18.1 Adding Threat Intelligence Data Sources

By default, Sentinel provides the most common threat intelligence data sources. You can add your own data sources as necessary. To add threat intelligence data sources, navigate to Sentinel Main and click Integration > Threat Intelligence Sources.

You can add threat intelligence data sources from any of the following sources:

  • URL: Specify the URL from which you want to download threat intelligence information. Because external sources update these data sources at regular intervals, you can configure Sentinel to download the data at regular intervals. Use the URL option for data feeds that are open and do not require authentication. For commercial data feeds that require authentication, use the File configuration option described below.

    Some data source URLs, including the ones that are available out of the box, use an HTTPS connection to download the feeds from the data source server. If Sentinel is in FIPS mode, the certificates that the data source server uses for secure communication must be added to the Sentinel FIPS keystore database.

    1. Download the certificates from the data source server and save them in individual files with the .cer extension.

    2. Import the certificates into the Sentinel FIPS keystore.

      For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database in the NetIQ Sentinel Installation and Configuration Guide.

  • File: If you want to subscribe to commercial feeds that require authentication, you can download feeds at regular intervals to a file and use that file as the data source. For Sentinel to process the data, you must place the file in the <sentinel_data_directory>/data/feed_data directory and then add the file as a data source.

    You can use the following file formats:

    • CSV: Allows you to assign threat types and a reputation score to individual IP addresses.

    • TXT: Allows you to specify only a list of IP addresses.

    Sentinel processes the data in the file the first time you add it as a data source and thereafter every time you update the file or the data source.
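A pre-check for a feed file before it is placed in <sentinel_data_directory>/data/feed_data, as an added example that is not part of the Sentinel documentation or product. The TXT rule (one IP address per line) follows the text above; the CSV column names ip, threat_type and score, the header row, the '#' comment convention and the 0-100 score range are assumptions made for illustration, since the page does not spell out the CSV layout. The sample feeds are constructed and use documentation address ranges.

```python
import csv
import io
import ipaddress

# Constructed sample feeds for illustration only; addresses are from documentation ranges
SAMPLE_TXT = """# TXT feed: one IP address per line
192.0.2.10
198.51.100.25
not-an-ip
203.0.113.7
"""

# Assumed CSV layout: header row with columns ip,threat_type,score (the page does not fix this)
SAMPLE_CSV = """ip,threat_type,score
192.0.2.10,Botnet,90
198.51.100.25,Malware,75
203.0.113.999,Scanner,50
203.0.113.7,Phishing,abc
"""


def parse_txt_feed(text):
    """Validate a TXT feed: one IP address per line.

    Blank lines and lines starting with '#' are skipped (an assumption; the page says
    only that the file is a list of IP addresses). Returns (entries, errors).
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            entries.append(str(ipaddress.ip_address(line)))
        except ValueError:
            errors.append(f"line {lineno}: invalid IP address {line!r}")
    return entries, errors


def parse_csv_feed(text, score_range=(0, 100)):
    """Validate a CSV feed with the assumed columns ip, threat_type and score.

    Every row must carry a parseable IP address, a non-empty threat type and an
    integer score within score_range. Returns (entries, errors); entries are dicts.
    """
    entries, errors = [], []
    reader = csv.DictReader(io.StringIO(text))
    required = {"ip", "threat_type", "score"}
    missing = required - set(reader.fieldnames or [])
    if missing:
        return entries, [f"header: missing column(s) {sorted(missing)}"]
    for lineno, row in enumerate(reader, 2):  # the header is line 1
        problems = []
        try:
            ip = str(ipaddress.ip_address((row["ip"] or "").strip()))
        except ValueError:
            problems.append(f"invalid IP address {row['ip']!r}")
            ip = None
        threat_type = (row["threat_type"] or "").strip()
        if not threat_type:
            problems.append("empty threat_type")
        try:
            score = int(row["score"])
            if not score_range[0] <= score <= score_range[1]:
                problems.append(f"score {score} outside {score_range}")
        except (TypeError, ValueError):
            problems.append(f"non-integer score {row['score']!r}")
            score = None
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
        else:
            entries.append({"ip": ip, "threat_type": threat_type, "score": score})
    return entries, errors


def validate_feed(text, fmt):
    """Dispatch on the two formats Sentinel accepts ('csv' or 'txt') and report duplicates."""
    if fmt == "txt":
        entries, errors = parse_txt_feed(text)
        ips = entries
    elif fmt == "csv":
        entries, errors = parse_csv_feed(text)
        ips = [e["ip"] for e in entries]
    else:
        raise ValueError(f"unsupported feed format {fmt!r}; use 'csv' or 'txt'")
    duplicates = sorted({ip for ip in ips if ips.count(ip) > 1})
    return {"entries": entries, "errors": errors, "duplicates": duplicates, "ok": not errors}


if __name__ == "__main__":
    for fmt, text in (("txt", SAMPLE_TXT), ("csv", SAMPLE_CSV)):
        report = validate_feed(text, fmt)
        print(f"{fmt}: {len(report['entries'])} valid entries, {len(report['errors'])} errors")
        for err in report["errors"]:
            print("  ", err)
```

Running the check on a downloaded file before copying it into feed_data gives a line-numbered list of malformed rows, so a broken commercial download is caught before Sentinel processes it rather than after.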

  • Threat Plug-in: You can create your own plug-ins by using the preview version of the Sentinel SDK, which is available on the Sentinel Plug-ins Website.

    NOTE: If you are using the curl command in the plug-in to download data from the data source, ensure that the curl package version is at least curl4-7.37.0-28.1.x86_64. The plug-in does not work if your operating system has a lower version of this package. For example, as of the publication date of this document, SLES 11 SP4 has a lower version of the curl package. SLES 12 SP1 and later have the required version of the curl package.

While adding a data source, you can select an appropriate threat type for the data source. By default, Sentinel populates several common threat types in a drop-down list from which you can select. You can also add your own threat type to the list by updating the configuration.properties file as follows:

  1. Log in to the Sentinel server as the novell user.

  2. Open the /etc/opt/novell/sentinel/config/configuration.properties file.

  3. Add the feeds.custom.threattypes property with the desired value as follows:

    feeds.custom.threattypes=<threat_type>

    Where <threat_type> is the name of the threat type you want to add. You can add multiple threat types separated by a comma.

  4. Restart the Sentinel server.
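Steps 2 and 3 of the procedure above, done in code so the edit is idempotent and repeatable, as an added example that is not part of the Sentinel documentation or product. The file path and the feeds.custom.threattypes property come from the procedure; the merge-and-deduplicate behaviour, the acceptance of ':' as a separator (which Java properties files allow) and the .bak backup copy are this example's own choices. The sample properties text is constructed.

```python
import re
import shutil
from pathlib import Path

# Path and property name are taken from the procedure above
PROPERTIES_PATH = Path("/etc/opt/novell/sentinel/config/configuration.properties")
KEY = "feeds.custom.threattypes"

# Constructed sample of a properties file; not the contents of a real Sentinel installation
SAMPLE_PROPERTIES = """# constructed sample
some.other.property=1
feeds.custom.threattypes=Cryptomining
"""

# Java properties allow '=' or ':' between key and value; a leading '#' makes the line a comment
_KEY_LINE = re.compile(r"^\s*" + re.escape(KEY) + r"\s*[=:]\s*(.*)$")


def update_threat_types(text, new_types):
    """Return (new_text, merged) with the feeds.custom.threattypes line set to the
    comma-separated merge of the existing and new threat types.

    An existing line is replaced in place, otherwise one is appended; duplicates are
    dropped and order is preserved, so running this twice leaves the file unchanged.
    """
    for t in new_types:
        if not t.strip() or "," in t:
            raise ValueError(f"invalid threat type {t!r}: must be non-empty and contain no comma")
    lines = text.splitlines()
    existing, index = [], None
    for i, line in enumerate(lines):
        m = _KEY_LINE.match(line)
        if m:
            index = i
            existing = [t.strip() for t in m.group(1).split(",") if t.strip()]
            break
    merged = []
    for t in existing + [t.strip() for t in new_types]:
        if t not in merged:
            merged.append(t)
    new_line = f"{KEY}={','.join(merged)}"
    if index is None:
        lines.append(new_line)
    else:
        lines[index] = new_line
    return "\n".join(lines) + "\n", merged


def update_properties_file(path, new_types):
    """Apply update_threat_types to a file, keeping a .bak copy of the original.

    The backup suffix is this example's choice, not Sentinel's. Returns the merged list.
    """
    path = Path(path)
    original = path.read_text(encoding="utf-8")
    new_text, merged = update_threat_types(original, new_types)
    if new_text != original:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(new_text, encoding="utf-8")
    return merged


if __name__ == "__main__":
    text, merged = update_threat_types(SAMPLE_PROPERTIES, ["Phishing", "Cryptomining"])
    print(text)
    print("threat types now:", merged)
```

Run update_properties_file(PROPERTIES_PATH, [...]) as the novell user (step 1); the script only edits the file, so the Sentinel server still has to be restarted afterwards (step 4) before the new threat types appear in the drop-down list.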