Solution Development Guide
SOLUTION PACK OVERVIEW
Solution Packs help solve a few major problems that people typically have when managing large sets of interrelated content. First, the Solution Pack helps you categorize and organize the content in a logical structure, and keeps track of that structure even after you deploy the content into Sentinel's native toolsets which don't have such structure. Second, the Solution Pack keeps track of dependencies between various pieces of content (such as a report that depends on output from a correlation rule), whereas the underlying Sentinel platform may have no knowledge of those dependencies. Third, the Solution Pack allows you to easily package a set of content along with the exact instructions needed to deploy and use that content, and even surrounds that with a simple formalized rollout process to help ensure that the content is properly configured and tested. Finally, Solution Packs provide a convenient way to package up your content for archival purposes, so that it can easily be transferred to a separate Sentinel system, from development to production, and so forth.
There are two main tools that people use when working with Solution Packs: Solution Designer and Solution Manager. Solution Designer is the Solution Pack editor — you can open up a Solution Pack and add content or modify the documentation. Solution Manager (built into Sentinel Control Center) is used to manage a completed Solution Pack, to assist with installing the content in that Solution Pack into the Sentinel environment in a managed fashion.
Solution Pack Content Types
Solution Packs can store the following types of content:
- Actions, stored together with their Action configuration: how the Action is installed and configured in the Sentinel environment, including which Integrator (if any) the Action uses and other deployment details.
- Integrators, paired with the Actions and similarly stored along with their runtime configuration.
- Correlation Rules, which, as with Actions, are stored with their relevant configuration: which Actions they are attached to (if any), which workflows they trigger (if any), and which Dynamic Lists they reference.
- Dynamic Lists, included to support any included correlation rules (see above).
- Workflows, included whether they are explicitly attached to rules or stored separately.
- Mapping Service maps, which add referential context data to inbound events; these can be stored along with event field configuration details (such as modified field labels).
- Reports: standard Sentinel reports based on Jasper, and also older Crystal/BusinessObjects/SAP reports.
- Report Data Definitions: for reports that depend on an RDD, the associated RDD is also stored in the Solution Pack.
- Arbitrary attachments, which can also be stored in the Pack, although these are of course not native Sentinel content.
Since many of the specific types of content listed above come as part of an active deployment, in the Solution Designer UI you actually have only four options: Correlation (rules, which bring along their Actions, Dynamic Lists, Workflows, etc.), Event Enrichment (maps), iTRAC (standalone workflows), and Jasper Reports (which bring along their RDDs). For most of these content types, you will notice that in order to add them to the Solution Pack you need to be actively connected to a running Sentinel system that has that content deployed and configured correctly.
There are two significant alternatives to this: one involves adding something called a "placeholder" to the Pack; all this really does is remind you to come back later and put the real content in its place. The second alternative is for Report plug-ins, which can be added simply by browsing for the plug-in file on the local system. Attachments are handled separately and can be added anywhere in the Pack internal structure.
What we've discussed so far is material that is native to Solution Designer and that holds true even if the SDK is not in use. The SDK adds another layer, however, by allowing you to create something called a Solution Pack Report Link. The Report Link works a little like the placeholder — it is not a real report, and its purpose is solely to put a bookmark in the Solution Pack to indicate where the real Report should go — however it works in conjunction with the SDK in such a way that when the Pack is built, the real Report is built and injected into the Solution Pack automatically. We'll cover this feature in more detail when we discuss Solution Pack Reports.
Managing and Updating Solution Pack Contents
One of the things you'll notice about Solution Packs is that in a sense they are a one-way street: you can put native Sentinel content into the Pack, but once it's in there you can't edit that content directly from the SDK. The exception to this is for Sentinel plug-ins, which have their own editing methodology. In many cases this isn't a problem — perhaps you maintain a development system, and whenever you want to modify your Sentinel content you just go to that system, edit it, and then sync that system with your Solution Pack. If the original system on which some piece of content was developed is not available, however, then you have to go through the process of deploying the Solution Pack to a new Sentinel system, and then you can edit and re-sync the content to your Solution Pack.