Collector Development Topics
ASSETS AND VULNERABILITIES
Sentinel Collectors can import referential information into Sentinel SIEM (but not Log Manager, which doesn't support contextual analysis of this kind) about hosts and associated host vulnerabilities within the enterprise, and then leverage that information to provide additional analysis capabilities on top of the standard events. In essence, this allows you to more easily identify the systems associated with events and determine if they are likely to be compromised by network attacks.
Importation of Asset (Host) and Vulnerability Information
There are two methods by which Asset and Vulnerability information can be imported into Sentinel:
- [Sentinel 7 only] REST APIs can be used to load data into Sentinel using an outboard process that converts some native format into Sentinel's REST API format.
The development of outboard scripts to send data to the REST interfaces is outside the scope of this SDK; see the REST API documentation (available in any Sentinel 7 UI's Help menu) for details.
The following API reference information will assist you in creating your own Collector:
When working with these classes, consider the following:
- Asset and Vulnerability information is mapped to events based on the IP addresses in the events, so if your sources are reporting hostnames you may need to turn on host-to-IP resolution (see the Generic Hostname Resolution Collector) to get consistent matching.
- Each of the Source, Target, Observer, and Reporter hosts has a set of asset metadata fields that are filled in with information imported about hosts. See for example the SourceHostDepartment field. Additional information about any host referenced in an event can be looked up in the UI interactively.
- For Vulnerabilities, the only event field that is filled in is the Vulnerability field (see below), based on whether the TargetHost is perceived as likely to be compromised by a given attack. You can, however, look up vulnerability information for any host referenced in an event interactively.
- Vulnerability information can be tied to hosts and can then work in conjunction with the Advisor service's Exploit Detection feature to provide notification if network attacks are likely to succeed.
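The following is an added stand-alone illustration of the matching described in the points above; it is not Sentinel SDK code and does not use the Sentinel API. It shows why the join happens on IP address (a host reported by name must be resolved first, standing in for the Generic Hostname Resolution Collector), how the per-role asset fields such as SourceHostDepartment and TargetHostDepartment get filled, and how a Vulnerability flag is set only when the attack lands on a vulnerability recorded for the TargetHost. The inventory, vulnerability records, DNS table and sample event are all constructed; the vulnerability identifiers are placeholders, and the matching rule (same vulnerability id on the target host at the targeted port) is an assumption standing in for the Advisor service's Exploit Detection logic.

```javascript
// Added illustration of asset/vulnerability-to-event matching.
// Not Sentinel SDK code; all data below is constructed sample data.

// Constructed asset inventory keyed by IP address, since matching is done on IP.
const ASSETS = {
  "10.0.1.20": { hostname: "web01.example.test", department: "Web Ops", criticality: "high" },
  "10.0.2.35": { hostname: "db01.example.test", department: "Data Services", criticality: "critical" },
};

// Constructed vulnerability records tied to hosts; ids are placeholders, not real advisories.
const VULNERABILITIES = [
  { ip: "10.0.2.35", vulnId: "VULN-PLACEHOLDER-1", port: 1433 },
  { ip: "10.0.1.20", vulnId: "VULN-PLACEHOLDER-2", port: 443 },
];

// Constructed name-to-IP table standing in for host-to-IP resolution.
const DNS = { "db01.example.test": "10.0.2.35", "web01.example.test": "10.0.1.20" };

// Return the IP for a host reference. A source that reports hostnames would
// never match the inventory without this step.
function resolveToIp(hostRef) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hostRef)) return hostRef;
  return DNS[hostRef] || null;
}

// Fill the asset metadata fields for one host role (Source, Target, ...).
// Field names follow the <Role>Host<Attribute> pattern the page mentions;
// only SourceHostDepartment is taken from the page, the rest are assumed names.
function enrichRole(event, role, hostRef) {
  const ip = resolveToIp(hostRef);
  event[role + "IP"] = ip;
  const asset = ip ? ASSETS[ip] : undefined;
  if (asset) {
    event[role + "HostName"] = asset.hostname;
    event[role + "HostDepartment"] = asset.department;
    event[role + "HostCriticality"] = asset.criticality;
  }
  return event;
}

// Set the Vulnerability flag when the attack matches a vulnerability recorded
// for the TargetHost (assumed rule: same id, and same port when one is recorded).
function assessVulnerability(event) {
  const hit = VULNERABILITIES.some(v =>
    v.ip === event.TargetIP &&
    v.vulnId === event.AttackVulnId &&
    (v.port === undefined || v.port === event.TargetPort));
  event.Vulnerability = hit ? 1 : 0;
  return event;
}

// Enrich a raw event: resolve both hosts, attach asset fields, assess the target.
function enrichEvent(raw) {
  const event = Object.assign({}, raw);
  enrichRole(event, "Source", raw.sourceHost);
  enrichRole(event, "Target", raw.targetHost);
  return assessVulnerability(event);
}

// Constructed sample event: an alert whose source reported the target by hostname.
const SAMPLE_EVENT = {
  sourceHost: "203.0.113.7",
  targetHost: "db01.example.test",
  TargetPort: 1433,
  AttackVulnId: "VULN-PLACEHOLDER-1",
};

console.log(JSON.stringify(enrichEvent(SAMPLE_EVENT), null, 2));
```

In the sample the external source address has no inventory record, so its asset fields stay empty while the target, once resolved to 10.0.2.35, picks up its department and criticality and the Vulnerability flag is set; the same attack id aimed at web01 leaves the flag at 0 because that host carries a different recorded vulnerability.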