A vital part of creating a Solution Pack is adding content to the controls. Each control can have one or more types of content associated with it.
The same general procedure is used to add all types of Sentinel content to a Solution Pack. The Sentinel content palette includes the following:
Actions
Correlation Rule deployments, including their deployment status (enabled or disabled) and associated Correlation rules, Correlation Actions, and Dynamic Lists
Event Actions
Reports
Filters
Searches
iTRAC workflows, including associated roles
Event enrichment, including map definitions and event metatag configuration
Other associated files added when the Solution Pack is created, such as documentation, example report PDFs, or sample map files.
To add Sentinel content to a control:
Access the Solutions Designer.
Open or create a Solution Pack.
Click the appropriate panel to display the available content:
Actions
Correlation
Event Actions
Event Enrichment
Filters
iTRAC
Jasper Reports
Searches
Drag the item and drop it into the control.
If you try to drag and drop pre-existing content in the Solution Designer, the existing content is highlighted. After you drop the content, a message prompt indicates that similar content exists.
You can set properties to a content to indicate it is designed for specific Sentinel platforms. Content that is designed in newer versions of Sentinel might not be supported in older versions because of changes in the Sentinel schema. If you try to install a Control on an unsupported Sentinel platform, the installation does not proceed and shows an “Out of date” error.
To set the properties:
Right-click a content, then select Properties.
(Conditional) For Correlation rules, select Automatically deploy during installation to deploy Correlation rules automatically during the solution pack installation.
Select Minimum Required Versions, and then specify the Sentinel versions.
Click Apply.
If the user is not ready to associate content with a control, an empty placeholder can be used instead.
Click the Correlation, Event Actions, Actions, Filters, Event Enrichment, iTRAC, or Jasper Report button in the Content Palette to open the panel for the type of placeholder you want to add.
Drag and drop the placeholder to the appropriate control in the Solution Pack panel.
Rename the placeholder, if desired.
To replace a placeholder with content:
Click the Correlation, Event Actions, Filters, Event Enrichment, iTRAC, or Jasper Report button in the Content Palette to open the panel for the type of placeholder you want to add.
Drag and drop the appropriate Content Group from the Content Palette to the placeholder in the Solution Pack panel or select the appropriate Content Group, then click Add Selected Content.
You can set properties for placeholders to indicate whether a placeholder is designed for specific Sentinel platforms. Placeholders that are designed in newer versions of Sentinel might not be supported in older versions because of changes in the Sentinel schema. If you try to install a placeholder on an unsupported Sentinel platform, the install does not proceed and shows an “Out of date” error.
To set the properties:
Right-click the placeholder, then select Properties.
Select Minimum Required Versions, then specify the Sentinel versions.
Click Apply.
You can attach a file or files to any node in the hierarchy. The content in the attachment is included in the Solution Pack. These files can include anything useful for a user who must deploy the Solution Pack, such as a PDF view of a report, sample map data for event enrichment, or a script for an Execute Command Correlation Action. These files can be added, deleted, viewed, renamed, or saved to the local machine.