MSSPCustomerName e.rv39 %rv39% s_RV39 string MSSP customer name. VendorEventCode e.rv40 %rv40% s_RV40 string Event code reported by device vendor. TargetHostDomain e.rv41 %rv41% s_RV41 string Domain portion of the target system's fullyqualified hostname. InitDomain e.rv42 %rv42% s_RV42 string Domain portion of the initiating system's fullyqualified hostname. ReservedVar43 e.rv43 %rv43% s_RV43 string Reserved by Novell for expansion. TargetThreatLevel e.rv44 %rv44% s_RV44 string Target threat level. TargetUserDomain e.rv45 %rv45% s_RV45 string Domain (namespace) in which the target account exists.. VirusStatus e.rv46 %rv46% s_RV46 string Virus status. TargetFunction e.rv47 %rv47% s_RV47 string Target function. TargetOperationalContext e.rv48 %rv48% s_RV48 string Target operational context. TaxonomyLevel4 e.rv53 %rv53% s_RV53 string Sentinel event code categorization - level 4. Sentinel 6.1 Reference Guide Description novdocx (en) 16 April 2010 26 Default Label Filters and Correlation Rules Menu and Correlation Actions Proprietary Collector Language Data Type CustomerHierarchyLevel2 e.rv54 %rv54% s_RV54 string Customer Hierarchy Level 2 (used by MSSPs). VirusStatus e.rv56 %rv56% s_RV56 string Virus Status. InitMacAddress e.rv57 %rv57% s_RV57 string Initiator Mac Address. Part of initiator host asset data. InitNetworkIdentity e.rv58 %rv58% s_RV58 string Initiator Network Identity. Part of initiator host asset data. InitAssetFunction e.rv60 %rv60% s_RV60 string Function of the initiating system (fileserver, webserver, etc.). InitAssetValue e.rv61 %rv61% s_RV61 string Initiator Asset Value. Part of initiator host asset data. InitAssetCriticality e.rv62 %rv62% s_RV62 string Criticality of the initiating system (0-5). Variables reserved for future e.rv63 thru %rv63% use by Novell e.rv75 thru %rv75% s_RV63 string thru s_rv75 Variables not currently in use InitAssetDepartment e.rv76 %rv76% s_RV76 string Department of the initiating system. InitAssetId e.rv77 %rv77% s_RV77 string Internal asset identifier of the initiator. Variables reserved for future e.rv78 thru %rv78% use by Novell e.rv80 thru %rv80% s_RV78 string thru s_rv80 Variables not currently in use TargetAssetClass e.rv81 %rv81% s_RV81 string Class of the target system (desktop, server, etc.). TargetAssetFunction e.rv82 %rv82% s_RV82 string Function of the target system (fileserver, webserver, etc.). TargetAssetValue e.rv83 %rv83% s_RV83 string Target Asset Value. Part of target host asset data. Variables reserved for future e.rv84 thru %rv84% use by Novell e.rv97 thru %rv97% s_RV84 string thru s_rv97 Variables not currently in use. TargetDepartment e.rv98 %rv98% s_RV98 string Target Department. Part of target host asset data. TargetAssetId e.rv99 %rv99% s_RV99 string Internal asset identifier of the target. CustomerHierarchyLevel4 e.rv100 %rv100% s_RV100 string Customer Hierarchy Level 4 (used by MSSPs) novdocx (en) 16 April 2010 Default Label Description Sentinel Event Fields 27 Proprietary Collector Language Variables reserved for future e.rv101 use by Novell thru e.rv200 %rv101% thru %rv200% s_rv101 thru s_rv200 various Variables not currently in use CustomerVar1 %cv1% thru %cv10% s_CV1 integer Number variable reserved for customer use. Stored in database. date Date variable reserved for customer use. Stored in database. string String variable reserved for customer use. Stored in database. thru Filters and Correlation Rules e.cv1 thru e.cv10 CustomerVar10 CustomerVar11 thru thru Description s_CV10 e.cv11 thru %cv11% thru e.cv20 %cv20% s_CV11 e.cv21 thru %cv21% thru e.cv89 %cv89% s_CV21 SARBOX e.cv90 %cv90% s_CV90 string Set to 1 if the asset is governed by SarbanesOxley. HIPAA e.cv91 %cv91% s_CV91 string Set to 1 if the asset is governed by the Health Insurance Portability and Accountability Act (HIPAA) regulation. GLBA e.cv92 %cv92% s_CV92 string Set to 1 if the asset is governed by the GrammLeach Bliley Act (GLBA) regulation. FISMA e.cv93 %cv93% s_CV93 string Set to 1 if the asset is governed by the Federal Information Security Management Act (FISMA) regulation. NISPOM e.cv94 %cv94% s_CV94 string Set to 1 via an asset map if the target asset is governed by the National Industrial Security Program Operating Manual (NISPOM) CustomerVar95 thru CustomerVar100 e.cv95 thru %cv95% e.cv100 thru %cv100% s_CV95 thru s_CV100 string String variable reserved for customer use. Stored in database. CustomerVar101 thru CustomerVar110 e.cv101 thru e.cv110 s_CV101 thru s_CV110 string Integer variable reserved for customer use. Stored in database. CustomerVar20 CustomerVar21 thru CustomerVar89 28 Data Type Sentinel 6.1 Reference Guide %cv101% thru %cv110% thru s_CV20 thru s_CV29 novdocx (en) 16 April 2010 Menu and Correlation Actions Default Label Menu and Correlation Actions Proprietary Collector Language CustomerVar111 thru CustomerVar120 e.cv111 thru e.cv120 %cv111% thru %cv120% s_CV111 thru s_CV120 string Date variable reserved for customer use. Stored in database. CustomerVar121 thru CustomerVar130 e.cv121 thru e.cv130 %cv121% thru %cv130% s_CV121 thru s_CV130 string UUID variable reserved for customer use. Stored in database. CustomerVar131 thru CustomerVar140 e.cv131 thru e.cv140 %cv131% thru %cv140% s_CV131 thru s_CV140 string IPv4 variable reserved for customer use. Stored in database. CustomerVar141 thru CustomerVar150 e.cv141 thru e.cv150 %cv141% thru %cv150% s_CV141 thru s_CV150 string String variable reserved for customer use. Stored in database. CustomerVar151 thru CustomerVar160 e.cv151 thru e.cv160 %cv151% thru %cv160% s_CV151 thru s_CV160 string Integer variable reserved for customer use. Not stored in database. CustomerVar161 thru CustomerVar170 e.cv161 thru e.cv170 %cv161% thru %cv170% s_CV161 thru s_CV170 string Date variable reserved for customer use. Not stored in database. CustomerVar171 thru CustomerVar180 e.cv171 thru e.cv180 %cv171% thru %cv180% s_CV171 thru s_CV180 string UUID variable reserved for customer use. Not stored in database. CustomerVar181 thru CustomerVar190 e.cv181 thru e.cv190 %cv181% thru %cv190% s_CV181 thru s_CV190 string IPv4 variable reserved for customer use. Not stored in database. CustomerVar191 thru CustomerVar200 e.cv191 thru e.cv200 %cv191% thru %cv200% s_CV191 thru s_CV200 string String variable reserved for customer use. Not stored in database. Data Type novdocx (en) 16 April 2010 Filters and Correlation Rules Default Label Description Sentinel Event Fields 29 novdocx (en) 16 April 2010 30 Sentinel 6.1 Reference Guide 3 Sentinel allows administrators to set user permissions in the Sentinel Control Center at a granular level. The only user created by default is the esecadm, or Sentinel Administrator. All other users are created by the Sentinel Administrator, or someone with similar permissions. To change user permissions: 1 Log into the Sentinel Control Center as a user with “User Management” permissions. 2 Click the Admin tab. 3 Select User Configuration from Admin tab. Alternatively, Select User Manager from User Configuration in the Navigator. 4 Right click user and select User Details. 5 Select the Permissions tab. Sentinel Control Center User Permissions 31 novdocx (en) 16 April 2010 Sentinel Control Center User Permissions 3 novdocx (en) 16 April 2010 6 Uncheck the checkboxes for which you want to restrict user. 7 Click OK. The permissions in the User Manager are grouped into several major categories: General (page 33) Active Views (page 34) iTRAC (page 35) Incidents (page 35) Integrators (page 36) Sentinel Control Center User Permissions (page 31) Event Source Management (page 37) Analysis Tab (page 37) Advisor Tab (page 37) Administration (page 38) Correlation (page 39) 32 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Solution Pack (page 39) Identity (page 39) Each of these groups of setting is described in more detail below. 3.1 General Table 3-1 Permissions-General Permission Name Description Save Workspace Allows user to save preferences. If this permission is unavailable, user will never be prompted to save changes to preferences when logging out or exiting the Sentinel Control Center. Column Management Allows user to manage the columns in the Active View tables. Snapshot Allows user to take a snapshot of Active View tables. 3.1.1 General – Public Filters Table 3-2 Permissions-General-Public Filters Permission Name Description Create Public Filters Allows user to create a filter with an owner ID of PUBLIC. If user does not have this permission, then the value PUBLIC will not be listed as one of the owner IDs that user can create a filter for. Modify Public Filters Allows user to modify a public filter. Delete Public Filters Allows user to delete a public filter. 3.1.2 General – Manage Private Filters of Other Users Table 3-3 Permissions-General-Manage Private Filters of Other Users Permission Name Description Create Private Filters for Other Users Allows user to create private filters for themselves or for other users. Modify Private Filters of Other Users Allows user to modify their own private filters and private filters created by other users. Delete Private Filters of Other Users Allows user to delete their own private filters and private filters created by other users. View/Use Private Filters of Other Users Allows user to view/use their own private filters and private filters crated by other users. Sentinel Control Center User Permissions 33 Table 3-4 Permissions-General-Integration Actions Permission Name Description Send to Remedy Help Desk Allows user to send events, incident and associated objects to Remedy. (requires the optional Remedy integration component) 3.2 Active Views Table 3-5 Permissions-Active Views Permission Name Description View Active Views Tab Allows user to see and use the Active Views tab, menu and other related functions associated with the Active Views tab. 3.2.1 Active Views – Menu Items Table 3-6 Permissions-Active Views-Menu Items Permission Name Description Use Assigned Menu Items Allows user to use assigned menu items in the Active Views Events table (the right-click menu). Add to Existing Incident Allows user to add events to existing incidents using the Active Views Events table (the right-click menu). Remove from Incident Allows user to remove events from an existing incident using the Events tab Events table (the right-click menu). Email Events Allows user to e-mail events using the Active Views Events table (the right-click menu). View Advisor Attack Data Allows user to view the Advisor Attack Data stream. View Vulnerability Allows user to view the vulnerabilities present in the Sentinel database 3.2.2 Active Views – Active Views Table 3-7 Permissions-Active Views-Active Views 34 Permission Name Description Use/View Active Views Allows user to access the Active Views charts. Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 3.1.3 General – Integration Actions novdocx (en) 16 April 2010 3.3 iTRAC Table 3-8 Permissions-iTRAC Permission Name Description View iTRAC Tab Allows user to see and use the iTRAC tab, menu and other related functions associated with the iTRAC tab. Activity Management Allows user to access the Activity Manager. Manage Work Items Of Users Gives user administrative control over all workitems, including those assigned to other users 3.3.1 iTRAC - Template Management Table 3-9 Permissions-iTRAC-Template Management Permission Name Description View/Use Template Manager Allows user to access the Template Manager. Create/Modify Templates Allows user to create and modify templates. 3.3.2 iTRAC - Process Management Table 3-10 Permissions-iTRAC-Process Management Permission Name Description View/Use Process Manager Allows user to access the Process View Manager. Start/Stop Processes Allows user to use the Process View Manager. 3.4 Incidents Table 3-11 Permissions-Incidents Permission Name Description View Incidents Tab Allows user to see and use the Incidents tab, menu and other related functions associated with the View Incidents tab. Incident Administration Allows user to modify an incident. View Incident(s) Allows user to view/modify the details of an incident. If the user does not have this permission, then the Incident Details window will not be displayed when the user either double-clicks an Incident in the Incident View window or right-clicks the incident or selects the Modify option. Sentinel Control Center User Permissions 35 Description Create Incident(s) Allows user to create Incidents in the in the Incident View window or by right clicking on the incident and select Modify option. Alternatively you can select Create Incident menu item in the Incidents menu bar and clicking Create Incident option in the tool bar. Modify Incident(s) Allows user to modify an incident in the Incident Details window. Delete Incident(s) Allows user to delete incidents. Assign Incident(s) Allows user to assign an incident in the Modify and Create Incident window. Email Incidents Allows user to e-mail Incidents of interest. Incident Actions Allows user to view Execute Incident Action menu option in an Incident and to execute actions. Add Notes Allows user to add any number notes to an incident. 3.5 Integrators Table 3-12 Permissions-Integrators Permission Name Description View Integrator Allows user to view Integrators, open Integrator Manager, use update, refresh, help, test buttons and view integrator event details. Manage Integrator Allows user to manage (add/modify/delete) the configured Integrators. Manage Integrator Plugins Allows user to manage (add/modify/delete) the Integrators plugins. 3.6 Actions Table 3-13 Permissions-Action Manager 36 Permission Name Description View Actions Allows user to use Action Manager and view Actions. Manage Actions Allows user to add/edit/delete actions of type "Execute Action Plugins" Manage Action Plugins Allows user to add/edit/delete Action Plugins. Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Permission Name novdocx (en) 16 April 2010 3.7 Event Source Management Table 3-14 Permissions-Event Source Management Permission Name Description View Status Allows user to view the status of ESM components. View Scratchpad Allows user to design and configure ESM components. Configure ESM Components Allows you to configure ESM components. Control ESM Components Allows you to control and manage ESM components. Manage Plugins Allows you to manage Collector and Connector Plugins. View Raw Data Allows you to view/parse raw data. Debug Collector Allows you to debug Collector. Command and Control consists of: start/stop individual ports start/stop all ports restart hosts rename hosts 3.8 Analysis Tab Table 3-15 Permissions-Analysis Tab Permission Name Description View Analysis Tab Allows user to see and use the View Analysis tab, menu and other related functions associated with the View System Overview tab. 3.9 Advisor Tab Table 3-16 Permissions-Advisor Tab Permission Name Description View Advisor Tab Allows user to view and use the Advisor tab and the Advisor Status window. Sentinel Control Center User Permissions 37 Table 3-17 Permissions-Administration Permission Name Description View Administration Tab Allows user to see and use the View Administration tab, menu and other related functions associated with the View Administration tab. DAS Statistics Allows user to view DAS activity (DAS binary and query). Event Configuration Allows user to rename columns, set mappings from mapping files. This function is associated with Mapping Configuration. Map Data Configuration Allows user to add, edit and delete mapping files. Event Menu Configuration Allows user to access the Menu Configuration window and add new options that display on the Event menu when you right-click an event. Report Data Configuration Allows user to enable or disable summary tables used in aggregation. User Management Allows user to add, modify and delete user details User Session Management Allows user to view, lock and terminate active users (logins to Sentinel Control Center). iTRAC Role Management Allows user to view and use the role manager in the Admin Tab. Download Manager Allow user to configure download manager in the Admin Tab. Advisor Configuration Allow user to configure Advisor settings. 3.10.1 Administration – Global Filters Table 3-18 Permissions-Administration-Global Filters Permission Name Description View/Use Global Filters Allows user to access the Global Filter Configuration window. Modify Global Filters Allows user to modify the global filters configuration. NOTE: To access this function, View Global Filters permission must also be assigned. 3.10.2 Administration – Server Views Table 3-19 Permissions-Administration-Server Views 38 Permission Name Description View Servers Allows user to monitor the status of all processes. Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 3.10 Administration Description Control Servers Allows user to start, restart and stop processes. novdocx (en) 16 April 2010 Permission Name 3.11 Correlation Table 3-20 Permissions-Correlation Permission Name Description View Correlation Tab Allows user to use the Correlation functions. View/Use Correlation Rule Manager Allows user to start or stop the Correlation Rules. View/Use Correlation Engine Manager Allows user to deploy/undeploy the Correlation Rules. View/Use Dynamic Lists Allows user to Create, use, view, modify the Dynamic Lists. 3.12 Solution Pack Table 3-21 TPermissions-Solution Pack Permission Name Description Solution Designer Allows user to access Solution Designer. Solution Manager Allows user to access Solution Manager. 3.13 Identity Table 3-22 Permissions-Action Manager Permission Name Description View/Use Identity Address Book Allows user to view and use Identity Browser. Sentinel Control Center User Permissions 39 novdocx (en) 16 April 2010 40 Sentinel 6.1 Reference Guide 4 This section is about Sentinel correlation engine Rule LG language. 4.1 Correlation RuleLG Language Overview The Sentinel Correlation Engine runs rules that are written in the Correlation RuleLg language. Rules are created in the Sentinel Control Center. Users can create rules using a wizard for the following rule types: Simple Rule Composite Rule Aggregate Rule Sequence Rule These rules are converted to the Correlation RuleLg language when the rules are saved. The same rule types, plus even more complex rules, can be created in the Sentinel Control Center using the Custom/Freeform option. To use the Custom/Freeform option, the user must have a good understanding of the Correlation RuleLg language. RuleLg uses several operations, operators, and event field short tags to define a rule. The Correlation Engine loads the rule definition and uses the rules to evaluate, filter, and store in memory events that meet the criteria specified by the rule. Depending on the rule definition, a correlation rule might fire based on the value of one field or multiple fields the comparison of an incoming event to past events the number of occurrences of similar events within a defined time period one or more subrules firing one or more subrules firing in a particular order Each of these constructs is represented by an operation in RuleLg. 4.2 Event Fields All operations function on event fields, which can be referred to by their labels or by their short tags within the correlation rule language. For a full list of labels and short tags, see “Sentinel Event Fields” section. The label or metatag must also be combined with a prefix to designate whether the event field is part of the incoming event or a past event that is stored in memory. Examples: e.DestinationIP (Destination IP for the current event) e.dip (Destination IP for the current event) w.dip (Destination IP for any stored event) Sentinel Correlation Engine RuleLG Language 41 novdocx (en) 16 April 2010 Sentinel Correlation Engine RuleLG Language 4 4.3 Event Operations Event operations evaluate, compare, and count events. They include the following operations: Filter: Evaluates the current to determine whether they could potentially trigger a rule to fire Window: Compares the current event to past events that have been stored in memory Trigger: Counts events to determine whether enough events have occurred to trigger a rule Each operation works on a set of events, receiving a set of events as input and returning a set of events as output. The current event processed by a rule often has a special meaning for the semantic of the language. The current event is always part of the set of events in and out of an operation unless the set is empty. If an input set of an operation is empty, then the operation is not evaluated. 4.3.1 Filter Operation Filter consists of a Boolean expression that evaluates the current event from the real-time event stream. It compares event attributes to user-specified values using a wide set of operators The Boolean expression is a composite of comparison and match instructions. The syntax for filter is: Filter <Boolean expression 1> [NOT|AND|OR <Boolean expression 2] […] [NOT|AND|OR <Boolean expression n>] Where <Boolean expressions 1…n> are expressions using one or more event field names and filter operators For example, this rule detects whether the current event has a severity of 4 and the resource event field contains either “FW” or “Comm.” filter(e.sev = 4 and (e.res match regex ("FW") or e.res match regex ("Comm"))) Boolean Operators Filter expressions can be combined using the Boolean operators AND, OR and NOT. The filter boolean operator precedence (from highest [top] to lowest [bottom] precedence) is: Table 4-1 Boolean Operators 42 Operator Meaning Operator Type Associativity Not logical not unary None And logical and binary left to right Or logical or binary left to right Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 WARNING: If you rename the label of a metatag, do not use the original label name when creating a correlation rule. novdocx (en) 16 April 2010 In addition to Boolean operators, filter supports the following operators. Standard Arithmetic Operators Standard arithmetic operators can be used to build a condition that compares the value of a Sentinel metatag and a user-specified value (either a numeric value or a string field). The standard arithmetic operators in Sentinel are =, <, >, !=, <=, and >=. Examples: filter(e.Severity > 3) filter(e.BeginTime < 1179217665) filter(e.SourceUserName != “Administrator”) Match Regex Operators The match regex operator can be used to build a condition where the value of a metatag matches a user-specified regular expression value specified in the rule. This operator is used only for string tags, and the user-specified values for this operator are case-sensitive. Examples: filter(e.Collector match regex ("IBM")) filter(e.EventName match regex ("Attack")) Match Subnet Operators The match subnet operator can be used to build a condition where the value of a metatag maches a user-specified subnet specified in the rule in CIDR notation. This operator is used only for IP address fields. Example: filter(e.DestinationIP match subnet (10.0.0.1/22)) Inlist Operator The inlist operator is used to perform a lookup on an existing dynamic list of string values, returning true if the value is present in the list. For more information on Dynamic Lists, see “Correlation Tab” in Sentinel 6.1 User Guide. For example, this filter expression is used to evaluate whether the Source IP of the current event is present on a dynamic list called MailServerList. If the Source IP is present in this list, the expression evaluates to TRUE. filter(e.sip inlist MailServerList) As another example, this filter expression combines the NOT and the INLIST operator. This expression evaluates to TRUE if the Source IP is not present in the dynamic list called MailServerList. filter(not (e.sip inlist MailServerList)) This filter expression is used to evaluate whether the event name of the current event equals “File Access” and the Source User Name is also not present on a dynamic list called AuthorizedUsers. If both conditions are true for the current event, the expression evaluates to TRUE. Sentinel Correlation Engine RuleLG Language 43 ISNULL Operator The isnull operator returns true if the metatag value is equal to NULL. Example: Filter(isnull(e.SIP)) Output Sets The output of a filter is either the empty set (if the Boolean expression evaluates to false) or a set containing the current event and all of the other events from the incoming set (if the Boolean expression evaluates to true). If filter is the last or only operation of a correlation rule, then the output set of the filter is used to construct a correlated event. The trigger events are the filter operation output set of events with the current event first. If filter is not the last operation of a correlation rule (that is, filter is followed by a flow operatior), then the output set of a filter is used as the input set to other operations (through the flow operator). Additional Information The filter operator can be used to compare metatag values with other metatag values, for example: e.SourceIP=e.DestinationIP 4.3.2 Window Operation Window compares the current event to a set of past events that are stored in a “window.” The events in the window can be all past events for a certain time period, or they can be filtered. The Boolean expression is a composite of comparison instructions and match instructions with the Boolean operators AND, OR and NOT. The syntax for window is: Window (<Boolean expression>[, <filter expression>, <evaluation period>) Where <Boolean expression> is an expression comparing a metatag value from the current event to a metatag value from a past event (or a user-specified constant) <filter expression> is optional and specifies filter criteria for the past events <evaluation period> specifies the duration for which past events matching the filter expression are maintained, specified in seconds (s), minutes (m), or hours (h). If no letter is specified, seconds are assumed. For example, this rule detects whether the current event has a source IP address in the specified subnet (10.0.0.10/22) and matches an event(s) that happened within the past 60 seconds. window(e.sip = w.sip, filter(e.sip match subnet (10.0.0.10/22),60) 44 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 filter(e.evt="File Access" and not(e.sun inlist AuthorizedUsers)) novdocx (en) 16 April 2010 As another example, this rule is a domino type of rule. An attacker exploits a vulnerable system and uses it as an attack platform. window((e.sip = w.dip AND e.dp = w.dp AND e.evt = w.evt), 1h) This rule identifies a potential security breach after a denial of service attack. The rule fires if the destination of a denial of service attack has a service stopped within 60 seconds of the attack. filter(e.rv51="Service" and e.rv52="Stop" and e.st = "H") flow window (e.sip = w.dip, filter(e.rv52="Dos"), 60s) flow trigger(1,0)) Output Sets If any past event evaluates to true with the current event for the simple boolean expression, the output set is the incoming event plus all matching past events. If no events in the window match the current event for the simple boolean expression, the output set is empty. If a window is the last or only operation of a correlation rule, then the output set of the window is used to construct a correlated event (the correlated events being the window operation output set of events with the current event first). Additional Information You must prepend a metatag name with "e." to specify the current event or with "w." to specify the past events All window simple Boolean expressions must include a metatag in the form w.[metatag]. For more information about valid filter expressions, see Section 4.3.1, “Filter Operation,” on page 42. Every event coming in to the Correlation Engine that passes this filter is put into the window of past events If no filter expression exists, then all events coming into the Correlation Engine are maintained by the window. With extremely high event rates or long durations, this might require a large amount of memory. The current event is not placed into the window until after the current event window evaluation is complete To minimize memory usage, only the relevant parts of the past events, not all metatag values, are maintained in memory. 4.3.3 Trigger Operation Trigger is used to specify a number of events for a user-specified duration. The syntax for trigger is: Trigger (<number of events>, <evaluation period>[, discriminator (<list of tags>)) Where Sentinel Correlation Engine RuleLG Language 45 For example, this rule detects if 5 events with the same source IP address happen within 10 seconds. trigger(5,10,discriminator(e.sip)) Output Sets If the specified count is reached within the specified duration, then a set of events containing all of the events maintained by the trigger is output; if not, the empty set is output. When receiving a new input set of events, a trigger first discards the outdated events (events that have been maintained for more than the duration) and then inserts the current event. If the number of resulting events is greater than or equal to the specified count, then the trigger outputs a set containing all of the events. If a trigger is the last operation (or the only operation) of a correlation rule, then the output set of the trigger is used to construct a correlated event (the correlated events being the trigger operation output set of events with the current event first). If a trigger is not the last operation of a correlation rule (that is, it is followed by a flow operator), then the output set of a trigger is used as the input set to other operations (through the flow operator). The discriminator (meta-tag list) is a comma-delimited list of meta-tags. A trigger operation keeps different counts for each distinct combination of the discriminator meta-tags. 4.4 Rule Operations Rule operations work on subrules that have been combined into a compound rule. They include: Gate Sequence 4.4.1 Gate Operation The gate operation is used to create a composite rule which is used in identifying complex situations from the occurrence of simple situations. The composite rule is made up of one or more nested subrules and can be configured to fire if some, any or all of the subrules fire within a specified time window. The subrules can be a simple rule or another composite rule. For more information on Composite Rule, see “Correlation Tab” in Sentinel 6.1 User Guide. The syntax for gate is: Gate(<subrule 1 rulelg>, <subrule 2 rulelg>…<subrule n ruleLg>, <evaluation period>, discriminator(<list of tags>)) Where 46 Sentinel 6.1 Reference Guide <mode>, novdocx (en) 16 April 2010 <number of events> is an integer value specifying the number of matching events that are necessary for the rule to fire <evaluation period> specifies the duration for which past events matching the filter expression are maintained, specified in seconds (s), minutes (m), or hours (h). If no letter is specified, seconds are assumed. discriminator is a field to group by novdocx (en) 16 April 2010 Subrule Rulelgs are the rulelg definitions for 1 to n subrules mode = all | any | 1 | 2 | … | n, which is the number of subrules that must be triggered in order for the gate rule to trigger <evaluation period> specifies the duration for which past events matching the filter expression are maintained, specified in seconds (s), minutes (m), or hours (h). If no letter is specified, seconds are assumed. discriminator is a field to group by For example, this rule is a typical perimeter security IDS inside/outside rule filter(e.sev > 3) flow gate(filter(e.sn = "in"), filter(e.sn = "out"), all, 60s, discriminator(e.dip, e.evt)) 4.4.2 Sequence Operation Sequence rules are similar to gate rules, except that all child rules must fire in time order for the sequenced rule to evaluate to true. The subrules can be a simple rule or another composite rule. The syntax for sequence is: Sequence(<subrule 1 rulelg>, <subrule 2 rulelg>…<subrule n ruleLg>, <evaluation period>, discriminator(<list of tags>)) Where Subrule Rulelgs are the rulelg definitions for 1 to n subrules <evaluation period> is a time period expressed in seconds (s), minutes (m), or hours (h) discriminator is a field to group by For example, this rule detects three failed logins by a particular user in 10 minutes followed by a successful login by same user. sequence (filter(e.evt="failed logins") flow trigger(3, 600, discriminator(e.sun,e.dip)), filter(e.evt="goodlogin"), 600, discriminator(e.sun, e.dip)) 4.5 Operators Operators are used to transition between operations or expressions. The fundamental operators used between operations are: Flow operator Union operator Intersection operator Discriminator operator 4.5.1 Flow Operator The output set of events of the left-hand side operation is the input set of events for the right-hand side operation. Flow is typically used to transition from one correlation operation to the next. For example: Sentinel Correlation Engine RuleLG Language 47 The output of the filter operation is the input of the trigger operation. The trigger only counts events with severity equal to 5. 4.5.2 Union Operator The union of the left side operation output set and the right side operation output set. The resulting output set contains events from either the left-hand side operation output set or the right-hand side operation output set without duplicates. For example: filter(e.sev = 5) union filter(e.sip = 10.0.0.1) is equivalent to filter(e.sev = 5 or e.sip = 10.0.0.1) 4.5.3 Intersection Operator The intersection of the left side operation output set and the right side operation output set. The resulting output set contains events that are common in both the left-hand side operation output set and the right-hand side operation output set without duplicates. For example: filter(e.sev = 5) intersection filter(e.sip = 10.0.0.1) is equivalent to filter(e.sev = 5 and e.sip = 10.0.0.1) 4.5.4 Discriminator Operator The discriminator operator allows users to group by event fields within other event operations. Discriminator can be used within the trigger, gate, or sequence operations. This is the last operation when executing a condition. The input for this operator will generally be the output of other operations, if any. For example, this filter expression is used to identify five severity 5 events within 60s that all have the same Source IP. Note that the attribute (SIP in this example) can be any value, even a NULL, but it must be the same for all five events in order for the rule to fire. filter(e.sev=5 ) flow trigger(5, 60s, discriminator(e.sip) 4.6 Order of Operators The operator precedence (from highest (top) to lowest (bottom)) are: 48 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 filter(e.sev = 5) flow trigger(3, 60) novdocx (en) 16 April 2010 Table 4-2 Operator Precedence Operator Meaning Operator Type Associativity flow Output set becomes input set binary left to right intersection Set intersection (remove duplicates) binary left to right union Set union (remove duplicates) binary left to right 4.7 Differences between Correlation in 5.x and 6.x There are several new functionalities updated / included in 6.0 to widen the usage of Correlation to meet user’s requirements and for the ease-of-use. Gate Operation: This is new in 6.0. Sequence Operation: This is new in 6.0. Inlist Operator and Dynamic Lists: These are new in 6.0. Isnull Operator: This is new in 6.0. For metatag values equal to null, Sentinel 5.x supported the following syntax which is replaced by the ISNull operator in Sentinel 6.0 e.SIP= “ ” Update Window: This is new in Sentinel 6.0 Sentinel 6.0 merges the C (Correlated Events) and W (watchlist events) SensorTypes. All events generated by the Correlation Engine are now labeled C in the SensorType field. Correlation Actions and Correlation Rules: Correlation Actions and Correlation Rules are decoupled in Sentinel 6.0 Although the filter operation supported AND and OR Boolean expressions in Sentinel 5.x, the window operation supports Boolean expressions for the first time in Sentinel 6.0. For example: OR: window(e.dip=w.dip OR e.sip=w.sip, filter(e.sev>2),60) AND: window(e.evt=w.evt AND e.sun=w.sun, filter(e.sev>2),60) Sentinel 6.0 no longer has the GUI option to create a rule from a PUBLIC filter. The filter criteria must be defined in the correlation wizard or language. The update functionality for a rule that is triggered more than once is configurable in Sentinel 6.0. In Sentinel 5.1.3, updates to a rule were based on a sliding window based on the trigger time period. In Sentinel 6.0, the update functionality can be set when the rule is deployed; the rule actions might happen every time the rule is triggered, or they can be set to occur once and then wait for some period of time before the action occurs again. This prevents multiple notifications on a single, ongoing event. The in, not in, and difference operators are deprecated in Sentinel 6.0. Correlation rules using these operators must be modified before running them in Sentinel 6.0. The e.all metatag has been deprecated. Correlation rules using this operator should be updated to use specific short tags before running them in Sentinel 6.0. Sentinel Correlation Engine RuleLG Language 49 novdocx (en) 16 April 2010 50 Sentinel 6.1 Reference Guide The Data Access Service (DAS) process is Sentinel Server's persistence service and provides a message bus interface to the database. Some of the services it provides are event storage, Historical Query, event drill down, vulnerability and Advisor data retrieval, and configuration manipulation. 5.1 DAS Container Files DAS is a collection of services provided by five different processes. Each process is a container responsible for different types of database operations. These processes are: DAS Query: Performs general Sentinel Service operations including Login and Historical Query. DAS Binary: Performs event database insertion. DAS RT: Provides the server-side functionality for Active Views. DAS Aggregation: Calculates event data summaries that are used in reports. DAS iTRAC: Provides the server-side functionality for the Sentinel iTRAC functionality. DAS CMD: Provides a command line interface to certain DAS services. Used primarily for third-party integration. DAS Proxy: Provides the server-side of the SSL proxy connection to Sentinel Server. DAS Proxy is not directly part of the DAS collection of services. It is part of the Communication Server and does not directly connect to the database. 5.1.1 Reconfiguring Database Connection Properties The primary settings in these configuration files that can be configured using the dbconfig utility are related to the database connection, including: username password hostname port number database (database name) server (oracle, oracle10g, or mssql) If any of these database connection settings need to be changed, they must be changed in every das_*.xml file using the dbconfig utility. Using the –a argument, this utility can update all files at the same time (For example, update all files in the %ESEC_HOME%\config or $ESEC_HOME/ config directory). Alternately, using the –n argument, this utility can update a single file’s contents if only one file need to be updated. Typically, all files should be updated at the same time. WARNING: Do not manually edit the database connection properties. Use the dbconfig utility to change any database connection values within these files. Sentinel Data Access Service 51 novdocx (en) 16 April 2010 5 Sentinel Data Access Service 5 1 Login to the machine where DAS is installed as the esecadm user on UNIX or a user with administrative rights on Windows. 2 Go to: For Windows: %ESEC_HOME%\bin For UNIX: $ESEC_HOME/bin 3 Provide the following command: For Windows: dbconfig –a %ESEC_HOME%\config [[-u username] [-p password] | [-winAuth]] [-h hostname] [-t portnum] [-d database] [-s server] [-help] [-version] For UNIX: dbconfig –a $ESEC_HOME/config [-u username] [-p password] [-h hostname] [t portnum] [-d database] [-s server] [-help] [-version] NOTE: The -winAuth argument is available only on Windows and should be used instead of the –u and –p arguments if the Sentinel Application User is a Windows Authentication user. Other settings in the files can be adjusted manually (without using dbconfig): maxConnections batchSize loadSize Changing these settings might affect database performance and should be done with caution 5.1.2 DAS Logging Properties Configuration Files The following files are used to configure logging of the DAS process. These files are typically changed when troubleshooting the DAS process. das_query_log.prop das_binary_log.prop das_rt_log.prop das_itrac_log.prop das_aggregation_log.prop das_cmd_log.prop das_proxy_log.prop They are located in the following locations: For Windows: %ESEC_HOME%\config 52 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 To Reconfigure Database Connection Properties: novdocx (en) 16 April 2010 For UNIX: $ESEC_HOME/config These files contain the configuration that determines how the DAS processes will log messages. The most important part of the configuration is the logging levels, which indicate how verbose the log messages should be. The section of the file to configure these settings is: ###### Configure the logging levels # Logging level rules are read from the top down. # Start with the most general, then get more specific. # # Defaults all loggers to INFO (enabled by default) .level=INFO # # < Set level of specific loggers here > # # Turns off all logging (disabled by default) #.level=OFF ###### NOTE: The logger .level is a wildcard logger name that refers to all loggers. Setting this logger’s level will affect all loggers. The available logging levels are: OFF: disables all logging SEVERE (highest value): indication that a component has malfunctioned or there is a loss/ corruption of critical data WARNING: if an action can cause a component to malfunction in the future or if there is non- critical data loss/corruption INFO: audit information CONFIG: for debugging FINE: for debugging FINER: for debugging FINEST: (lowest value) – for debugging ALL: will log all levels When one specifies a logging level, all log messages of that level and higher (in the above list) will actually be logged. For example, if one specifies the INFO level, then all INFO, WARNING and SEVERE message will be logged. NOTE: At 10 second intervals, the logging properties file will be checked to see if any changes have occurred since it was last read. If the file has changed, the LogManagerRefreshService will reread the logging properties file. Therefore, it is not necessary to restart the processes to begin using the updated logging levels. Log messages are written to ESEC_HOME%\log (for Windows) or $ESEC_HOME/log (for UNIX), in the following files: Sentinel Data Access Service 53 The 0 indicates the unique number to resolve conflicts and the * indicates a generation number to distinguish rotated logs. For example, das_query0.0.log is the log with index 0 (latest) file in a rotated set of log files for the DAS Query process. Log messages are also written to the process’s console (standard output). However, since the processes are running as services, users do not have access to the console output. It is possible, however, to capture the console output in the sentinel0.*.log file. This is useful, for example, if the process is producing an error that is not printed to the process’s own log file. This can be enabled by adding the following line to the sentinel_log.prop file: esecurity.base.process.MonitorableProcess.level=FINEST 5.1.3 Certificate Management for DAS_Proxy The DAS_Proxy SSL Server uses an asymmetric key pair, consisting of a certificate (or public key) and a private key, to encrypt communications. When the Sentinel Communication Server is started for the first time, it automatically creates a self-signed certificate which is used by the DAS_Proxy SSL Server. You can replace the self-signed certificate with a certificate signed by a major Certificate Authority (CA), such as Verisign, Thawte (http://www.thawte.com/), or Entrust (http://www.entrust.com/). You can also replace the self-signed certificate with a certificate signed by a less common CA, such as a CA within your company or organization. This section describes several certificate management tasks that you can perform in Sentinel: Replace the default certificate with a certificate signed by a Certificate Authority (CA) Change default keystore and keyEntry passwords. This is recommended on all Sentinel systems. Change the location of the .proxyServerKeystore file Change the default keyEntry alias to avoid potential conflicts with other keys in the keystore or for simplicity Replacing the default certificate with a CA-signed certificate Novell provides a self-signed certificate for the DAS_Proxy SSL Server to use. To improve security, you can replace the default, self-signed certificate that gets installed with a certificate signed by a Certificate Authority (CA). The CA may be a major CA, such as Verisign, Thawte (http:// www.thawte.com/), or Entrust (http://www.entrust.com/), or it may be a less widely-known CA, such as one that is within your organization. 54 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 das_query_0.*.log das_binary_0.*.log das_itrac_0.*.log das_aggregation0.*.log das_rt0.*.log das_cmd0.*.log das_proxy0.*.log novdocx (en) 16 April 2010 The basic steps are to get a CA to sign your certificate and then import that certificate into the keystore for DAS_Proxy to use. To import the certificate, the CA that signed the certificate must be “known” to the keytool utility. Keytool usually recognizes the major certificate authorities, but for other CA’s you may need to import a certificate or chain of certificates for the certificate authority before you can successfully import the certificate that DAS_Proxy uses. NOTE: These instructions are based on the user guide for keytool. For more information, see http:// java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html (http://java.sun.com/j2se/1.5.0/docs/ tooldocs/solaris/keytool.html) To use a CA-signed certificate: 1 Execute the following command in the console: $ESEC_HOME/jre/bin/keytool -list -keystore $ESEC_HOME/config/ .proxyServerKeystore 2 Provide the keystore password (star1111 by default). The contents of the keystore file display: Keystore type: jks Keystore provider: SUN Your keystore contains 1 entry 10.0.0.1, Jan 8, 2008, keyEntry, Certificate fingerprint (MD5): 22:B4:19:63:AC:2D:F9:C0:66:7F:7C:64:85:68:89:AB The keyEntry alias, which is used in the following step, is the IP address in the example above. By default, the keyEntry alias can be the IP address or the host name of the local machine. 3 Execute the following command in the console using the keyEntry alias from .proxyServerKeystore: $ESEC_HOME/jre/bin/keytool -certreq -alias <keyEntry alias> -keystore $ESEC_HOME/config/.proxyServerKeystore -file <csr_filename.csr> The .csr file is saved in the specified location. 4 Provide the .csr file to the CA. The CA will return a signed .cer file. (These exact steps will vary based on the Certificate Authority.) 5 If the CA is not well known, you must add the CA's certificate to the "cacerts" keystore using the following steps: 5a Open a command prompt and go to $ESEC_HOME/jre/lib/security. There should be a cacerts file in this directory. 5b Run the following command to import: $ESEC_HOME/jre/bin/keytool -import -trustcacerts -alias <a_ca_cert_alias_of_your_choosing> -keystore $ESEC_HOME/jre/lib/ security/cacerts -file <ca_cert_filename> NOTE: The default password for this keystore file is “changeit”. 5c Execute the preceding steps on the Sentinel Server machine, all Collector Manager systems that are connecting to the Sentinel Server through the SSL Proxy, and all Sentinel Control Center systems. 6 To enable the use of CA signed certificate, edit das_proxy.xml file available on the Sentinel Server. Change the property value to true: <property name="usecacerts">true</property> Sentinel Data Access Service 55 usecacerts="true" For example: <strategy active="yes" id="proxied_client" location="com.esecurity.common.communication.strategy.proxystrategy.Proxi edClientStrategyFactory"> <transport type="ssl"> <ssl host="hostname" keystore=”Path of .proxyClientKeystore” port="10013" usecacerts="true"/> </transport> </strategy> <strategy active="yes" id="proxied_trusted_client" location="com.esecurity.common.communication.strategy.proxystrategy.Proxi edClientStrategyFactory"> <transport type="ssl"> <ssl host="hostname" keystore=”Path of .proxyClientKeystore” port="10014" usecacerts="true"/> </transport> </strategy> NOTE: The default property of usecacerts is false. You must change the property of usecacerts to true. 8 Import the .cer file into keystore file by executing the following command: $ESEC_HOME/jre/bin/keytool -import -trustcacerts -alias <keyEntry alias> keystore $ESEC_HOME/config/.proxyServerKeystore -file <cer_filename.cer> This will replace the self-signed certificate installed with Sentinel. 9 Restart Sentinel Server. Novell also recommends that you change the keystore and keyEntry passwords after replacing the certificate. Changing default keystore and keyEntry passwords By default, the passwords used for keystore and the keyEntry are both set to star1111. It is a good practice to change these to something new. NOTE: DAS_Proxy requires that the keystore and keyEntry passwords to be identical. To change the keystore and the keyEntry password: 1 Execute the following command in the console to change the keystore password: $ESEC_HOME/jre/bin/keytool -storepasswd -keystore $ESEC_HOME/config/ .proxyServerKeystore 2 Enter the old keystore password (star1111 by default) and a new keystore password. The following example depicts this: Enter keystore password: <old_pass> New keystore password: <new_pass> Re-enter new keystore password: <new_pass> 56 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 7 Edit the configuration.xml file on all system with Sentinel Control Center and add the following attribute to the “ssl” element of the “proxied_client” and “proxied_trusted_client” strategies: novdocx (en) 16 April 2010 3 Verify the keyEntry alias using the following command: $ESEC_HOME/jre/bin/keytool -list -keystore $ESEC_HOME/config/ .proxyServerKeystore Provide the current keystore password. The contents of the keystore file display: Keystore type: jks Keystore provider: SUN Your keystore contains 1 entry 10.0.0.1, Jan 8, 2008, keyEntry, Certificate fingerprint (MD5): 22:B4:19:63:AC:2D:F9:C0:66:7F:7C:64:85:68:89:AB The keyEntry alias is the IP address in the example above. By default, the keyEntry alias is either set to the IP address or the hostname of the local machine. 4 Execute the following command in the console to change the keyEntry password to the same password as the new keystore password: $ESEC_HOME/jre/bin/keytool -keypasswd -alias <keyEntry alias> -keystore $ESEC_HOME/config/.proxyServerKeystore 5 Enter the existing password and the new password. The following example depicts this: Enter keystore password: <new_pass> Enter key password for <keyEntry alias> <old_pass> New key password for <keyEntry alias>: <new_pass> Re-enter new key password for <keyEntry alias>: <new_pass> NOTE: Remember that the keyEntry password and keystore password must be identical. 6 Get the encrypted, Base64 value of the new password using the following steps: Copy ESEC_HOME/config/das_rt.xml to a file named temp.xml: Execute the following command to add an encrypted, Base 64 form of the password to temp.xml file: $ESEC_HOME/bin/dbconfig -n $ESEC_HOME/config/temp.xml -p <new password for keystore and keyEntry> Open temp.xml file. Copy the value of “password” from the following section of the file: <property name="password">BSEU8ew2JYsxtOt4hYcYNA==</property> Delete the temp.xml file when you are confident that you have successfully copied the encrypted password. 7 Open the das_proxy.xml file. 8 Paste the copied value of the new password to the “keystorePassword” property in the “ProxyService” component property as shown below: <obj-component id="ProxyService"> <class>esecurity.ccs.comp.clientproxy.ClientProxyService</class> <property name="clientports">ssl:10013</property> <property name="certclientports">ssl:10014</property> <property name="keystore"> ../config/.proxyServerKeystore</property> <property name="keystorePassword"> BSEU8ew2JYsxtOt4hYcYNA==</ property> </obj-component> 9 Save the das_proxy.xml file. 10 Restart Sentinel Server. Sentinel Data Access Service 57 By default the certificate and private key are stored in the file .proxyServerKeystore located at $ESEC_HOME/config. To change the location of .proxyServerKeystore file, you can edit the value of the property “keystore” in the file $/ESEC_HOME/config/das_proxy.xml. You must restart Sentinel Server after making changes. Using a new keyEntry alias The default keyEntry alias is either the IP address or the hostname of the local machine. To use a different keyEntry alias, open the das_proxy.xml file and set the value of “certificateAlias” in the component “ProxyService” to the new value. You must restart Sentinel Server after making changes. 58 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Using a new .proxyServerKeystore location 6 This section discusses users that are created or used during Sentinel installation and normal Sentinel operations. Unless you create domain users in advance in order to use Windows Authentication, these users are created by the Sentinel installer. These user accounts are used for Sentinel’s normal operations, such as event inserts into the Sentinel database. The administrator might select to occasionally change the passwords for these accounts. To ensure continued normal Sentinel operations, there are special procedures necessary to update the passwords in all necessary locations. 6.1 Sentinel Default Users This section discusses about Sentinel default users. 6.1.1 Native Database Authentication Installer creates several users during installation if you use native database authentication (Oracle or Microsoft SQL Server). These users are all created as database users in the Oracle or SQL Server database, and the passwords are configurable at install time. The installer will create the users with the following default names: esecdba: Schema owner esecadm: Sentinel administrator esecrpt: Reporter user, same password as the admin user esecapp: Sentinel application user. Used by Sentinel Server to connect to the database In addition to creating a database user for the Sentinel administrator, the installer also creates a Sentinel user with the same username and password for the Sentinel Control Center. For UNIX only, the installer creates an operating system user with no password set. To log in as this user, the UNIX administrator must set a password or su to the user as root. 6.1.2 Windows Authentication If you use Windows authentication, the Windows administrator must create several domain accounts before the installation is started. The credentials for these accounts must be given during the Sentinel installation: Sentinel DB Administrator: Schema owner Sentinel Administrator: Sentinel administrator Sentinel Report User: Reporter user, same password as the admin user. Sentinel Application User: Sentinel application username for connecting to the database. Windows Authentication users are supported only when SQL Server is being used and DAS is running on Windows. Sentinel Accounts and Password Changes 59 novdocx (en) 16 April 2010 Sentinel Accounts and Password Changes 6 Corporate policy might require that passwords be changed on a regular schedule. Sentinel user passwords can be changed using database utilities. After changing a password, some Sentinel components need to be updated to use the new password. 6.2.1 Changing Password This section discusses about changing password SQL Server Accounts On Windows, this procedure can be used to change the password for the Sentinel Application User, the Sentinel Database User, or the Sentinel Report User. To change the password for the Sentinel Administrator or other Sentinel Control Center user, see Section 6.2.1, “Changing Password,” on page 60. To change password in MS SQL Server Management Studio: 1 Open the MS SQL Enterprise Manager/ MS SQL and select Security > Logins. 2 Right-click a username from the right pane and select properties. 3 Change the password. Click OK. Follow the procedures in Sentinel updates after a password change. Oracle Accounts This procedure can be used to change the password for the Sentinel Application User, the Sentinel Database User, or the Sentinel Report User. To change the password for the Sentinel Administrator or other Sentinel Control Center user, see Section 6.2.1, “Changing Password,” on page 60. To change password in Oracle: 1 Connect to Oracle Enterprise Manager with user having sysdba privilege. 2 Select your specific database from the left pane. 3 In Database > Security > Users, select a user for which you want to change the password. 4 Provide new password and confirm the password. Click Apply. Follow the procedures in Sentinel updates after a password Change. Windows Domain Accounts If the Sentinel system uses domain user accounts and Windows Authentication, use the following password change procedures. These procedures can be used for the Sentinel Administrator, the Sentinel Database User, the Sentinel Report User, and the Sentinel Application User. It can also be used for any Sentinel Control Center account that uses Windows Authentication. To change the password for Windows domain accounts: 1 Log into a machine using the account and use standard Windows password change procedures or 60 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 6.2 Password Changes novdocx (en) 16 April 2010 Request a password change from a Windows administrator. 2 Follow the procedures in Sentinel updates after a password change. Sentinel Control Center Accounts (Native DB Authentication) This procedure can be used to change the password for the Sentinel Administrator account or any other Sentinel Control Center user. To change the Sentinel Administrator password: 1 Login to the Sentinel Control Center as the Sentinel Administrator or another user with User Management permissions. 2 Click Admin > User Configuration. The User Manager window displays. 3 Double-click esecadm user account or right-click User Details. 4 Modify the account password and confirm password. Click OK. No additional updates are needed in the Sentinel system. Sentinel Control Center Accounts (Windows Authentication) Use standard procedures for changing the password for Windows domain accounts. 6.2.2 Sentinel Updates After a Password Change The passwords for certain Sentinel users, such as the Sentinel Database User and the Sentinel Application User, are encrypted and stored in configuration files and used in normal Sentinel operations. These configuration files must be updated after the passwords are changed. Updating Sentinel Application User Password The Sentinel Application User credentials are stored encrypted in the container xml files. After a password change, these files must be updated for Sentinel to continue working. The procedures are different depending on whether the Sentinel Application User uses Native Database Authentication or Windows Authentication. To update the Sentinel Application User password (Native DB Authentication): 1 Change the password for the Sentinel Application User (esecapp by default) using database utilities as described in Section 6.2.1, “Changing Password,” on page 60. 2 Using the dbconfig utility, update all container xml files. This is required because these xml files store the (encrypted) esecapp password to allow DAS and Advisor to connect to the database. The container xml files are located in the following locations: For Windows: %ESEC_HOME%\config For Oracle: $ESEC_HOME/config Sentinel Accounts and Password Changes 61 dbconfig –a {$ESEC_HOME/config | %ESEC_HOME%\config} -p <password> To update the Sentinel Application User password (Windows Authentication): 1 Change the password for the Sentinel Application User domain account as described in Section 6.2.1, “Changing Password,” on page 60. 2 On your DAS machine, open Windows Services (Control Panel > Administrative Tools > Services). 3 Right-click Sentinel > Properties. Click the Log On tab and update Log on as password. Click Apply and click OK. 4 If you have Advisor installed, you will need to update the Run as property (Control Panel > Scheduled Tasks > right-click Properties) of the Advisor Scheduled task(s). 62 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 For more information on usage of the dbconfig utility, see Chapter 5, “Sentinel Data Access Service,” on page 51. novdocx (en) 16 April 2010 5 Click Set password. Provide the new password twice and click OK. Click Apply and click OK. Updating Sentinel Database User Password These password change procedures are only necessary if extra Sentinel Data Manager jobs have been created and scheduled or the Sentinel Data Manager command line interface is being used. To change Sentinel DB Administrator password (Windows Authentication): 1 Use the Windows Operating System to change the password as described in Section 6.2.1, “Changing Password,” on page 60. 2 If you are running any SDM command line scheduled tasks in your environment, you will need to update the Run as property (Control Panel > Scheduled Tasks > right-click Properties). 3 Click Set password. Provide the new password twice and click OK. Click Apply and click OK. To update the Sentinel DB Administrator password (Native DB Authentication): 1 Change the password for the Sentinel DB Administrator User (esec by default) using database utilities password as described in Section 6.2.1, “Changing Password,” on page 60. Sentinel Accounts and Password Changes 63 sdm -action saveConnection -server <oracle/mssql> -host <hostIp/hostName> -port <portnum> -database <databaseName/SID> [-driverProps <propertiesFile>] {-user <dbUser> -password <dbPass>} -connectFile <filenameToSaveConnection> Updating Sentinel Report User Password This procedure is only necessary for Crystal on Windows. For Crystal on Linux, no changes are necessary. To update the Sentinel Report User password for Crystal on Windows: 1 Change the password for the Sentinel Report User (esecrpt by default) using database utilities as described in Section 6.2.1, “Changing Password,” on page 60. 2 Log into the Crystal Server machine. 3 Go to Control Panel > Administrative Tools >Data Sources (ODBC) to update the ODBC Data Source Name (DSN). 4 Under the System DSN tab, highlight sentineldb and click Configure. 5 Click Next. Update the password. 6 Click Next until you get a Finish button. Click Finish. 64 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 2 In order for automated SDM command line tasks to continue to work (if applicable in your environment), update the dbPass in the sdm.connect file with the new esecdba password using the SDM GUI or command line. For more information, see “Sentinel Data Manager” in Sentinel 6.1 User Guide. 7 This section lists the Sentinel schema views for Oracle. The views provide information for developing your own reports (Crystal Reports). Sentinel defines an event schema that is used to hold the parsed data received from event sources. For more information on the Sentinel Event schema, see Event schema (http://developer.novell.com/wiki/index.php/Event_schema). 7.1 Views Listed below are the views available with Sentinel. 7.1.1 ACTVY_PARM_RPT_V This view contains information about iTRAC activities. Column Name Datatype Comment ACTVY_PARM_ID varchar2(36) Activity parameter identifier ACTVY_ID varchar2(36) Activity identifier PARM_NAME varchar2(255) Activity Parameter name PARM_TYP_CD varchar2(1) Activity parameter type code DATA_TYP varchar2(50) Activity parameter data type DATA_SUBTYP varchar2(50) Activity parameter data subtype RQRD_F number (1,0) Required flag PARM_DESC varchar2(255) Activity parameter description PARM_VAL varchar2(1000) Activity parameter value FORMATTER varchar2(255) Activity parameter formatter DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number (38,0) User who created the object MODIFIED_BY number (38,0) User who last modified the object 7.1.2 ACTVY_REF_PARM_VAL_RPT_V This view contains information about iTRAC activities. Sentinel Database Views for Oracle 65 novdocx (en) 16 April 2010 Sentinel Database Views for Oracle 7 Datatype Comment ACTVY_ID varchar2(36) Activity identifier ACTVY_PARM_ID varchar2(36) Activity parameter identifier CREATED_BY number(38,0) User who created the object DATE_CREATED Date Date the entry was created DATE_MODIFIED Date Date the entry was modified MODIFIED_BY number(38,0) User who last modified the object PARM_VAL varchar2(1000) Activity parameter value SEQ_NUM number(38,0) Sequence number 7.1.3 ACTVY_REF_RPT_V This view contains information about iTRAC activities. Column Name Datatype Comment ACTVY_ID varchar2(36) Activity identifier SEQ_NUM number(38,0) Sequence number REFD_ACTVY_ID varchar2(36) Referenced activity identifier DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object 7.1.4 ACTVY_RPT_V This view contains information about iTRAC activities. 66 Column Name Datatype Comment ACTVY_ID varchar2(36) Activity identifier ACTVY_NAME varchar2(255) Activity name ACTVY_TYP_CD varchar2(1) Activity type code ACCESS_LVL varchar2(50) Access level EXEC_LOC varchar2(50) Execution location ACTVY_DESC varchar2(255) Activity description PROCESSOR varchar2(255) Processor INPUT_FORMATTER varchar2(255) Input formatter Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment OUTPUT_FORMATTER varchar2 (255) Output formatter APP_NAME varchar2 (25) Application name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number (38,0) User who created object MODIFIED_BY number (38,0) User who last modified object novdocx (en) 16 April 2010 Column Name 7.1.5 ADV_NXS_FEED_V This view contains information about the Advisor feed files that are processed on a regular schedule. Column Name Datatype Comment FILE_NAME varchar (256) The filename of the Advisor feed file. HASH_VALUE varchar (256) The hash value of the Advisor feed file. RECORDS_INSERTED number (18,0) The number of records inserted into the database. RECORDS_UPDATED number (18,0) The number of records updated into the database. PROCESSING_START_TIME date Time stamp indicating when the processing of the feed files started. PROCESSING_END_TIME date Time stamp indicating when the processing of the feed files ended. GENERATION date The unique ID to which each feed file belongs. DATE_CREATED date Time stamp indicating when the feed file information was entered in the Sentinel database. DATE_MODIFIED date Time stamp indicating when the feed file information was modified in the Sentinel database. CREATED_BY number ID of the user who entered the feed file information in the Sentinel database. MODIFIED_BY number ID of the user who modified the feed file information in the Sentinel database. Sentinel Database Views for Oracle 67 This view contains information about all the products that are supported by Novell for Advisor, which include the Intrusion Detection System (IDS), Vulnerablility Scanners, and Knowledge Base (OSVDB, CVE, and Bugtraq). 68 Column Name Datatype Comment PRODUCT_ID number The unique ID of the product. PRODUCT_NAME varchar2 (256 char) Name of the product. For example, Cisco Secure IDS, Enterasys Dragon Network Sensor, or McAfee IntruShield. INTERNAL_NAME varchar2 (256 char) Short name of the product that is used in generating the exploitdetection.csv file. This name is used by Collectors for exploit detection. For example, if the product name is Cisco Secure IDS, the internal name is Secure. IS_ATTACK number (1,0) This value is 1 if the product is IDS. Otherwise, this value is 0. IS_VULN number (1,0) This value is 1 if the product is Vulnerability Scanner. Otherwise, this value is 0. IS_KB number (1,0) This value is 1 if the product is Knowledge Base. Otherwise, this value is 0. IS_ACTIVE number (1,0) This value is 1 if the product is selected for exploit detection in the Advisor window of Sentinel Control Center. If the value is 0, attacks from this product are not populated in the exploitdetection.csv file. IS_POPULATE_ATTACK_NAME number (1, 0) This value is 1 by default. If the value is 0, the attack name is not populated in the exploitDetection.csv file. IS_POPULATE_ATTACK_CODE number (1, 0) This value is 1 by default. If the value is 0, the attack code is not populated in the exploitDetection.csv file. DATE_CREATED date Time stamp indicating when the product information was entered in the Sentinel database. DATE_MODIFIED date Time stamp indicating when the product information was modified in the Sentinel database. CREATED_BY number ID of the user who entered the product information in the Sentinel database. MODIFIED_BY number ID of the user who modified the product information in the Sentinel database. Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 7.1.6 ADV_NXS_PRODUCTS_V novdocx (en) 16 April 2010 7.1.7 ADV_NXS_SIGNATURES_V This view contains the information about the list of signatures for each product that is supported by Novell for Advisor. Column Name Datatype Comment PRODUCT_ID number The unique ID of the product. SIGNATURE_ID number The unique ID of the signature. SIGNATURE_NAME varchar2 (256 char) Name of the signature. PUBLISHED date Time stamp indicating when the signature was published for the product by the vendor. INSERTED date Time stamp indicating when the signature information was entered in the vendor database. UPDATED date Time stamp indicating when the signature information was updated in the vendor database. DATE_CREATED date Time stamp indicating when the signature information was entered in the Sentinel database. DATE_MODIFIED date Time stamp indicating when the signature information was modified in the Sentinel database. CREATED_BY number ID of the user who entered the signature information in the Sentinel database. MODIFIED_BY number ID of the user who modified the signature information in the Sentinel database. 7.1.8 ADV_NXS_MAPPINGS_V This view contains the mapping information for the products supported by Novell for Advisor. It provides information about the type of mapping between each product including the IDS product signatures, Vulnerability product signatures, and Knowledge Base product signatures. Column Name Datatype Comment SOURCE_PRODUCT_ID number The unique ID of the source product. SOURCE_SIGNATURE_ID number The unique ID of the source signature. TARGET_PRODUCT_ID number The unique ID of the target product. TARGET_SIGNATURE_ID number The unique ID of the target signature. MAPPING_DIRECT number (1, 0) This value is 1 if the mapping is direct. MAPPING_INDIRECT number (1, 0) This value is 1 if the mapping is indirect. Sentinel Database Views for Oracle 69 Datatype Comment MAPPING_NGRAM number (1, 0) This value is 1 if the mapping is n-gram. INSERTED date Time stamp indicating when the mapping information was entered in the vendor database. UPDATED date Time stamp indicating when the mapping was updated in the vendor database. IS_DELETED number (1, 0) This value is 1 if the mapping is marked as invalid. DELETED date Time stamp indicating when the mapping was marked as invalid. DATE_CREATED date Time stamp indicating when the mapping information was entered in the Sentinel database. DATE_MODIFIED date Time stamp indicating when the mapping information was modified in the Sentinel database. CREATED_BY number ID of the user who entered the mapping information in the Sentinel database. MODIFIED_BY number ID of the user who modified the mapping information in the Sentinel database. 7.1.9 ADV_OSVDB_DETAILS_V This view contains information about the known vulnerablities from the OSVDB for the products supported by Novell for Advisor. It also stores the classifications to which the vulnerability applies. 70 Column Name Datatype Comment OSVDB_ID number The unique ID of the vulnerability in the OSVDB. OSVDB_TITLE clob The normalized name of the vulnerability. DESCRIPTION clob A brief description of the vulnerability. URGENCY number Indicates the urgency of the vulnerability. The rating is 1- 10. The higher the number, the more urgent the vulnerability. SEVERITY number Indicates the severity of the vulnerability. The rating is 1- 10. The higher the number, the more urgent the vulnerability. ATTACK_TYPE_AUTH_MANAGE number (1, 0) This value is 1 if the attack type is authentication management. For example, brute force attack, default password, and cookie poisoning. Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment ATTACK_TYPE_CRYPT number (1, 0) This value is 1 if the attack type is cryptographic. For example, weak encryption (implementation or algorithm), no encryption (plaintext), and sniffing. ATTACK_TYPE_DOS number (1, 0) This value is 1 if the attack type is denial of service. For example, saturation flood, crash, lock up, and forced reboot. ATTACK_TYPE_HIJACK number (1, 0) This value is 1 if the attack type is hijack. For example, man-in-the-middle attacks, IP spoofing, session timeout or take-over, and session replay. ATTACK_TYPE_INFO_DISCLOSE number (1, 0) This value is 1 if the attack type is information disclosure. For example, comments, passwords, fingerprinting, and system information. ATTACK_TYPE_INFRASTRUCT number (1, 0) This value is 1 if the attack type is infrastructure. For example, DNS poisoning and route manipulation. ATTACK_TYPE_INPUT_MANIP number (1, 0) This value is 1 if the attack type is input manipulation. For example, XSS, SQL injection, file retrieval, directory traversal, overflows, and URL encoding. ATTACK_TYPE_MISS_CONFIG number (1, 0) This value is 1 if the attack type is misconfiguration. For example, default files, debugging enabled, and directory indexing. ATTACK_TYPE_RACE number (1, 0) This value is 1 if the attack type is race condition. For example, symlink. ATTACK_TYPE_OTHER number (1, 0) This value is 1 if the attack type does not fall under any of the above attack types. ATTACK_TYPE_UNKNOWN number (1, 0) This value is 1 if the attack type is unknown. IMPACT_CONFIDENTIAL number (1, 0) This value is 1 if the impact of the attack(s) is loss of confidential information. For example, passwords, server information, environment variables, confirmation of file existence, path disclosure, file content access, and SQL injection. IMPACT_INTEGRITY number (1, 0) This value is 1 if the impact of the attack(s) is loss of integrity, which results in data modifications by unauthorized persons. For example, unauthorized file modification, deletion, or creation, remote file inclusion, and arbitrary command execution. Sentinel Database Views for Oracle novdocx (en) 16 April 2010 Column Name 71 Datatype Comment IMPACT_AVAILABLE number (1, 0) This value is 1 if the impact of the attack is loss of availability of a service or information. IMPACT_UNKNOWN number (1, 0) This value is 1 if the impact of the attack is unknown. EXPLOIT_AVAILABLE number (1, 0) This value is 1 if an exploit is available for the vulnerability. EXPLOIT_UNAVAILABLE number (1, 0) This value is 1 if an exploit is not available for the vulnerability. EXPLOIT_RUMORED number (1, 0) This value is 1 if an exploit is rumored to exist for the vulnerability. EXPLOIT_UNKNOWN number (1, 0) This value is 1 if an exploit is unknown for the vulnerability. VULN_VERIFIED number (1, 0) This value is 1 if the existence of the vulnerability has been verified. VULN_MYTH_FAKE number (1, 0) This value is 1 if the vulnerability is a myth or a false alarm. VULN_BEST_PRAC number (1, 0) This value is 1 if the vulnerability is a result of not following the best practices in the configuration or usage of the vulnerable system or software. VULN_CONCERN number (1, 0) This value is 1 if the vulnerability requires additional concern for remediation. VULN_WEB_CHECK number (1, 0) This value is 1 if the vulnerability is a common problem in Web servers or Web applications. ATTACK_SCENARIO clob Description of how a vulnerability can be exploited. SOLUTION_DESCRIPTION clob Description of the solution that is used to fix the vulnerability. FULL_DESCRIPTION clob The complete description of the vulnerability. LOCATION_PHYSICAL number (1, 0) This value is 1 if the vulnerability can be exploited with only physical system access. LOCATION_LOCAL number (1, 0) This value is 1 if the vulnerability can be exploited on a local system. LOCATION_REMOTE number (1, 0) This value is 1 if the vulnerabilitycan be exploited on a remote system. LOCATION_DIALUP number (1, 0) This value is 1 if the vulnerability can be exploited using a dial-up connection. LOCATION_UNKNOWN number (1, 0) This value is 1 if the vulnerability is exploited in an unknown location. Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 72 Column Name Datatype Comment PUBLISHED date Time stamp indicating when the vulnerability was published in the OSVDB. INSERTED date Time stamp indicating when the vulnerability was inserted in the vendor database. UPDATED date Time stamp indicating when the vulnerability was updated in the vendor database. DATE_CREATED date Time stamp indicating when the vulnerability information was entered in the Sentinel database. DATE_MODIFIED date Time stamp indicating when the vulnerability information was modified in the Sentinel database. CREATED_BY number The ID of the user who entered the vulnerability information in the Sentinel database. MODIFIED_BY number The ID of the user who modified the vulnerability information in the Sentinel database. novdocx (en) 16 April 2010 Column Name 7.1.10 ADV_NXS_KB_PATCH_V This view contains information about the patches that are required to remove the vulnerabilities. Column Name Datatype Comment ID number The unique ID for the row. OSVDB_ID number The ID of the vulnerability in the OSVDB. TYPE_NAME varchar2 (128 char) The type of the patch used to remove the vulnerability. TYPE_ID number The unique ID of the patch. REF_VALUE clob The URL that has the patch information. DATE_CREATED date Time stamp indicating when the patch information was entered in the Sentinel database. DATE_MODIFIED date Time stamp indicating when the patch information was modified in the Sentinel database. CREATED_BY number The ID of the user who entered the patch information in the Sentinel database. MODIFIED_BY number The ID of the user who modified the patch information in the Sentinel database. Sentinel Database Views for Oracle 73 This view contains the information about the products that are affected by the vulnerability. Column Name Datatype Comment ID number The unique ID for the row. OSVDB_ID number The ID of the vulnerability in the OSVDB. VENDOR_NAME varchar2 (128 char) Name of the vendor of the product that is affected by the vulnerability. VERSION_NAME varchar2 (128 char) Version of the product that is affected by the vulnerability. BASE_NAME varchar2 (128 char) Name of the product that is affected by the vulnerability. TYPE_NAME varchar2 (128 char) Indicates whether the product is affected by the vulnerability or not. DATE_CREATED date Time stamp indicating when the product information was entered in the Sentinel database. DATE_MODIFIED date Time stamp indicating when the product information was modified in the Sentinel database. CREATED_BY number The ID of the user who entered the product information in the Sentinel database. MODIFIED_BY number The ID of the user who modified the product information in the Sentinel database. 7.1.12 ASSET_CATEGORY_RPT_V This iew references ASSET_CTGRY table that stores information about asset categories 74 Column Name Datatype Comment ASSET_CATEGORY_ID number(38) Asset category identifier ASSET_CATEGORY_NAME varchar2(100) Asset category name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 7.1.11 ADV_NXS_KB_PRODUCTSREF_V novdocx (en) 16 April 2010 7.1.13 ASSET_HOSTNAME_RPT_V This view references ASSET_HOSTNAME table that stores information about alternate host names for assets. Column Name Datatype Comment ASSET_HOSTNAME_ID varchar2(36) Asset alternate hostname identifier PHYSICAL_ASSET_ID varchar2(36) Physical asset identifier HOST_NAME varchar2(255) Host name CUST_ID number(38) Customer identifier DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.14 ASSET_IP_RPT_V This view references ASSET_IP table that stores information about alternate IP addresses for assets. Column Name Datatype Comment ASSET_IP_ID varchar2(36) Asset alternate IP identifier PHYSICAL_ASSET_ID varchar2(36) Physical asset identifier IP_ADDRESS number(38) Asset IP address CUST_ID number(38) Customer identifier DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.15 ASSET_LOCATION_RPT_V This view references ASSET_LOC table that stores information about asset locations. Column Name Datatype Comment LOCATION_ID number(38) Location identifier CUST_ID number(38) Customer identifier BUILDING_NAME varchar2(255) Building name ADDRESS_LINE_1 varchar2(255) Address line 1 Sentinel Database Views for Oracle 75 Datatype Comment ADDRESS_LINE_2 varchar2(255) Address line 2 CITY varchar2(100) City STATE varchar2(100) State COUNTRY varchar2(100) Country ZIP_CODE varchar2(50) Zip code DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.16 ASSET_RPT_V This view references ASSET table that stores information about the physical and soft assets. Column Name Datatype Comment ASSET_ID varchar2(36) Asset identifier CUST_ID number(38) Customer identifier ASSET_NAME varchar2(255) Asset name PHYSICAL_ASSET_ID varchar2(36) Physical asset identifier PRODUCT_ID number(38) Product identifier ASSET_CATEGORY_ID number(38) Asset category identifier ENVIRONMENT_IDENTITY_ID number(38) Environment identify code PHYSICAL_ASSET_IND number(1) Physical asset indicator ASSET_VALUE_ID number(38) Asset value code CRITICALITY_ID number(38) Asset criticality code SENSITIVITY_ID number(38) Asset sensitivity code DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.17 ASSET_VALUE_RPT_V This view references ASSET_VAL_LKUP table that stores information about the asset value. 76 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment ASSET_VALUE_ID number(38) Asset value code ASSET_VALUE_NAME varchar2(50) Asset value name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object novdocx (en) 16 April 2010 Column Name 7.1.18 ASSET_X_ENTITY_X_ROLE_RPT_V This view references ASSET_X_ENTITY_X_ROLE table that associates a person or an organization to an asset. Column Name Datatype Comment PERSON_ID varchar2(36) Person identifier ORGANIZATION_ID varchar2(36) Organization identifier ROLE_CODE varchar2(5) Role code ASSET_ID varchar2(36) Asset identifier ENTITY_TYPE_CODE varchar2(5) Entity type code PERSON_ROLE_SEQUENCE number(38) Order of persons under a particular role DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.19 ASSOCIATIONS_RPT_V This view references ASSOCIATIONS table that associates users to incidents, incidents to annotations and so on. Column Name Datatype Comment TABLE1 varchar2(64) Table name 1. For example, incidents ID1 varchar2(36) ID1. For example, incident ID. TABLE2 varchar2(64) Table name 2. For example, users. ID2 varchar2(36) ID2. For example, user ID. DATE_CREATED date Date the entry was created Sentinel Database Views for Oracle 77 Datatype Comment DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.20 ATTACHMENTS_RPT_V This view references ATTACHMENTS table that stores attachment data. Column Name Datatype Comment ATTACHMENT_ID number Attachment identifier NAME varchar2(255) Attachment name SOURCE_REFERENCE varchar2(64) Source reference TYPE varchar2(32) Attachment type SUB_TYPE varchar2(32) Attachment subtype FILE_EXTENSION varchar2(32) File extension ATTACHMENT_DESCRIPTION varchar2(255) Attachment description DATA clob Attachment data DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.21 AUDIT_RECORD_RPT_V This view references AUDIT_RECORD table that stores Sentinel internal audit data. 78 Column Name Datatype Comment AUDIT_ID varchar2(36) Audit record identifier AUDIT_TYPE varchar2(255) Audit type SRC varchar2(255) Audit source SENDER_HOSTNAME varchar2(255) Sender hostname SENDER_HOST_IP varchar2(255) Sender host IP SENDER_CONTAINER varchar2(255) Sender container name SENDER_ID varchar2(255) Sender Identifier CLIENT varchar2(255) Client application that requested audit Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment EVT_NAME varchar2(255) Event name RES varchar2(255) Event resource SRES varchar2(255) Event sub-resource MSG varchar2(500) Event message CREATED_BY number(0) User who created object MODIFIED_BY number(0) User who last modified object DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified novdocx (en) 16 April 2010 Column Name 7.1.22 CONFIGS_RPT_V This view references CONFIGS table that stores general configuration information of the application. Column Name Datatype Comment USR_ID varchar2(32) User name. APPLICATION varchar2(255) Application identifier UNIT varchar2(64) Application unit VALUE varchar2(255) Text value if any DATA clob XML data DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.23 CONTACTS_RPT_V This view references CONTACTS table that stores contact information. Column Name Datatype Comment CNT_ID number Contact ID - Sequence number FIRST_NAME varchar2(20) Contact first name. LAST_NAME varchar2(30) Contact last name. TITLE varchar2(128) Contact title DEPARTMENT varchar2(128) Department PHONE varchar2(64) Contact phone Sentinel Database Views for Oracle 79 Datatype Comment EMAIL varchar2(255) Contact e-mail PAGER varchar2(64) Contact pager CELL varchar2(64) Contact cell phone DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.24 CORRELATED_EVENTS_RPT_V (legacy view) This view is provided for backward compatibility. New reports should use CORRELATED_EVENTS_RPT_V1. 7.1.25 CORRELATED_EVENTS_RPT_V1 This vew contains current and historical correlated events (correlated events imported from archives). Column Name Datatype Comment PARENT_EVT_ID varchar2(36) Event Universal Unique Identifier (UUID) of parent event CHILD_EVT_ID varchar2(36) Event Universal Unique Identifier (UUID) of child event PARENT_EVT_TIME date Parent event time CHILD_EVT_TIME date Child event time DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.26 CRITICALITY_RPT_V This view references CRIT_LKUP table that contains information about asset criticality. 80 Column Name Datatype Comment CRITICALITY_ID number(38) Asset criticality code CRITICALITY_NAME varchar2(50) Asset criticality name DATE_CREATED date Date the entry was created Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object novdocx (en) 16 April 2010 Column Name 7.1.27 CUST_HIERARCHY_V This view references CUST_HIERARCHY table that stores information about MSSP customer hierarchy. Column Name Datatype Comment CUST_HIERARCHY_ID number(38) Customer hierarchy ID CUST_NAME varchar2(255) Customer CUST_HIERARCHY_LVL1 varchar2(255) Customer hierarchy level 1 CUST_HIERARCHY_LVL2 varchar2(255) Customer hierarchy level 2 CUST_HIERARCHY_LVL3 varchar2(255) Customer hierarchy level 3 CUST_HIERARCHY_LVL4 varchar2(255) Customer hierarchy level 4 DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.28 CUST_RPT_V This view references CUST table that stores customer information for MSSPs. Column Name Datatype Comment CUST_ID number(38) Customer identifier CUSTOMER_NAME varchar2(255) Customer name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.29 ENTITY_TYPE_RPT_V This view references ENTITY_TYP table that stores information about entity types (person, organization). Sentinel Database Views for Oracle 81 Datatype Comment ENTITY_TYPE_CODE varchar2(5) Entity type code ENTITY_TYPE_NAME varchar2(50) Entity type name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.30 ENV_IDENTITY_RPT_V This view references ENV_IDENTITY_LKUP table that stores information about asset environment identity. Column Name Datatype Comment ENVIRONMENT_IDENTITY_ID number(38) Environment identity code ENV_IDENTITY_NAME varchar2(255) Environment identity name DATE_CREATED Date Date the entry was created DATE_MODIFIED Date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.31 ESEC_CONTENT_GRP_CONTENT_RPT_V This view contains information about Solution Packs. 82 Column Name Datatype Comment CONTENT_GRP_ID varchar2(36) Content group identifier CONTENT_ID varchar2(255) Content identifier CONTENT_TYP varchar2(100) Content type CONTENT_HASH varchar2(255) Content hash DATE_CREATED Date Date the entry was created DATE_MODIFIED Date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name novdocx (en) 16 April 2010 7.1.32 ESEC_CONTENT_GRP_RPT_V This view contains information about Solution Packs. Column Name Datatype Comment CONTENT_GRP_ID varchar2(36) Content group identifier CONTENT_GRP_NAME varchar2(255) Content group name CONTENT_GRP_DESC Clob Content group description CTRL_ID varchar2(36) Control identifier CONTENT_EXTERNAL_ID varchar2(255) Content external identifier DATE_CREATED Date Date the entry was created DATE_MODIFIED Date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object 7.1.33 ESEC_CONTENT_PACK_RPT_V This view contains information about Solution Packs. Column Name Datatype Comment CONTENT_PACK_ID varchar2(36) Content pack identifier CONTENT_PACK_DESC Clob Content pack description CONTENT_PACK_NAME varchar2(255) Content pack name CONTENT_EXTERNAL_ID varchar2(255) Content external identifier DATE_MODIFIED Date Date the entry was modified DATE_CREATED Date Date the entry was created CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object 7.1.34 ESEC_CONTENT_RPT_V This view contains information about Solution Packs. Column Name Datatype Comment CONTENT_PACK_ID varchar2(36) Content pack identifier CONTENT_ID varchar2(255) Content identifier CONTENT_NAME varchar2(255) Content name CONTENT_STATE number(38,0) Content state Sentinel Database Views for Oracle 83 Datatype Comment CONTENT_TYP varchar2(100) Content type CONTENT_DESC Clob Content description CONTENT_CONTEXT Clob Content context CONTENT_HASH varchar2(255) Content hash DATE_CREATED Date Date the entry was created DATE_MODIFIED Date Date the entry was modified MODIFIED_BY number(38,0) User who last modified object CREATED_BY number(38,0) User who created object 7.1.35 ESEC_CTRL_CTGRY_RPT_V This view contains information about Solution Packs. Column Name Datatype Comment CTRL_CTGRY_ID varchar2(36) Control category identifier CTRL_CTGRY_DESC Clob Control category description CTRL_CTGRY_NAME varchar2(255) Control category name CONTENT_PACK_ID varchar2(36) Content pack identifier CONTENT_EXTERNAL_ID varchar2(255) Content external identifier DATE_CREATED Date Date the entry was created DATE_MODIFIED Date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object 7.1.36 ESEC_CTRL_RPT_V This view contains information about Solution Packs. 84 Column Name Datatype Comment CTRL_ID varchar2(36) Control identifier CTRL_NAME varchar2(255) Control name CTRL_DESC clob Control description CTRL_STATE number(38,0) Control state CTRL_NOTES clob Control notes CTRL_CTGRY_ID varchar2(36) Control category identifier Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment CONTENT_EXTERNAL_ID varchar2(255) Content external identifier DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object novdocx (en) 16 April 2010 Column Name 7.1.37 ESEC_DISPLAY_RPT_V This view references ESEC_DISPLAY table that stores displayable properties of objects. Currently used in renaming meta-tags. Used with Event Configuration (Business Relevance). Column Name Datatype Comment DISPLAY_OBJECT varchar2(32) The parent object of the property TAG varchar2(32) The native tag name of the property LABEL varchar2(32) The display string of tag. POSITION number Position of tag within display. WIDTH number The column width ALIGNMENT number The horizontal alignment FORMAT number The enumerated formatter for displaying the property ENABLED varchar2(1) Indicates if the tag is shown. TYPE number Indicates datatype of tag. 1 = string 2 = ulong 3 = date 4 = uuid 5 = ipv4 DESCRIPTION varchar2(255) Textual description of the tag DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object REF_CONFIG varchar2(4000) Referential data configuration Sentinel Database Views for Oracle 85 This view references ESEC_PORT_REFERENCE table that stores industry standard assigned port numbers. Column Name Datatype Comment PORT_NUMBER number Per http://www.iana.org/assignments/port-numbers (http://www.iana.org/assignments/port-numbers), the numerical representation of the port. This port number is typically associated with the Transport Protocol level in the TCP/IP stack. PROTOCOL_NUMBER number Per http://www.iana.org/assignments/protocolnumbers (http://www.iana.org/assignments/protocolnumbers), the numerical identifiers used to represent protocols that are encapsulated in an IP packet. PORT_KEYWORD varchar2(64) Per http://www.iana.org/assignments/port-numbers (http://www.iana.org/assignments/port-numbers), the keyword representation of the port. PORT_DESCRIPTION varchar2(512) Port description. DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.39 ESEC_PROTOCOL_REFERENCE_RPT_V This view references ESEC_PROTOCOL_REFERENCE table that stores industry standard assigned protocol numbers. 86 Column Name Datatype Comment PROTOCOL_NUMBER number Per http://www.iana.org/assignments/protocolnumbers (http://www.iana.org/assignments/ protocol-numbers), the numerical identifiers used to represent protocols that are encapsulated in an IP packet. PROTOCOL_KEYWORD varchar2(64) Per http://www.iana.org/assignments/protocolnumbers (http://www.iana.org/assignments/ protocol-numbers), the keyword used to represent protocols that are encapsulated in an IP packet. PROTOCOL_DESCRIPTION varchar2(512) IP packet protocol description. DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 7.1.38 ESEC_PORT_REFERENCE_RPT_V Datatype Comment MODIFIED_BY number User who last modified object novdocx (en) 16 April 2010 Column Name 7.1.40 ESEC_SEQUENCE_RPT_V This view references ESEC_SEQUENCE table that’s used to generate primary key sequence numbers for Sentinel tables. Column Name Datatype Comment TABLE_NAME varchar2(32) Name of the table. COLUMN_NAME varchar2(255) Name of the column SEED number Current value of primary key field. DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.41 ESEC_UUID_UUID_ASSOC_RPT_V This view contains information about object relationships. Used internally by Sentinel and not for reporting purposes. Column Name Datatype Comment OBJECT1 varchar2(64) Object 1 ID1 varchar2(36) UUID for object 1 OBJECT2 varchar2(64) Object 2 ID2 varchar2(36) UUID for object 2 DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object 7.1.42 EVENTS_ALL_RPT_V (legacy view) This view is provided for backward compatibility. View contains current and historical events (events imported from archives). Sentinel Database Views for Oracle 87 This view is provided for backward compatibility. New reports should use EVENTS_RPT_V2. View contains current events. 7.1.44 EVENTS_RPT_V (legacy view) This view is provided for backward compatibility. New reports should use EVENTS_RPT_V2. View contains current and historical events. 7.1.45 EVENTS_RPT_V1 (legacy view) This view is provided for backward compatibility. New reports should use EVENT_ALL_RPT_V. View contains current events. 7.1.46 EVENTS_RPT_V2 This is the primary reporting view for Sentinel 6.0. This view contains current event and historical events. It is included for legacy reports but has been replaced in Sentinel 6.1 with EVENTS_RPT_V3. 88 Column Name Datatype Comment EVENT_ID varchar2(36) Event identifier RESOURCE_NAME varchar2(255) Resource name SUB_RESOURCE varchar2(255) Subresource name SEVERITY integer Event severity EVENT_PARSE_TIME date Event time EVENT_DATETIME date Event time EVENT_DEVICE_TIME date Event device time SENTINEL_PROCESS_TIME date Sentinel process time BEGIN_TIME date Events begin time END_TIME date Events end time REPEAT_COUNT integer Events repeat count DESTINATION_PORT_INT integer Destination port (integer) SOURCE_PORT_INT integer Source port (integer) BASE_MESSAGE varchar2(4000) Base message EVENT_NAME varchar2(255) Name of the event as reported by the sensor EVENT_TIME varchar2(255) Event time as reported by the sensor CUST_ID integer Customer identifier SOURCE_ASSET_ID integer Source asset identifier Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 7.1.43 EVENTS_ALL_RPT_V1 (legacy view) Datatype Comment DESTINATION_ASSET_ID integer Destination asset identifier AGENT_ID integer Collector identifier PROTOCOL_ID integer Protocol identifier ARCHIVE_ID integer Archive identifier SOURCE_IP integer Source IP address in numeric format SOURCE_IP_DOTTED varchar2(16) Source IP in dotted format SOURCE_HOST_NAME varchar2(255) Source host name SOURCE_PORT varchar2(32) Source port DESTINATION_IP integer Destination IP address in numeric format DESTINATION_IP_DOTTED varchar2(16) Destination in dotted format DESTINATION_HOST_NAME varchar2(255) Destination host name DESTINATION_PORT varchar2(32) Destination port SOURCE_USER_NAME varchar2(255) Source user name DESTINATION_USER_NAME varchar2(255) Destination user name FILE_NAME varchar2(1000) File name EXTENDED_INFO varchar2(1000) Extended information CUSTOM_TAG_1 varchar2(255) Customer Tag 1 CUSTOM_TAG 2 varchar2(255) Customer Tag 2 CUSTOM_TAG 3 integer Customer Tag 3 RESERVED_TAG_1 varchar2(255) Reserved Tag 1 novdocx (en) 16 April 2010 Column Name Reserved for future use by Novell. This field is used for Advisor information concerning attack descriptions. RESERVED_TAG_2 varchar2(255) Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality. RESERVED_TAG_3 integer Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality. VULNERABILITY_RATING integer Vulnerability rating CRITICALITY_RATING integer Criticality rating DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY integer User who created object Sentinel Database Views for Oracle 89 Datatype Comment MODIFIED_BY integer User who last modified object RV01 - 10 integer Reserved Value 1 - 10 Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality. RV11 - 20 date Reserved Value 1 - 31 Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality. RV21 - 25 varchar2(36) Reserved Value 21 - 25 Reserved for future use by Novell to store UUIDs. Use of this field for any other purpose might result in data being overwritten by future functionality. RV26 - 31 varchar2(255) Reserved Value 26 - 31 Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality. RV33 varchar2(255) Reserved Value 33 Reserved for EventContex Use of this field for any other purpose might result in data being overwritten by future functionality. RV34 varchar2(255) Reserved Value 34 Reserved for SourceThreatLevel Use of this field for any other purpose might result in data being overwritten by future functionality. RV35 varchar2(255) Reserved Value 35 Reserved for SourceUserContext. Use of this field for any other purpose might result in data being overwritten by future functionality. RV36 varchar2(255) Reserved Value 36 Reserved for DataContext. Use of this field for any other purpose might result in data being overwritten by future functionality. 90 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment RV37 varchar2(255) Reserved Value 37 novdocx (en) 16 April 2010 Column Name Reserved for SourceFunction. Use of this field for any other purpose might result in data being overwritten by future functionality. RV38 varchar2(255) Reserved Value 38 Reserved for SourceOperationalContext. Use of this field for any other purpose might result in data being overwritten by future functionality. RV40 - 43 varchar2(255) Reserved Value 40 - 43 Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality. RV44 varchar2(255) Reserved Value 44 Reserved for DestinationThreatLevel. Use of this field for any other purpose might result in data being overwritten by future functionality. RV45 varchar2(255) Reserved Value 45 Reserved for DestinationUserContext. Use of this field for any other purpose might result in data being overwritten by future functionality. RV46 varchar2(255) Reserved Value 46 Reserved for VirusStatus. Use of this field for any other purpose might result in data being overwritten by future functionality. RV47 varchar2(255) Reserved Value 47 Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality. Sentinel Database Views for Oracle 91 Datatype Comment RV48 varchar2(255) Reserved Value 48 Reserved for DestinationOperationalContext. Use of this field for any other purpose might result in data being overwritten by future functionality. RV49 varchar2(255) Reserved Value 49 Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality. TAXONOMY_ID integer REFERENCE_ID_01 - 20 integer Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality. CV01 - 10 integer Custom Value 1 - 10 Reserved for use by Customer, typically for association of Business relevant data CV11 - 20 date Custom Value 11 - 20 Reserved for use by Customer, typically for association of Business relevant data CV21 - 29 varchar2(255) Custom Value 21 – 100 Reserved for use by Customer, typically for association of Business relevant data CV30 - 34 varchar2(4000) CV35 – 100 varchar2(255) 7.1.47 EVENTS_RPT_V3 This is the primary reporting view for Sentinel 6.1. This view contains current event and historical events. It is included for legacy reports. 92 Column Name Datatype Comment EVENT_ID varchar2(36) Event identifier RESOURCE_NAME varchar2(255) SUB_RESOURCE varchar2(255) Subresource name SEVERITY number(38,0) Event severity EVENT_PARSE_TIME date Event time Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype EVENT_DATETIME date EVENT_DEVICE_TIME date Event device time SENTINEL_PROCESS_TIME date Sentinel process time BEGIN_TIME date Events begin time END_TIME date Events end time REPEAT_COUNT number(38,0) TARGET_SERVICE_PORT number(38,0) INIT_SERVICE_PORT number(38,0) BASE_MESSAGE varchar2(4000) EVENT_NAME varchar2(255) EVENT_TIME varchar2(255) CUST_ID number(38,0) INIT_ASSET_ID number(38,0) Initiator asset identifier TARGET_ASSET_ID number(38,0) Target asset identifier AGENT_ID number(38,0) PROTOCOL_ID number(38,0) ARCHIVE_ID number(38,0) INIT_IP number(38,0) INIT_IP_DOTTED varchar2(4000) INIT_HOST_NAME varchar2(255) INIT_SERVICE_PORT_NAME varchar2(32) TARGET_IP number(38,0) TARGET_IP_DOTTED varchar2(4000) TARGET_HOST_NAME varchar2(255) TARGET_SERVICE_PORT_NAME varchar2(32) INIT_USER_NAME varchar2(255) TARGET_USER_NAME varchar2(255) FILE_NAME varchar2(1000) EXTENDED_INFO varchar2(1000) CUSTOM_TAG_1 varchar2(255) Customer Tag 1 CUSTOM_TAG_2 varchar2(255) Customer Tag 2 CUSTOM_TAG_3 number(38,0) Customer Tag 3 novdocx (en) 16 April 2010 Column Name Comment Target service port Event time The initiating user's account name (SourceUsername). Sentinel Database Views for Oracle 93 Datatype RESERVED_TAG_1 varchar2(255) RESERVED_TAG_2 varchar2(255) RESERVED_TAG_3 number(38,0) VULNERABILITY_RATING number(38,0) CRITICALITY_RATING number(38,0) DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object RV01 number(38,0) EVENT_METRIC number(38,0) Event metric DATA_TAG_ID number(38,0) Data tag ID RV04-RV10 number(38,0) RV11-RV20 date RV21- RV28 varchar2(255) INIT_IP_COUNTRY varchar2(255) TARGET_IP_COUNTRY varchar2(255) RV31 varchar2(255) RV33 varchar2(255) INIT_THREAT_LEVEL varchar2(255) Initiator threat level INIT_USER_DOMAIN varchar2(255) The domain (namespace) in which the initiating account exists. RV36 varchar2(255) INIT_FUNCTION varchar2(255) Initiator function INIT_OPERATIONAL_CONTEXT varchar2(255) Initiator operational context RV40 varchar2(255) TARGET_HOST_DOMAIN varchar2(255) INIT_HOST_DOMAIN varchar2(255) RV43 varchar2(255) TARGET_THREAT_LEVEL varchar2(255) Target threat level TARGET_USER_DOMAIN varchar2(255) Target user domain RV46 varchar2(255) TARGET_FUNCTION varchar2(255) Sentinel 6.1 Reference Guide Comment Target host domain Target function novdocx (en) 16 April 2010 94 Column Name Datatype Comment TARGET_OPERATIONAL_CONEXT varchar2(255) Target operational context RV49 varchar2(255) TAXONOMY_ID number(38,0) REFERENCE_ID_01REFERENCE_ID_20 number(38,0) CV01-CV10 number(38,0) CV11-CV20 date CV21- CV29 varchar2(255) CV30- CV34 varchar2(4000) CV35- CV100 varchar2(255) INIT_USER_ID varchar2(255) The initiating account's source-specific identifier as determined by the Collector based on raw device data. INIT_USER_IDENTITY varchar2(36) The internal UUID of the identity associated with the initiating account. TARGET_USER_ID varchar2(255) Target user ID TARGET_USER_IDENTITY varchar2(36) Target user identity EFFECTIVE_USER_NAME varchar2(255) Effective user name EFFECTIVE_USER_ID varchar2(255) Effective user ID EFFECTIVE_USER_DOMAIN varchar2(255) Effective user domain TARGET_TRUST_NAME varchar2(255) Target trust name TARGET_TRUST_ID varchar2(255) Target trust ID TARGET_TRUST_DOMAIN varchar2(255) Target trust domain OBSERVER_IP number(38,0) Observer IP address in numeric format REPORTER_IP number(38,0) Reporter IP address in numeric format OBSERVER_HOST_DOMAIN varchar2(255) Observer host domain REPORTER_HOST_DOMAIN varchar2(255) Reporter host domain OBSERVER_ASSET_ID varchar2(255) Observer asset identifier REPORTER_ASSET_ID varchar2(255) Reporter asset identifier INIT_SERVICE_COMP varchar2(255) Initiator service component TARGET_SERVICE_COMP varchar2(255) Target service component EVENT_GROUP_ID varchar2(255) CUSTOMER_VAR_101CUSTOMER_VAR_110 number(38,0) novdocx (en) 16 April 2010 Column Name Taxonomy identifier Sentinel Database Views for Oracle 95 Datatype CUSTOMER_VAR_111CUSTOMER_VAR_120 date CUSTOMER_VAR_121CUSTOMER_VAR_130 varchar2(36) CUSTOMER_VAR_131CUSTOMER_VAR_140 number(38,0) CUSTOMER_VAR_141CUSTOMER_VAR_150 varchar2(255) Comment 7.1.48 EVT_AGENT_RPT_V View references EVT_AGENT table that stores information about Collectors. Column Name Datatype Comment AGENT_ID number(38) Collector identifier CUST_ID number(38) AGENT varchar2(64) Collector name PORT varchar2(64) Collector port REPORT_NAME varchar2(255) Reporter name PRODUCT_NAME varchar2(255) Product name SENSOR_NAME varchar2(255) Sensor name SENSOR_TYPE varchar2(5) Sensor type: H - host-based N - network-based V - virus O – other 96 DEVICE_CATEGORY varchar2(255) Device category SOURCE_UUID varchar2(36) Source component Universal Unique Identifier (UUID) DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name novdocx (en) 16 April 2010 7.1.49 EVT_AGENT_RPT_V3 View references EVT_AGENT table that stores information about Collectors. The column names in this view reflects the name change of Sensor to Observer. This view is designed for use in Sentinel 6.1. Column Name Datatype Comment AGENT_ID number(38,0) Collector identifier CUST_ID number(38,0) Customer identifier AGENT varchar2(64) Collector PORT varchar2(64) Port REPORTER_HOST_NAME varchar2(255) Reporter host name PRODUCT_NAME varchar2(255) OBSERVER_HOST_NAME varchar2(255) SENSOR_TYPE varchar2(5) Sensor type: H - host-based N - network-based V - virus O - other DEVICE_CATEGORY varchar2(255) Device category SOURCE_UUID varchar2(36) Source component Universal Unique Identifier (UUID) DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object 7.1.50 EVT_ASSET_RPT_V View references EVT_ASSET table that stores asset information. Column Name Datatype Comment EVENT_ASSET_ID number(38) Event asset identifier CUST_ID number(38) Customer identifier ASSET_NAME varchar2(255) Asset name PHYSICAL_ASSET_NAME varchar2(255) Physical asset name REFERENCE_ASSET_ID varchar2(100) Reference asset identifier, links to source asset management system. Sentinel Database Views for Oracle 97 Datatype Comment MAC_ADDRESS varchar2(100) MAC address RACK_NUMBER varchar2(50) Rack number ROOM_NAME varchar2(100) Room name BUILDING_NAME varchar2(255) Building name CITY varchar2(100) City STATE varchar2(100) State COUNTRY varchar2(100) Country ZIP_CODE varchar2(50) Zip code ASSET_CATEGORY_NAME varchar2(100) Asset category name NETWORK_IDENTITY_NAME varchar2(255) Asset network identity name ENVIRONMENT_IDENTITY_NAME varchar2(255) Environment name ASSET_VALUE_NAME varchar2(50) Asset value name CRITICALITY_NAME varchar2(50) Asset criticality name SENSITIVITY_NAME varchar2(50) Asset sensitivity name CONTACT_NAME_1 varchar2(255) Name of contact person/organization 1 CONTACT_NAME_2 varchar2(255) Name of contact person/organization 2 ORGANIZATION_NAME_1 varchar2(100) Asset owner organization level 1 ORGANIZATION_NAME_2 varchar2(100) Asset owner organization level 2 ORGANIZATION_NAME_3 varchar2(100) Asset owner organization level 3 ORGANIZATION_NAME_4 varchar2(100) Asset owner organization level 4 DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.51 EVT_ASSET_RPT_V3 View references EVT_ASSET table that stores asset information. This view is designed for Sentinel 6.1. 98 Column Name Datatype ASSET_CRITICALITY varchar2(50) ASSET_CLASS varchar2(100) ASSET_FUNCTION varchar2(255) Sentinel 6.1 Reference Guide Comment novdocx (en) 16 April 2010 Column Name Datatype Comment ASSET_DEPARTMENT varchar2(100) Asset department DATE_CREATED Date Date the entry was created DATE_MODIFIED Date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object novdocx (en) 16 April 2010 Column Name 7.1.52 EVT_DEST_EVT_NAME_SMRY_1_RPT_V View summarizes event count by destination, taxonomy, event name, severity and event time. Column Name Datatype Comment DESTINATION_IP number(38) Destination IP address DESTINATION_EVENT_ASSET_ID number(38) Event asset identifier TAXONOMY_ID number(38) Taxonomy identifier EVENT_NAME_ID number(38) Event name identifier SEVERITY number(38) Event severity CUST_ID number(38) Customer identifier EVENT_TIME date Event time EVENT_COUNT number(38) Event count DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object DESTINATION_HOST_NAME varchar2(255) 7.1.53 EVT_DEST_SMRY_1_RPT_V View contains event destination summary information. Column Name Datatype Comment DESTINATION_IP number(38) Destination IP address DESTINATION_EVENT_ASSET_ID number(38) Event asset identifier DESTINATION_PORT varchar2(32) Destination port DESTINATION_USER_ID number(38) Destination user identifier TAXONOMY_ID number(38) Taxonomy identifier Sentinel Database Views for Oracle 99 Datatype Comment EVENT_NAME_ID number(38) Event name identifier RESOURCE_ID number(38) Resource identifier AGENT_ID number(38) Collector identifier PROTOCOL_ID number(38) Protocol identifier SEVERITY number(38) Event severity CUST_ID number(38) Customer identifier EVENT_TIME date Event time EVENT_COUNT number(38) Event count DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object DESTINATION_HOST_NAME varchar2(255) 7.1.54 EVT_DEST_TXNMY_SMRY_1_RPT_V View summarizes event count by destination, taxonomy, severity and event time. Column Name Datatype Comment DESTINATION_IP number(38) Destination IP address DESTINATION_EVENT_ASSET_ID number(38) Event asset identifier TAXONOMY_ID number(38) Taxonomy identifier SEVERITY number(38) Event severity CUST_ID number(38) Customer identifier EVENT_TIME date Event time EVENT_COUNT number(38) Event count DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object DESTINATION_HOST_NAME varchar2(255) 7.1.55 EVT_NAME_RPT_V View references EVT_NAME table that stores event name information. 100 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment EVENT_NAME_ID number(38) Event name identifier EVENT_NAME varchar2(255) Event name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.56 EVT_PORT_SMRY_1_RPT_V View summarizes event count by destination port, severity and event time. Column Name Datatype Comment DESTINATION_PORT varchar2(32) Destination port SEVERITY number(38) Event severity CUST_ID number(38) Customer identifier EVENT_TIME date Event time EVENT_COUNT number(38) Event count DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.57 EVT_PRTCL_RPT_V View references EVT_PRTCL table that stores event protocol information. Column Name Datatype Comment PROTOCOL_ID number(38) Protocol identifier PROTOCOL_NAME varchar2(255) Protocol name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object Sentinel Database Views for Oracle 101 novdocx (en) 16 April 2010 Column Name View references EVT_PRTCL table that stores event protocol information. Column Name Datatype Comment PROTOCOL_ID number(38,0) Protocol identifier PROTOCOL varchar2(255) Protocol name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object 7.1.59 EVT_RSRC_RPT_V View references EVT_RSRC table that stores event resource information. Column Name Datatype Comment RESOURCE_ID number(38) Resource identifier CUST_ID number(38) Customer Identifier RESOURCE_NAME varchar2(255) Resource name SUB_RESOURCE_NAME varchar2(255) Subresource name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.60 EVT_SEV_SMRY_1_RPT_V View summarizes event count by severity and event time. Column Name Datatype Comment SEVERITY number(38) Event severity CUST_ID number(38) Customer identifier EVENT_TIME date Event time EVENT_COUNT number(38) Event count DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object 102 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 7.1.58 EVT_PRTCL_RPT_V3 Datatype Comment MODIFIED_BY number(38) User who last modified object 7.1.61 EVT_SRC_COLLECTOR_RPT_V View contains information about the Event Source Management configuration. Column Name Datatype Comment EVT_SRC_COLLECTOR_ID varchar2(36) Event source collector identifier SENTINEL_PLUGIN_ID varchar2(36) Sentinel plug-in identifier EVT_SRC_MGR_ID varchar2(36) Event source manager identifier EVT_SRC_COLLECTOR_NAME varchar2(255) Event source collector name STATE_IND number(1,0) State indicator EVT_SRC_COLLECTOR_PROPS clob Event source collector prop MAP_FILTER clob Map filter CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified 7.1.62 EVT_SRC_GRP_RPT_V View contains information about the Event Source Management configuration. Column Name Datatype Comment EVT_SRC_GRP_ID varchar2(36) Event source group identifier EVT_SRC_COLLECTOR_ID varchar2(36) Event source collector identifier SENTINEL_PLUGIN_ID varchar2(36) Sentinel plug-in identifier EVT_SRC_SRVR_ID varchar2(36) Event source server identifier EVT_SRC_GRP_NAME varchar2(255) Event source group name STATE_IND number(1,0) State indicator EVT_SRC_DEFAULT_CONFIG clob Event source default configuration MAP_FILTER clob Map filter CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object DATE_CREATED date Date the entry was created Sentinel Database Views for Oracle 103 novdocx (en) 16 April 2010 Column Name Datatype Comment DATE_MODIFIED date Date the entry was modified 7.1.63 EVT_SRC_MGR_RPT_V View contains information about the Event Source Management configuration. Column Name Datatype Comment EVT_SRC_MGR_ID varchar2(36) Event source manager identifier SENTINEL_ID varchar2(36) Sentinel identifier EVT_SRC_MGR_NAME varchar2(255) Event source manager name SENTINEL_HOST_ID varchar2(36) Sentinel host identifier STATE_IND number(1,0) State indicator EVT_SRC_MGR_CONFIG clob Event source manager configuration CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified 7.1.64 EVT_SRC_OFFSET_RPT_V View contains information about the Event Source Management configuration. Column Name Datatype Comment EVT_SRC_ID varchar2(36) Event source identifier OFFSET_VAL clob Offset value OFFSET_TIMESTAMP date Offset timestamp CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified 7.1.65 EVT_SRC_RPT_V View contains information about the Event Source Management configuration. Column Name Datatype Comment EVT_SRC_ID varchar2(36) Event source identifier 104 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment EVT_SRC_NAME varchar2(255) Event source name EVT_SRC_GRP_ID varchar2(36) Event source group identifier STATE_IND number(1,0) State indicator MAP_FILTER clob Map filter EVT_SRC_CONFIG clob Event source configuration CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified 7.1.66 EVT_SRC_SMRY_1_RPT_V View contains event source and destination summary information. Column Name Datatype Comment SOURCE_IP number(38) Source IP address SOURCE_EVENT_ASSET_ID number(38) Source event asset identifier SOURCE_PORT varchar2(32) Source port SOURCE_USER_ID number(38) Source user identifier TAXONOMY_ID number(38) Taxonomy identifier EVENT_NAME_ID number(38) Event name identifier RESOURCE_ID number(38) Resource identifier AGENT_ID number(38) Collector identifier PROTOCOL_ID number(38) Protocol identifier SEVERITY number(38) Event severity CUST_ID number(38) Customer identifier EVENT_TIME date Event time EVENT_COUNT number(38) Event count DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object SOURCE_HOST_NAME varchar2(255) Sentinel Database Views for Oracle 105 novdocx (en) 16 April 2010 Column Name View contains information about the Event Source Management configuration. Column Name Datatype Comment EVT_SRC_SRVR_ID varchar2(36) Event source server identifier EVT_SRC_SRVR_NAME varchar2(255) Event source server name EVT_SRC_MGR_ID varchar2(36) Event source manager identifier SENTINEL_PLUGIN_ID varchar2(36) Sentinel plug-in identifier STATE_IND number(1,0) State indicator EVT_SRC_SRVR_CONFIG clob Event source server configuration CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified 7.1.68 EVT_TXNMY_RPT_V View references EVT_TXNMY table that stores event taxonomy information. Column Name Datatype Comment TAXONOMY_ID number(38) Taxonomy identifier TAXONOMY_LEVEL_1 varchar2(100) Taxonomy level 1 TAXONOMY_LEVEL_2 varchar2(100) Taxonomy level 2 TAXONOMY_LEVEL_3 varchar2(100) Taxonomy level 3 TAXONOMY_LEVEL_4 varchar2(100) Taxonomy level 4 DEVICE_CATEGORY varchar2(255) DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.69 EVT_USR_RPT_V View references EVT_USR table that stores event user information. Column Name Datatype Comment USER_ID number(38) User identifier 106 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 7.1.67 EVT_SRC_SRVR_RPT_V Datatype Comment USER_NAME varchar2(255) User name USER_DOMAIN varchar2(255) CUST_ID number(38) Customer identifier DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.70 EVT_XDAS_TXNMY_RPT_V Column Name Datatype Comment EVENT_TAXONOMY varchar2(255) Event taxonomy name EVENT_OUTCOME varchar2(255) Event outcome name XDAS_REGISTRY number(38,0) XDAS registry XDAS_PROVIDER number(38,0) XDAS provider XDAS_CLASS number(38,0) XDAS class XDAS_IDENTIFIER number(38,0) XDAS identifier XDAS_OUTCOME number(38,0) XDAS outcome XDAS_DETAIL number(38,0) XDAS detail XDAS_TAXONOMY_ID number(38,0) XDAS taxonomy identifier DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object 7.1.71 EXTERNAL_DATA_RPT_V View references EXTERNAL_DATA table that stores external data. Column Name Datatype Comment EXTERNAL_DATA_ID number External data identifier SOURCE_NAME varchar2(50) Source name SOURCE_DATA_ID varchar2(255) Source data identifier EXTERNAL_DATA clob External data Sentinel Database Views for Oracle 107 novdocx (en) 16 April 2010 Column Name Datatype Comment EXTERNAL_DATA_TYPE varchar2(10) External data type DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.72 HIST_CORRELATED_EVENTS_RPT_V (legacy view) This view is provided for backward compatibility. New report should use CORRELATED_EVENTS_RPT_V1 instead. 7.1.73 HIST_EVENTS_RPT_V (legacy view) This view is provided for backward compatibility. Sentinel 6.0 reports should use EVENTS_RPT_V2 instead. Sentinel 6.1 reports should use EVENTS_RPT_V3 instead. 7.1.74 IMAGES_RPT_V View references IMAGES table that stores system overview image information. Column Name Datatype Comment NAME varchar2(128) Image name TYPE varchar2(64) Image type DATA clob Image data DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.75 INCIDENTS_ASSETS_RPT_V View references INCIDENTS_ASSETS table that stores information about the assets that makeup incidents created in the Sentinel Console. Column Name Datatype Comment INC_ID number Incident identifier – sequence number ASSET_ID varchar2(36) Asset Universal Unique Identifier (UUID) DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified 108 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.76 INCIDENTS_EVENTS_RPT_V View references INCIDENTS_EVENTS table that stores information about the events that makeup incidents created in the Sentinel Console. Column Name Datatype Comment INC_ID number Incident identifier – sequence number EVT_ID varchar2(36) Event Universal Unique Identifier (UUID) EVT_TIME date Event time DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.77 INCIDENTS_RPT_V View references INCIDENTS table that stores information describing the details of incidents created in the Sentinel Console. Column Name Datatype Comment INC_ID number Incident identifier – sequence number NAME varchar2(255) Incident name SEVERITY number Incident severity STT_ID number Incident State ID SEVERITY_RATING varchar2(32) Average of all the event severities that comprise an incident. VULNERABILITY_RATING varchar2(32) Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality. CRITICALITY_RATING varchar2(32) Reserved for future use by Novell. Use of this field for any other purpose might result in data being overwritten by future functionality. DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object Sentinel Database Views for Oracle 109 novdocx (en) 16 April 2010 Column Name Datatype Comment MODIFIED_BY number User who last modified object INC_DESC varchar2(4000) Incident description INC_CAT varchar2(255) Incident category INC_PRIORITY number Incident priority INC_RES varchar2(4000) Incident resolution 7.1.78 INCIDENTS_VULN_RPT_V View references INCIDENTS_VULN table that stores information about the vulnerabilities that makeup incidents created in the Sentinel Console. Column Name Datatype Comment INC_ID number Incident identifier – sequence number VULN_ID varchar2(36) Vulnerability Universal Unique Identifier (UUID) DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.79 L_STAT_RPT_V View references L_STAT table that stores statistical information. Column Name Datatype Comment RES_NAME varchar2(32) Resource name STATS_NAME varchar2(32) Statistic name STATS_VALUE varchar2(32) Value of the statistic OPEN_TOT_SECS number(38) Number of seconds since 1970. 7.1.80 LOGS_RPT_V View references LOGS_RPT table that stores logging information. 11 0 Column Name Datatype Comment LOG_ID number Sequence number TIME date Date of Log MODULE varchar2(64) Module log is for Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment TEXT varchar2(4000) Log text novdocx (en) 16 April 2010 Column Name 7.1.81 MSSP_ASSOCIATIONS_V View references MSSP_ASSOCIATIONS table that associates an number key in one table to a UUID in another table. Column Name Datatype Comment TABLE1 varchar2(64) Table name 1 ID1 number(38) ID1 TABLE2 varchar2(64) Table name 2 ID2 varchar2(36) ID2 DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.82 NETWORK_IDENTITY_RPT_V View references NETWORK_IDENTITY_LKUP table that stores asset network identity information. Column Name Datatype Comment NETWORK_IDENTITY_ID number(38) Network identity code NETWORK_IDENTITY_NAME varchar2(255) Network identify name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.83 ORGANIZATION_RPT_V View references ORGANIZATION table that stores organization (asset) information. Column Name Datatype Comment ORGANIZATION_ID varchar2(36) Organization identifier ORGANIZATION_NAME varchar2(100) Organization name Sentinel Database Views for Oracle 111 Datatype Comment CUST_ID number(38) Customer identifier DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.84 PERSON_RPT_V View references PERSION table that stores personal (asset) information. Column Name Datatype Comment PERSON_ID varchar2(36) Person identifier FIRST_NAME varchar2(255) First name LAST_NAME varchar2(255) Last name CUST_ID number(38) Customer identifier PHONE_NUMBER varchar2(50) Phone number EMAIL_ADDRESS varchar2(255) E-mail address DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.85 PHYSICAL_ASSET_RPT_V View references PHYSICAL_ASSET table that stores physical asset information. Column Name Datatype Comment PHYSICAL_ASSET_ID varchar2(36) Physical asset identifier CUST_ID number(38) Customer identifier HOST_NAME varchar2(255) Host name IP_ADDRESS number(38) IP address LOCATION_ID number(38) Location identifier NETWORK_IDENTITY_ID number(38) Network identity code MAC_ADDRESS varchar2(100) MAC address RACK_NUMBER varchar2(50) Rack number 112 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment ROOM_NAME varchar2(100) Room name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object novdocx (en) 16 April 2010 Column Name 7.1.86 PRODUCT_RPT_V View references PRDT table that stores asset product information. Column Name Datatype Comment PRODUCT_ID number(38) Product identifier PRODUCT_NAME varchar2(255) Product name PRODUCT_VERSION varchar2(100) Product version VENDOR_ID number(38) Vendor identifier DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.87 ROLE_RPT_V View references ROLE_LKUP table that stores user role (asset) information. Column Name Datatype Comment ROLE_CODE varchar2(5) Role code ROLE_NAME varchar2(255) Role name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.88 RPT_LABELS_RPT_V View contains report label translations. Sentinel Database Views for Oracle 113 Datatype Comment RPT_NAME varchar2(100) Report name LABEL_1 - 35 varchar2(2000) Translated report labels 7.1.89 SENSITIVITY_RPT_V View references SENSITIVITY_LKUP table that stores asset sensitivity information. Column Name Datatype Comment SENSITIVITY_ID number(38) Asset sensitivity code SENSITIVITY_NAME varchar2(50) Asset sensitivity name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.90 SENTINEL_HOST_RPT_V View contains data used internally by Sentinel. Column Name Datatype Comment SENTINEL_HOST_ID varchar2(36) Sentinel host identifier SENTINEL_ID varchar2(36) Sentinel identifier SENTINEL_HOST_NAME varchar2(255) Sentinel host name HOST_NAME varchar2(255) Host name IP_ADDR varchar2(255) Host IP address HOST_OS varchar2(255) Host operating system HOST_OS_VERSION varchar2(255) Host operating system version MODIFIED_BY number(38,0) User who last modified object CREATED_BY number(38,0) User who created object DATE_CREATED Date Date the entry was created DATE_MODIFIED Date Date the entry was modified 7.1.91 SENTINEL_PLUGIN_RPT_V View contains data used internally by Sentinel. 114 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment SENTINEL_HOST_ID varchar2(36) Sentinel host identifier SENTINEL_ID varchar2(36) Sentinel identifier SENTINEL_HOST_NAME varchar2(255) Sentinel host name HOST_NAME varchar2(255) Host name IP_ADDR varchar2(255) Host IP address HOST_OS varchar2(255) Host operating system HOST_OS_VERSION varchar2(255) Host operating system version MODIFIED_BY number(38,0) User who last modified object CREATED_BY number(38,0) User who created object DATE_CREATED Date Date the entry was created DATE_MODIFIED Date Date the entry was modified novdocx (en) 16 April 2010 Column Name 7.1.92 SENTINEL_RPT_V View contains data used internally by Sentinel. Column Name Datatype Comment SENTINEL_ID varchar2(36) Sentinel identifier SENTINEL_NAME varchar2(255) Sentinel name ONLINE_IND number(1,0) Online indicator STATE_IND number(1,0) State indicator SENTINEL_CONFIG clob Sentinel configuration CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified 7.1.93 STATES_RPT_V View references STATES table that stores definitions of states defined by applications or context. Column Name Datatype Comment STT_ID number(38) State ID – sequence number CONTEXT varchar2(64) Context of the state. That is case, incident, user. NAME varchar2(64) Name of the state. Sentinel Database Views for Oracle 115 Datatype Comment TERMINAL_FLAG varchar2(1) Indicates if state of incident is resolved. DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified MODIFIED_BY number User who last modified object CREATED_BY number User who created object 7.1.94 UNASSIGNED_INCIDENTS_RPT_V View references CASES and INCIDENTS tables to report on unassigned cases. Name Datatype Comment INC_ID number NAME varchar2(255) SEVERITY number STT_ID number SEVERITY_RATING varchar2(32) VULNERABILITY_RATING varchar2(32) CRITICALITY_RATING varchar2(32) DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object INC_DESC varchar2(4000) INC_CAT varchar2(255) INC_PRIORITY number INC_RES varchar2(4000) 7.1.95 USERS_RPT_V View references USERS table that lists all users of the application. The users will also be created as database users to accommodate 3rd party reporting tools. Column Name Datatype Comment USR_ID number User identifier – Sequence number NAME varchar2(64) Short, unique user name used as a login CNT_ID number Contact ID – Sequence number 116 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment STT_ID number State ID. Status is either active or inactive. DESCRIPTION varchar2(512) Comments DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object PERMISSIONS varchar2(4000) Permissions currently assigned to the Sentinel user FILTER varchar2(128) Current security filter assigned to the Sentinel user UPPER_NAME varchar2(64) User name in upper case DOMAIN_AUTH_IND number (1) Domain authentication indication novdocx (en) 16 April 2010 Column Name 7.1.96 USR_ACCOUNT_RPT_V View contains user account information from an identity management system. Column Name Datatype Comment ACCOUNT_ID number(38,0) Account identifier USER_NAME varchar2(255) User name USER_DOMAIN varchar2(255) User domain CUST_ID number(38,0) Customer identifier BEGIN_EFFECTIVE_DATE date Begin effective date END_EFFECTIVE_DATE date End effective date CURRENT_F number(1,0) Current flag USER_STATUS varchar2(50) User status IDENTITY_GUID varchar2(36) Identity identifier SOURCE_USER_ID varchar2(100) User ID on source system DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object 7.1.97 USR_IDENTITY_EXT_ATTR_RPT_V View contains extended attributes information from an identity management system, including name value pairs in the ATTRIBUTE_NAME and ATTRIBUTE_VALUE columns. Sentinel Database Views for Oracle 117 Datatype Comment IDENTITY_GUID varchar2(36) Identity identifier ATTRIBUTE_NAME varchar2(255) Attribute name ATTRIBUTE_VALUE varchar2(1024) Attribute value 7.1.98 USR_IDENTITY_RPT_V View contains user identity information from an identity management system. Column Name Datatype Comment IDENTITY_GUID varchar2(36) Identity identifier DN varchar2(255) Distinguished name CUST_ID number(38,0) Customer identifier SRC_IDENTITY_ID varchar2(100) Source identity identifier WFID varchar2(100) Workforce identifier FIRST_NAME varchar2(255) First name LAST_NAME varchar2(255) Last name FULL_NAME varchar2(255) Full name JOB_TITLE varchar2(255) Job title DEPARTMENT_NAME varchar2(100) Department name OFFICE_LOC_CD varchar2(100) Office location code PRIMARY_EMAIL varchar2(255) Primary e-mail address PRIMARY_PHONE varchar2(100) Primary phone number VAULT_NAME varchar2(100) Identity vault name MGR_GUID varchar2(36) Manager identity identifier PHOTO clob Photo DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object 7.1.99 VENDOR_RPT_V View references VNDR table that stores information about asset product vendors. 118 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name novdocx (en) 16 April 2010 Column Name Datatype Comment VENDOR_ID number(38) Vendor identifier VENDOR_NAME varchar2(255) Vendor name DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38) User who created object MODIFIED_BY number(38) User who last modified object 7.1.100 VULN_CALC_SEVERITY_RPT_V View references VULN_RSRC and VULN to calculate eSecurity vulnerability severity rating base on current vulnerabilities. Column Name Datatype Comment RSRC_ID varchar2(36) Resource identifier IP varchar2(32) IP HOST_NAME varchar2(255) Host name CRITICALITY number Asset criticality code ASSIGNED_VULN_SEVERITY number VULN_COUNT number Vulnerability Count CALC_SEVERITY number Calculated severity 7.1.101 VULN_CODE_RPT_V View references VULN_CODE table that stores industry assigned vulnerability codes such as Mitre’s CVEs and CANs. Column Name Datatype Comment VULN_CODE_ID varchar2(36) Vulnerability code identifier VULN_ID varchar2(36) Vulnerability identifier VULN_CODE_TYPE varchar2(64) Vulnerability code type VULN_CODE_VALUE varchar2(255) Vulnerability code value URL varchar2(512) Web URL DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object Sentinel Database Views for Oracle 119 Datatype Comment MODIFIED_BY number User who last modified object 7.1.102 VULN_INFO_RPT_V View references VULN_INFO table that stores additional information reported during a scan. Column Name Datatype Comment VULN_INFO_ID varchar2(36) Vulnerability info identifier VULN_ID varchar2(36) Vulnerability identifier VULN_INFO_TYPE varchar2(36) Vulnerability info type VULN_INFO_VALUE varchar2(2000) Vulnerability info value DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.103 VULN_RPT_V View references VULN table that stores information of scanned system. Each scanner will have its own entry for each system. Column Name Datatype Comment VULN_ID varchar2(36) Vulnerability identifier RSRC_ID varchar2(36) Resource identifier PORT_NAME varchar2(64) Port Name PORT_NUMBER number Port Number NETWORK_PROTOCOL number Network Protocol APPLICATION_PROTOCOL varchar2(64) Application Protocol ASSIGNED_VULN_SEVERITY number COMPUTED_VULN_SEVERITY number VULN_DESCRIPTION clob Vulnerability description VULN_SOLUTION clob Vulnerability solution VULN_SUMMARY varchar2(1000) Vulnerability summary BEGIN_EFFECTIVE_DATE date Date from which the entry is valid END_EFFECTIVE_DATE date Date until which the entry is valid DETECTED_OS varchar2(64) Operating system of scanned machine 120 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment DETECTED_OS_VERSION varchar2(64) Operating system version of scanned machine SCANNED_APP varchar2(64) SCANNED_APP_VERSION varchar2(64) VULN_USER_NAME varchar2(64) Username used by scanner VULN_USER_DOMAIN varchar2(64) Domain of user used by scanned VULN_TAXONOMY varchar2(1000) SCANNER_CLASSIFICATION varchar2(255) VULN_NAME varchar2(300) VULN_MODULE varchar2(64) DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.104 VULN_RSRC_RPT_V View references VULN_RSRC table that stores each resource scanned for a particular scan. Column Name Datatype Comment RSRC_ID varchar2(36) Resource identifier SCANNER_ID varchar2(36) Scanner identifier IP varchar2(32) IP Address HOST_NAME varchar2(255) Host name LOCATION varchar2(128) Location DEPARTMENT varchar2(128) Department BUSINESS_SYSTEM varchar2(128) Business System OPERATIONAL_ENVIRONMENT varchar2(64) Operational environment CRITICALITY number Criticality REGULATION varchar2(128) Regulation REGULATION_RATING varchar2(64) Regulation rating DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object Sentinel Database Views for Oracle 121 novdocx (en) 16 April 2010 Column Name Datatype Comment MODIFIED_BY number User who last modified object 7.1.105 VULN_RSRC_SCAN_RPT_V View references VULN_RSRC_SCAN table that stores each resource scanned for a particular scan. Column Name Datatype Comment RSRC_ID varchar2(36) Resource identifier SCAN_ID varchar2(36) Vulnerability scan identifier DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.106 VULN_SCAN_RPT_V View references table that stores information pertaining to scans. Column Name Datatype Comment SCAN_ID varchar2(36) Vulnerability scan identifier SCANNER_ID varchar2(36) Vulnerability scanner identifier SCAN_TYPE varchar2(10) Vulnerability scan type SCAN_START_DATE date Scan start date SCAN_END_DATE date Scan start date CONSOLIDATION_SERVER varchar2(64) Consolidation server LOAD_STATUS varchar2(64) DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.107 VULN_SCAN_VULN_RPT_V View references VULN_SCAN_VULN table that stores vulnerabilities detected during scans. Column Name Datatype Comment SCAN_ID varchar2(36) Vulnerability scan identifier 122 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment VULN_ID varchar2(36) Vulnerability identifier DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.108 VULN_SCANNER_RPT_V View references VULN_SCANNER table that stores information about vulnerability scanners. Column Name Datatype Comment SCANNER_ID varchar2(36) Vulnerability scanner identifier PRODUCT_NAME varchar2(100) Product Name PRODUCT_VERSION varchar2(64) Product Version SCANNER_TYPE varchar2(64) Vulnerability Scanner Type VENDOR varchar2(100) Vendor SCANNER_INSTANCE varchar2(64) Scanner Instance DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number User who created object MODIFIED_BY number User who last modified object 7.1.109 WORKFLOW_DEF_RPT_V Column Name Datatype Comment PKG_NAME varchar2(255) Package name PKG_DATA clob Package data DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object Sentinel Database Views for Oracle 123 novdocx (en) 16 April 2010 Column Name Column Name Datatype Comment INFO_ID number(38,0) Info identifier PROCESS_DEF_ID varchar2(100) Process definition identifier PROCESS_INSTANCE_ID varchar2(150) Process instance identifier DATE_CREATED date Date the entry was created DATE_MODIFIED date Date the entry was modified CREATED_BY number(38,0) User who created object MODIFIED_BY number(38,0) User who last modified object 7.2 Deprecated Views The following legacy views are no longer created in the Sentinel 6 database: ADV_ALERT_CVE_RPT_V ADV_ALERT_PRODUCT_RPT_V ADV_ALERT_RPT_V ADV_ATTACK_ALERT_RPT_V ADV_ATTACK_CVE_RPT_V ADV_CREDIBILITY_RPT_V ADV_SEVERITY_RPT_V ADV_SUBALERT_RPT_V ADV_URGENCY_RPT_V 124 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 7.1.110 WORKFLOW_INFO_RPT_V 8 This section lists the Sentinel schema views for Microsoft SQL Server. The views provide information for developing your own reports (Crystal Reports). Sentinel defines an event schema that is used to hold the parsed data received from event sources. For more information on Sentinel Event schema, see Event schema (http://developer.novell.com/wiki/index.php/Event_schema). 8.1 Views Listed below are the views available with Sentinel. 8.1.1 ACTVY_PARM_RPT_V Column Name Datatype Comment ACTVY_PARM_ID uniqueidentifier Activity parameter identifier ACTVY_ID uniqueidentifier Activity identifier PARM_NAME varchar/nvarchar(255) Activity Parameter name PARM_TYP_CD varchar/nvarchar(1) Activity parameter type code DATA_TYP varchar/nvarchar(50) Activity parameter data type DATA_SUBTYP varchar/nvarchar(50) Activity parameter data subtype RQRD_F Bit Required flag PARM_DESC varchar/nvarchar(255) Activity parameter description PARM_VAL varchar/nvarchar(1000) Activity parameter value FORMATTER varchar/nvarchar(255) Activity parameter formatter DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.2 ACTVY_REF_PARM_VAL_RPT_V Column Name Datatype Comment ACTVY_ID uniqueidentifier Activity identifier SEQ_NUM int Sequence number Sentinel Database Views for Microsoft SQL Server 125 novdocx (en) 16 April 2010 Sentinel Database Views for Microsoft SQL Server 8 Datatype Comment ACTVY_PARM_ID uniqueidentifier Activity parameter identifier PARM_VAL varchar/nvarchar(1000) Activity parameter value DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.3 ACTVY_REF_RPT_V Column Name Datatype Comment ACTVY_ID uniqueidentifier Activity identifier SEQ_NUM int Sequence number REFD_ACTVY_ID uniqueidentifier Referenced activity identifier DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.4 ACTVY_RPT_V Column Name Datatype Comment ACTVY_ID uniqueidentifier Activity identifier ACTVY_NAME varchar/nvarchar(255) Activity name ACTVY_TYP_CD varchar/nvarchar(1) Activity type code ACCESS_LVL varchar/nvarchar(50) Access level EXEC_LOC varchar/nvarchar(50) Execution location ACTVY_DESC varchar/nvarchar(255) Activity description PROCESSOR varchar/nvarchar(255) Processor INPUT_FORMATTER varchar/nvarchar(255) Input formatter OUTPUT_FORMATTER varchar/nvarchar(255) Output formatter APP_NAME varchar/nvarchar(25) Application name DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified 126 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.5 ADV_NXS_FEED_V This view contains information about the Advisor feed files that are processed on a regular schedule. Column Name Datatype Comment FILE_NAME varchar (256) The filename of the Advisor feed file. HASH_VALUE varchar (256) The hash value of the Advisor feed file. RECORDS_INSERTED numeric The number of records inserted into the database. RECORDS_UPDATED numeric The number of records updated into the database. PROCESSING_START_TIME datetime Time stamp indicating when the processing of the feed files started. PROCESSING_END_TIME datetime Time stamp indicating when the processing of the feed files ended. GENERATION datetime Time stamp indicating when the feed file was generated. DATE_CREATED datetime Time stamp indicating when the feed file information was entered in the Sentinel database. DATE_MODIFIED datetime Time stamp indicating when the feed file information was modified in the Sentinel database. CREATED_BY int ID of the user who entered the feed file information in the Sentinel database. MODIFIED_BY int ID of the user who modified the feed file information in the Sentinel database. 8.1.6 ADV_NXS_PRODUCTS_V This view contains information about all the products that are supported by Novell® for Advisor, which include the Intrusion Detection System (IDS), Vulnerablility Scanners, and Knowledge Base (OSVDB, CVE, and Bugtraq). Column Name Datatype Comment PRODUCT_ID numeric The unique ID of the product. Sentinel Database Views for Microsoft SQL Server 127 novdocx (en) 16 April 2010 Column Name Datatype Comment PRODUCT_NAME varchar (256) Name of the product. For example, Cisco Secure IDS, Enterasys Dragon Network Sensor, or McAfee IntruShield. INTERNAL_NAME varchar (256) Short name of the product that is used in generating the exploitdetection.csv file. This name is used by Collectors for exploit detection. For example, if the product name is Cisco Secure IDS, the internal name is Secure. IS_ATTACK bit This value is 1 if the product is IDS. Otherwise, this value is 0. IS_VULN bit This value is 1 if the product is Vulnerability Scanner. Otherwise, this value is 0. IS_KB bit This value is 1 if the product is Knowledge Base. Otherwise, this value is 0. IS_ACTIVE bit This value is 1 if the product is selected for exploit detection in the Advisor window of Sentinel Control Center. If the value is 0, attacks from this product are not populated in the exploitdetection.csv file. IS_POPULATE_ATTACK_NAME bit This value is 1 by default. If the value is 0, the attack name is not populated in the exploitDetection.csv file. IS_POPULATE_ATTACK_CODE bit This value is 1 by default. If the value is 0, the attack code is not populated in the exploitDetection.csv file. DATE_CREATED datetime Time stamp indicating when the product information was entered in the Sentinel database. DATE_MODIFIED datetime Time stamp indicating when the product information was modified in the Sentinel database. CREATED_BY int ID of the user who entered the product information in the Sentinel database. MODIFIED_BY int ID of the user who modified the product information in the Sentinel database. 8.1.7 ADV_NXS_SIGNATURES_V This view contains the information about the list of signatures for each product that is supported by Novell for Advisor. Column Name Datatype Comment PRODUCT_ID numeric The unique ID of the product. SIGNATURE_ID varchar (256) The unique ID of the signature. SIGNATURE_NAME varchar (256) Name of the signature. 128 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment PUBLISHED datetime Time stamp indicating when the signature was published for the product by the vendor. INSERTED datetime Time stamp indicating when the signature information was entered in the vendor database. UPDATED datetime Time stamp indicating when the signature information was updated in the vendor database. DATE_CREATED datetime Time stamp indicating when the signature information was entered in the Sentinel database. DATE_MODIFIED datetime Time stamp indicating when the signature information was modified in the Sentinel database. CREATED_BY int ID of the user who entered the signature information in the Sentinel database. MODIFIED_BY int ID of the user who modified the signature information in the Sentinel database. 8.1.8 ADV_NXS_MAPPINGS_V This view contains the mapping information for the products supported by Novell for Advisor. It provides information about the type of mapping between each product including the IDS product signatures, Vulnerability product signatures, and Knowledge Base product signatures. Column Name Datatype Comment SOURCE_PRODUCT_ID numeric The unique ID of the source product. SOURCE_SIGNATURE_ID varchar (256) The unique ID of the source signature. TARGET_PRODUCT_ID numeric The unique ID of the target product. TARGET_SIGNATURE_ID varchar (256) The unique ID of the target signature. MAPPING_DIRECT bit This value is 1 if the mapping is direct. MAPPING_INDIRECT bit This value is 1 if the mapping is indirect. MAPPING_NGRAM bit This value is 1 if the mapping is n-gram. INSERTED datetime Time stamp indicating when the mapping information was entered in the vendor database. UPADATED datetime Time stamp indicating when the mapping was updated in the vendor database. IS_DELETED bit This value is 1 if the mapping is marked as invalid. DELETED datetime Time stamp indicating when the mapping was marked as invalid. DATE_CREATED datetime Time stamp indicating when the mapping information was entered in the Sentinel database. DATE_MODIFIED datetime Time stamp indicating when the mapping information was modified in the Sentinel database. Sentinel Database Views for Microsoft SQL Server 129 novdocx (en) 16 April 2010 Column Name Datatype Comment CREATED_BY int ID of the user who entered the mapping information in the Sentinel database. MODIFIED_BY int ID of the user who modified the mapping information in the Sentinel database. 8.1.9 ADV_OSVDB_DETAILS_V This view contains information about the known vulnerablities from the OSVDB for the products supported by Novell for Advisor. It also stores the classifications to which the vulnerability applies. Column Name Datatype Comment OSVDB_ID int The unique ID of the vulnerability in the OSVDB. OSVDB_TITLE varchar (256) The normalized name of the vulnerability. DESCRIPTION text A brief description of the vulnerability. URGENCY int Indicates the urgency of the vulnerability. The rating is 1- 10. The higher the number, the more urgent the vulnerability. SEVERITY int Indicates the severity of the vulnerability. The rating is 1- 10. The higher the number, the more urgent the vulnerability. ATTACK_TYPE_AUTH_MANAGE bit This value is 1 if the attack type is authentication management. For example, brute force attack, default password, and cookie poisoning. ATTACK_TYPE_CRYPT bit This value is 1 if the attack type is cryptographic. For example, weak encryption (implementation or algorithm), no encryption (plaintext), and sniffing. ATTACK_TYPE_DOS bit This value is 1 if the attack type is denial of service. For example, saturation flood, crash, lock up, and forced reboot. ATTACK_TYPE_HIJACK bit This value is 1 if the attack type is hijack. For example, man-in-the-middle attacks, IP spoofing, session timeout or take-over, and session replay. ATTACK_TYPE_INFO_DISCLOSE bit This value is 1 if the attack type is information disclosure. For example, comments, passwords, fingerprinting, and system information. ATTACK_TYPE_INFRASTRUCT bit This value is 1 if the attack type is infrastructure. For example, DNS poisoning and route manipulation. ATTACK_TYPE_INPUT_MANIP bit This value is 1 if the attack type is input manipulation. For example, XSS, SQL injection, file retrieval, directory traversal, overflows, and URL encoding. 130 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment ATTACK_TYPE_MISS_CONFIG bit This value is 1 if the attack type is misconfiguration. For example, default files, debugging enabled, and directory indexing. ATTACK_TYPE_RACE bit This value is 1 if the attack type is race condition. For example, symlink. ATTACK_TYPE_OTHER bit This value is 1 if the attack type does not fall under any of the above attack types. ATTACK_TYPE_UNKNOWN bit This value is 1 if the attack type is unknown. IMPACT_CONFIDENTIAL bit This value is 1 if the impact of the attack(s) is loss of confidential information. For example, passwords, server information, environment variables, confirmation of file existence, path disclosure, file content access, and SQL injection. IMPACT_INTEGRITY bit This value is 1 if the impact of the attack(s) is loss of integrity, which results in data modifications by unauthorized persons. For example, unauthorized file modification, deletion, or creation, remote file inclusion, and arbitrary command execution. IMPACT_AVAILABLE bit This value is 1 if the impact of the attack is loss of availability of a service or information. IMPACT_UNKNOWN bit TrThis value is 1 if the impact of the attack is unknown. EXPLOIT_AVAILABLE bit This value is 1 if an exploit is available for the vulnerability. EXPLOIT_UNAVAILABLE bit This value is 1 if an exploit is not available for the vulnerability. EXPLOIT_RUMORED bit This value is 1 if an exploit is rumored to exist for the vulnerability. EXPLOIT_UNKNOWN bit This value is 1 if an exploit is unknown for the vulnerability. VULN_VERIFIED bit This value is 1 if the existence of the vulnerability has been verified. VULN_MYTH_FAKE bit This value is 1 if the vulnerability is a myth or a false alarm. VULN_BEST_PRAC bit This value is 1 if the vulnerability is a result of not following the best practices in the configuration or usage of the vulnerable system or software. VULN_CONCERN bit This value is 1 if the vulnerability requires additional concern for remediation. VULN_WEB_CHECK bit This value is 1 if the vulnerability is a common problem in Web servers or Web applications. Sentinel Database Views for Microsoft SQL Server 131 novdocx (en) 16 April 2010 Column Name Datatype Comment ATTACK_SCENARIO text Description of how a vulnerability can be exploited. SOLUTION_DESCRIPTION text Description of the solution that is used to fix the vulnerability. FULL_DESCRIPTION text The complete description of the vulnerability. LOCATION_PHYSICAL bit This value is 1 if the vulnerability can be exploited with only physical system access. LOCATION_LOCAL bit This value is 1 if the vulnerability can be exploited on a local system. LOCATION_REMOTE bit This value is 1 if the vulnerabilitycan be exploited on a remote system. LOCATION_DIALUP bit This value is 1 if the vulnerability can be exploited using a dial-up connection. LOCATION_UNKNOWN bit This value is 1 if the vulnerability is exploited in an unknown location. PUBLISHED datetime Time stamp indicating when the vulnerability was published in the OSVDB. INSERTED datetime Time stamp indicating when the vulnerability was inserted in the vendor database. UPDATED datetime Time stamp indicating when the vulnerability was updated in the vendor database. DATE_CREATED datetime Time stamp indicating when the vulnerability information was entered in the Sentinel database. DATE_MODIFIED datetime Time stamp indicating when the vulnerability information was modified in the Sentinel database. CREATED_BY int The ID of the user who entered the vulnerability information in the Sentinel database. MODIFIED_BY int The ID of the user who modified the vulnerability information in the Sentinel database. 8.1.10 ADV_NXS_KB_PATCH_V This view contains information about the patches that are required to remove the vulnerabilities. Column Name Datatype Comment ID int The unique ID for the row. OSVDB_ID int The ID of the vulnerability in the OSVDB. TYPE_NAME varchar (128) The type of the patch used to remove the vulnerability. TYPE_ID int 132 Sentinel 6.1 Reference Guide The unique ID of the patch. novdocx (en) 16 April 2010 Column Name Datatype Comment REF_VALUE text The URL that has the patch information. DATE_CREATED datetime Time stamp indicating when the patch information was entered in the Sentinel database. DATE_MODIFIED datetime Time stamp indicating when the patch information was modified in the Sentinel database. CREATED_BY int The ID of the user who entered the patch information in the Sentinel database. MODIFIED_BY int The ID of the user who modified the patch information in the Sentinel database. 8.1.11 ADV_NXS_KB_PRODUCTSREF_V This view contains the information about the products that are affected by the vulnerability. Column Name Datatype Comment ID int The unique ID for the row. OSVDB_ID int The ID of the vulnerability in the OSVDB. VENDOR_NAME varchar (128) Name of the vendor of the product that is affected by the vulnerability. VERSION_NAME varchar (128) Version of the product that is affected by the vulnerability. BASE_NAME varchar (128) Name of the product that is affected by the vulnerability. TYPE_NAME varchar (128) Indicates whether the product is affected by the vulnerability or not. DATE_CREATED datetime Time stamp indicating when the product information was entered in the Sentinel database. DATE_MODIFIED datetime Time stamp indicating when the product information was modified in the Sentinel database. CREATED_BY int The ID of the user who entered the product information in the Sentinel database. MODIFIED_BY int The ID of the user who modified the product information in the Sentinel database. 8.1.12 ANNOTATIONS_RPT_V View references ANNOTATIONS table that stores documentation or notes that can be associated with objects in the Sentinel system such as cases and incidents. Column Name Datatype Comment ANN_ID int Annotation identifier - sequence number. TEXT varchar/nvarchar(4000) Documentation or notes. Sentinel Database Views for Microsoft SQL Server 133 novdocx (en) 16 April 2010 Column Name Datatype Comment ACTION varchar/nvarchar(255) Action DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified MODIFIED_BY int User who last modified object CREATED_BY int User who created object 8.1.13 ASSET_CATEGORY_RPT_V View references ASSET_CTGRY table that stores information about asset categories. Column Name Datatype Comment ASSET_CATEGORY_ID bigint Asset category identifier ASSET_CATEGORY_NAME varchar/nvarchar2(100) Asset category name DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object 8.1.14 ASSET_HOSTNAME_RPT_V View references ASSET_HOSTNAME table that stores information about alternate host names for assets. Column Name Datatype Comment ASSET_HOSTNAME_ID uniqueidentifier Asset alternate hostname identifier PHYSICAL_ASSET_ID uniqueidentifier Physical asset identifier HOST_NAME varchar/nvarchar(255) Host name CUST_ID bigint Customer identifier DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.15 ASSET_IP_RPT_V View references ASSET_IP table that stores information about alternate IP addresses for assets. 134 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment ASSET_IP_ID uniqueidentifier Asset alternate IP identifier PHYSICAL_ASSET_ID uniqueidentifier Physical asset identifier IP_ADDRESS int Asset IP address CUST_ID bigint Customer identifier DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.16 ASSET_LOCATION_RPT_V View references ASSET_LOC table that stores information about asset locations. Column Name Datatype Comment LOCATION_ID bigint Location identifier CUST_ID bigint Customer identifier BUILDING_NAME varchar/nvarchar(255) Building name ADDRESS_LINE_1 varchar/nvarchar(255) Address line 1 ADDRESS_LINE_2 varchar/nvarchar(255) Address line 2 CITY varchar/nvarchar(100) City STATE varchar/nvarchar(100) State COUNTRY varchar/nvarchar(100) Country ZIP_CODE varchar/nvarchar(50) Zip code DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.17 ASSET_RPT_V View references ASSET table that stores information about the physical and soft assets. Column Name Datatype Comment ASSET_ID uniqueidentifier Asset identifier CUST_ID bigint Customer identifier Sentinel Database Views for Microsoft SQL Server 135 novdocx (en) 16 April 2010 Column Name Datatype Comment ASSET_NAME varchar/nvarchar(255) Asset name PHYSICAL_ASSET_ID uniqueidentifier Physical asset identifier PRODUCT_ID bigint Product identifier ASSET_CATEGORY_ID bigint Asset category identifier ENVIRONMENT_IDENTITY_CD bigint Environment identify code PHYSICAL_ASSET_IND bit Physical asset indicator ASSET_VALUE_CODE bigint Asset value code CRITICALITY_ID bigint Asset criticality code SENSITIVITY_ID bigint Asset sensitivity code DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.18 ASSET_VALUE_RPT_V View references ASSET_VAL_LKUP table that stores information about the asset value. Column Name Datatype Comment ASSET_VALUE_ID bigint Asset value code ASSET_VALUE_NAME varchar/nvarchar(50) Asset value name DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.19 ASSET_X_ENTITY_X_ROLE_RPT_V View references ASSET_X_ENTITY_X_ROLE table that associates a person or an organization to an asset. Column Name Datatype Comment PERSON_ID uniqueidentifier Person identifier ORGANIZATION_ID uniqueidentifier Organization identifier ROLE_CODE varchar/nvarchar(5) Role code ASSET_ID uniqueidentifier Asset identifier 136 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment ENTITY_TYPE_CODE varchar/nvarchar(5) Entity type code PERSON_ROLE_SEQUENCE int Order of persons under a particular role DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.20 ASSOCIATIONS_RPT_V View references ASSOCIATIONS table that associates users to incidents, incidents to annotations and so on. Column Name Datatype Comment TABLE1 varchar/nvarchar(64) Table name 1. For example, incidents ID1 int ID1. For example, incident ID. TABLE2 varchar/nvarchar(64) Table name 2. For example, users. ID2 int ID2. For example, user ID. DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.21 ATTACHMENTS_RPT_V View references ATTACHMENTS table that stores attachment data. Column Name Datatype Comment ATTACHMENT_ID int Attachment identifier NAME varchar/nvarchar(255) Attachment name SOURCE_REFERENCE varchar/nvarchar(64) Source reference TYPE varchar/nvarchar(32) Attachment type SUB_TYPE varchar/nvarchar(32) Attachment subtype FILE_EXTENSION varchar/nvarchar(32) File extension ATTACHMENT_DESCRIPTION varchar/nvarchar(255) Attachment description DATA ntext Attachment data DATE_CREATED datetime Date the entry was created Sentinel Database Views for Microsoft SQL Server 137 novdocx (en) 16 April 2010 Column Name Datatype Comment DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.22 AUDIT_RECORD_RPT_V View reference AUDIT_RECORD table that stores Sentinel internal audit data. Column Name Datatype Comment AUDIT_ID uniqueidentifier Audit record identifier AUDIT_TYPE varchar/nvarchar(255) Audit type SRC varchar/nvarchar(255) Audit source SENDER_HOSTNAME varchar/nvarchar(255) Sender hostname SENDER_HOST_IP varchar/nvarchar(255) Sender host IP SENDER_CONTAINER varchar/nvarchar(255) Sender container name SENDER_ID varchar/nvarchar(255) Sender Identifier CLIENT varchar/nvarchar(255) Client application that requested audit EVT_NAME varchar/nvarchar(255) Event name RES varchar/nvarchar(255) Event resource SRES varchar/nvarchar(255) Event sub-resource MSG varchar/nvarchar(500) A descriptive string which describes the event and some event details of what occurred CREATED_BY int User who created object MODIFIED_BY int User who last modified object DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified 8.1.23 CONFIGS_RPT_V View references CONFIGS table that stores general configuration information of the application. Column Name Datatype Comment USR_ID varchar/nvarchar(32) User name. APPLICATION varchar/nvarchar(255) Application identifier UNIT varchar/nvarchar(64) Application unit 138 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment VALUE varchar/nvarchar(255) Text value if any DATA ntext XML data DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.24 CONTACTS_RPT_V View references CONTACTS table that stores contact information. Column Name Datatype Comment CNT_ID int Contact ID - Sequence number FIRST_NAME varchar/nvarchar(20) Contact first name. LAST_NAME varchar/nvarchar(30) Contact last name. TITLE varchar/nvarchar(128) Contact title DEPARTMENT varchar/nvarchar(128) Department PHONE varchar/nvarchar(64) Contact phone EMAIL varchar/nvarchar(255) Contact e-mail PAGER varchar/nvarchar(64) Contact pager CELL varchar/nvarchar(64) Contact cell phone DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.25 CORRELATED_EVENTS_RPT_V (legacy view) This view is provided for backward compatibility. New reports should use CORRELATED_EVENTS_RPT_V1 because this view does not include archived correlated events that have been imported back into the database. 8.1.26 CORRELATED_EVENTS_RPT_V1 View contains current and historical correlated events (correlated events imported from archives). Sentinel Database Views for Microsoft SQL Server 139 novdocx (en) 16 April 2010 Column Name Datatype Comment PARENT_EVT_ID uniqueidentifier Event Universal Unique Identifier (UUID) of parent event CHILD_EVT_ID uniqueidentifier Event Universal Unique Identifier (UUID) of child event PARENT_EVT_TIME datetime Parent event time CHILD_EVT_TIME datetime Child event time DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.27 CRITICALITY_RPT_V View references CRIT_LKUP table that contains information about asset criticality. Column Name Datatype Comment CRITICALITY_ID bigint Asset criticality code CRITICALITY_NAME varchar/nvarchar(50) Asset criticality name DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.28 CUST_HIERARCHY_V View references CUST_HIERARCHY table that stores information about MSSP customer hierarchy. Column Name Datatype Comment CUST_HIERARCHY_ID bigint Customer hierarchy ID CUST_NAME varchar/nvarchar (255) The name of the customer from which this data was captured. This can be used to generically classify data gathered from different domains to ensure that segregation of the data is maintained and IP/name spaces do not conflict CUST_HIERARCHY_LVL1 varchar/nvarchar (255) Customer hierarchy level 1 140 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment CUST_HIERARCHY_LVL2 varchar/nvarchar (255) Customer hierarchy level 2 CUST_HIERARCHY_LVL3 varchar/nvarchar (255) Customer hierarchy level 3 CUST_HIERARCHY_LVL4 varchar/nvarchar (255) Customer hierarchy level 4 DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.29 CUST_RPT_V View references CUST table that stores customer information for MSSPs. Column Name Datatype Comment CUST_ID bigint Customer identifier CUSTOMER_NAME varchar/nvarchar(255) Customer name DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.30 ENTITY_TYPE_RPT_V View references ENTITY_TYP table that stores information about entity types (person, organization). Column Name Datatype Comment ENTITY_TYPE_CODE varchar/nvarchar(5) Entity type code ENTITY_TYPE_NAME varchar/nvarchar(50) Entity type name DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.31 ENV_IDENTITY_RPT_V View references ENV_IDENTITY_LKUP table that stores information about asset environment identity. Sentinel Database Views for Microsoft SQL Server 141 novdocx (en) 16 April 2010 Column Name Datatype Comment ENVIRONMENT_IDENTITY_ID bigint Environment identity code ENV_IDENTITY_NAME varchar/nvarchar(255) Environment identity name DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.32 ESEC_CONTENT_GRP_CONTENT_RPT_V Column Name Datatype Comment CONTENT_GRP_ID uniqueidentifier Content group identifier CONTENT_ID varchar/nvarchar(255) Content identifier CONTENT_TYP varchar/nvarchar(100) Content type CONTENT_HASH varchar/nvarchar(255) Content hash DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.33 ESEC_CONTENT_GRP_RPT_V Column Name Datatype Comment CONTENT_GRP_ID uniqueidentifier Content group identifier CONTENT_GRP_NAME varchar/nvarchar(255) Content group name CONTENT_GRP_DESC text Content group description CTRL_ID uniqueidentifier Control identifier CONTENT_EXTERNAL_ID varchar/nvarchar(255) Content external identifier DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 142 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Column Name Datatype Comment CONTENT_PACK_ID uniqueidentifier Content pack identifier CONTENT_PACK_DESC text Content pack description CONTENT_PACK_NAME varchar/nvarchar(255) Content pack name CONTENT_EXTERNAL_ID varchar/nvarchar(255) Content external identifier DATE_MODIFIED datetime Date the entry was modified DATE_CREATED datetime Date the entry was created CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.35 ESEC_CONTENT_RPT_V Column Name Datatype Comment CONTENT_ID varchar/nvarchar(255) Content identifier CONTENT_NAME varchar/nvarchar(255) Content name CONTENT_DESC text Content description CONTENT_STATE int Content state CONTENT_TYP varchar/nvarchar(100) Content type CONTENT_CONTEXT text Content context CONTENT_HASH varchar/nvarchar(255) Content hash DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified MODIFIED_BY int User who last modified object CREATED_BY int User who created object 8.1.36 ESEC_CTRL_CTGRY_RPT_V Column Name Datatype Comment CTRL_CTGRY_ID uniqueidentifier Control category identifier CTRL_CTGRY_DESC text Control category description CTRL_CTGRY_NAME varchar/nvarchar(255) Control category name CONTENT_PACK_ID uniqueidentifier Content pack identifier Sentinel Database Views for Microsoft SQL Server 143 novdocx (en) 16 April 2010 8.1.34 ESEC_CONTENT_PACK_RPT_V Datatype Comment CONTENT_EXTERNAL_ID varchar/nvarchar(255) Content external identifier DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.37 ESEC_CTRL_RPT_V Column Name Datatype Comment CTRL_ID uniqueidentifier Control identifier CTRL_NAME varchar/nvarchar(255) Control name CTRL_DESC text Control description CTRL_STATE int Control state CTRL_NOTES text Control notes CTRL_CTGRY_ID uniqueidentifier Control category identifier CONTENT_EXTERNAL_ID varchar/nvarchar(255) Content external identifier DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.38 ESEC_DISPLAY_RPT_V View references ESEC_DISPLAY table that stores displayable properties of objects. Currently used in renaming meta-tags. Used with Event Configuration (Business Relevance). Column Name Datatype Comment DISPLAY_OBJECT varchar/nvarchar(32) The parent object of the property TAG varchar/nvarchar(32) The native tag name of the property LABEL varchar/nvarchar(32) The display string of tag. POSITION int Position of tag within display. WIDTH int The column width ALIGNMENT int The horizontal alignment FORMAT int The enumerated formatter for displaying the property 144 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment ENABLED bit Indicates if the tag is shown. TYPE int Indicates datatype of tag. 1 = string 2 = ulong 3 = date 4 = uuid 5 = ipv4 DESCRIPTION varchar/nvarchar(255) Textual description of the tag DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object REF_CONFIG varchar/nvarchar(4000) Referential data configuration 8.1.39 ESEC_PORT_REFERENCE_RPT_V View references ESEC_PORT_REFERENCE table that stores industry standard assigned port numbers. Column Name Datatype Comment PORT_NUMBER int Per http://www.iana.org/assignments/portnumbers (http://www.iana.org/ assignments/port-numbers), the numerical representation of the port. This port number is typically associated with the Transport Protocol level in the TCP/IP stack. PROTOCOL_NUMBER int Per http://www.iana.org/assignments/ protocol-numbers (http://www.iana.org/ assignments/protocol-numbers), the numerical identifiers used to represent protocols that are encapsulated in an IP packet. PORT_KEYWORD varchar/nvarchar(64) Per http://www.iana.org/assignments/portnumbers (http://www.iana.org/ assignments/port-numbers), the keyword representation of the port. PORT_DESCRIPTION varchar/nvarchar(512) Port description. DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified Sentinel Database Views for Microsoft SQL Server 145 novdocx (en) 16 April 2010 Column Name Datatype Comment CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.40 ESEC_PROTOCOL_REFERENCE_RPT_V View references ESEC_PROTOCOL_REFERENCE table that stores industry standard assigned protocol numbers. Column Name Datatype Comment PROTOCOL_NUMBER int Per http://www.iana.org/assignments/ protocol-numbers (http://www.iana.org/ assignments/protocol-numbers), the numerical identifiers used to represent protocols that are encapsulated in an IP packet. PROTOCOL_KEYWORD varchar/nvarchar(64) Per http://www.iana.org/assignments/ protocol-numbers (http://www.iana.org/ assignments/protocol-numbers), the keyword used to represent protocols that are encapsulated in an IP packet. PROTOCOL_DESCRIPTION varchar/nvarchar(512) IP packet protocol description. DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.41 ESEC_SEQUENCE_RPT_V View references ESEC_SEQUENCE table that’s used to generate primary key sequence numbers for Sentinel tables. Column Name Datatype Comment TABLE_NAME varchar/nvarchar(32) Name of the table. COLUMN_NAME varchar/nvarchar(255) Name of the column SEED int Current value of primary key field. DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 146 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Column Name Datatype Comment OBJECT1 varchar/nvarchar(64) Object 1 ID1 uniqueidentifier UUID for object 1 OBJECT2 varchar/nvarchar(64) Object 2 ID2 uniqueidentifier UUID for object 2 DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.43 EVENTS_ALL_RPT_V (legacy view) This view is provided for backward compatibility. View contains current and historical events (events imported from archives). 8.1.44 EVENTS_ALL_RPT_V1 (legacy view) This view is provided for backward compatibility. New reports should use EVENTS_RPT_V2. View contains current events. 8.1.45 EVENTS_ALL_V (legacy view) This view is provided for backward compatibility. New reports should use EVENTS_RPT_V2. 8.1.46 EVENTS_RPT_V (legacy view) This view is provided for backward compatibility. New reports should use EVENTS_RPT_V2. View contains current and historical events. 8.1.47 EVENTS_RPT_V1 (legacy view) This view is provided for backward compatibility. New reports should use EVENTS_RPT_V2. View contains current events. 8.1.48 EVENTS_RPT_V2 This is the primary reporting view. View contains current event and historical events. Column Name Datatype Comment EVENT_ID uniqueidentifier An internal UUID generated to identify the specific event on this system Sentinel Database Views for Microsoft SQL Server 147 novdocx (en) 16 April 2010 8.1.42 ESEC_UUID_UUID_ASSOC_RPT_V Datatype Comment RESOURCE_NAME varchar/nvarchar(255) Resource name SUB_RESOURCE varchar/nvarchar(255) Subresource name SEVERITY int The normalized Sentinel event severity (05) EVENT_PARSE_TIME datetime The absolute time, according to Sentinel, that this event occurred EVENT_DATETIME datetime Event time EVENT_DEVICE_TIME datetime A timestamp representation of the time the event occurred, according to the event source SENTINEL_PROCESS_TIME datetime The time at which Sentinel processed the event BEGIN_TIME datetime The time the event began to occur, if the event represents a lengthy transaction END_TIME datetime The time the event completed, if the event represents a lengthy transaction REPEAT_COUNT int The number of times the identical event occurred DESTINATION_PORT_Int int Destination port (integer) SOURCE_PORT_Int int Source port (integer) BASE_MESSAGE varchar/nvarchar(4000) A descriptive string which describes the event and some event details of what occurred EVENT_NAME varchar/nvarchar(255) A short, abstract description of the event, such as "User Logged In" EVENT_TIME varchar/nvarchar(255) A string representation of the time, according to the event source, that the event occurred AGENT_ID bigint Collector identifier SOURCE_IP int Source IP address in numeric format SOURCE_IP_DOTTED varchar/nvarchar (16) Source IP in dotted format SOURCE_HOST_NAME varchar/nvarchar(255) Source host name SOURCE_PORT varchar/nvarchar(32) Source port DESTINATION_IP int Destination IP address in numeric format DESTINATION_IP_DOTTED varchar/nvarchar (16) Destination IP in dotted format DESTINATION_HOST_NAME varchar/nvarchar(255) Destination host name DESTINATION_PORT varchar/nvarchar(32) Destination port SOURCE_USER_NAME varchar/nvarchar(255) Source user name 148 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment DESTINATION_USER_NAME varchar/nvarchar(255) Destination user name FILE_NAME varchar/nvarchar(1000) The name of the data object (file, database table, directory object, etc) that was affected by this event. EXTENDED_INFO varchar/nvarchar(1000) A name-value pair field that holds extra information about the event, which does not fit into the existing event schema CUSTOM_TAG_1 varchar/nvarchar(255) Customer Tag 1 CUSTOM_TAG 2 varchar/nvarchar(255) Customer Tag 2 CUSTOM_TAG 3 int Customer Tag 3 RESERVED_TAG_1 varchar/nvarchar(255) Reserved Tag 1 Reserved for future use by Sentinel. This field is used for Advisor information concerning attack descriptions. RESERVED_TAG_2 varchar/nvarchar(255) Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality. RESERVED_TAG_3 int Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality. Vulnerability_Rating int Vulnerability rating Criticality_Rating int Criticality rating RV01 - 10 int Reserved Value 1 - 10 Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality. RV11 - 20 DATETIME Reserved Value 1 - 31 Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality. RV21 - 25 uniqueidentifier Reserved Value 21 - 25 Reserved for future use by Sentinel to store UUIDs. Use of this field for any other purpose might result in data being overwritten by future functionality. Sentinel Database Views for Microsoft SQL Server 149 novdocx (en) 16 April 2010 Column Name Datatype Comment RV26 - 31 varchar/nvarchar(255) Reserved Value 26 - 31 Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality. RV33 varchar/nvarchar(255) Reserved Value 33 Reserved for EventContex Use of this field for any other purpose might result in data being overwritten by future functionality. RV34 varchar/nvarchar(255) Reserved Value 34 Reserved for SourceThreatLevel Use of this field for any other purpose might result in data being overwritten by future functionality. RV35 varchar/nvarchar(255) Reserved Value 35 Reserved for SourceUserContext. Use of this field for any other purpose might result in data being overwritten by future functionality. RV36 varchar/nvarchar(255) Reserved Value 36 Reserved for DataContext. Use of this field for any other purpose might result in data being overwritten by future functionality. RV37 varchar/nvarchar(255) Reserved Value 37 Reserved for SourceFunction. Use of this field for any other purpose might result in data being overwritten by future functionality. RV38 varchar/nvarchar(255) Reserved Value 38 Reserved for SourceOperationalContext. Use of this field for any other purpose might result in data being overwritten by future functionality. RV39 150 Sentinel 6.1 Reference Guide varchar/nvarchar(255) novdocx (en) 16 April 2010 Column Name Datatype Comment RV40 - 43 varchar/nvarchar(255) Reserved Value 40 - 43 The ID or code used by the vendor to reference that specific event type. Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality. RV44 varchar/nvarchar(255) Reserved Value 44 Reserved for DestinationThreatLevel. Use of this field for any other purpose might result in data being overwritten by future functionality. RV45 varchar/nvarchar(255) Reserved Value 45 Reserved for DestinationUserContext. Use of this field for any other purpose might result in data being overwritten by future functionality. RV46 varchar/nvarchar(255) Reserved Value 46 Reserved for VirusStatus. Use of this field for any other purpose might result in data being overwritten by future functionality. RV47 varchar/nvarchar(255) Reserved Value 47 Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality. RV48 varchar/nvarchar(255) Reserved Value 48 Reserved for DestinationOperationalContext. Use of this field for any other purpose might result in data being overwritten by future functionality. RV49 varchar/nvarchar(255) Reserved Value 49 Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality. RV50-53 varchar/nvarchar(255) Sentinel Database Views for Microsoft SQL Server 151 novdocx (en) 16 April 2010 Column Name Datatype Comment REFERENCE_ID 01 - 20 bigint Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality. CV01 - 10 int Custom Value 1 - 10 Reserved for use by Customer, typically for association of Business relevant data CV11 - 20 datetime Custom Value 11 - 20 Reserved for use by Customer, typically for association of Business relevant data CV21 - 100 varchar/nvarchar(255) Custom Value 21 – 100 Reserved for use by Customer, typically for association of Business relevant data CV30 - 34 varchar/nvarchar(4000) DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.49 EVENTS_RPT_V3 Column Name Datatype Comment Event_ID uniqueidentifier An internal UUID generated to identify the specific event on this system Sub_Resource_Name varchar/nvarchar(255) Subresource name Severity int The normalized Sentinel event severity (0-5) Event_Parse_Time datetime The absolute time when the event occurred according to Sentinel Event_Device_Time datetime A timestamp representation of the time the event occurred, according to the event source Device_Event_Time datetime Sentinel_Process_Time datetime The time at which Sentinel processed the event Begin_Time datetime The time the event began to occur, if the event represents a lengthy transaction 152 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment End_Time datetime The time the event completed, if the event represents a lengthy transaction Target_Service_Port int The numeric network port accessed on the target Event_Time varchar/nvarchar(255) A string representation of the time the event occurred, according to the event source Init_Asset_id bigint Initiator asset identifier Target_Asset_id bigint Internal asset identifier of the target Target_IP int The IPv4 address of the target system Target_IP_Dotted varchar/nvarchar (16) Target IP address in dotted format Target_Host_Name varchar/nvarchar(255) The unqualified hostname of the target system Init_User_Name varchar/nvarchar(255) The account name of the initiating user Target_User_Name varchar/nvarchar(255) The account name of the target user (DestinationUsername). File_Name varchar/nvarchar(1000) The name of the data object (file, database table, directory object, etc) that was affected by this event Extended_Info varchar/nvarchar(1000) A name-value pair field that holds extra information about the event, which does not fit into the existing event schema Init_User_ Id varchar/nvarchar(255) The initiating source-specific identifier of the account as determined by the Collector based on raw device data Init_User_Identity uniqueidentifier The internal UUID of the identity associated with the initiating account Target_User_Id varchar/nvarchar(255) The source-specific identifier of the target account as determined by the Collector, based on raw device data Target_User_Identity uniqueidentifier The internal UUID of the identity associated with the target account Effective_User_Name varchar/nvarchar(255) The name of the account that is effectively being used Effective_User_Sys_Id varchar/nvarchar(255) The source-specific identifier of the account that is effectively being used as determined by the Collector based on raw device data Effective_User_Domain varchar/nvarchar(255) The domain (namespace) in which the effective user account exists Target_Trust_Name varchar/nvarchar(255) The name of the trust (group, role, profile, etc) affected Sentinel Database Views for Microsoft SQL Server 153 novdocx (en) 16 April 2010 Column Name Datatype Comment Target_Trust_Sys_Id varchar/nvarchar(255) Target trust ID Target_Trust_Domain varchar/nvarchar(255) The domain (namepsace) within which the target trust exists Observer_Ip int The IP address of the observer (sensor) that detected the event Reporter_Ip int The IP address of the reporter (the system that delivered the event to Sentinel) Observer_Host_Domain varchar/nvarchar(255) The domain name that is mentioned in the fully qualified hostname of the observer (sensor) Reporter_Host_Domain varchar/nvarchar(255) The domain name that is mentioned in the fully qualified hostname of the reporter Observer_Asset_Id varchar/nvarchar(255) Internal asset identifier of the observer Reporter_Asset_Id varchar/nvarchar(255) Internal asset identifier of the reporter Init_Service_Comp varchar/nvarchar(255) The subcomponent of the initiating service that caused this event Target_Service_Comp varchar/nvarchar(255) The subcomponent of the target service affected by this event Custom_Tag_1 varchar/nvarchar(255) Customer Tag 1 Custom_Tag_2 varchar/nvarchar(255) Customer Tag 2 Custom_Tag_3 int Customer Tag 3 Reserved_Tag_1 varchar/nvarchar(255) Reserved_Tag_2 varchar/nvarchar(255) Reserved_Tag_3 int Vulnerability_Rating int Criticality_Rating int Date_Created datetime Date the entry was created Date_Modified datetime Date the entry was modified Created_By int User who created object Modified_By int User who last modified object RV01 int Event_Metric int Event metric Data_Tag_Id int Data tag ID RV04-RV10 int RV11-RV20 datetime 154 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment RV21-RV28 varchar/nvarchar(255) Init_IP_Country varchar/nvarchar(255) The country where the IPv4 address of the initiating system is located Target_IP_Country varchar/nvarchar(255) The country where the IPv4 address of the target system is located RV31 varchar/nvarchar(255) RV33 RV36 RV40 RV43 RV46 RV49 Init_Threat_Level varchar/nvarchar(255) Initiator threat level Init_User_Domain varchar/nvarchar(255) The domain (namespace) in which the initiating account exists Init_Function varchar/nvarchar(255) Initiator function Init_Operational_Context varchar/nvarchar(255) Initiator operational context Target_Host_Domain varchar/nvarchar(255) The domain name that is mentioned in the fully qualified hostname of the target system Target_Threat_Level varchar/nvarchar(255) Target threat level Target_User_Domain varchar/nvarchar(255) The domain (namespace) in which the target account exists Target_Function varchar/nvarchar(255) The function of the target system (fileserver, webserver, etc) Target_Operational_Context varchar/nvarchar(255) Target operational context Taxonomy_id bigint Used to link to XDAS and legacy taxonomy tables Reference_id_1 bigint XDAS_Taxonomy_Id bigint XDAS Taxonomy identifier Reference_id_2-Reference_id_20 CV01-CV10 int CV11-CV20 datetime CV21-CV29 varchar/nvarchar(255) CV30-CV34 varchar/nvarchar(4000) CV35-CV100 varchar/nvarchar(255) Sentinel Database Views for Microsoft SQL Server 155 novdocx (en) 16 April 2010 Column Name Datatype Customer_Var_101Customer_Var_110 int Customer_Var_111Customer_Var_120 datetime Customer_Var_121Customer_Var_130 uniqueidentifier Customer_Var_131Customer_Var_140 int Customer_Var_141Customer_Var_150 varchar/nvarchar(255) Comment 8.1.50 EVT_AGENT_RPT_V View references EVT_AGENT table that stores information about Collectors. Column Name Datatype Comment Agent_ID bigint Collector identifier CUST_ID bigint Customer identifier Agent varchar/nvarchar(64) Collector name Port varchar/nvarchar(64) Collector port Report_Name varchar/nvarchar(255) Reporter name Product_Name varchar/nvarchar(255) The basic name of the product that the Collector processing this event is designed to handle Sensor_Name varchar/nvarchar(255) Sensor name Sensor_Type varchar/nvarchar(5) The type of sensor which produced the event: H - host-based N - network-based V - virus O - other Most event sources are type "N", the Correlation Engine is type "C", etc Device_Category varchar/nvarchar(255) The category of the event source, from an enumerated list (OS, DB, etc) Source_UUID uniqueidentifier Unique identifier of the Sentinel service that generated this event DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified 156 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.51 EVT_AGENT_RPT_V3 Column Name Datatype Comment Agent_ID bigint Collector identifier Cust_ID bigint Customer identifier Agent varchar/nvarchar(64) Collector Port varchar/nvarchar(64) Port Reporter_Host_Name varchar/nvarchar(255) The unqualified hostname of the reporter of the event (ReporterName) Sensor_Type varchar/nvarchar(5) Sensor type: H - host-based N - network-based V - virus O - other Device_Category varchar/nvarchar(255) The category of the event source, from an enumerated list (OS, DB, etc) Source_UUID uniqueidentifier Unique identifier of the Sentinel service that generated this event DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.52 EVT_ASSET_RPT_V View references EVT_ASSET table that stores asset information. Column Name Datatype Comment Event_Asset_ID bigint Event asset identifier CUST_ID bigint Customer identifier Asset_Name varchar/nvarchar(255) Asset name Physical_Asset_Name varchar/nvarchar(255) Physical asset name Sentinel Database Views for Microsoft SQL Server 157 novdocx (en) 16 April 2010 Column Name Datatype Comment Reference_Asset_IDvarchar/ nvarchar(100) Reference asset identifier, links to Reference_Asset_IDvarchar/ source asset management nvarchar(100) system. Mac_Address varchar/nvarchar(100) MAC address Rack_Number varchar/nvarchar(50) Rack number Room_Name varchar/nvarchar(100) Room name Building_Name varchar/nvarchar(255) Building name City varchar/nvarchar(100) City State varchar/nvarchar(100) State Country varchar/nvarchar(100) Country Zip_Code varchar/nvarchar(50) Zip code Asset_Category_Name varchar/nvarchar(100) Asset category name Network_Identity_Name varchar/nvarchar(255) Asset network identity name Environment_Identity_Name varchar/nvarchar(255) Environment name Asset_Value_Name varchar/nvarchar(50) Asset value name Criticality_Name varchar/nvarchar(50) Asset criticality name Sensitivity_Name varchar/nvarchar(50) Asset sensitivity name Contact_Name_1 varchar/nvarchar(255) Name of contact person/ organization 1 Contact_Name_2 varchar/nvarchar(255) Name of contact person/ organization 2 Organization_Name_1 varchar/nvarchar(100) Asset owner organization level 1 Organization_Name_2 varchar/nvarchar(100) Asset owner organization level 2 Organization_Name_3 varchar/nvarchar(100) Asset owner organization level 3 Organization_Name_4 varchar/nvarchar(100) Asset owner organization level 4 DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.53 EVT_ASSET_RPT_V3 Asset_Department varchar/nvarchar(100) Asset department DATE_CREATED datetime Date the entry was created 158 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name varchar/nvarchar(100) Asset department DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.54 EVT_DEST_EVT_NAME_SMRY_1_RPT_V View summarizes event count by destination, taxonomy, event name, severity and event time. Column Name Datatype Comment Destination_IP int Destination IP address Destination_Event_Asset_ID bigint Event asset identifier Taxonomy_ID bigint Used to link to XDAS and legacy taxonomy tables Event_Name_ID bigint Event name identifier Severity int The normalized Sentinel event severity (05) CUST_ID bigint Customer identifier Event_Tme datetime A string representation of the time the event occurred, according to the event source Event_Count int Event count Date_Created datetime Date the entry was created Date_Modified datetime Date the entry was modified Created_By int User who created object Modified_By int User who last modified object Destination_Host_Name varchar/nvarchar(255) Destination host name 8.1.55 EVT_DEST_SMRY_1_RPT_V View contains event destination summary information. Column Name Datatype Comment Destination_IP int Destination IP address Destination_Event_Asset_ID bigint Event asset identifier Destination_Port varchar/nvarchar(32) Destination port Destination_User_ID bigint Destination user identifier Sentinel Database Views for Microsoft SQL Server 159 novdocx (en) 16 April 2010 Asset_Department Datatype Comment Taxonomy_ID bigint Used to link to XDAS and legacy taxonomy tables Event_Name_ID bigint Event name identifier Resource_ID bigint Resource identifier Agent_ID bigint Collector identifier Protocol_ID bigint Protocol identifier Severity int The normalized Sentinel event severity (0-5) CUST_ID bigint Customer identifier Event_Time datetime A string representation of the time the event occurred, according to the event source XDAS_Taxonomy_id bigint XDAS taxonomy identifier Target_User_Identity uniqueidentifier The internal UUID of the identity associated with the target account Event_Count int Event count Date_Created datetime Date the entry was created Date_Modified datetime Date the entry was modified Created_By int User who created object Modified_By int User who last modified object Destination_Host_Name varchar/nvarchar(255) Destination host name 8.1.56 EVT_DEST_TXNMY_SMRY_1_RPT_V View summarizes event count by destination, taxonomy, severity and event time. Column Name Datatype Comment Destination_IP int Destination IP address Destination_Event_Asset_ID bigint Event asset identifier Taxonomy_ID bigint Used to link to XDAS and legacy taxonomy tables Severity int The normalized Sentinel event severity (0-5) CUST_ID bigint Customer identifier Event_Time datetime A string representation of the time the event occurred, according to the event source XDAS_Taxonomy_id bigint XDAS taxonomy identifier 160 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment Event_Count int Event count Date_Created datetime Date the entry was created Date_Modified datetime Date the entry was modified Created_By int User who created object Modified_By int User who last modified object Destination_Host_Name varchar/nvarchar(255) Destination host name 8.1.57 EVT_NAME_RPT_V View references EVT_NAME table that stores event name information. Column Name Datatype Comment Event_Name_ID bigint Event name identifier Event_Name varchar/nvarchar(255) A short, abstract description of the event, such as "User Logged In" DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.58 EVT_PORT_SMRY_1 Column Name Datatype Comment DEST_PORT varchar/nvarchar(32) Destination port SEV int Severity CUST_ID bigint Customer identifier EVT_TIME datetime A string representation of the time the event occurred, according to the event source EVT_CNT int Event count DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object Sentinel Database Views for Microsoft SQL Server 161 novdocx (en) 16 April 2010 Column Name View summarizes event count by destination port, severity and event time. Column Name Datatype Comment Destination_Port varchar/nvarchar(32) Destination port Severity int The normalized Sentinel event severity (0-5) Cust_ID bigint Customer identifier Event_Time datetime A string representation of the time the event occurred, according to the event source Event_Count int Event count Date_Created datetime Date the entry was created Date_Modified datetime Date the entry was modified Created_By int User who created object Modified_By int User who last modified object 8.1.60 EVT_PRTCL_RPT_V View references EVT_PRTCL table that stores event protocol information. Column Name Datatype Comment Protocol_ID bigint Protocol identifier Protocol_Name varchar/nvarchar(255) Protocol name DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.61 EVT_RSRC_RPT_V View references EVT_RSRC table that stores event resource information. Column Name Datatype Comment Resource_ID bigint Resource identifier CUST_ID bigint Customer identifier Resource_Name varchar/nvarchar(255) Resource name Sub_Resource_Name varchar/nvarchar(255) Subresource name 162 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 8.1.59 EVT_PORT_SMRY_1_RPT_V Datatype Comment DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.62 EVT_SEV_SMRY_1_RPT_V View summarizes event count by severity and event time. Column Name Datatype Comment Severity int The normalized Sentinel event severity (0-5) CUST_ID bigint Customer identifier Event_Time datetime A string representation of the time the event occurred, according to the event source Event_Count int Event count Date_Created datetime Date the entry was created Date_Modified datetime Date the entry was modified Created_By int User who created object Modified_By int User who last modified object 8.1.63 EVT_SRC_COLLECTOR_RPT_V Column Name Datatype Comment EVT_SRC_COLLECTOR_ID uniqueidentifier Event source collector identifier SENTINEL_PLUGIN_ID uniqueidentifier Sentine plug-in identifier EVT_SRC_MGR_ID uniqueidentifier Event source manager identifier EVT_SRC_COLLECTOR_NAME varchar/nvarchar(255) Event source collector name STATE_IND bit State indicator EVT_SRC_COLLECTOR_PROPS ntext Event source collector prop MAP_FILTER ntext Map filter CREATED_BY int Date the entry was created MODIFIED_BY int Date the entry was modified DATE_CREATED datetime User who created object DATE_MODIFIED datetime User who last modified object Sentinel Database Views for Microsoft SQL Server 163 novdocx (en) 16 April 2010 Column Name Column Name Datatype Comment EVT_SRC_GRP_ID uniqueidentifier Event source group identifier EVT_SRC_COLLECTOR_ID uniqueidentifier Event source collector identifier SENTINEL_PLUGIN_ID uniqueidentifier Sentinel plug-in identifier EVT_SRC_SRVR_ID uniqueidentifier Event source server identifier EVT_SRC_GRP_NAME varchar/nvarchar(255) Event source group name STATE_IND bit State indicator MAP_FILTER ntext Map filter EVT_SRC_DEFAULT_CONFIG ntext Event source default configuration CREATED_BY int Date the entry was created MODIFIED_BY int Date the entry was modified DATE_CREATED datetime User who created object DATE_MODIFIED datetime User who last modified object 8.1.65 EVT_SRC_MGR_RPT_V Column Name Datatype Comment EVT_SRC_MGR_ID uniqueidentifier Event source manager identifier SENTINEL_ID uniqueidentifier Sentinel identifier SENTINEL_HOST_ID uniqueidentifier Sentinel host identifier EVT_SRC_MGR_NAME varchar/nvarchar(255) Event source manager name STATE_IND bit State indicator EVT_SRC_MGR_CONFIG ntext Event source manager config CREATED_BY int Date the entry was created MODIFIED_BY int Date the entry was modified DATE_CREATED datetime User who created object DATE_MODIFIED datetime User who last modified object 8.1.66 EVT_SRC_OFFSET_RPT_V Column Name Datatype Comment EVT_SRC_ID uniqueidentifier Event source identifier 164 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 8.1.64 EVT_SRC_GRP_RPT_V Datatype Comment OFFSET_VAL ntext Offset value OFFSET_TIMESTAMP datetime Offset timestamp CREATED_BY int User who created object MODIFIED_BY int User who last modified object DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified 8.1.67 EVT_SRC_RPT_V Column Name Datatype Comment EVT_SRC_ID uniqueidentifier Event source identifier EVT_SRC_NAME varchar/nvarchar(255) Event source name EVT_SRC_GRP_ID uniqueidentifier Event source group identifier STATE_IND bit State indicator MAP_FILTER ntext Map filter EVT_SRC_CONFIG ntext Event source config CREATED_BY int User who created object MODIFIED_BY int User who last modified object DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified 8.1.68 EVT_SRC_SMRY_1_RPT_V View contains event source and destination summary information. Column Name Datatype Comment Source_IP int Source IP address Source_Event_Asset_ID bigint Event asset identifier Source_Port varchar/nvarchar(32) Source port Source_User_ID bigint User identifier Taxonomy _ID bigint Used to link to XDAS and legacy taxonomy tables Event_Name_ID bigint Event name identifier Resource_ID bigint Resource identifier Sentinel Database Views for Microsoft SQL Server 165 novdocx (en) 16 April 2010 Column Name Datatype Comment Agent_ID bigint Collector identifier Protocol _ID bigint Protocol identifier Severity int The normalized Sentinel event severity (05) CUST_ID bigint Customer identifier Event_Time datetime A string representation of the time the event occurred, according to the event source XDAS_Taxonomy_id bigint XDAS taxonomy id Init_User_Identity uniqueidentifier The internal UUID of the identity that is associated with the initiating account Event_Count int Event count Date_Created datetime Date the entry was created Date_Modified datetime Date the entry was modified Created_By int User who created object Modified_By int User who last modified object Source_Host_Name varchar/nvarchar(255) Source host name 8.1.69 EVT_SRC_SRVR_RPT_V Column Name Datatype Comment EVT_SRC_SRVR_ID uniqueidentifier Event source server identifier EVT_SRC_SRVR_NAME varchar/nvarchar(255) Event source server name EVT_SRC_MGR_ID uniqueidentifier Event source manager identifier SENTINEL_PLUGIN_ID uniqueidentifier Sentinel plugin identifier STATE_IND bit State indicator EVT_SRC_SRVR_CONFIG ntext Event source server configuration CREATED_BY int User who created object MODIFIED_BY int User who last modified object DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified 8.1.70 EVT_TXNMY_RPT_V View references EVT_TXNMY table that stores event taxonomy information. 166 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment Taxonomy _ID bigint Used to link to XDAS and legacy taxonomy tables Taxonomy _ Level _1 varchar/nvarchar(100) Deprecated Taxonomy _ Level _2 varchar/nvarchar(100) Deprecated Taxonomy _ Level _3 varchar/nvarchar(100) Deprecated Taxonomy _ Level _4 varchar/nvarchar(100) Deprecated Device_Category varchar/nvarchar(255) DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.71 EVT_USR_RPT_V View references EVT_USR table that stores event user information. Column Name Datatype Comment User_ID bigint User identifier User_Name varchar/nvarchar(255) User name User_Domain varchar/nvarchar(255) CUST_ID bigint Customer identifier DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.72 EVT_XDAS_TXNMY_RPT_V Column Name Datatype Comment XDAS_TXNMY_NAME varchar/nvarchar(255) Human-readable XDAS event taxonomy string XDAS_OUTCOME_NAME varchar/nvarchar(255) Human-readable XDAS outcome Xdas_Registry int The XDAS Registry ID; refer to XDAS specifications Sentinel Database Views for Microsoft SQL Server 167 novdocx (en) 16 April 2010 Column Name Datatype Comment Xdas_Provider int The XDAS Provider ID; refer to XDAS specifications Xdas_Class int The XDAS Event Class ID; refer to XDAS specifications Xdas_Identifier int The XDAS Event Identifier; refer to XDAS specifications Xdas_Outcome int The XDAS major outcome; success, failure, or denial Xdas_Detail int The XDAS outcome detail; refer to XDAS specifications Xdas_Taxonomy_Id bigint XDAS taxonomy identifier DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.73 EXTERNAL_DATA_RPT_V View references EXTERNAL_DATA table that stores external data. Column Name Datatype Comment EXTERNAL_DATA_ID int External data identifier SOURCE_NAME varchar/nvarchar(50) Source name SOURCE_DATA_ID varchar/nvarchar(255) Source data identifier EXTERNAL_DATA ntext External data EXTERNAL_DATA_TYPE varchar/nvarchar(10) External data type DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.74 HIST_CORRELATED_EVENTS Column Name Datatype Comment PARENT_EVT_ID uniqueidentifier Event Universal Unique Identifier (UUID) of parent event 168 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment CHILD_EVT_ID uniqueidentifier Event Universal Unique Identifier (UUID) of child event PARENT_EVT_TIME datetime Parent event created time CHILD_EVT_TIME datetime Child event created time DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.75 HIST_CORRELATED_EVENTS_RPT_V (legacy view) This view is provided for backward compatibility. New reports should use CORRELATED_EVENTS_RPT_V1. 8.1.76 HIST_EVENTS Column Name Datatype Comment EVT_ID uniqueidentifier Event Universal Unique Identifier (UUID) EVT_TIME datetime A string representation of the time the event occurred, according to the event source CUST_ID bigint Customer identifier SRC_ASSET_ID bigint Source Asset ID DEST_ASSET_ID bigint Destination Asset ID TXNMY_ID bigint Used to link to XDAS and legacy taxonomy tables PRTCL_ID bigint Protocol ID AGENT_ID bigint Collector Identifier ARCH_ID bigint DEVICE_EVT_TIME datetime Device Event Time SENTINEL_PROCESS_TIME datetime The time at which Sentinel processed the event BEGIN_TIME datetime The time the event began to occur, if the event represents a lengthy transaction Sentinel Database Views for Microsoft SQL Server 169 novdocx (en) 16 April 2010 Column Name Datatype Comment END_TIME datetime The time the event completed, if the event represents a lengthy transaction REPEAT_CNT int The number of times the identical event occurred DP_INT int SP_INT int RES varchar/nvarchar(255) SRES varchar/nvarchar(255) SEV int Severity EVT varchar/nvarchar(255) Events ET varchar/nvarchar(255) SIP int SHN varchar/nvarchar(255) SP varchar/nvarchar(32) DIP int DHN varchar/nvarchar(255) DP varchar/nvarchar(32) SUN varchar/nvarchar(255) DUN varchar/nvarchar(255) FN varchar/nvarchar(1000) VULN int CT1 varchar/nvarchar(255) CT2 varchar/nvarchar(255) CT3 int RT1 varchar/nvarchar(255) RT2 varchar/nvarchar(255) RT3 int CRIT int MSG varchar/nvarchar(4000) EI varchar/nvarchar(1000) INIT_USR_SYS_ID varchar/nvarchar(255) INIT_USR_IDENTITY_GUID uniqueidentifier 170 Sentinel 6.1 Reference Guide Resolution Vulnerability A descriptive string which describes the event and some event details of what occurred novdocx (en) 16 April 2010 Column Name Datatype Comment TRGT_USR_SYS_ID varchar/nvarchar(255) TRGT_USR_IDENTITY_GUID uniqueidentifier EFFECTIVE_USR_NAME varchar/nvarchar(255) EFFECTIVE_USR_SYS_ID varchar/nvarchar(255) EFFECTIVE_USR_DOMAIN varchar/nvarchar(255) TRGT_TRUST_NAME varchar/nvarchar(255) TRGT_TRUST_SYS_ID varchar/nvarchar(255) TRGT_TRUST_DOMAIN varchar/nvarchar(255) OBSRVR_IP int RPTR_IP int OBSRVR_HOST_DOMAIN varchar/nvarchar(255) RPTR_HOST_DOMAIN varchar/nvarchar(255) OBSRVR_ASSET_ID varchar/nvarchar(255) RPTR_ASSET_ID varchar/nvarchar(255) INIT_SRVC_COMP varchar/nvarchar(255) TARGET_SRVC_COMP varchar/nvarchar(255) EVT_GRP_ID varchar/nvarchar(255) DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object RV01-RV10 int RV11-RV20 datetime RV21-RV25 uniqueidentifier RV26-RV38 varchar/nvarchar(255) RV40-RV49 RV101-RV120 datetime RV121-RV130 uniqueidentifier RV131-RV140 int RV141-RV150 varchar/nvarchar(255) RID01-RID20 bigint CV01-CV10 int The ID or code used by the vendor to reference that specific event type. Sentinel Database Views for Microsoft SQL Server 171 novdocx (en) 16 April 2010 Column Name Datatype Comment CV11-CV20 datetime CV21-CV29 varchar/nvarchar(255) CV35-CV100 CV30-CV34 varchar/nvarchar(4000) CV101-CV110 int CV131-CV140 CV111-CV120 datetime CV121-CV130 uniqueidentifier CV141-CV147 varchar/nvarchar(255) 8.1.77 HIST_EVENTS_RPT_V (legacy view) This view is provided for backward compatibility. New reports should use EVENTS_RPT_V2. 8.1.78 IMAGES_RPT_V View references IMAGES table that stores system overview image information. Column Name Datatype Comment NAME varchar/nvarchar(128) Image name TYPE varchar/nvarchar(64) Image type DATA ntext Image data DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.79 INCIDENTS_ASSETS_RPT_V View references INCIDENTS_ASSETS table that stores information about the assets that makeup incidents created in the Sentinel Console. Column Name Datatype Comment INC_ID int Incident identifier – sequence number ASSET_ID uniqueidentifier Asset Universal Unique Identifier (UUID) DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified 172 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.80 INCIDENTS_EVENTS_RPT_V View references INCIDENTS_EVENTS table that stores information about the events that makeup incidents created in the Sentinel Console. Column Name Datatype Comment INC_ID int Incident identifier – sequence number EVT_ID uniqueidentifier Event Universal Unique Identifier (UUID) EVT_TIME datetime A string representation of the time the event occurred, according to the event source DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.81 INCIDENTS_RPT_V View references INCIDENTS table that stores information describing the details of incidents created in the Sentinel Console. Column Name Datatype Comment INC_ID int Incident identifier – sequence number NAME varchar/nvarchar(255) Incident name INC_CAT varchar/nvarchar(255) Incident category INC_DESC varchar/nvarchar(4000) Incident description INC_PRIORITY int Incident priority INC_RES varchar/nvarchar(4000) Incident resolution SEVERITY int The normalized Sentinel event severity (05) STT_ID int Incident State ID SEVERITY_RATING varchar/nvarchar(32) Average of all the event severities that comprise an incident. Sentinel Database Views for Microsoft SQL Server 173 novdocx (en) 16 April 2010 Column Name Datatype Comment VULNERABILITY_RATING varchar/nvarchar(32) Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality. CRITICALITY_RATING varchar/nvarchar(32) Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality. DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.82 INCIDENTS_VULN_RPT_V View references INCIDENTS_VULN table that stores information about the vulnerabilities that makeup incidents created in the Sentinel Console. Column Name Datatype Comment INC_ID int Incident identifier – sequence number VULN_ID uniqueidentifier Vulnerability Universal Unique Identifier (UUID) DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.83 L_STAT_RPT_V View references L_STAT table that stores statistical information. Column Name Datatype Comment RES_NAME varchar/nvarchar(32) Resource name STATS_NAME varchar/nvarchar(32) Statistic name STATS_VALUE varchar/nvarchar(32) Value of the statistic OPEN_TOT_SECS numeric(18,0) Number of seconds since 1970. 174 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name View references LOGS_RPT table that stores logging information. Column Name Datatype Comment LOG_ID int Sequence number TIME datetime Date of Log MODULE varchar/nvarchar(64) Module log is for TEXT varchar/nvarchar(4000) Log ntext 8.1.85 MSSP_ASSOCIATIONS_V View references MSSP_ASSOCIATIONS table that associates an integer key in one table to a uuid in another table. Column Name Datatype Comment TABLE1 varchar/nvarchar (64) Table name 1 ID1 bigint ID1 TABLE2 varchar/nvarchar (64) Table name 2 ID2 uniqueidentifier ID2 DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.86 NETWORK_IDENTITY_RPT_V View references NETWORK_IDENTITY_LKUP table that stores asset network identity information. Column Name Datatype Comment NETWORK_IDENTITY_ID bigint Network identity code NETWORK_IDENTITY_NAME varchar/nvarchar(255) Network identify name DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object Sentinel Database Views for Microsoft SQL Server 175 novdocx (en) 16 April 2010 8.1.84 LOGS_RPT_V View references ORGANIZATION table that stores organization (asset) information. Column Name Datatype Comment ORGANIZATION_ID uniqueidentifier Organization identifier ORGANIZATION_NAME varchar/nvarchar(100) Organization name CUST_ID bigint Customer identifier DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.88 PERSON_RPT_V View references PERSION table that stores personal (asset) information. Column Name Datatype Comment PERSON_ID uniqueidentifier Person identifier FIRST_NAME varchar/nvarchar(255) First name LAST_NAME varchar/nvarchar(255) Last name CUST_ID bigint Customer identifier PHONE_NUMBER varchar/nvarchar(50) Phone number EMAIL_ADDRESS varchar/nvarchar(255) E-mail address DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.89 PHYSICAL_ASSET_RPT_V View references PHYSICAL_ASSET table that stores physical asset information. Column Name Datatype Comment PHYSICAL_ASSET_ID uniqueidentifier Physical asset identifier CUST_ID bigint Customer identifier LOCATION_ID bigint Location identifier HOST_NAME varchar/nvarchar(255) Host name 176 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 8.1.87 ORGANIZATION_RPT_V Datatype Comment IP_ADDRESS int IP address NETWORK_IDENTITY_ID bigint Network identity code MAC_ADDRESS varchar/nvarchar(100) MAC address RACK_NUMBER varchar/nvarchar(50) Rack number ROOM_NAME varchar/nvarchar(100) Room name DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.90 PRODUCT_RPT_V View references PRDT table that stores asset product information. Column Name Datatype Comment PRODUCT _ID bigint Product identifier PRODUCT _NAME varchar/nvarchar(255) Product name PRODUCT _VERSION varchar/nvarchar(100) Product version VENDOR _ID bigint Vendor identifier DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.91 ROLE_RPT_V View references ROLE_LKUP table that stores user role (asset) information. Column Name Datatype Comment ROLE_CODE varchar/nvarchar(5) Role code ROLE_NAME varchar/nvarchar(255) Role name DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object Sentinel Database Views for Microsoft SQL Server 177 novdocx (en) 16 April 2010 Column Name This view contains localized report labels for reports in non-English languages. Column Name Datatype Comment RPT_NAME varchar/nvarchar(100) Report name LABEL_1 – LABEL_35 varchar/nvarchar(2000) Translated report labels 8.1.93 SENSITIVITY_RPT_V View references SENSITIVITY_LKUP table that stores asset sensitivity information. Column Name Datatype Comment SENSITIVITY_ID bigint Asset sensitivity code SENSITIVITY_NAME varchar/nvarchar(50) Asset sensitivity name DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.94 SENTINEL_HOST_RPT_V Column Name Datatype Comment SENTINEL_HOST_ID uniqueidentifier Sentinel host identifier SENTINEL_ID uniqueidentifier Sentinel identifier SENTINEL_HOST_NAME varchar/nvarchar(255) Sentinel host name HOST_NAME varchar/nvarchar(255) Host name IP_ADDR varchar/nvarchar(255) IP address HOST_OS varchar/nvarchar(255) Host operating system HOST_OS_VERSION varchar/nvarchar(255) Host operating system version MODIFIED_BY int User who last modified object CREATED_BY int User who created object DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified 178 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 8.1.92 RPT_LABELS_RPT_V Column Name Datatype Comment SENTINEL_PLUGIN_ID uniqueidentifier Sentinel plugin identifier SENTINEL_PLUGIN_NAME varchar/nvarchar(255) Sentinel plugin name SENTINEL_PLUGIN_TYPE varchar/nvarchar(255) Sentinel plugin type FILE_NAME varchar/nvarchar(512) The name of the data object (file, database table, directory object, etc) that was affected by this event. CONTENT_PKG ntext Content package FILE_HASH varchar/nvarchar(255) File hash code AUX_FILE_NAME varchar/nvarchar(512) Auxiliary file name CREATED_BY int User who created object MODIFIED_BY int User who last modified object DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified 8.1.96 SENTINEL_RPT_V Column Name Datatype Comment SENTINEL_ID uniqueidentifier Sentinel identifier SENTINEL_NAME varchar/nvarchar(255) Sentinel name ONLINE_IND bit Online indicator STATE_IND bit State indicator SENTINEL_CONFIG ntext Sentinel configuration CREATED_BY int User who created object MODIFIED_BY int User who last modified object DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified 8.1.97 STATES_RPT_V View references STATES table that stores definitions of states defined by applications or context. Column Name Datatype Comment STT_ID int State ID – sequence number Sentinel Database Views for Microsoft SQL Server 179 novdocx (en) 16 April 2010 8.1.95 SENTINEL_PLUGIN_RPT_V Datatype Comment CONTEXT varchar/nvarchar(64) Context of the state. That is case, incident, user. NAME varchar/nvarchar(64) Name of the state. TERMINAL_FLAG varchar/nvarchar(1) Indicates if state of incident is resolved. DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified MODIFIED_BY int User who last modified object CREATED_BY int User who created object 8.1.98 UNASSIGNED_INCIDENTS_RPT_V View references CASES and INCIDENTS tables to report on unassigned cases. Name Datatype Comment INC_ID int Incident identifier – sequence number NAME varchar/nvarchar(255) Short, unique user name used as a login SEVERITY int The normalized Sentinel event severity (0-5) STT_ID int State ID. Status is either active or inactive. SEVERITY_RATING varchar/nvarchar(32) Average of all the event severities that comprise an incident. VULNERABILITY_RATING varchar/nvarchar(32) Vulnerability rating CRITICALITY_RATING varchar/nvarchar(32) Criticality rating DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object INC_DESC varchar/nvarchar(4000) Incident description INC_CAT varchar/nvarchar(255) Incident category INC_PRIORITY int Incident priority INC_RES varchar/nvarchar(4000) Incident resolution 8.1.99 USERS_RPT_V View references USERS table that lists all users of the application. The users will also be created as database users to accommodate 3rd party reporting tools. 180 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment USR_ID int User identifier – Sequence number NAME varchar/nvarchar(64) Short, unique user name used as a login CNT_ID int Contact ID – Sequence number STT_ID int State ID. Status is either active or inactive. DESCRIPTION varchar/nvarchar(512) Comments PERMISSIONS varchar/nvarchar(4000) Permissions currently assigned to the Sentinel user FILTER varchar/nvarchar(128) Current security filter assigned to the Sentinel user UPPER_NAME varchar/nvarchar(64) User name in upper case DOMAIN_AUTH_IND bit Domain authentication indication DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.100 USR_ACCOUNT_RPT_V Column Name Datatype Comment ACCOUNT_ID bigint Account identifier USER_DOMAIN varchar/nvarchar(255) User domain CUST_ID bigint Customer identifier BEGIN_EFFECTIVE_DATE datetime Begin effective date END_EFFECTIVE_DATE datetime End effective date CURRENT_F bit Current flag USER_STATUS varchar/nvarchar(50) User status IDENTITY_GUID uniqueidentifier Identity identifier SOURCE_USER_ID varchar/nvarchar(100) User ID on source system DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object Sentinel Database Views for Microsoft SQL Server 181 novdocx (en) 16 April 2010 Column Name Column Name Datatype Comment IDENTITY_GUID uniqueidentifier Identity identifier ATTRIBUTE_NAME varchar/nvarchar(255) Attribute name ATTRIBUTE_VALUE varchar/nvarchar(1024) Attribute value 8.1.102 USR_IDENTITY_RPT_V Column Name Datatype Comment IDENTITY_GUID uniqueidentifier Identity identifier DN varchar/nvarchar(255) Distinguished name CUST_ID bigint Customer identifier SRC_IDENTITY_ID varchar/nvarchar(100) Source identity identifier WFID varchar/nvarchar(100) Workforce identifier FIRST_NAME varchar/nvarchar(255) First name LAST_NAME varchar/nvarchar(255) Last name FULL_NAME varchar/nvarchar(255) The full name of the identity associated with the initiating account JOB_TITLE varchar/nvarchar(255) Job title DEPARTMENT_NAME varchar/nvarchar(100) The department of the identity associated with the initiating account OFFICE_LOC_CD varchar/nvarchar(100) Office location code PRIMARY_EMAIL varchar/nvarchar(255) Primary e-mail address PRIMARY_PHONE varchar/nvarchar(100) Primary phone number VAULT_NAME varchar/nvarchar(100) Identity vault name MGR_GUID uniqueidentifier Manager identity identifier PHOTO text Photo DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.103 VENDOR_RPT_V View references VNDR table that stores information about asset product vendors. 182 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 8.1.101 USR_IDENTITY_EXT_ATTR_RPT_V Datatype Comment VENDOR_ID bigint Vendor identifier VENDOR_NAME varchar/nvarchar(255) Vendor name DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.104 VULN_CALC_SEVERITY_RPT_V View references VULN_RSRC and VULN to calculate eSecurity vulnerability severity rating base on current vulnerabilities. Column Name Datatype Comment RSRC_ID uniqueidentifier IP varchar/nvarchar(32) IP HOST_NAME varchar/nvarchar(255) Host name CRITICALITY int Asset criticality code ASSIGNED_VULN_SEVERITY int VULN_COUNT int CALC_SEVERITY numeric(14,2) Vulnerability Count 8.1.105 VULN_CODE_RPT_V View references VULN_CODE table that stores industry assigned vulnerability codes such as Mitre's CVEs and CANs. Column Name Datatype Comment VULN_CODE_ID uniqueidentifier VULN_ID uniqueidentifier Vulnerability identifier VULN_CODE_TYPE varchar/nvarchar(64) Vulnerability code type VULN_CODE_VALUE varchar/nvarchar(255) Vulnerability code value URL varchar/nvarchar(512) Web URL DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object Sentinel Database Views for Microsoft SQL Server 183 novdocx (en) 16 April 2010 Column Name Datatype Comment MODIFIED_BY int User who last modified object 8.1.106 VULN_INFO_RPT_V View references VULN_INFO table that stores additional information reported during a scan. Column Name Datatype Comment VULN_INFO_ID uniqueidentifier VULN_ID uniqueidentifier VULN_INFO_TYPE varchar/nvarchar(36) VULN_INFO_VALUE varchar/nvarchar(2000) DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object Vulnerability identifier 8.1.107 VULN_RPT_V View references VULN table that stores information of scanned system. Each scanner will have its own entry for each system. Column Name Datatype Comment VULN_ID uniqueidentifier Vulnerability identifier RSRC_ID uniqueidentifier Resource identifier PORT_NAME varchar/nvarchar(64) Port Name PORT_NUMBER int Port Number NETWORK_PROTOCOL int Network Protocol APPLICATION_PROTOCOL varchar/nvarchar(64) Application Protocol ASSIGNED_VULN_SEVERITY int COMPUTED_VULN_SEVERITY int VULN_DESCRIPTION ntext VULN_SOLUTION ntext VULN_SUMMARY varchar/nvarchar(1000) BEGIN_EFFECTIVE_DATE datetime Date from which the entry is valid END_EFFECTIVE_DATE datetime Date until which the entry is valid DETECTED_OS varchar/nvarchar(64) 184 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name Datatype Comment DETECTED_OS_VERSION varchar/nvarchar(64) SCANNED_APP varchar/nvarchar(64) SCANNED_APP_VERSION varchar/nvarchar(64) VULN_USER_NAME varchar/nvarchar(64) VULN_USER_DOMAIN varchar/nvarchar(64) VULN_TAXONOMY varchar/nvarchar(1000) SCANNER_CLASSIFICATION varchar/nvarchar(255) VULN_NAME varchar/nvarchar(300) VULN_MODULE varchar/nvarchar(64) DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.108 VULN_RSRC_RPT_V View references VULN_RSRC table that stores each resource scanned for a particular scan. Column Name Datatype Comment RSRC_ID uniqueidentifier SCANNER_ID uniqueidentifier Scanner identifier IP varchar/nvarchar(32) IP Address HOST_NAME varchar/nvarchar(255) Host name LOCATION varchar/nvarchar(128) Location DEPARTMENT varchar/nvarchar(128) Department BUSINESS_SYSTEM varchar/nvarchar(128) Business System OPERATIONAL_ENVIRONMENT varchar/nvarchar(64) Operational environment CRITICALITY int Criticality REGULATION varchar/nvarchar(128) Regulation REGULATION_RATING varchar/nvarchar(64) Regulation rating DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object Sentinel Database Views for Microsoft SQL Server 185 novdocx (en) 16 April 2010 Column Name View references VULN_RSRC_SCAN table that stores each resource scanned for a particular scan. Column Name Datatype Comment RSRC_ID uniqueidentifier SCAN_ID uniqueidentifier DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.110 VULN_SCAN_RPT_V View references table that stores information pertaining to scans. Column Name Datatype Comment SCAN_ID uniqueidentifier Vulnerability scan identifier SCANNER_ID uniqueidentifier Vulnerability scanner identifier SCAN_TYPE varchar/nvarchar(10) Vulnerability scan type SCAN_START_DATE datetime Scan start date SCAN_END_DATE datetime Scan start date CONSOLIDATION_SERVER varchar/nvarchar(64) Consolidation server DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.111 VULN_SCAN_VULN_RPT_V View references VULN_SCAN_VULN table that stores vulnerabilities detected during scans. Column Name Datatype SCAN_ID uniqueidentifier VULN_ID uniqueidentifier DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object 186 Sentinel 6.1 Reference Guide Comment novdocx (en) 16 April 2010 8.1.109 VULN_RSRC_SCAN_RPT_V Datatype Comment MODIFIED_BY int User who last modified object 8.1.112 VULN_SCANNER_RPT_V View references VULN_SCANNER table that stores information about vulnerability scanners. Column Name Datatype Comment SCANNER_ID uniqueidentifier PRODUCT_NAME varchar/nvarchar(100) The basic name of the product that the Collector processing this event is designed to handle PRODUCT_VERSION varchar/nvarchar(64) Product Version SCANNER_TYPE varchar/nvarchar(64) Vulnerability Scanner Type VENDOR varchar/nvarchar(100) Vendor SCANNER_INSTANCE varchar/nvarchar(64) Scanner Instance DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.113 WORKFLOW_DEF_RPT_V Column Name Datatype Comment PKG_NAME varchar/nvarchar(255) Package name PKG_DATA ntext Package data DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.1.114 WORKFLOW_INFO_RPT_V Column Name Datatype Comment INFO_ID bigint Info identifier PROCESS_DEF_ID varchar/nvarchar(100) Process definition identifier Sentinel Database Views for Microsoft SQL Server 187 novdocx (en) 16 April 2010 Column Name Datatype Comment PROCESS_INSTANCE_ID varchar/nvarchar(150) Process instance identifier DATE_CREATED datetime Date the entry was created DATE_MODIFIED datetime Date the entry was modified CREATED_BY int User who created object MODIFIED_BY int User who last modified object 8.2 Deprecated Views The following legacy views are no longer created in the Sentinel 6 database: ADV_ALERT_CVE_RPT_V ADV_ALERT_PRODUCT_RPT_V ADV_ALERT_RPT_V ADV_ATTACK_ALERT_RPT_V ADV_ATTACK_CVE_RPT_V ADV_CREDIBILITY_RPT_V ADV_SEVERITY_RPT_V ADV_SUBALERT_RPT_V ADV_URGENCY_RPT_V HIST_INCIDENTS_RPT_V 188 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Column Name This checklist is provided to aid in diagnosing a problem. By filling in this checklist, you can solve common issues or reduce the amount of time needed to solve more complex issues. Table A-1 Checklist Checklist Item Information Example Novell Version: V6.0 Novell Platform and OS Version: SuSE Linux Enterprise Server 10 Database Platform and OS Version: Oracle 10.2.0.3 with critical patch #5881721 Sentinel Server Hardware Configuration 4 CPU @ 3 GHz 5 GB RAM Processor Memory Other Database Server Hardware Configuration 4 CPU @ 3.0 GHz 8 GB RAM Processor Memory Other (if separate Box) Database Storage Configuration (NAS, SAN, Local and so on.) Local with offsite backup Reporting Server OS and Configuration Crystal XI (Crystal Server) SuSE Linux Enterprise Server 10 with MySQL NOTE: Depending upon how your Sentinel system is configured (distributed), you might need to expand the above table. For instance additional information might be needed for DAS, Advisor, Sentinel Control Center, Collector Builder and communication layer. 1 Check the Novell Customer Center (http://support.novell.com/ phone.html?sourceidint=suplnav4_phonesup) for your particular issue: Is this a known issue with a work-around? Is this issue fixed in the latest patch release or hot-fix? Is this issue currently scheduled to be fixed in a future release? Sentinel Troubleshooting Checklist 189 novdocx (en) 16 April 2010 A Sentinel Troubleshooting Checklist A Can it be reproduced? Can the steps to reproduce the problem be enumerated? What user action, if any, will cause the problem? Is the issue periodic in nature? 3 Determine the severity of this problem. Is the system still useable? 4 Understand the environment and systems involved. What platforms and product versions are involved? Are there any non-standard or custom components involved? Is it a high event rate environment? What is the rate of events being collected? What is the event rate of insertion into the database? How many concurrent users are there? Is Crystal reporting used? When are reports run? Is correlation used? How many rules are deployed? Collect configuration files, log files and system information from appropriate subdirectories in $ESEC_HOME or %ESEC_HOME%. Assemble this information for possible future knowledge transfer. 5 Check the health of the system. Can you log into the Sentinel Control Center? Are events being generated and inserted into the database? Can events be seen on the Sentinel Control Center? Can events be retrieved from the database using quick query? Check the RAM usage, disk space, process activity, CPU usage and network connectivity of the hosts involved. Verify all expected Sentinel processes are running. Microsoft Task Manager can be used in a Windows environment. In UNIX, the command ps –ef|grep esecadm can be used. Check for any core dumps in any of the sub-directories of ESEC_HOME. Find out which process core dumped. (cd $ESEC_HOME, find . –name core –print) Check for the sqlplus net access. Check for the tablespaces. Make sure the Sonic broker is running. Connectivity can be verified using the Sonic management console. Check that the various connections are active from Novell processes. Make sure that a lock file is not preventing Sonic from starting. Optionally telnet to that server on the sonic port (that is telnet sentinel.company.com 10012) Check whether the wrapper service is running on the server. (ps –ef | grep wrapper) Are any errors visible in the Servers View of the Sentinel Control Center? Are any errors visible in the Event Source Management Live View in the Sentinel Control Center? What is the OS resource consumption on the Collector Managers? 6 Is there a problem with the Database? Using sqlplus, can you log into the database? 190 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 2 Determine the nature of the problem. schema? Does querying on one of the table succeed? Does a select statement on a database table succeed? Check the JDBC drivers, their locations and class path settings. If Oracle, do they have Partitioning installed (provide “select * from v$version;”) and used? Is the database being maintained by an administrator? By anyone? Has the database been modified by that administrator? Is SDM being used to maintain the partitions and archive/delete the partitions to make more room in the database? Using SDM what is the current partition? Is it P_MAX? 7 Inspect whether the product environment settings are correct. Verify the sanity of User login shell scripts, environment variables, configurations, java home settings. Are the environment variable set to run the correct jvm? Verify the proper permissions on the folders for the installed product. Check if any cron jobs are setup causing interference with our product’s functionality. If the product is installed on NFS mounts, check the sanity of NFS mounts & NFS/NIS services. 8 Is there a possible memory leak? Obtain the statistics on how fast the memory is being consumed and by which process. Gather the metrics of the events throughput per Collector. Run the prstat command on Solaris. This will give the process runtime statistics. In Windows you can check the process size and handle count in task manager. This issue, if not resolved, is now ready for escalation. Possible results of escalation are: Configuration file changes Hot fixes or patches to your system Enhancement request Temporary workaround. Sentinel Troubleshooting Checklist 191 novdocx (en) 16 April 2010 Does the database allow a sqlplus login using the Novell dba account into the ESEC novdocx (en) 16 April 2010 192 Sentinel 6.1 Reference Guide B The purpose of this document is to describe in detail of how to set up Sentinel service logon account as NT AUTHORITY\NetworkService instead of Domain user account. This has been tested on the Windows 2003 platform only. B.1 Sentinel Services Sentinel Services should be set to run in order to use Sentinel application. To run a service you need to login to the machine where Sentinel is installed using a logon Account. The different logon accounts and advantages of using a logon account are discussed in this document. B.2 Introduction to Service Logon Accounts A service must log on to an account to access resources and objects on the operating system. If you select an account that does not have permission to log on as a service, the Services snap-in automatically grants that account the user rights that are required to log on as a service on the computer that you are managing. However, this does not guarantee that the service will start. For example, it is recommended that the user accounts that are used to log on as a service have the Password never expires check box selected in their properties dialog box and that they have strong passwords. If account lockout policy is enabled and the account is locked out, the service will malfunction. The following table describes the service logon accounts and how they are used. Table B-1 Usage of Service Logon Accounts Logon Account Description Local System Account The Local System account is a powerful account that has full access to the system, including the directory service on domain controllers. If a service logs onto the Local System account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the Local System account. Do not change the default service setting. Local System account is a predefined local account that is used to start a service and provide the security context for that service. The name of the account is NT AUTHORITY\System. This account does not have a password and any password information that you supply is ignored. The Local System account has full access to the system, including the directory service on domain controllers. Because the Local System account acts as a computer on the network, it has access to network resources. Sentinel Service Logon Account 193 novdocx (en) 16 April 2010 Sentinel Service Logon Account B Description Local Service Account The Local Service account is a special built-in account that is similar to an authenticated user account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with no credentials. Local Service account is a predefined local account that is used to start a service and provide the security context for that service. The name of the account is NT AUTHORITY\LocalService. The Local Service account has limited access to the local computer and Anonymous access to network resources. Network Service Account The Network Service account is a special, built-in account that is similar to an authenticated user account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources using the credentials of the computer account. Network Service account is a predefined local account that is used to start a service and provide the security context for that service. The name of the account is NT AUTHORITY\NetworkService. The Network Service account has limited access to the local computer and authenticated access (as the computer account) to network resources. B.2.1 Disadvantages of running a service in the context of a user logon 1 The account must be created before the service can run. If the setup program for the service creates the account, Setup must run from an account that has sufficient administrative credentials to create accounts in the directory service. 2 Service account names and passwords are stored on each computer on which the service is installed. If the password for a service account on a computer is changed or expires, the service cannot start on that computer until the password is set to the new password for that service. The recommendation is to use LocalService and Network Service instead of using an account that requires a password: this simplifies password management. 3 If a service account is renamed, locked out, disabled, or deleted, the service cannot start on that computer until the account is reset. Because of the above disadvantages, Novell has tested out running Sentinel service under NT AUTHORITY\NetworkService account. NT AUTHORITY\LocalService account does not have enough privilege for this purpose, because DAS processes need to communicate to database server on the network. NOTE: Novell has tested and recommends choosing Network Service account option. 194 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Logon Account To setup NT AUTHORITY\NetworkService as the logon account for Sentinel service, you need to perform the following: Add the machine that runs Sentinel Service as a login account to ESEC and ESEC_WF database instances (performed on the database machine) Change the logon account for Sentinel service to NT AUTHORITY\NetworkService (performed on your remote machine) Setting the Sentinel startup (performed on your remote machine) B.3.1 Adding Sentinel Service as a Login Account to ESEC and ESEC_WF DB Instances To add a login of a remote machine to the database server: NOTE: As an example, the following are steps to add secnet\case1 as a login to the database server. 1 On your database machine, open up SQL Server Management Studio. Specify the user credentials in the Login window. Click Connect 2 In the Object Explorer pane, under SQL Server Group, expand Security folder and highlight Logins folder. 3 Right-click Logins > New login. Sentinel Service Logon Account 195 novdocx (en) 16 April 2010 B.3 To Setup NT AUTHORITY\NetworkService as the Logon Account for Sentinel Service novdocx (en) 16 April 2010 4 In the Login-New window, provide the Login name. Alternatively, you can click the Search button next to the Login name field. The following screen displays: 196 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 5 In the Enter the object name to select field, provide a domain name and user name (secnet\case1$ is provided as an example). This is the machine <domain name>\<name of machine>$ you are adding as a login to the database server. Click OK. 6 Click Server Roles in the Select a page navigation pane. Select sysadmin and serveradmin as Server Roles as shown below: 7 Click User Mapping in the Select a page navigation pane. Select access to ESEC and ESEC_WF as “public” and “db_owner” as shown below: Sentinel Service Logon Account 197 novdocx (en) 16 April 2010 Click OK. B.3.2 Changing logon account To change the logon for Sentinel Service to NT AUTHORITY\NetworkService: 1 On your remote machine you are connecting to the database, click Start > Programs > Administrative Tools > Services. 2 Stop the Sentinel service, right-click > Properties > Log On tab. 3 Click This account and in the field provide NT AUTHORITY\NetworkService. Clear the Password and Confirm password fields. 198 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 4 Click OK. The Services window for the Sentinel Service should indicate Network Service under the Log On As column. B.3.3 Setting the Sentinel Service to Start Successfully In order for the Sentinel Service to start successfully, NT AUTHORITY\NetworkService account should have write permission to %ESEC_HOME%. According to Microsoft documentation, the NetworkService account has the following privileges: SE_ASSIGNPRIMARYTOKEN_NAME (disabled) SE_AUDIT_NAME (disabled) SE_CHANGE_NOTIFY_NAME (enabled) SE_CREATE_GLOBAL_NAME (enabled) SE_IMPERSONATE_NAME (enabled) SE_INCREASE_QUOTA_NAME (disabled) SE_SHUTDOWN_NAME (disabled) SE_UNDOCK_NAME (disabled) Any privileges assigned to users and authenticated users Sentinel Service Logon Account 199 To set the Sentinel Service to start successfully: 1 Open Window’s Explorer and navigate to %ESEC_HOME%. 2 Right-click the Sentinel parent folder (Typically named sentinel6) > Properties > Security tab. 3 Highlight Users group. Grant Read & Execute, List Folder Contents, Read, Write permissions. Click OK. 4 In the Services window, restart the Sentinel service. 200 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 You must grant write access to %ESEC_HOME% to the Users group. The purpose of this document is to describe in detail various Sentinel Services and the Permissions they require for their functioning. C.1 Advisor Table C-1 Table C-1: Advisor Sentinel Component Sentinel Service Sentinel Process Function summary Permission's required Permission Explanation Advisor Sentinel java Download (optional) and processes Advisor attack data. Network access It connects to the database to Internet access read and insert over port 443 data. (optional) It File read communicates access to: over the network with ESEC_HOME iSCALE to /config notify other ESEC_HOME processes it is /lib down ESEC_HOME processing a feed. /jre It reads local configuration files and uses ESEC_HOME the java executable. /data File write access to: ESEC_HOME It writes log files /log as well as caches data in the local file system. Sentinel Service Permission Tables 201 novdocx (en) 16 April 2010 C Sentinel Service Permission Tables C Table C-2 Collector Manager Sentinel Component Collector Manager Sentinel Service Sentinel Process Function summary Permissions required Permission Explanation Sentinel java Manages Connectors and Collectors. It spawns off an agentengine process for each Collector it manages. Collector Manager also publishes system status messages, performs global filtering of events, and performs referential mappings. The agentengine process runs as an interpreter for Collector scripts, which normalize unprocessed (raw) events from security devices and systems producing event, vulnerability, and asset data that Sentinel can analyze and store in its database. Network access (both outgoing access and local access to bind to ports greater than 1024) It communicates with iSCALE for configuration, event processing, and mapping data. 202 Sentinel 6.1 Reference Guide agentengine (child process) It reads local configuration files and uses ESEC_HOME the java /config executable. ESEC_HOME It writes log files /lib as well as ESEC_HOME caches data in /jre the local file system. File write access to: File read access to: ESEC_HOME /data ESEC_HOME /log NOTE: Additionally, will need access to other resources depending which Connectors it is configured to run and which Event Sources it connecting to. Please refer to the individual Connector documentation for any additional permission requirements. novdocx (en) 16 April 2010 C.2 Collector Manager Table C-3 Correlation Engine Sentinel Component Correlation Engine Sentinel Service Sentinel Process Function summary Permission's required Permission Explanation Sentinel java Receives Network access It events from the communicates File read Collector over the access to: Manager and network with publishes iSCALE for ESEC_HOME correlated configuration, /config events based event ESEC_HOME processing, and on user-defined /lib correlation correlated rules. ESEC_HOME event generation. /jre It reads local configuration files and uses ESEC_HOME the java executable. /data File write access to: ESEC_HOME It writes log files /log as well as caches data in the local file system. Sentinel Service Permission Tables 203 novdocx (en) 16 April 2010 C.3 Correlation Engine Table C-4 DATA Access Server (DAS) Sentinel Component Sentinel Service DAS Sentinel 204 Sentinel 6.1 Reference Guide Sentinel Process java (das_binary) Function summary Permission's required Permission Explanation Responsible for Network access It connects to event insertion. the database to Database read and insert Access java Provides data. (das_query) general File read It database access to: communicates access over the services, map ESEC_HOME network with data server, /config iSCALE for exploit ESEC_HOME configuration detection data /lib and event generation, Sentinel user ESEC_HOME processing and other general login, and other /jre data general processing. services. File write access to: It reads local java (das_rt) Provides data that drives the ESEC_HOME configuration files and uses Active View /data the java charts. ESEC_HOME executable. /log java (das_itrac) Provides It writes log files services to use as well as and manage caches data in iTRAC workflow the local file processes. system. java Summaries (das_aggregati event data into on) summary database tables, primarily for use by reports. novdocx (en) 16 April 2010 C.4 Data Access Server (DAS) Table C-5 Sentinel Communication Server Sentinel Component Sentinel Sentinel Service Process Communication Sentine java (Sonic) Server (iSCALE / l MOM) java (das_proxy) Function summary iSCALE: A Message Oriented Middleware (MOM). The iSCALE component provides a Java Message Service (JMS) framework for inter-process communication. Processes communicate through a broker, which is responsible for routing and buffering messages. iSCALE also has an SSL proxy that acts as an SSL bridge between the message bus and a client connecting through SSL. Permission's required Permission Explanation It binds to local Network access ports to accept (binds to port greater than 1024) TCP connections in order to perform File read access its duties as a to: communication server. ESEC_HOME/jr e It reads local File write access to: ESEC_HOME/3r dparty/ SonicMQ/ MQ7.0 configuration files and uses the java executable. It writes to Sonic’s internal database on the local file system. It binds to local Network access ports to accept (binds to ports greater than 1024) SSL connections in order to perform File read access its duties as a to: communication server. ESEC_HOME/c onfig It reads local ESEC_HOME/lib configuration files and uses the java ESEC_HOME/jr executable. e It writes log files, caches data, and writes to Sonic’s ESEC_HOME/3r internal database on the local file dparty/ system. SonicMQ/ MQ7.0 It also will write File write access to: ESEC_HOME/d certificates to ata ESEC_HOME/lo config directory when required. g ESEC_HOME/c onfig Sentinel Service Permission Tables 205 novdocx (en) 16 April 2010 C.5 Sentinel Communication Server Table C-6 Sentinel Service Sentinel Component Sentinel Service Sentinel Service Sentinel Process Function summary Sentinel wrapper Registers as a Network access It service with the communicates File read operating over the access to: system and, network with when executed, iSCALE for ESEC_HOME launches the configuration /config java Sentinel and status ESEC_HOME reporting. Service. /lib The java It reads local ESEC_HOME configuration Sentinel /jre Service process files and uses that is the java File write responsible for access to: executable. launching, restarting, and ESEC_HOME It writes log files to the local file reporting status /log system. on the other Sentinel Server processes. java (sentinel) Permission's required Permission Explanation C.7 Reporting Server Table C-7 Reporting Server Sentinel Component Sentinel Application Sentinel Service Sentinel Process Function summary Reports - - - Crystal Reports XI or Crystal Enterprise 9 Standard is one of the reporting tools with Sentinel. 206 Sentinel 6.1 Reference Guide Permission's required novdocx (en) 16 April 2010 C.6 Sentinel Service D The purpose of this document is to provide a detailed breakdown of Sentinel database users, roles and their access permissions. D.1 Sentinel Database Instance Below listed are the Sentinel database instances D.1.1 ESEC This instance have: Users: esecadm esecrpt esecapp Other users esecdba NOTE: Other users are created through User Manager. For detailed access permissions, see Section D.3, “Sentinel Database Roles,” on page 209. Roles: ESEC_APP: The same permission as db_owner ESEC_ETL ESEC_USER D.1.2 ESEC_WF Users: esecapp: For detailed access permissions see the Section D.2, “Sentinel Database Users,” on page 207. Roles: ESEC_APP: For detailed access permissions see the Section D.3, “Sentinel Database Roles,” on page 209. D.2 Sentinel Database Users Below listed are the Sentinel database users Sentinel Database Users, Roles, and Access Permissions 207 novdocx (en) 16 April 2010 Sentinel Database Users, Roles, and Access Permissions D Table D-1 Sentinel Database Users-Summary User Name Group Name Login Name Default DB Name Esecadm ESEC_USER esecadm ESEC Esecapp ESEC_APP esecapp ESEC Esecapp ESEC_ETL esecapp ESEC Esecapp db_owner esecapp ESEC Esecdba db_owner esecdba ESEC Esecrpt ESEC_USER esecrpt ESEC D.2.2 esecadm Table D-2 Sentinel Database Users-esecadm Login Name DB Name User Name User of Alias Esecadm ESEC ESEC_USER MemberOf Esecadm ESEC esecadm User D.2.3 esecapp Table D-3 Sentinel Database Users-esecapp Login Name DB Name User Name User of Alias Esecapp ESEC ESEC_APP MemberOf Esecapp ESEC ESEC_ETL MemberOf Esecapp ESEC esecapp User Esecapp ESEC db_owner MemberOf Esecapp ESEC_WF ESEC_APP MemberOf Esecapp ESEC_WF esecapp User 208 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 D.2.1 Summary Table D-4 Sentinel Database Users-esecdba Login Name DB Name User Name User of Alias Esecdba ESEC db_owner MemberOf Esecdba ESEC esecdba User D.2.5 esecrpt Table D-5 Sentinel Database Users-esecrpt Login Name DB Name User Name User of Alias Esecrpt ESEC ESEC_USER MemberOf Esecrpt ESEC esecrpt User D.3 Sentinel Database Roles Below listed are the Sentinel database roles D.3.1 Summary ESEC_APP: It is a database role for ESEC and ESEC_WF. It has the same permission as db_owner for ESEC instance. ESEC_ETL: It is a database role for ESEC instance. ESEC_USER: A role for ESEC instance. D.3.2 ESEC_APP For ESEC instance, ESEC_APP has the same permission as db_owner. ESEC_APP performs the activities of all database roles, as well as other maintenance and configuration activities in the database. The permissions of this role span all of the other fixed database roles. For ESEC_WF instance, these are the permission for ESEC_APP role: Table D-6 Sentinel Database Roles-ESEC_APP Role Name Object Name Action Type ESEC_APP Activities 193 SELECT U User table ESEC_APP Activities 195 INSERT U User table ESEC_APP Activities 196 DELETE U User table ESEC_APP Activities 197 UPDATE U User table Sentinel Database Users, Roles, and Access Permissions 209 novdocx (en) 16 April 2010 D.2.4 esecdba Object Name Action Type ESEC_APP ActivityData 193 SELECT U User table ESEC_APP ActivityData 195 INSERT U User table ESEC_APP ActivityData 196 DELETE U User table ESEC_APP ActivityData 197 UPDATE U User table ESEC_APP ActivityDataBLOBs 193 SELECT U User table ESEC_APP ActivityDataBLOBs 195 INSERT U User table ESEC_APP ActivityDataBLOBs 196 DELETE U User table ESEC_APP ActivityDataBLOBs 197 UPDATE U User table ESEC_APP ActivityDataWOB 193 SELECT U User table ESEC_APP ActivityDataWOB 195 INSERT U User table ESEC_APP ActivityDataWOB 196 DELETE U User table ESEC_APP ActivityDataWOB 197 UPDATE U User table ESEC_APP ActivityStateEventAudits 193 SELECT U User table ESEC_APP ActivityStateEventAudits 195 INSERT U User table ESEC_APP ActivityStateEventAudits 196 DELETE U User table ESEC_APP ActivityStateEventAudits 197 UPDATE U User table ESEC_APP ActivityStates 193 SELECT U User table ESEC_APP ActivityStates 195 INSERT U User table ESEC_APP ActivityStates 196 DELETE U User table ESEC_APP ActivityStates 197 UPDATE U User table ESEC_APP AndJoinTable 193 SELECT U User table ESEC_APP AndJoinTable 195 INSERT U User table ESEC_APP AndJoinTable 196 DELETE U User table ESEC_APP AndJoinTable 197 UPDATE U User table ESEC_APP AssignmentEventAudits 193 SELECT U User table ESEC_APP AssignmentEventAudits 195 INSERT U User table ESEC_APP AssignmentEventAudits 196 DELETE U User table ESEC_APP AssignmentEventAudits 197 UPDATE U User table ESEC_APP AssignmentsTable 193 SELECT U User table ESEC_APP AssignmentsTable 195 INSERT U User table ESEC_APP AssignmentsTable 196 DELETE U User table ESEC_APP AssignmentsTable 197 UPDATE U User table 210 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Role Name Object Name Action Type ESEC_APP Counters 193 SELECT U User table ESEC_APP Counters 195 INSERT U User table ESEC_APP Counters 196 DELETE U User table ESEC_APP Counters 197 UPDATE U User table ESEC_APP CreateProcessEventAudits 193 SELECT U User table ESEC_APP CreateProcessEventAudits 195 INSERT U User table ESEC_APP CreateProcessEventAudits 196 DELETE U User table ESEC_APP CreateProcessEventAudits 197 UPDATE U User table ESEC_APP DataEventAudits 193 SELECT U User table ESEC_APP DataEventAudits 195 INSERT U User table ESEC_APP DataEventAudits 196 DELETE U User table ESEC_APP DataEventAudits 197 UPDATE U User table ESEC_APP Deadlines 193 SELECT U User table ESEC_APP Deadlines 195 INSERT U User table ESEC_APP Deadlines 196 DELETE U User table ESEC_APP Deadlines 197 UPDATE U User table ESEC_APP EventTypes 193 SELECT U User table ESEC_APP EventTypes 195 INSERT U User table ESEC_APP EventTypes 196 DELETE U User table ESEC_APP EventTypes 197 UPDATE U User table ESEC_APP GroupGroupTable 193 SELECT U User table ESEC_APP GroupGroupTable 195 INSERT U User table ESEC_APP GroupGroupTable 196 DELETE U User table ESEC_APP GroupGroupTable 197 UPDATE U User table ESEC_APP GroupTable 193 SELECT U User table ESEC_APP GroupTable 195 INSERT U User table ESEC_APP GroupTable 196 DELETE U User table ESEC_APP GroupTable 197 UPDATE U User table ESEC_APP GroupUser 193 SELECT U User table ESEC_APP GroupUser 195 INSERT U User table ESEC_APP GroupUser 196 DELETE U User table ESEC_APP GroupUser 197 UPDATE U User table Sentinel Database Users, Roles, and Access Permissions novdocx (en) 16 April 2010 Role Name 211 Object Name Action Type ESEC_APP GroupUserPackLevelParticipant 193 SELECT U User table ESEC_APP GroupUserPackLevelParticipant 195 INSERT U User table ESEC_APP GroupUserPackLevelParticipant 196 DELETE U User table ESEC_APP GroupUserPackLevelParticipant 197 UPDATE U User table ESEC_APP GroupUserProcLevelParticipant 193 SELECT U User table ESEC_APP GroupUserProcLevelParticipant 195 INSERT U User table ESEC_APP GroupUserProcLevelParticipant 196 DELETE U User table ESEC_APP GroupUserProcLevelParticipant 197 UPDATE U User table ESEC_APP LockTable 193 SELECT U User table ESEC_APP LockTable 195 INSERT U User table ESEC_APP LockTable 196 DELETE U User table ESEC_APP LockTable 197 UPDATE U User table ESEC_APP NewEventAuditData 193 SELECT U User table ESEC_APP NewEventAuditData 195 INSERT U User table ESEC_APP NewEventAuditData 196 DELETE U User table ESEC_APP NewEventAuditData 197 UPDATE U User table ESEC_APP NewEventAuditDataBLOBs 193 SELECT U User table ESEC_APP NewEventAuditDataBLOBs 195 INSERT U User table ESEC_APP NewEventAuditDataBLOBs 196 DELETE U User table ESEC_APP NewEventAuditDataBLOBs 197 UPDATE U User table ESEC_APP NewEventAuditDataWOB 193 SELECT U User table ESEC_APP NewEventAuditDataWOB 195 INSERT U User table ESEC_APP NewEventAuditDataWOB 196 DELETE U User table ESEC_APP NewEventAuditDataWOB 197 UPDATE U User table ESEC_APP NextXPDLVersions 193 SELECT U User table ESEC_APP NextXPDLVersions 195 INSERT U User table ESEC_APP NextXPDLVersions 196 DELETE U User table ESEC_APP NextXPDLVersions 197 UPDATE U User table ESEC_APP NormalUser 193 SELECT U User table ESEC_APP NormalUser 195 INSERT U User table ESEC_APP NormalUser 196 DELETE U User table ESEC_APP NormalUser 197 UPDATE U User table 212 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Role Name Object Name Action Type ESEC_APP ObjectId 193 SELECT U User table ESEC_APP ObjectId 195 INSERT U User table ESEC_APP ObjectId 196 DELETE U User table ESEC_APP ObjectId 197 UPDATE U User table ESEC_APP OldEventAuditData 193 SELECT U User table ESEC_APP OldEventAuditData 195 INSERT U User table ESEC_APP OldEventAuditData 196 DELETE U User table ESEC_APP OldEventAuditData 197 UPDATE U User table ESEC_APP OldEventAuditDataBLOBs 193 SELECT U User table ESEC_APP OldEventAuditDataBLOBs 195 INSERT U User table ESEC_APP OldEventAuditDataBLOBs 196 DELETE U User table ESEC_APP OldEventAuditDataBLOBs 197 UPDATE U User table ESEC_APP OldEventAuditDataWOB 193 SELECT U User table ESEC_APP OldEventAuditDataWOB 195 INSERT U User table ESEC_APP OldEventAuditDataWOB 196 DELETE U User table ESEC_APP OldEventAuditDataWOB 197 UPDATE U User table ESEC_APP PackLevelParticipant 193 SELECT U User table ESEC_APP PackLevelParticipant 195 INSERT U User table ESEC_APP PackLevelParticipant 196 DELETE U User table ESEC_APP PackLevelParticipant 197 UPDATE U User table ESEC_APP PackLevelXPDLApp 193 SELECT U User table ESEC_APP PackLevelXPDLApp 195 INSERT U User table ESEC_APP PackLevelXPDLApp 196 DELETE U User table ESEC_APP PackLevelXPDLApp 197 UPDATE U User table ESEC_APP PackLevelXPDLAppTAAppDetail 193 SELECT U User table ESEC_APP PackLevelXPDLAppTAAppDetail 195 INSERT U User table ESEC_APP PackLevelXPDLAppTAAppDetail 196 DELETE U User table ESEC_APP PackLevelXPDLAppTAAppDetail 197 UPDATE U User table ESEC_APP PackLevelXPDLAppTAAppDetailUsr 193 SELECT U User table ESEC_APP PackLevelXPDLAppTAAppDetailUsr 195 INSERT U User table ESEC_APP PackLevelXPDLAppTAAppDetailUsr 196 DELETE U User table ESEC_APP PackLevelXPDLAppTAAppDetailUsr 197 UPDATE U User table Sentinel Database Users, Roles, and Access Permissions 213 novdocx (en) 16 April 2010 Role Name Object Name Action Type ESEC_APP PackLevelXPDLAppTAAppUser 193 SELECT U User table ESEC_APP PackLevelXPDLAppTAAppUser 195 INSERT U User table ESEC_APP PackLevelXPDLAppTAAppUser 196 DELETE U User table ESEC_APP PackLevelXPDLAppTAAppUser 197 UPDATE U User table ESEC_APP PackLevelXPDLAppToolAgentApp 193 SELECT U User table ESEC_APP PackLevelXPDLAppToolAgentApp 195 INSERT U User table ESEC_APP PackLevelXPDLAppToolAgentApp 196 DELETE U User table ESEC_APP PackLevelXPDLAppToolAgentApp 197 UPDATE U User table ESEC_APP ProcessData 193 SELECT U User table ESEC_APP ProcessData 195 INSERT U User table ESEC_APP ProcessData 196 DELETE U User table ESEC_APP ProcessData 197 UPDATE U User table ESEC_APP ProcessDataBLOBs 193 SELECT U User table ESEC_APP ProcessDataBLOBs 195 INSERT U User table ESEC_APP ProcessDataBLOBs 196 DELETE U User table ESEC_APP ProcessDataBLOBs 197 UPDATE U User table ESEC_APP ProcessDataWOB 193 SELECT U User table ESEC_APP ProcessDataWOB 195 INSERT U User table ESEC_APP ProcessDataWOB 196 DELETE U User table ESEC_APP ProcessDataWOB 197 UPDATE U User table ESEC_APP ProcessDefinitions 193 SELECT U User table ESEC_APP ProcessDefinitions 195 INSERT U User table ESEC_APP ProcessDefinitions 196 DELETE U User table ESEC_APP ProcessDefinitions 197 UPDATE U User table ESEC_APP Processes 193 SELECT U User table ESEC_APP Processes 195 INSERT U User table ESEC_APP Processes 196 DELETE U User table ESEC_APP Processes 197 UPDATE U User table ESEC_APP ProcessRequesters 193 SELECT U User table ESEC_APP ProcessRequesters 195 INSERT U User table ESEC_APP ProcessRequesters 196 DELETE U User table ESEC_APP ProcessRequesters 197 UPDATE U User table 214 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Role Name Object Name Action Type ESEC_APP ProcessStateEventAudits 193 SELECT U User table ESEC_APP ProcessStateEventAudits 195 INSERT U User table ESEC_APP ProcessStateEventAudits 196 DELETE U User table ESEC_APP ProcessStateEventAudits 197 UPDATE U User table ESEC_APP ProcessStates 193 SELECT U User table ESEC_APP ProcessStates 195 INSERT U User table ESEC_APP ProcessStates 196 DELETE U User table ESEC_APP ProcessStates 197 UPDATE U User table ESEC_APP ProcLevelParticipant 193 SELECT U User table ESEC_APP ProcLevelParticipant 195 INSERT U User table ESEC_APP ProcLevelParticipant 196 DELETE U User table ESEC_APP ProcLevelParticipant 197 UPDATE U User table ESEC_APP ProcLevelXPDLApp 193 SELECT U User table ESEC_APP ProcLevelXPDLApp 195 INSERT U User table ESEC_APP ProcLevelXPDLApp 196 DELETE U User table ESEC_APP ProcLevelXPDLApp 197 UPDATE U User table ESEC_APP ProcLevelXPDLAppTAAppDetail 193 SELECT U User table ESEC_APP ProcLevelXPDLAppTAAppDetail 195 INSERT U User table ESEC_APP ProcLevelXPDLAppTAAppDetail 196 DELETE U User table ESEC_APP ProcLevelXPDLAppTAAppDetail 197 UPDATE U User table ESEC_APP ProcLevelXPDLAppTAAppDetailUsr 193 SELECT U User table ESEC_APP ProcLevelXPDLAppTAAppDetailUsr 195 INSERT U User table ESEC_APP ProcLevelXPDLAppTAAppDetailUsr 196 DELETE U User table ESEC_APP ProcLevelXPDLAppTAAppDetailUsr 197 UPDATE U User table ESEC_APP ProcLevelXPDLAppTAAppUser 193 SELECT U User table ESEC_APP ProcLevelXPDLAppTAAppUser 195 INSERT U User table ESEC_APP ProcLevelXPDLAppTAAppUser 196 DELETE U User table ESEC_APP ProcLevelXPDLAppTAAppUser 197 UPDATE U User table ESEC_APP ProcLevelXPDLAppToolAgentApp 193 SELECT U User table ESEC_APP ProcLevelXPDLAppToolAgentApp 195 INSERT U User table ESEC_APP ProcLevelXPDLAppToolAgentApp 196 DELETE U User table ESEC_APP ProcLevelXPDLAppToolAgentApp 197 UPDATE U User table Sentinel Database Users, Roles, and Access Permissions 215 novdocx (en) 16 April 2010 Role Name Object Name Action Type ESEC_APP ResourcesTable 193 SELECT U User table ESEC_APP ResourcesTable 195 INSERT U User table ESEC_APP ResourcesTable 196 DELETE U User table ESEC_APP ResourcesTable 197 UPDATE U User table ESEC_APP StateEventAudits 193 SELECT U User table ESEC_APP StateEventAudits 195 INSERT U User table ESEC_APP StateEventAudits 196 DELETE U User table ESEC_APP StateEventAudits 197 UPDATE U User table ESEC_APP ToolAgentApp 193 SELECT U User table ESEC_APP ToolAgentApp 195 INSERT U User table ESEC_APP ToolAgentApp 196 DELETE U User table ESEC_APP ToolAgentApp 197 UPDATE U User table ESEC_APP ToolAgentAppDetail 193 SELECT U User table ESEC_APP ToolAgentAppDetail 195 INSERT U User table ESEC_APP ToolAgentAppDetail 196 DELETE U User table ESEC_APP ToolAgentAppDetail 197 UPDATE U User table ESEC_APP ToolAgentAppDetailUser 193 SELECT U User table ESEC_APP ToolAgentAppDetailUser 195 INSERT U User table ESEC_APP ToolAgentAppDetailUser 196 DELETE U User table ESEC_APP ToolAgentAppDetailUser 197 UPDATE U User table ESEC_APP ToolAgentAppUser 193 SELECT U User table ESEC_APP ToolAgentAppUser 195 INSERT U User table ESEC_APP ToolAgentAppUser 196 DELETE U User table ESEC_APP ToolAgentAppUser 197 UPDATE U User table ESEC_APP ToolAgentUser 193 SELECT U User table ESEC_APP ToolAgentUser 195 INSERT U User table ESEC_APP ToolAgentUser 196 DELETE U User table ESEC_APP ToolAgentUser 197 UPDATE U User table ESEC_APP UserGroupTable 193 SELECT U User table ESEC_APP UserGroupTable 195 INSERT U User table ESEC_APP UserGroupTable 196 DELETE U User table ESEC_APP UserGroupTable 197 UPDATE U User table 216 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Role Name Object Name Action Type ESEC_APP UserPackLevelParticipant 193 SELECT U User table ESEC_APP UserPackLevelParticipant 195 INSERT U User table ESEC_APP UserPackLevelParticipant 196 DELETE U User table ESEC_APP UserPackLevelParticipant 197 UPDATE U User table ESEC_APP UserProcLevelParticipant 193 SELECT U User table ESEC_APP UserProcLevelParticipant 195 INSERT U User table ESEC_APP UserProcLevelParticipant 196 DELETE U User table ESEC_APP UserProcLevelParticipant 197 UPDATE U User table ESEC_APP UserTable 193 SELECT U User table ESEC_APP UserTable 195 INSERT U User table ESEC_APP UserTable 196 DELETE U User table ESEC_APP UserTable 197 UPDATE U User table ESEC_APP XPDLApplicationPackage 193 SELECT U User table ESEC_APP XPDLApplicationPackage 195 INSERT U User table ESEC_APP XPDLApplicationPackage 196 DELETE U User table ESEC_APP XPDLApplicationPackage 197 UPDATE U User table ESEC_APP XPDLApplicationProcess 193 SELECT U User table ESEC_APP XPDLApplicationProcess 195 INSERT U User table ESEC_APP XPDLApplicationProcess 196 DELETE U User table ESEC_APP XPDLApplicationProcess 197 UPDATE U User table ESEC_APP XPDLData 193 SELECT U User table ESEC_APP XPDLData 195 INSERT U User table ESEC_APP XPDLData 196 DELETE U User table ESEC_APP XPDLData 197 UPDATE U User table ESEC_APP XPDLHistory 193 SELECT U User table ESEC_APP XPDLHistory 195 INSERT U User table ESEC_APP XPDLHistory 196 DELETE U User table ESEC_APP XPDLHistory 197 UPDATE U User table ESEC_APP XPDLHistoryData 193 SELECT U User table ESEC_APP XPDLHistoryData 195 INSERT U User table ESEC_APP XPDLHistoryData 197 UPDATE U User table ESEC_APP XPDLHistoryData 196 DELETE U User table Sentinel Database Users, Roles, and Access Permissions 217 novdocx (en) 16 April 2010 Role Name Object Name Action Type ESEC_APP XPDLParticipantPackage 193 SELECT U User table ESEC_APP XPDLParticipantPackage 195 INSERT U User table ESEC_APP XPDLParticipantPackage 196 DELETE U User table ESEC_APP XPDLParticipantPackage 197 UPDATE U User table ESEC_APP XPDLParticipantProcess 193 SELECT U User table ESEC_APP XPDLParticipantProcess 195 INSERT U User table ESEC_APP XPDLParticipantProcess 196 DELETE U User table ESEC_APP XPDLParticipantProcess 197 UPDATE U User table ESEC_APP XPDLReferences 193 SELECT U User table ESEC_APP XPDLReferences 195 INSERT U User table ESEC_APP XPDLReferences 196 DELETE U User table ESEC_APP XPDLReferences 197 UPDATE U User table ESEC_APP XPDLS 193 SELECT U User table ESEC_APP XPDLS 195 INSERT U User table ESEC_APP XPDLS 196 DELETE U User table ESEC_APP XPDLS 197 UPDATE U User table D.3.3 ESEC_ETL Table D-7 Sentinel Database Roles-ESEC_ETL Role Name Object Name Action Type ESEC_ETL ACTVY 193 SELECT U User table ESEC_ETL ACTVY_PARM 193 SELECT U User table ESEC_ETL ACTVY_REF 193 SELECT U User table ESEC_ETL ACTVY_REF_PARM_VAL 193 SELECT U User table ESEC_ETL ADV_ALERT 193 SELECT U User table ESEC_ETL ADV_ALERT_CVE 193 SELECT U User table ESEC_ETL ADV_ALERT_PRODUCT 193 SELECT U User table ESEC_ETL ADV_ATTACK 193 SELECT U User table ESEC_ETL ADV_ATTACK_ALERT 193 SELECT U User table ESEC_ETL ADV_ATTACK_CVE 193 SELECT U User table ESEC_ETL ADV_ATTACK_MAP 193 SELECT U User table 218 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Role Name Object Name Action Type ESEC_ETL ADV_ATTACK_PLUGIN 193 SELECT U User table ESEC_ETL ADV_CREDIBILITY 193 SELECT U User table ESEC_ETL ADV_FEED 193 SELECT U User table ESEC_ETL ADV_PRODUCT 193 SELECT U User table ESEC_ETL ADV_PRODUCT_SERVICE_PACK 193 SELECT U User table ESEC_ETL ADV_PRODUCT_VERSION 193 SELECT U User table ESEC_ETL ADV_SEVERITY 193 SELECT U User table ESEC_ETL ADV_SUBALERT 193 SELECT U User table ESEC_ETL ADV_URGENCY 193 SELECT U User table ESEC_ETL ADV_VENDOR 193 SELECT U User table ESEC_ETL ADV_VULN_PRODUCT 193 SELECT U User table ESEC_ETL ANNOTATIONS 193 SELECT U User table ESEC_ETL ASSET 193 SELECT U User table ESEC_ETL ASSET_CTGRY 193 SELECT U User table ESEC_ETL ASSET_HOSTNAME 193 SELECT U User table ESEC_ETL ASSET_IP 193 SELECT U User table ESEC_ETL ASSET_LOC 193 SELECT U User table ESEC_ETL ASSET_VAL_LKUP 193 SELECT U User table ESEC_ETL ASSET_X_ENTITY_X_ROLE 193 SELECT U User table ESEC_ETL ASSOCIATIONS 193 SELECT U User table ESEC_ETL ATTACHMENTS 193 SELECT U User table ESEC_ETL AUDIT_RECORD 193 SELECT U User table ESEC_ETL CONFIGS 193 SELECT U User table ESEC_ETL CONTACTS 193 SELECT U User table ESEC_ETL CORR_ACT_DEF 193 SELECT U User table ESEC_ETL CORR_ACT_META 193 SELECT U User table ESEC_ETL CORR_ACT_PARM 193 SELECT U User table ESEC_ETL CORR_ACT_PARM_DEF 193 SELECT U User table ESEC_ETL CORR_DEPLOY_CONFIG 193 SELECT U User table ESEC_ETL CORR_ENGINE_CONFIG 193 SELECT U User table ESEC_ETL CORR_RULE 193 SELECT U User table ESEC_ETL CORR_RULE_CFG 193 SELECT U User table Sentinel Database Users, Roles, and Access Permissions 219 novdocx (en) 16 April 2010 Role Name Object Name Action Type ESEC_ETL CORRELATED_EVENTS_P_MAX 193 SELECT U User table ESEC_ETL CORRELATED_EVENTS_P_MIN 193 SELECT U User table ESEC_ETL CRIT_LKUP 193 SELECT U User table ESEC_ETL CUST 193 SELECT U User table ESEC_ETL CUST_HIERARCHY 193 SELECT U User table ESEC_ETL ENTITY_TYP_LKUP 193 SELECT U User table ESEC_ETL ENV_IDENTITY_LKUP 193 SELECT U User table ESEC_ETL ESEC_ARCHIVE_CONFIG 193 SELECT U User table ESEC_ETL ESEC_ARCHIVE_LOG_FILES 193 SELECT U User table ESEC_ETL ESEC_ARCHIVE_LOGS 193 SELECT U User table ESEC_ETL ESEC_DB_PATCHES 193 SELECT U User table ESEC_ETL ESEC_DB_VERSION 193 SELECT U User table ESEC_ETL ESEC_DISPLAY 193 SELECT U User table ESEC_ETL ESEC_JOB_CONFIG 193 SELECT U User table ESEC_ETL ESEC_JOB_STS 193 SELECT U User table ESEC_ETL ESEC_NAMESPACE 193 SELECT U User table ESEC_ETL ESEC_NAMESPACE_LEAF 193 SELECT U User table ESEC_ETL ESEC_PARTITION_CONFIG 193 SELECT U User table ESEC_ETL ESEC_PORT_REFERENCE 193 SELECT U User table ESEC_ETL ESEC_PROTOCOL_REFERENCE 193 SELECT U User table ESEC_ETL ESEC_SDM_LOCK 193 SELECT U User table ESEC_ETL ESEC_SEQUENCE 193 SELECT U User table ESEC_ETL ESEC_TABLE_GROUPS 193 SELECT U User table ESEC_ETL ESEC_UUID_UUID_ASSOC 193 SELECT U User table ESEC_ETL EVENTS_P_MAX 193 SELECT U User table ESEC_ETL EVENTS_P_MIN 193 SELECT U User table ESEC_ETL EVT_AGENT 193 SELECT U User table ESEC_ETL EVT_ASSET 193 SELECT U User table ESEC_ETL EVT_DEST_EVT_NAME_SMRY_1_P_MAX 193 SELECT U User table ESEC_ETL EVT_DEST_EVT_NAME_SMRY_1_P_MAX 195 INSERT U User table ESEC_ETL EVT_DEST_EVT_NAME_SMRY_1_P_MAX 196 DELETE U User table ESEC_ETL EVT_DEST_EVT_NAME_SMRY_1_P_MAX 197 UPDATE U User table 220 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Role Name Object Name Action Type ESEC_ETL EVT_DEST_EVT_NAME_SMRY_1_P_MIN 193 SELECT U User table ESEC_ETL EVT_DEST_SMRY_1_P_MAX 193 SELECT U User table ESEC_ETL EVT_DEST_SMRY_1_P_MAX 195 INSERT U User table ESEC_ETL EVT_DEST_SMRY_1_P_MAX 196 DELETE U User table ESEC_ETL EVT_DEST_SMRY_1_P_MAX 197 UPDATE U User table ESEC_ETL EVT_DEST_SMRY_1_P_MIN 193 SELECT U User table ESEC_ETL EVT_DEST_TXNMY_SMRY_1_P_MAX 193 SELECT U User table ESEC_ETL EVT_DEST_TXNMY_SMRY_1_P_MAX 195 INSERT U User table ESEC_ETL EVT_DEST_TXNMY_SMRY_1_P_MAX 196 DELETE U User table ESEC_ETL EVT_DEST_TXNMY_SMRY_1_P_MAX 197 UPDATE U User table ESEC_ETL EVT_DEST_TXNMY_SMRY_1_P_MIN 193 SELECT U User table ESEC_ETL EVT_NAME 193 SELECT U User table ESEC_ETL EVT_NAME 195 INSERT U User table ESEC_ETL EVT_NAME 196 DELETE U User table ESEC_ETL EVT_NAME 197 UPDATE U User table ESEC_ETL EVT_PORT_SMRY_1_P_MAX 193 SELECT U User table ESEC_ETL EVT_PORT_SMRY_1_P_MAX 195 INSERT U User table ESEC_ETL EVT_PORT_SMRY_1_P_MAX 196 DELETE U User table ESEC_ETL EVT_PORT_SMRY_1_P_MAX 197 UPDATE U User table ESEC_ETL EVT_PORT_SMRY_1_P_MIN 193 SELECT U User table ESEC_ETL EVT_PRTCL 193 SELECT U User table ESEC_ETL EVT_RSRC 193 SELECT U User table ESEC_ETL EVT_SEV_SMRY_1_P_MAX 193 SELECT U User table ESEC_ETL EVT_SEV_SMRY_1_P_MAX 195 INSERT U User table ESEC_ETL EVT_SEV_SMRY_1_P_MAX 196 DELETE U User table ESEC_ETL EVT_SEV_SMRY_1_P_MAX 197 UPDATE U User table ESEC_ETL EVT_SEV_SMRY_1_P_MIN 193 SELECT U User table ESEC_ETL EVT_SRC 193 SELECT U User table ESEC_ETL EVT_SRC_COLLECTOR 193 SELECT U User table ESEC_ETL EVT_SRC_GRP 193 SELECT U User table ESEC_ETL EVT_SRC_MGR 193 SELECT U User table ESEC_ETL EVT_SRC_OFFSET 193 SELECT U User table Sentinel Database Users, Roles, and Access Permissions 221 novdocx (en) 16 April 2010 Role Name Object Name Action Type ESEC_ETL EVT_SRC_SMRY_1_P_MAX 193 SELECT U User table ESEC_ETL EVT_SRC_SMRY_1_P_MAX 195 INSERT U User table ESEC_ETL EVT_SRC_SMRY_1_P_MAX 196 DELETE U User table ESEC_ETL EVT_SRC_SMRY_1_P_MAX 197 UPDATE U User table ESEC_ETL EVT_SRC_SMRY_1_P_MIN 193 SELECT U User table ESEC_ETL EVT_SRC_SRVR 193 SELECT U User table ESEC_ETL EVT_TXNMY 193 SELECT U User table ESEC_ETL EVT_USR 193 SELECT U User table ESEC_ETL EVT_USR 195 INSERT U User table ESEC_ETL EVT_USR 196 DELETE U User table ESEC_ETL EVT_USR 197 UPDATE U User table ESEC_ETL EXT_DATA 193 SELECT U User table ESEC_ETL HIST_CORRELATED_EVENTS_P_MAX 193 SELECT U User table ESEC_ETL HIST_EVENTS_P_MAX 193 SELECT U User table ESEC_ETL IMAGES 193 SELECT U User table ESEC_ETL INCIDENTS 193 SELECT U User table ESEC_ETL INCIDENTS_ASSETS 193 SELECT U User table ESEC_ETL INCIDENTS_EVENTS 193 SELECT U User table ESEC_ETL INCIDENTS_VULN 193 SELECT U User table ESEC_ETL L_STAT 193 SELECT U User table ESEC_ETL LOGS 193 SELECT U User table ESEC_ETL MD_CONFIG 193 SELECT U User table ESEC_ETL MD_EVT_FILE_STS 193 SELECT U User table ESEC_ETL MD_EVT_FILE_STS 195 INSERT U User table ESEC_ETL MD_EVT_FILE_STS 196 DELETE U User table ESEC_ETL MD_EVT_FILE_STS 197 UPDATE U User table ESEC_ETL MD_SMRY_STS 193 SELECT U User table ESEC_ETL MD_SMRY_STS 195 INSERT U User table ESEC_ETL MD_SMRY_STS 196 DELETE U User table ESEC_ETL MD_SMRY_STS 197 UPDATE U User table ESEC_ETL MD_VIEW_CONFIG 193 SELECT U User table ESEC_ETL MSSP_ASSOCIATIONS 193 SELECT U User table 222 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Role Name Object Name Action Type ESEC_ETL NETWORK_IDENTITY_LKUP 193 SELECT U User table ESEC_ETL NLS_CONFIG 193 SELECT U User table ESEC_ETL NLS_MSG_TRANSLATION 193 SELECT U User table ESEC_ETL NORM_ATTACK_CD_MAP 193 SELECT U User table ESEC_ETL OBJ_STORE 193 SELECT U User table ESEC_ETL OFFLINE_QRY_STS 193 SELECT U User table ESEC_ETL ORGANIZATION 193 SELECT U User table ESEC_ETL PERSON 193 SELECT U User table ESEC_ETL PHYSICAL_ASSET 193 SELECT U User table ESEC_ETL PRDT 193 SELECT U User table ESEC_ETL ROLE_LKUP 193 SELECT U User table ESEC_ETL RPT_TRANSLATION 193 SELECT U User table ESEC_ETL SENSITIVITY_LKUP 193 SELECT U User table ESEC_ETL SENTINEL 193 SELECT U User table ESEC_ETL SENTINEL_HOST 193 SELECT U User table ESEC_ETL SENTINEL_PLUGIN 193 SELECT U User table ESEC_ETL STATES 193 SELECT U User table ESEC_ETL TXNMY_NODE 193 SELECT U User table ESEC_ETL USERS 193 SELECT U User table ESEC_ETL VNDR 193 SELECT U User table ESEC_ETL VULN 193 SELECT U User table ESEC_ETL VULN_CODE 193 SELECT U User table ESEC_ETL VULN_INFO 193 SELECT U User table ESEC_ETL VULN_RSRC 193 SELECT U User table ESEC_ETL VULN_RSRC_SCAN 193 SELECT U User table ESEC_ETL VULN_SCAN 193 SELECT U User table ESEC_ETL VULN_SCAN_VULN 193 SELECT U User table ESEC_ETL VULN_SCANNER 193 SELECT U User table ESEC_ETL WORKFLOW_DEF 193 SELECT U User table ESEC_ETL WORKFLOW_INFO 193 SELECT U User table Sentinel Database Users, Roles, and Access Permissions 223 novdocx (en) 16 April 2010 Role Name Table D-8 Sentinel Database Roles-ESEC_USER Role Name Object Name Action Type ESEC_USER ADV_ALERT_CVE_RPT_V 193 SELECT V View ESEC_USER ADV_ALERT_PRODUCT_RPT_V 193 SELECT V View ESEC_USER ADV_ALERT_RPT_V 193 SELECT V View ESEC_USER ADV_ATTACK_ALERT_RPT_V 193 SELECT V View ESEC_USER ADV_ATTACK_CVE_RPT_V 193 SELECT V View ESEC_USER ADV_ATTACK_PLUGIN_RPT_V 193 SELECT V View ESEC_USER ADV_ATTACK_RPT_V 193 SELECT V View ESEC_USER ADV_CREDIBILITY_RPT_V 193 SELECT V View ESEC_USER ADV_FEED_RPT_V 193 SELECT V View ESEC_USER ADV_PRODUCT_RPT_V 193 SELECT V View ESEC_USER ADV_PRODUCT_SERVICE_PACK_RPT_V 193 SELECT V View ESEC_USER ADV_PRODUCT_VERSION_RPT_V 193 SELECT V View ESEC_USER ADV_SEVERITY_RPT_V 193 SELECT V View ESEC_USER ADV_SUBALERT_RPT_V 193 SELECT V View ESEC_USER ADV_URGENCY_RPT_V 193 SELECT V View ESEC_USER ADV_VENDOR_RPT_V 193 SELECT V View ESEC_USER ADV_VULN_PRODUCT_RPT_V 193 SELECT V View ESEC_USER ANNOTATIONS_RPT_V 193 SELECT V View ESEC_USER ASSET_CATEGORY_RPT_V 193 SELECT V View ESEC_USER ASSET_HOSTNAME_RPT_V 193 SELECT V View ESEC_USER ASSET_IP_RPT_V 193 SELECT V View ESEC_USER ASSET_LOCATION_RPT_V 193 SELECT V View ESEC_USER ASSET_RPT_V 193 SELECT V View ESEC_USER ASSET_VALUE_RPT_V 193 SELECT V View ESEC_USER ASSET_X_ENTITY_X_ROLE_RPT_V 193 SELECT V View ESEC_USER ASSOCIATIONS_RPT_V 193 SELECT V View ESEC_USER ATTACHMENTS_RPT_V 193 SELECT V View ESEC_USER CONFIGS_RPT_V 193 SELECT V View ESEC_USER CONTACTS_RPT_V 193 SELECT V View 224 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 D.3.4 ESEC_USER Object Name Action Type ESEC_USER CORRELATED_EVENTS 193 SELECT V View ESEC_USER CORRELATED_EVENTS_RPT_V 193 SELECT V View ESEC_USER CORRELATED_EVENTS_RPT_V1 193 SELECT V View ESEC_USER CRITICALITY_RPT_V 193 SELECT V View ESEC_USER CUST_HIERARCHY_V 193 SELECT V View ESEC_USER CUST_RPT_V 193 SELECT V View ESEC_USER ENTITY_TYPE_RPT_V 193 SELECT V View ESEC_USER ENV_IDENTITY_RPT_V 193 SELECT V View ESEC_USER ESEC_DISPLAY_RPT_V 193 SELECT V View ESEC_USER ESEC_PORT_REFERENCE_RPT_V 193 SELECT V View ESEC_USER ESEC_PROTOCOL_REFERENCE_RPT_V 193 SELECT V View ESEC_USER ESEC_SEQUENCE_RPT_V 193 SELECT V View ESEC_USER esec_check_patch 224 EXECUTE FN Function ESEC_USER get_string 224 EXECUTE FN Function ESEC_USER esec_toBase 224 EXECUTE FN Function ESEC_USER esec_toDecimal 224 EXECUTE FN Function ESEC_USER esec_toIpChar 224 EXECUTE FN Function ESEC_USER esec_toIpNum 224 EXECUTE FN Function ESEC_USER getAlertId 224 EXECUTE FN Function ESEC_USER getCve 224 EXECUTE FN Function ESEC_USER isArchived 224 EXECUTE FN Function ESEC_USER getArchSeq 224 EXECUTE FN Function ESEC_USER fn_hex_to_char 224 EXECUTE FN Function ESEC_USER esec_get_next_partition_name 224 EXECUTE FN Function ESEC_USER isSQL2005 224 EXECUTE FN Function ESEC_USER EVENTS 193 SELECT V View ESEC_USER EVENTS_ALL_RPT_V 193 SELECT V View ESEC_USER EVENTS_ALL_RPT_V1 193 SELECT V View ESEC_USER EVENTS_ALL_V 193 SELECT V View ESEC_USER EVENTS_RPT_V 193 SELECT V View ESEC_USER EVENTS_RPT_V1 193 SELECT V View ESEC_USER EVENTS_RPT_V2 193 SELECT V View Sentinel Database Users, Roles, and Access Permissions 225 novdocx (en) 16 April 2010 Role Name Object Name Action Type ESEC_USER EVT_AGENT_RPT_V 193 SELECT V View ESEC_USER EVT_ASSET_RPT_V 193 SELECT V View ESEC_USER EVT_DEST_EVT_NAME_SMRY_1 193 SELECT V View ESEC_USER EVT_DEST_EVT_NAME_SMRY_1_RPT_V 193 SELECT V View ESEC_USER EVT_DEST_SMRY_1 193 SELECT V View ESEC_USER EVT_DEST_SMRY_1_RPT_V 193 SELECT V View ESEC_USER EVT_DEST_TXNMY_SMRY_1 193 SELECT V View ESEC_USER EVT_DEST_TXNMY_SMRY_1_RPT_V 193 SELECT V View ESEC_USER EVT_NAME_RPT_V 193 SELECT V View ESEC_USER EVT_PORT_SMRY_1 193 SELECT V View ESEC_USER EVT_PORT_SMRY_1_RPT_V 193 SELECT V View ESEC_USER EVT_PRTCL_RPT_V 193 SELECT V View ESEC_USER EVT_RSRC_RPT_V 193 SELECT V View ESEC_USER EVT_SEV_SMRY_1 193 SELECT V View ESEC_USER EVT_SEV_SMRY_1_RPT_V 193 SELECT V View ESEC_USER EVT_SRC_SMRY_1 193 SELECT V View ESEC_USER EVT_SRC_SMRY_1_RPT_V 193 SELECT V View ESEC_USER EVT_TXNMY_RPT_V 193 SELECT V View ESEC_USER EVT_USR_RPT_V 193 SELECT V View ESEC_USER EXTERNAL_DATA_RPT_V 193 SELECT V View ESEC_USER HIST_CORRELATED_EVENTS 193 SELECT V View ESEC_USER HIST_CORRELATED_EVENTS_RPT_V 193 SELECT V View ESEC_USER HIST_EVENTS 193 SELECT V View ESEC_USER HIST_EVENTS_RPT_V 193 SELECT V View ESEC_USER HIST_EVT_DEST_EVT_NAME_SMRY_1 193 SELECT V View ESEC_USER HIST_EVT_DEST_SMRY_1 193 SELECT V View ESEC_USER HIST_EVT_DEST_TXNMY_SMRY_1 193 SELECT V View ESEC_USER HIST_EVT_PORT_SMRY_1 193 SELECT V View ESEC_USER HIST_EVT_SEV_SMRY_1 193 SELECT V View ESEC_USER HIST_EVT_SRC_SMRY_1 193 SELECT V View ESEC_USER IMAGES_RPT_V 193 SELECT V View ESEC_USER INCIDENTS_ASSETS_RPT_V 193 SELECT V View 226 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 Role Name Object Name Action Type ESEC_USER INCIDENTS_EVENTS_RPT_V 193 SELECT V View ESEC_USER INCIDENTS_RPT_V 193 SELECT V View ESEC_USER INCIDENTS_VULN_RPT_V 193 SELECT V View ESEC_USER L_STAT_RPT_V 193 SELECT V View ESEC_USER LOGS_RPT_V 193 SELECT V View ESEC_USER MSSP_ASSOCIATIONS_V 193 SELECT V View ESEC_USER NETWORK_IDENTITY_RPT_V 193 SELECT V View ESEC_USER ORGANIZATION_RPT_V 193 SELECT V View ESEC_USER PERSON_RPT_V 193 SELECT V View ESEC_USER PHYSICAL_ASSET_RPT_V 193 SELECT V View ESEC_USER PRODUCT_RPT_V 193 SELECT V View ESEC_USER ROLE_RPT_V 193 SELECT V View ESEC_USER RPT_LABELS_RPT_V 193 SELECT V View ESEC_USER SENSITIVITY_RPT_V 193 SELECT V View ESEC_USER STATES_RPT_V 193 SELECT V View ESEC_USER UNASSIGNED_INCIDENTS_RPT_V 193 SELECT V View ESEC_USER USERS_RPT_V 193 SELECT V View ESEC_USER VENDOR_RPT_V 193 SELECT V View ESEC_USER VULN_CALC_SEVERITY_RPT_V 193 SELECT V View ESEC_USER VULN_CODE_RPT_V 193 SELECT V View ESEC_USER VULN_INFO_RPT_V 193 SELECT V View ESEC_USER VULN_RPT_V 193 SELECT V View ESEC_USER VULN_RSRC_RPT_V 193 SELECT V View ESEC_USER VULN_RSRC_SCAN_RPT_V 193 SELECT V View ESEC_USER VULN_SCAN_RPT_V 193 SELECT V View ESEC_USER VULN_SCAN_VULN_RPT_V 193 SELECT V View ESEC_USER VULN_SCANNER_RPT_V 193 SELECT V View Sentinel Database Users, Roles, and Access Permissions 227 novdocx (en) 16 April 2010 Role Name Table D-9 Sentinel Server Roles Server Role Description Sentinel User sysadmin System Administrators esecdba securityadmin Security Administrators esecapp serveradmin Server Administrators esecdba setupadmin Setup Administrators processadmin Process Administrators diskadmin Disk Administrators dbcreator Database Creators bulkadmin Bulk Insert Administrators D.5 Windows Domain Authentication DB users and permissions A domain user will be associated with esecadm, esecapp, esecdba and esecrpt user according to the configuration at install time. Those domain users will have the same privilege as specified by the previous sections. NOTE: The installer takes care of the database user permissions 228 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 D.4 Sentinel Server Roles The purpose of this document is to provide information of the log file locations for the following components of Sentinel. Sentinel Data Manager iTRAC Advisor Event Insertion Database Queries Active ViewsAggregation Wrapper (formerly Sentinel Watchdog) Collector Manager Correlation Sentinel Control Center DAS Proxy The naming convention for the log files is that they include with the name of the process, the instance number (almost always 0 unless there are multiple instances of das_binary installed), and the log number in the log rotation sequence. For examples, see below. E.1 Sentinel Data Manager Logs activities executed using Sentinel Data Manager for the specific client running on that machine. For Windows: %ESEC_HOME%\log\SDM0.*.log For UNIX: $ESEC_HOME/log/SDM0.*.log E.2 iTRAC Logs activities related to iTRAC. For Windows: %ESEC_HOME%\log\das_itrac0.*.log %ESEC_HOME%\log\itrac_engine.log For UNIX: $ESEC_HOME/log/das_itrac0.*.log $ESEC_HOME/log/itrac_engine.log Sentinel Log Locations 229 novdocx (en) 16 April 2010 E Sentinel Log Locations E Logs activities related to Advisor data download and process. For Windows: %ESEC_HOME%\log\advisor_script.log %ESEC_HOME%\log\advisor0.*.log For UNIX: $ESEC_HOME/log/advisor_script.log $ESEC_HOME/log/advisor0.*.log E.4 Event Insertion Logs activities related to event insertion into the database. For Windows: %ESEC_HOME%\log\das_binary0.*.log For UNIX: $ESEC_HOME/log/das_binary0.*.log E.5 Database Queries Logs activities related to database queries, Collector, Collector Manager health, identity insertion, and all other DAS activities not performed by other DAS components. For Windows: %ESEC_HOME%\log\das_query0.*.log For UNIX: $ESEC_HOME/log/das_query0.*.log E.6 Active Views Logs activities related to Active Views. For Windows: %ESEC_HOME%\log\das_rt0.*.log For UNIX: $ESEC_HOME/log/das_rt0.*.log 230 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 E.3 Advisor novdocx (en) 16 April 2010 E.7 Aggregation Logs activities related to Aggregation. For Windows: %ESEC_HOME%\log\das_aggregation0.*.log For UNIX: $ESEC_HOME/log/das_aggregation0.*.log E.8 Wrapper Logs activities related to Wrapper. NOTE: sentinel_wrapper.log is for the service wrapper. For Windows: %ESEC_HOME%\log\sentinel0.*.log %ESEC_HOME%\log\sentinel_wrapper.log For UNIX: $ESEC_HOME/log/sentinel0.*.log $ESEC_HOME/log/sentinel_wrapper.log E.9 Collector Manager Logs activities related to Collector Manager. For Windows: %ESEC_HOME%\log\collector_mgr0.*.log For UNIX: $ESEC_HOME/log/collector_mgr0.*.log E.10 Correlation Engine Logs activities related to Correlation Engine. For Windows: %ESEC_HOME%\log\correlation_engine0.*.log For UNIX: $ESEC_HOME/log/correlation_engine0.*.log Sentinel Log Locations 231 Logs activities related to the Sentinel Control Center. For Windows: %ESEC_HOME%\log\control_center0.*.log For UNIX: $ESEC_HOME/log/control_center0.*.log E.12 DAS Proxy Logs activities related to Proxy Communication. For Windows: %ESEC_HOME%\log\das_proxy0.*.log For UNIX: $ESEC_HOME/log/das_proxy0.*.log E.13 Solution Designer Logs activities related to Solution Designer. For Windows: %ESEC_HOME%\log\solution_designer0.*.log For UNIX: $ESEC_HOME/log/solution_designer0.*.log E.14 Multiple Instances In some environments, there can be multiple instances of a process running, such as DAS Binary, the Sentinel Control Center, or Sentinel Data Manager. If so, the first instance’s log files are named as described above (For example, das_binary0.0.log). The second instance will substitute a 1 for the first 0 in the log file name (For example, das_binary1.0.log). If other processes have log files indicating that more than one instance is running, that could indicate a system problem. 232 Sentinel 6.1 Reference Guide novdocx (en) 16 April 2010 E.11 Sentinel Control Center
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Related manuals
advertisement