How to Develop Content Using the Novell Sentinel Software Development Kit

Novell® Sentinel™

Software Development KitDeveloping Novell Sentinel Plug-ins

David CorletteProduct Line [email protected]

© Novell, Inc. All rights reserved.2

Agenda

• Quick Sentinel™ Intro - Plug-ins

• The Sentinel Plug-in SDK

• Collector Development

• Report Development


Sentinel™ Overview


Inbound / Outbound and Plug-ins

SentinelCoreCorrelation

Rule

Action

Integrator

Collector

Connector

EventSourceServer

EventSource

• Engine layer – backend routing and processing

• Correlation – Custom RuleLG event patterns

• Reporting – Jasper-based Plug-ins

• Script layer – simplified parsing,JS support

• ITRAC Workflow – remediation and alerting

• Protocol/API connections – Java code

• Event Source: Applications and devices

Workflow

Sentinel provides a modular, pluggable architecture so that the functionality of the base product can be extended by adding

new components. Some of these are user-editable.


Sentinel™ Plug-ins

Collectors are used to parse data received from endpoint systems via Connectors. They implement JavaScript-based code to extract relevant information from the input and reformat the data into the normalized Sentinel event schema.

Actions are attached to correlation rules and are executed when those rules fire. Written in JavaScript they can do many different things, but a common use case is to extract data from the event(s) which caused the rule to fire and take action based on that data (alert, forward, etc).

Reports pull data from the Sentinel database and/or text files (via Lucene) and present that data on flexible reports along with summaries, charts, and so forth. Sentinel uses Jasper as its core reporting engine and related tools (iReport) to do the actual report design.


Sentinel™ Plug-ins

Solution Packs allow you to package related pieces of content into a structured solution broken down into categories and controls. Various plug-ins (Reports, Actions, Integrators) can be included, as well as other native Sentinel content like workflows, correlation rules, filters, and roles (the native content pieces are created within Sentinel itself).

The Solution Pack maintains dependencies and versioning for all content components that are included. A simple drag-and-drop tool (Solution Designer) is used to create the Pack, categories, and controls.

Sentinel™ Plug-in SDK


Sentinel™ Plug-in SDK

http://developer.novell.com/wiki/index.php/Develop_to_Sentinel• Documentation provided on the Forge wiki• ZIP download and/or SVN repository• Mailing lists and other support resources

http://developer.novell.com/wiki/index.php/Develop_to_Sentinel


Eclipse-based Development

• Each Plug-in type is its own project; Ant scripts drive creation and build of plug-ins• Creating a Plug-in involves copying a functional template and inserting metadata• External tools include: Solution Designer, iReport, OpenOffice


Ant Targets

• Create New Plug-in: copies the template to create a new plug-in• Build Test Plug-in: creates a quick “development” build• Build Release Plug-in: creates a full “release” build• Edit Report: creates temporary editable Report and starts iReport

to work on it• Edit Solution Pack: creates temporary editable Pack and starts

Solution Designer to work on it• Create Solution Pack Placeholder: creates an empty

“placeholder” Report for use in Solution Packs (full Reports are built during final Solution Pack build)

• Extract Jasper Parameters: extracts Report parameters from Jasper file for use in web interface


JavaScript API

• JavaScript implementations of Sentinel™ domain objects:

– Event, Record, Identity, Account, Vuln, Customer– Collector, Connector, Action, Integrator,

EventSource, EventSourceServer• Utility objects:

– DataMap, KeyMap, Session, SQLQuery, File

• Extension methods for native JS objects:– String.trim(), String.insert(), String.parseBase64(),

String.parseLDAP(), String.parseNVP()– Date (includes full ‘date.js’ library)

Collector Development


Collector Template


Development Process

1. Create the new Collector Plug-in

2. Research the device and collect sample data

3. Debug the Collector to get code samples

4. Develop a parsing plan

5. Write parsing logic and mappings

6. Test

7. Finalize metadata and documentation


Creation, Research, Debug

• Use the ‘Create New Plug-in’ target to create the new Plug-in

• Collect sample data using the Generic Event Collector

– Configure the relevant Connector to the real datasource

– Edit the Connector and select “Save raw data to file”

• Attach sample data to new Collector using Replay mode

• Debug to see input structure, copy to code comments


Parsing Plan

• Structure of input data– Structured (name-value) or freeform? Fixed fields?– Event Ids?– Opaque data values to be translated?

• Variability– Is structure always the same or does it vary?– Are there classes of events?– Do field contents vary dramatically?

• Optional features– Multiple possible Connection Methods?– Optional fields or output formats?


Parsing Logic

• Input– ‘rec’ object used as input and as temporary output container

• Four ways to get data in output event– Rec2Evt.map: DataMap that defines transform of input Record

to output Event object– protoEvt.map: Used to set static fields in output Event– Explicit set: Directly set attributes of output Event (discouraged)– Special Event object methods (setTaxonomyKey() and

set*Time()• SQLQuery and Session

– Advanced topics


Test

• Development builds using ‘Create Test Plug-in’– No prompted questions

– Skips documentation and Collector Pack

– Quick import into ESM

– Debuggable

• Final Release build using ‘Create Release Plug-in’– Asks some final questions

– Builds docs and Pack

– Minifies JavaScript template


Documentation and Metadata

• Docs are auto-built from single source– Template doc guides you with themes for each section– ‘plugin.pdf’ is simple help doc embedded in Plug-in– Full doc is external PDF

• Plug-in metadata used for deployment, parameters, etc– Parameter list can include template or local parameters– Each parameter defined in separate XML file– Connection methods used to describe Connector interaction– Device support used to drive deployment

• Collector Pack– Standard set of controls included, can be extended/trimmed

Report Development


Report Template

• Includes basic report with complete set of relevant files• Covers Sentinel Log Manager (SLM) and Sentinel™ RD• Localized using standard .properties files• Some custom charting types included


Development Process

1. Create the new Report Plug-in

2. Determine how to fetch the data using either a SQL or Lucene query

3. Decide on grouping and categorization (colors)

4. Lay out report fields

5. Add summary charts and tables

6. Add parameters

7. Test

8. Finalize metadata and documentation


Create, Query

• Use the same ‘Create New Plug-in’ target but for Reports

• Refer to Sentinel™ documentation (core product docs and developer wiki under “Sentinel Development Topics”) for view, field, and schema details

• Refer to Sentinel and database documentation for SQL and Lucene query language details

• Run test queries from Sentinel or DB tool

• Use ‘Edit Report’ to invoke iReport on temporary Report Plug-in


Grouping and Categorization

• Most reports will group data using one of the returned fields – use relevant Sentinel™ fields like InitUserDomain, TargetHostName, etc

• In general, reports look at a subset of event types or a single type with multiple outcomes. You can use categorization to color-code events according to those types or outcomes.


Lay Out Report Fields

• Our standard is a two-level row with more important data in the top subrow

• Typically include domain/container information along with host, user, or data object info

• Review input events to find which critical data should be displayed

• Account for extra-long values and nulls


Add Charts

• For many reports, quick summary charts, sparklines, and tables can be very useful

– For event-based data, reports can run to hundreds of pages – consider a summary table at top to display the per-grouping counts

– Sparklines are great for quick trend analysis– Summary counts and pie charts can go at top right

• Some useful custom chart formatters are available


Parameters

Parameters for Report Plug-ins is a multi-step process

1. Define and test normal Jasper/iReport parameters as part of the report development process

2. Run ‘Extract Jasper Parameters’ to extract Jasper parameters into Sentinel Plug-in parameters

3. Edit metadata for Sentinel™ Plug-in parameters

4. Build Report Plug-in and test parameters in web interface


Test, Docs, and Metadata

• Testing can be tricky if the data is rarely seen

• Can use fake import data to test basic report layout etc

• Docs work the same as other plug-ins

• Include a sample output PDF as ‘TemplateReport.pdf’ in dev directory

• You can localize the report strings using standard ‘.properties’ files (TemplateReport.properties, TemplateReport_fr.properties, etc)

• Make sure supported platforms info is correct

Demonstration

Question and Answer

Unpublished Work of Novell, Inc. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

How to Develop Content Using the Novell Sentinel Software Development Kit

Documents

Transcript of How to Develop Content Using the Novell Sentinel Software Development Kit