You can use the Solution Designer to package and export different contents, such as a Correlation rule with associated actions and dynamic lists. The content can be selected and packaged with its configuration in a ZIP file. You can then view or select the content of the ZIP file by using the Solution Manager. For more information on the Solution Manager, see Section 16.0, Using Solution Packs.
To use the Solution Designer, you must have the correct permission. All roles contain the permission for the Solution Designer except for the PCI Compliance Audit role and the Search Proxy User role. For more information, see Section 2.0, Configuring Users and Roles.
Log in to the Sentinel Web interface as a user with permissions to access the Solution Designer.
In the toolbar, click .
Click .
Click to accept the security certificate.
Specify a username and password of a user with permission to access the Solution Designer.
Click .
Click or to accept the security certificate.
The Solution Designer is divided into several frames. Each frame has its own function and multiple sub-functions in that specific frame.
Content Palette: Displays the content of the Solution Pack. The Content Palette contains multiple sections that can be expanded.
The sections that can be expanded are Actions, Correlation, Event Actions, Event Enrichment, Filters, iTRAC, Jasper Reports, and Searches. These are items on the Sentinel server that can be exported into a Solution Pack.
Content Description: Displays a description of the content selected in the Solution Pack panel.
Solution Pack: Displays all of the items contained in a Solution Pack.
Documentation: Displays the documentation specific for the Solution Pack. The documentation explains how to install, configure, and deploy the components of the Solution Pack.
You can use the Solution Designer to create a Solution Pack with existing content objects (for example, Actions, Event Actions, Filters, Searches, Correlation Rules, Dynamic Lists, or iTRAC workflow templates) from Sentinel. The Solution Designer analyzes the dependencies for a content object and includes all necessary components in the Solution Pack. For example, a Correlation Rule deployment includes a Correlation Rule definition, one or more actions, and the ability to create an incident using a workflow. The Solution Designer includes the Correlation Rule, the associated correlation actions, the iTRAC template, and the roles associated with the iTRAC template in the Solution Pack.
IMPORTANT: To add a content object to a Solution Pack, it must already exist in Sentinel. Content objects cannot be created in the Solution Designer.
To create a new Solution Pack:
Access the Solution Designer.
For more information, see Section 1.4.1, Accessing the Solution Designer.
Click > .
An empty Solution Pack is displayed in the Solution Pack panel.
Add Categories, Controls, Content Groups, and content placeholders.
For detailed instructions, see Section 1.4.4, Adding Content to a Solution Pack.
Add file attachments to the hierarchy nodes as desired.
For detailed instructions, see File Attachments.
Click > .
Browse to and select a location to save the Solution Pack, then specify a name for the Solution Pack.
Click to save the Solution Pack.
The Solution Pack is saved in a .zip format.
Although you can save a Solution Pack with empty placeholders, you cannot install controls in the Solution Manager unless all placeholders have been filled with content.
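A check to run before opening or installing a pack received from elsewhere, added here as an example and not part of the Sentinel documentation or product: because a Solution Pack is a ZIP file that can carry attached files, the Python below lists entries whose paths would escape the extraction directory, script file types, and files marked executable. The sample entry names and the extension list are constructed assumptions, not Sentinel's actual pack layout.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions treated as scripts or executables (assumption; adjust for your environment).
SCRIPT_EXTS = {".sh", ".bat", ".cmd", ".ps1", ".py", ".pl", ".js", ".vbs", ".exe", ".jar"}


def audit_pack(zip_bytes):
    """Return sorted (entry, finding) pairs that need human review before install."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            path = PurePosixPath(name)
            # Entries that would land outside the extraction directory.
            if path.is_absolute() or ".." in path.parts or name[1:2] == ":":
                findings.add((info.filename, "path escapes extraction directory"))
            if info.is_dir():
                continue
            if path.suffix.lower() in SCRIPT_EXTS:
                findings.add((info.filename, "script or executable file type"))
            # Unix permission bits are stored in the high 16 bits of external_attr.
            if (info.external_attr >> 16) & 0o111:
                findings.add((info.filename, "executable bit set"))
    return sorted(findings)


def build_sample_pack():
    """Constructed sample ZIP; entry names are invented, not Sentinel's real layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/report_sample.pdf", b"%PDF-1.4 constructed")
        zf.writestr("attachments/block_ip.sh", "#!/bin/sh\necho constructed\n")
        tool = zipfile.ZipInfo("attachments/notify")
        tool.external_attr = 0o100755 << 16  # regular file, mode 755
        zf.writestr(tool, "constructed")
        zf.writestr("../outside.txt", "constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, finding in audit_pack(build_sample_pack()):
        print(f"{finding}: {entry}")
```

To audit a real pack, pass the bytes of the saved .zip file to audit_pack and read every flagged attachment before it is copied to a correlation engine.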
A vital part of creating a Solution Pack is adding content to the controls. Each control can have one or more types of content associated with it.
The same general procedure is used to add all types of Sentinel content to a Solution Pack. The Sentinel content palette includes the following:
Actions
Correlation Rule deployments, including their deployment status (enabled or disabled) and associated Correlation rules, Correlation Actions, and Dynamic Lists
Event Actions
Reports
Filters
Searches
iTRAC workflows, including associated roles
Event enrichment, including map definitions and event metatag configuration
Other associated files added when the Solution Pack is created, such as documentation, example report PDFs, or sample map files.
To add Sentinel content to a control:
Access the Solution Designer.
For more information, see Section 1.1.1, Accessing the Sentinel Web Interface.
Open or create a Solution Pack.
Click the appropriate panel to display the available content:
Actions
Correlation
Event Actions
Event Enrichment
Filters
iTRAC
Jasper Reports
Searches
Drag the item and drop it into the control.
If you try to drag and drop pre-existing content in the Solution Designer, the existing content is highlighted. After you drop the content, a message prompt indicates that similar content exists.
You can set properties on content to indicate that it is designed for specific Sentinel platforms. Content that is designed in newer versions of Sentinel might not be supported in older versions because of changes in the Sentinel schema. If you try to install a Control on an unsupported Sentinel platform, the installation does not proceed and shows an “Out of date” error.
To set the properties:
Right-click the content, then select .
(Conditional) For Correlation rules, select to deploy Correlation rules automatically during the solution pack installation.
Select , and then specify the Sentinel versions.
Click .
If the user is not ready to associate content with a control, an empty placeholder can be used instead.
Click the , , or button in the Content Palette to open the panel for the type of placeholder you want to add.
Drag and drop the placeholder to the appropriate control in the Solution Pack panel.
Rename the placeholder, if desired.
To replace a placeholder with content:
Click the , , or button in the Content Palette to open the panel for the type of placeholder you want to add.
Drag and drop the appropriate Content Group from the Content Palette to the placeholder in the Solution Pack panel or select the appropriate Content Group, then click .
You can set properties for placeholders to indicate whether a placeholder is designed for specific Sentinel platforms. Placeholders that are designed in newer versions of Sentinel might not be supported in older versions because of changes in the Sentinel schema. If you try to install a placeholder on an unsupported Sentinel platform, the install does not proceed and shows an “Out of date” error.
To set the properties:
Right-click the placeholder, then select .
Select , then specify the Sentinel versions.
Click .
You can attach a file or files to any node in the hierarchy. The content in the attachment is included in the Solution Pack. These files can include anything useful for a user who must deploy the Solution Pack, such as a PDF view of a report, sample map data for event enrichment, or a script for an Execute Command Correlation Action. These files can be added, deleted, viewed, renamed, or saved to the local machine.
You can add an attachment to a node. The system prompts you for another file if you attempt to add one that is already attached.
Select a node, then click the icon in the Attachment panel.
Browse to and select the file you want to attach.
Specify a description of the file, then click .
Select a node, then select the attachment in the Attachment panel.
Click the icon .
The file displays in the associated application through the Attachment Viewer.
Select a node, then select the attachment in the Attachment panel.
Click the icons.
Make the desired changes to the attachment, then click .
You can save a copy of the attachment to the local system.
Select a node, then select the attachment in the Attachment panel.
Click the icon to save the attachment to the local file system.
Browse to and select the desired location for the attachment, then click .
Select a node, then select the attachment in the Attachment panel.
Click the icon .
Click to confirm that you want to delete the attachment.
The Correlation rules in solution packs require some data in the dynamic lists to work properly. The solution pack framework includes the ability to automatically populate the dynamic lists with data when you install a solution pack.
To populate a dynamic list when you install a solution pack:
Create a text file with the values that you want to add to the dynamic list. Add each different value on a separate line.
In the Solution Designer, expand the Correlation content, and then select the dynamic list.
Click in the Attachment panel, and attach the file that you created in Step 1.
All the values in the Dynamic list are persistent. For more information, see Creating a Dynamic List in the NetIQ Sentinel 7.1 User Guide.
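An added example (not from the Sentinel documentation) that prepares the text file described in Step 1: it trims values, drops blanks and duplicates, and rejects values containing control characters, since an embedded line break would turn one value into two list entries. The function names, sample values, UTF-8 encoding and case-sensitive comparison are assumptions.

```python
import os
import tempfile


def clean_values(raw_values):
    """Return (values, rejected): distinct trimmed values in input order, plus
    inputs dropped because they contain control characters."""
    values, rejected, seen = [], [], set()
    for raw in raw_values:
        value = raw.strip()          # removes stray spaces and CR/LF at the ends
        if not value:
            continue                 # blank lines carry no value
        if any(ord(ch) < 32 or ord(ch) == 127 for ch in value):
            rejected.append(raw)     # an embedded newline would split into two entries
            continue
        if value not in seen:        # comparison is case-sensitive (assumption)
            seen.add(value)
            values.append(value)
    return values, rejected


def write_list_file(path, values):
    """Write one value per line with LF endings; UTF-8 is an assumption."""
    with open(path, "w", encoding="utf-8", newline="\n") as fh:
        for value in values:
            fh.write(value + "\n")
    return len(values)


# Constructed sample input, e.g. pasted from a spreadsheet export.
SAMPLE = ["192.0.2.10", " 192.0.2.10 ", "", "192.0.2.25\r",
          "srv-db01", "192.0.2.30\n192.0.2.31", "srv-db01"]

if __name__ == "__main__":
    values, rejected = clean_values(SAMPLE)
    out = os.path.join(tempfile.gettempdir(), "dynamic_list_values.txt")
    print(write_list_file(out, values), "values written to", out)
    print("rejected:", rejected)
```

Review the rejected list by hand rather than discarding it: a rejected value usually means two entries were merged in the source data.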
The Solution Designer provides three different categories of documentation to help you create the documentation for the Solution Pack you are creating.
Allows you to provide a detailed description about the Solution Pack for your users.
Lets you add the steps required to implement the content in the target Sentinel system to the tab of the Documentation panel. The steps might include instructions for the following types of implementation actions:
Populating a .csv file that is used by the mapping service for event enrichment.
Scheduling automatic report execution.
Enabling auditing on source devices.
Copying an attached script for an Execute Command Correlation Action to the appropriate location on the correlation engines.
After the content implementation, the content should be tested to verify that it is working as expected.
Lets you add the steps required to test the content in the target Sentinel system to the tab of the Documentation panel. The steps can include instructions for the following types of testing activities:
Running a report and verifying that data is returned.
Generating a failed login in a critical server and verifying that a correlated event is created and assigned to an iTRAC workflow.
A saved Solution Pack can be edited with the Solution Designer. For information about deploying the changes into an existing system, see Section 16.6, Installing an Edited Solution Pack.
To edit a Solution Pack:
Access the Solution Designer.
For more information, see Section 1.4.1, Accessing the Solution Designer.
Click > , then browse to and select the existing Solution Pack .zip file.
Click .
To update the Solution Pack with modified content from the source Sentinel system, drag and drop the content from the Content Palette to the appropriate control.
Add or delete controls as necessary.
Save the changes by selecting the options you want:
File > Save: Saves the Solution Pack with the same name.
File > Save As: Saves the Solution Pack with a different name.
File > Save As New: Saves the Solution Pack with a different name and as a different Solution Pack.
If you selected Save or Save As and some of the content is out of sync, you are prompted to synchronize.
If you modify the content in the source system, the content in the source system and the content in the original Solution Pack can be out of synchronization. To synchronize the content, do one of the following:
For content with no dependencies, drag and drop the content from the Content Palette onto the control.
The modified content is immediately updated. For example, a report has no dependencies.
For content with dependencies, the dependencies are checked and updates are made when you click the icon or when you save the Solution Pack. However, you need to ensure that the system that you are connected to has the latest content.
To synchronize specific content based on any content group, right-click the content or a content group and click . Using this menu ensures that only the content and the contents within that group are synchronized.
When an action uses the Send Email action, this action always appears as Out of Synchronization. This is expected and does not cause an error.
You can specify any control as a required control in the Solution Designer. This ensures that the control marked as required is also installed when a user chooses to install any other control first. For example, you can mark the global setup control as a required control, which is then installed when the user installs any other control from a solution pack.
You can also specify whether to overwrite an existing control during installation. For example, if you include a newer version of a White Label Template and want to ensure that this newer version is automatically installed with a new install of the solution pack, you can enable the overwrite properties.
To mark a control as required:
In the Solution Designer, select the control that you want to mark as required.
Right-click the control and select .
(Conditional) Select if you want to ensure that this control is also installed while installing any specific control from a solution pack.
(Conditional) Select if you want to automatically install this control with a new install of the solution pack.
Click .
All content in a Solution Pack is hierarchically organized into categories, controls, and content groups.
Select a node in the Solution Pack panel.
Right-click the node, then select .
or
Click in the Solution Pack panel heading.
Select a control in the Solution Pack panel.
Right-click the node, then select .
or
Click in the Solution Pack panel heading.
If is not displayed, click the button in the panel heading, then select from the list of options.
Specify the new name, then click to save the change.
Select a control in the Solution Pack panel.
Right-click the node, then select .
or
Click the button in the Solution Pack panel heading, then select .
Click to confirm the deletion of the control.
Select > .
or
Right-click the Solution Pack in the Solution Pack panel, then click .
View the details, or change the information displayed.
Type: Specify the type of Solution Pack.
Author: Specify the author of the Solution Pack.
Version: Specify the version of the Solution Pack.
Supported OS Platforms: Specify the platforms where the Solution Pack is supported.
Supported Platforms And Versions: Select or .
If you select , you must specify the following information:
Sentinel: Specify the minimum version of Sentinel that the Solution Pack supports.
Sentinel RD: Specify the minimum version of Sentinel Rapid Deployment (RD) that the Solution Pack supports.
Sentinel Log Manager: Specify the minimum version of Sentinel Log Manager that the Solution Pack supports.
Click to save any changes you made.
You can expand or collapse all nodes at one time, instead of doing it node by node.
In the Solution Pack panel, select the Solution Pack, category, control, or content group.
Right-click the selected item, then select or .
Category, control, and content group nodes can be created in any order and then reordered or moved to a different parent in the hierarchy.
To move a node to another branch in the hierarchy, drag and drop a node to its new parent node. A control can be moved to a new category. A content group can be moved to a new control.
To reorder a node, drag and drop it on top of the node it should appear after in the Solution Pack.