Novell Home

Collector Development Topics

ASSETS AND VULNERABILITIES

Sentinel Collectors can import referential information into Sentinel SIEM (but not Log Manager, which doesn't support contextual analysis of this kind) about hosts and associated host vulnerabilities within the enterprise, and then leverage that information to provide additional analysis capabilities on top of the standard events. In essence, this allows you to more easily identify the systems associated with events and determine if they are likely to be compromised by network attacks.

Importation of Asset (Host) and Vulnerability Information

There are two methods by which Asset and Vulnerability information can be imported into Sentinel:

  • [Sentinel 7 only] REST APIs can be used to load data into Sentinel using an outboard process that converts some native format into Sentinel's REST API format.
  • Collectors can be used to consume data from Asset/Vulnerability sources and convert that data into JavaScript classes.

The development of outboard scripts to send data to the REST interfaces is outside the scope of this SDK; see the REST API documentation (available in any Sentinel 7 UI's Help menu) for details.

For Collectors, the general process is to consume some data that describes an Asset or Vulnerability, create that Asset or Vulnerability object in JavaScript, and then save it to Sentinel. Before spending a lot of time writing a Collector for this, you may wish to look for a pre-built Collector on our website for your particular source, or at least one that is similar. You may be able to adapt the code from those Collectors for your needs.

The following API reference information will assist you in creating your own Collector:

When working with these classes, consider the following:

  • Asset and Vulnerability information is mapped to events based on the IP addresses in the events, so if your sources are reporting hostnames you may need to turn on host-to-IP resolution (see the Generic Hostname Resolution Collector) to get consistent matching.
  • Each of the Source, Target, Observer, and Reporter hosts have a set of asset metadata fields that are filled in with information imported about hosts. See for example the SourceHostDepartment field. Additional information about any host referenced in an event can be looked up in the UI interactively.
  • For Vulnerabilities, the only event field that is filled in is the Vulnerability field (see below), based on whether the TargetHost is perceived as likely to be compromised by a given attack. You can, however, look up vulnerability information for any host referenced in an event interactively.
  • Vulnerability information can be tied to hosts and can then work in conjunction with the Advisor service's Exploit Detection feature to provide notification if network attacks are likely to succeed.

Collector Development Guide

Development Topics

© 2014 Novell