Sentinel 8.3 Release Notes

March 2020

Sentinel 8.3 includes new features and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Sentinel forum, our online community that also includes product information, blogs, and links to helpful resources. You can also share your ideas for improving the product in the Ideas Portal.

The documentation for this product is available in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Sentinel Documentation page. To download this product, see the Product Download website.

1.0 What’s New?

The following sections outline the key features provided by this version, as well as issues resolved in this release:

1.1 Performance Improvements in the Security Intelligence Dashboard

This release includes the following performance improvements in the Security Intelligence dashboard:

  • Historical data loads faster.

  • Baseline creation happens faster.

  • For the Moving Average comparison type, the delay during subsequent anomaly detection has been reduced and anomaly detection is now consistent.

  • For the Threshold comparison type, the actual count of anomalies and the search count are now consistent.

1.2 Usability Improvements in Real Time Views

For a better user experience, Real Time Views are now available on My Sentinel, in addition to Sentinel Main.

1.3 Usability Improvements in Alert Views

For a better user experience, Alert Views are now available on My Sentinel, in addition to Sentinel Main. The following enhancements are available only when you access Alert Views from Real Time Views on your home page:

  • The Alert ID is now displayed as one of the alert columns and you can click it to view the details of an alert.

  • Ability to copy alert links from an alert view and easily share them with others. To share, select the alerts you want to share, click Copy Alert Link, and share the resulting alert link.

  • Ability to filter alerts using either an alert field or a combination of various alert fields.

  • Ability to customize the columns in an alert view. You can now display the columns you require and hide the columns you do not want to display. After you modify the columns, other users will see the modified columns instead of the default columns of the same alert view.

  • Ability to export the required alerts to a CSV file.

For more information about working with an alert view, see Working with Alert Views in the Sentinel User Guide.

1.4 New Permissions for Non-Administrator Users

Sentinel now provides the following permissions for non-administrator users:

  • Create and use Alert Views

    In prior versions of Sentinel, the Allow users to manage alerts permission allowed users to manage both alerts and alert views. In Sentinel 8.3, the new permission Create and use Alert Views allows users to create private alert views and view shared alert views. The Allow users to manage alerts permission allows users to manage only alerts and not alert views.

    After you select this permission, you can assign the following permissions:

    • Share Alert Views: Allows users to share their alert views as follows:

      • Users of the default tenant can share their alert views with users of the same tenant or other tenants.

      • Users of a non-default tenant can share their alert views with other users of the same tenant.

    • Edit Alert Views: Assigns the Share Alert Views permission and allows users to edit shared alert views as follows:

      • Users of the default tenant can edit shared alert views.

      • Users of a non-default tenant can edit shared alert views except public alert views.

  • Create and use Event Views: Allows users to create private event views and view shared event views.

    After you select this permission, you can assign the following permissions:

    • Share Event views: Allows users to share their event views as follows:

      • Users of the default tenant can share their event views with users of the same tenant or other tenants.

      • Users of a non-default tenant can share their event views with other users of the same tenant.

    • Edit Event Views: Assigns the Share Event Views permission and allows users to edit shared event views as follows:

      • Users of the default tenant can edit shared event views.

      • Users of a non-default tenant can edit shared event views except public event views.

  • Edit Home Dashboard: Assigns the Share dashboard permission and allows users to edit shared dashboards as follows:

    • Users of the default tenant can edit shared dashboards.

    • Users of a non-default tenant can edit shared dashboards except public dashboards.

  • Share Home Dashboard: Allows users to share their dashboards as follows:

    • Users of the default tenant can share their dashboards with users of the same tenant or other tenants.

    • Users of a non-default tenant can share their dashboards with other users of the same tenant.

You must assign these permissions to a role manually. For more information about assigning these permissions to a role, see Creating Roles in the Sentinel Administration Guide.

1.5 Sentinel Now Stores Security Intelligence Data, Alerts Data, and So On in PostgreSQL

Fresh installations of Sentinel now store Security Intelligence data, alerts data, and so on in PostgreSQL instead of MongoDB.

If you are upgrading from a prior version of Sentinel, you must first migrate this data to PostgreSQL and then upgrade Sentinel.

For more information about migrating data and upgrading Sentinel, see the following chapters in the Sentinel Installation and Configuration Guide depending on your Sentinel deployment:

1.6 Ability to Generate a Report in CSV Format

You can now generate a report in CSV format. To generate a report in CSV format, select Reports and Searches > Run. Select CSV from the Report Format drop-down list and click Run.

1.7 Ability to Analyze if an Event Has Arrived Late

A new event field named EventTimeDelta displays the difference between the time when the event was generated (ObserverEventTime) and the time when Sentinel processes the event (SentinelProcessingTime). This field allows you to easily analyze if an event has arrived late. You can create correlation rules to filter events based on the time difference quickly and accurately.
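The following added example (not Sentinel code) shows how EventTimeDelta can be derived from ObserverEventTime and SentinelProcessingTime and used to flag late events, the check a correlation rule on this field performs. It also handles the edge cases a practitioner cares about: a negative delta (the source clock is ahead of Sentinel) and a missing timestamp. The threshold values, the SAMPLE_EVENTS and the ArrivalVerdict field are assumptions of this example.

```python
"""Derive EventTimeDelta and flag late or clock-skewed events (added example)."""
from datetime import datetime, timezone

LATE_THRESHOLD_S = 300   # assumption: arrival > 5 min after generation counts as late
SKEW_TOLERANCE_S = 30    # assumption: delta below -30 s means the source clock is ahead


def parse_ts(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' or a naive value is treated as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def event_time_delta(event):
    """Seconds from ObserverEventTime to SentinelProcessingTime, or None if a field is missing."""
    try:
        observed = parse_ts(event["ObserverEventTime"])
        processed = parse_ts(event["SentinelProcessingTime"])
    except KeyError:
        return None
    return (processed - observed).total_seconds()


def classify(event):
    """Verdict for one event: on-time, late, future (source clock ahead) or unknown."""
    delta = event_time_delta(event)
    if delta is None:
        return "unknown"
    if delta < -SKEW_TOLERANCE_S:
        return "future"
    if delta > LATE_THRESHOLD_S:
        return "late"
    return "on-time"


def annotate(events):
    """Return copies of the events with EventTimeDelta and an ArrivalVerdict field added."""
    annotated = []
    for ev in events:
        ev = dict(ev)
        ev["EventTimeDelta"] = event_time_delta(ev)
        ev["ArrivalVerdict"] = classify(ev)
        annotated.append(ev)
    return annotated


def late_events(events, threshold=LATE_THRESHOLD_S):
    """Filter mirroring a correlation rule 'EventTimeDelta > threshold'."""
    return [ev for ev in annotate(events)
            if ev["EventTimeDelta"] is not None and ev["EventTimeDelta"] > threshold]


# Constructed sample events; offsets are deliberately mixed to exercise parsing.
SAMPLE_EVENTS = [
    {"EventName": "Login",
     "ObserverEventTime": "2020-03-02T10:00:00Z",
     "SentinelProcessingTime": "2020-03-02T10:00:02Z"},          # delta 2 s
    {"EventName": "Batch upload",
     "ObserverEventTime": "2020-03-02T08:00:00+01:00",           # 07:00 UTC
     "SentinelProcessingTime": "2020-03-02T10:00:00Z"},          # delta 10800 s
    {"EventName": "Skewed source",
     "ObserverEventTime": "2020-03-02T10:05:00Z",
     "SentinelProcessingTime": "2020-03-02T10:00:00Z"},          # delta -300 s
    {"EventName": "No observer time",
     "SentinelProcessingTime": "2020-03-02T10:00:00Z"},          # delta unknown
]

if __name__ == "__main__":
    for ev in annotate(SAMPLE_EVENTS):
        print(f'{ev["EventName"]:18} delta={ev["EventTimeDelta"]} verdict={ev["ArrivalVerdict"]}')
```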

1.8 Data Collection from Kaspersky DB

Sentinel can now collect events from Kaspersky DB using SmartConnector.

1.9 Enhancements to Reporting

Reporting has been enhanced in the following ways:

  • Sentinel now provides a new report Sentinel Core Event Source Audit to view event sources that are active, inactive, and removed during a specified time period. You can also configure the report to display only the event sources of a specific status.

  • When creating or running a report, you can now select the following time slice options from the Date Range drop-down list: Last 24 Hours, Last 7 Days, Last 30 Days, and Last 60 Minutes.

1.10 Ability to Generate an Audit Event When a List Item in a Dynamic List Expires

You can now configure Sentinel to trigger an audit event when a list item expires from a dynamic list. For more information about triggering an audit event, see Generating an Audit Event when a List Item Expires From a Dynamic List in the Sentinel Administration Guide.

1.11 Updates to Certified Platforms

Sentinel is now certified on the following platforms:

Traditional installation

  • Red Hat Enterprise Linux Server 8 64-bit

  • Red Hat Enterprise Linux Server 8.1 64-bit

  • Red Hat Enterprise Linux Server 7.7 64-bit

  • SUSE Linux Enterprise Server (SLES) 15 64-bit

  • SUSE Linux Enterprise Server 15 SP1 64-bit

1.12 Updated Plug-Ins

New installations of Sentinel 8.3 include new and updated versions of Sentinel plug-ins. These versions include the latest software fixes, documentation updates, and enhancements for the plug-in. For more information, see the specific plug-in documentation on the Sentinel Plug-ins Website.

When you upgrade Sentinel, plug-ins such as Universal Common Event Format Collector 2011.1r4, Syslog Connector 2020.1r1, and Agent Manager Connector 2020.1r1 are upgraded to the latest version. These plug-ins include the following enhancements:

  • Universal Common Event Format Collector 2011.1r4: The collector can now collect events from Kaspersky DB using SmartConnector.

  • Syslog Connector 2020.1r1: You can now use regular expressions to match the AppID of the event to the AppID of a collector when you configure the Connector to route events based on the unique application IDs.

  • Agent Manager Connector 2020.1r1: You can now match the AppID of an event to a regular expression either in the Sentinel Agent Manager Connector or the respective Collector, when configuring data collection based on matching application IDs.

To upgrade other plug-ins to the latest version, download the desired plug-in from the Sentinel Plug-ins Website. For more information, refer to the specific plug-in documentation.

1.13 Removal of NetFlow from Sentinel

Sentinel no longer includes NetFlow. Therefore, you can uninstall any existing NetFlow Collector Managers because they are no longer required.

1.14 The Abuse.ch ZeuS Tracker Feed is Discontinued By Zeus and is No Longer Supported in Sentinel

Only the following feeds are now supported for Threat Intelligence Sources: Abuse.ch Feodo Tracker and Abuse.ch SSL Blacklist.

1.15 Software Fixes

Sentinel 8.3 includes software fixes that resolve the following issues:

The Alert if no data received in specified time period (Time in Seconds) Field Accepts Invalid Values

Issue: When configuring Collectors or Connectors, you can specify letters, negative values, or zero as the time period in the Alert if no data received in specified time period (Time in Seconds) field. (Bug 1140021)

Fix: Sentinel now allows you to enter only positive values in the Alert if no data received in specified time period (Time in Seconds) field. If you enter an invalid value, Sentinel displays a message stating that the value is invalid.

When Clearing Up Primary Storage, Sentinel Clears the Storage Space Twice Instead of Once

Issue: When clearing up primary storage, Sentinel clears the storage space twice instead of once. This deletes twice the expected amount of data. (Bug 1130108)

Fix: When clearing up primary storage, Sentinel now clears the storage space only once and deletes only the required amount of data.

The ExtendedInformation (ei) Field is Not Included in Events Forwarded from Sentinel in Common Event Format (CEF)

Issue: When the ExtendedInformation (ei) field in Sentinel is converted to CEF, it is not mapped in the CEF event. (Bug 1143287)

Fix: The ExtendedInformation (ei) field is now included when an event is forwarded from Sentinel in CEF.

Syslog Integrator Parses Values of an Event to a Field That is Not in The List of CEF Fields

Issue: When forwarding events in CEF, the Syslog Integrator parses an event value to the dvhost field, which is not in the list of CEF fields. (Bug 1143290)

Fix: The dvhost field is now renamed to dvchost. The dvchost field is displayed in the list of CEF fields and the Syslog Integrator parses values to this field.
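The two CEF fixes above come down to one property of a forwarder: every extension key it emits must be in the CEF dictionary, and every mapped Sentinel field must actually reach the output. The following added example (not the Syslog Integrator's code) builds a CEF line from a constructed Sentinel-style event and rejects non-standard keys such as dvhost before sending. Carrying ExtendedInformation in a labelled custom string (cs1/cs1Label), the vendor and product strings, and the SAMPLE_EVENT are this example's own choices, not Sentinel's mapping.

```python
"""Build a CEF event from Sentinel-style fields and reject keys outside the CEF dictionary."""

# Subset of the CEF extension dictionary; a real forwarder would load the full list.
STANDARD_CEF_KEYS = frozenset({
    "act", "app", "cat", "dvc", "dvchost", "dvcpid", "dst", "dhost", "dpt", "duser",
    "src", "shost", "spt", "suser", "proto", "msg", "rt", "start", "end", "in", "out",
    "reason", "outcome", "fname", "fsize", "request", "externalId", "deviceExternalId",
} | {f"cs{i}" for i in range(1, 7)} | {f"cs{i}Label" for i in range(1, 7)})

# Sentinel field -> CEF extension key. dvchost is the CEF key for the device host;
# 'dvhost' (emitted before the fix for Bug 1143290) is not in the dictionary.
# ExtendedInformation has no dedicated CEF key, so this example (its own choice)
# carries it as a labelled custom string; the label makes it visible in the receiver.
FIELD_MAP = {
    "ObserverHostName": "dvchost",
    "SourceIP": "src",
    "DestinationIP": "dst",
    "InitiatorUserName": "suser",
    "EventName": "msg",
    "ExtendedInformation": "cs1",
}
CUSTOM_LABELS = {"cs1": "ExtendedInformation"}


class CefKeyError(ValueError):
    """Raised when an extension key is not part of the CEF dictionary."""


def _esc_header(value):
    # Header fields escape backslash and the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    # Extension values escape backslash and '=', and fold newlines to the literal '\n'.
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r\n", "\\n").replace("\n", "\\n")


def validate_extension_keys(ext):
    """Refuse to forward an event whose extension uses keys the receiver will not understand."""
    bad = sorted(k for k in ext if k not in STANDARD_CEF_KEYS)
    if bad:
        raise CefKeyError(f"non-standard CEF extension key(s): {', '.join(bad)}")


def to_cef(event, vendor="ExampleVendor", product="ExampleSIEM", version="8.3"):
    """Map a Sentinel-style event dict to one CEF:0 line, checking keys before emitting."""
    ext = {}
    for field, key in FIELD_MAP.items():
        if field in event:                      # a mapped field must never be silently dropped
            ext[key] = event[field]
            if key in CUSTOM_LABELS:
                ext[key + "Label"] = CUSTOM_LABELS[key]
    validate_extension_keys(ext)
    severity = max(0, min(10, int(event.get("Severity", 0))))   # CEF severity is 0..10
    header_fields = (vendor, product, version, event.get("EventID", "0"),
                     event.get("EventName", ""), severity)
    header = "CEF:0|" + "|".join(_esc_header(v) for v in header_fields)
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"{header}|{extension}"


# Constructed sample event; the ei value contains '=' to exercise extension escaping.
SAMPLE_EVENT = {
    "EventID": "1001",
    "EventName": "Login failed|retry",
    "Severity": 3,
    "ObserverHostName": "sensor01",
    "SourceIP": "10.0.0.5",
    "InitiatorUserName": "alice",
    "ExtendedInformation": "reason=bad password; attempts=3",
}

if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT))
```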

Cannot Edit or Delete a Correlation Rule with Special Characters

Issue: When creating a free-form rule, you can create a correlation rule that contains a regular expression with more than two consecutive question marks (?), which makes it an invalid regular expression. (Bug 1136581)

Fix: Sentinel allows you to create a correlation rule only if the regular expression is valid. If the regular expression is invalid, Sentinel displays an error and does not allow you to save the correlation rule.

Unable to Install Open-vm-tools on an Appliance Due to Missing Packages

Issue: When trying to install open-vm-tools on the Sentinel server and Collector Manager, an error message displays stating that dependent packages are missing. (Bug 1153959)

Fix: Install the dependent packages provided as a patch. For more information, see the Knowledge Base Article 7024280.

Correlation Sequence Rule Does Not Fire Correctly When Subrules Have the Same Criteria

Issue: When subrules of a Sequence rule have the same criteria, the subrule fires based on the sequence of subrules and not the sequence of events. (Bug 1106118)

Fix: A Sequence correlation rule now fires in the order of its subrules, irrespective of the filter criteria each subrule holds. When multiple subrules have the same criteria, all the subsequent subrules are also considered for the correlation rule to fire.

CreatedDate and ModifiedDate Fields of Correlation Rule are Not Available in the REST API

The REST API now includes the ModifiedDate and CreatedDate fields for each correlation rule, with the correct date and time. (Bug 1163137)

Some Events Do Not Contain the InitiatorUserName field in the Audit event

All the events now contain the details of the InitiatorUserName. (Bug 1158183)

Report Generation Fails When it Consists of Multiple Pages

You can now successfully generate reports consisting of multiple pages. (Bug 1160542)

Starting, Stopping or Restarting of a Collector, Connector, or an Event Source Logs an Exception

Issue: Starting, stopping, or restarting a Collector, Connector, or Event Source logs an exception. This leads to too many exceptions being logged in the Sentinel log files. (Bug 1165444)

Fix: Starting, stopping, or restarting a Collector, Connector, or Event Source no longer logs exceptions.

2.0 System Requirements

For more information about hardware requirements, supported operating systems, and browsers, see the Sentinel System Requirements.

WARNING:

  • Do not upgrade from RHEL version 7.7 to version 8.x because this is not supported by Red Hat. For more information, see the Red Hat documentation.

  • If you want to upgrade RHEL 7.6 to 8.x, you must first upgrade the current Sentinel installation to 8.3 and then upgrade the operating system to 8.x. Do not upgrade the operating system before upgrading Sentinel because this can corrupt your Sentinel installation or deployment.

3.0 Installing Sentinel 8.3

For information about installing Sentinel 8.3, see the Sentinel Installation and Configuration Guide.

4.0 Upgrading to Sentinel 8.3

You can upgrade to Sentinel 8.3 only from Sentinel 8.2 or later.

You must upgrade Sentinel only after you migrate the alerts data and Security Intelligence data from MongoDB to PostgreSQL. The data migration process is different for each Sentinel deployment. Therefore, read the relevant sections carefully to migrate data before you upgrade Sentinel.

IMPORTANT:

  • NetFlow capabilities are removed when you upgrade to Sentinel 8.3. Therefore, you will lose any NetFlow data collected prior to the upgrade to 8.3.

  • If you upgrade from Sentinel 8.2 or 8.2 P1 to 8.3, you must manually assign the Send events and attachments permission to non-administrator users who send events or attachments to Sentinel. Unless you assign this permission, Sentinel will no longer receive events and attachments from Change Guardian and Secure Configuration Manager.

    You need not reassign this permission if you are upgrading from 8.2 SP1 or 8.2 SP2 to 8.3.

You do not have to enable IP Flow after you upgrade because IP Flow is now enabled by default.

After you upgrade, you can do the following:

  • The data in MongoDB is now redundant because Sentinel 8.3 and later will store data only in PostgreSQL. To clear up the disk space, delete this data.

  • In prior versions of Sentinel, the Allow users to manage alerts permission allowed users to manage both alerts and alert views. In Sentinel 8.3, the Allow users to manage alerts permission allows users to manage only alerts and not alert views. To enable users to manage alert views, you must assign the Create and use Alert Views permission.

For information about upgrading to Sentinel 8.3, see Upgrading Sentinel in the Sentinel Installation and Configuration Guide.

5.0 Known Issues

Micro Focus strives to ensure our products provide quality solutions for your enterprise software needs. The following known issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

The Java 8 update included in Sentinel might impact the following plug-ins:

  • Cisco SDEE Connector

  • SAP (XAL) Connector

  • Remedy Integrator

For any issues with these plug-ins, we will prioritize and fix the issues according to standard defect-handling policies. For more information about support policies, see Support Policies.

5.1 Unable to View Storage Capacity Forecasting Chart

Issue: In Sentinel Main > Storage > Health, the Storage Capacity Forecasting chart is not available. This is because Zulu OpenJDK does not include the necessary fonts. (Bug 1146879)

Workaround: Use the following commands to install the fonts:

  • yum install fontconfig

  • yum install dejavu

5.2 Unavailability of Sharing Permissions for Tenant Users

Issue: When you select a tenant while creating a role, there are no permissions listed under Sharing for tenant users. (Bug 1163847)

Workaround: None. Ignore the Sharing label for tenant users.

5.3 Error When Launching a Kibana Dashboard After Upgrading Sentinel

Issue: Launching a Kibana dashboard displays the following message: No default index pattern. You must select or create one to continue. (Bug 1163143)

Workaround: To set a Kibana index pattern as the default index pattern:

  1. Select any of the following:

    • alerts.alerts

    • security.events.normalized_*

  2. Click Set as Default.

5.4 Cannot Copy the Alert Links of All the Alerts in an Alert View in Mozilla Firefox and Microsoft Edge

Issue: The Select All <number of alerts> Alerts > Copy Alert Link option does not work in Firefox and Edge. (Bug 1162070)

Workaround: Perform the following steps:

  1. Manually select all the alerts on each page of the alert view using the check box that allows you to select all the alerts.

  2. Click Copy Alert Link.

  3. Paste it in the desired application.

5.5 Installing Sentinel, Collector Manager, and Correlation Engine as an OVF Appliance Image Does Not Display the Login Screen

Issue: The installer halts at the installation in progress screen and does not display the login screen even though the installation is complete.

Workaround: Reboot the virtual machine and launch Sentinel, Collector Manager, or Correlation Engine. (Bug 1134657)

5.6 Sentinel 8.2 Appliance in Microsoft Hyper-V Server 2016 Does Not Start When You Reboot

Issue: In Hyper-V Server 2016, Sentinel appliance does not start when you reboot it and displays the following message:

A start job is running for dev-disk-by\..

This issue occurs because the operating system modifies the disk UUID during installation. Therefore, during reboot it cannot find the disk.

(Bug 1097792)

Workaround: Manually modify the disk UUID. For more information, see Knowledge Base Article 7023143.

5.7 Error When Upgrading to Sentinel 8.2 HA Appliance

Issue: When you upgrade to Sentinel 8.2 HA appliance, Sentinel displays the following error:

Installation of novell-SentinelSI-db-8.2.0.0-<version> failed:
with --nodeps --force) Error: Subprocess failed. Error: RPM failed: Command exited with status 1.
Abort, retry, ignore? [a/r/i] (a): 

(Bug 1099679)

Workaround: Before you respond to the above prompt, perform the following:

  1. Start another session using PuTTY or similar software to the host where you are running the upgrade.

  2. Add the following entry in the /etc/csync2/csync2.cfg file:

    /etc/opt/novell/sentinel/config/configuration.properties

  3. Remove the sentinel folder from /var/opt/novell:

    rm -rf /var/opt/novell/sentinel

  4. Return to the session where you had initiated the upgrade and enter r to proceed with the upgrade.

5.8 Installation of Collector Manager and Correlation Engine Appliance Fails in Languages Other than English in MFA Mode

Issue: Installation of Collector Manager and Correlation Engine appliance fails in MFA mode if the operating system language is other than English. (Bug 1045967)

Workaround: Install Collector Manager and Correlation Engine appliances in English. After the installation is complete, change the language as needed.

5.9 Usability Issues in the Appliance Installation Screens

Issue: The Next and Back buttons in the appliance installation screens do not appear or are disabled in some cases, such as the following:

  • When you click Back from the Sentinel precheck screen to edit or review the information in the Sentinel Server Appliance Network Settings screen, there is no Next button to proceed with the installation. The Configure button allows you to only edit the specified information.

  • If you have specified incorrect network settings, the Sentinel Precheck screen indicates that you cannot proceed with the installation due to incorrect network information. There is no Back button to go to the previous screen to modify the network settings.

(Bug 1089063)

Workaround: Restart the appliance installation.

5.10 Error Message During Sentinel Start Up

Issue: Sentinel displays the following message during start up in the server.log file:

Value for attribute rv43 is too long

(Bug 1092937)

Workaround: Ignore the exception. Although the message is displayed, Sentinel works as expected.

5.11 SSDM Displays an Exception When Deleting Events Whose Retention Period Has Expired

Issue: When there is a large number of events whose retention period has expired and SSDM tries to delete those events from Elasticsearch, the following exception is displayed in the server.log file:

java.net.SocketTimeoutException: Read timed out

(Bug 1088511)

Workaround: Ignore the exception. This exception occurs due to the time taken to delete the large amount of data. Although the exception is displayed, SSDM successfully deletes the events from Elasticsearch.

5.12 Collector Manager Runs Out of Memory if Time Synchronization is Enabled in open-vm-tools

Issue: If you manually install and enable time synchronization in open-vm-tools, they periodically synchronize time between the Sentinel appliance (guest) and the VMware ESX server (host). These time synchronizations can result in moving the guest clock either behind or ahead of the ESX server time. Until the time is synchronized between the Sentinel appliance (guest) and the ESX server (host), Sentinel does not process events. As a result, a large number of events are queued up in the Collector Manager, which may eventually drop events once it reaches its threshold. To avoid this issue, Sentinel disables time synchronization by default in the open-vm-tools version available in Sentinel. (Bug 1099341)

Workaround: Disable time synchronization. For more information about disabling time synchronization, see Disabling Time Synchronization.

5.13 Agent Manager Requires SQL Authentication When FIPS 140-2 Mode is Enabled

Issue: When FIPS 140-2 mode is enabled in Sentinel, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (Bug 814452)

Workaround: Use SQL authentication for Agent Manager.

5.14 Sentinel High Availability Installation in Non-FIPS 140-2 Mode Displays an Error

Issue: The Sentinel High Availability installation in non-FIPS 140-2 mode completes successfully but displays the following error twice:

/opt/novell/sentinel/setup/configure.sh: line 1045: [: too many arguments 

(Bug 810764)

Workaround: The error is expected and you can safely ignore it. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS 140-2 mode.

5.15 Keytool Command Displays a Warning

Issue: While using the Keytool command, the following warning is displayed: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /<sentinel_install_directory>/etc/opt/novell/sentinel/config/.webserverkeystore.jks -destkeystore /<sentinel_install_directory>/etc/opt/novell/sentinel/config/.webserverkeystore.jks -deststoretype pkcs12". (Bug 1086612)

Workaround: The warning is expected and you can safely ignore it. Although the warning is displayed, the Keytool command works as expected.

5.16 Sentinel Does Not Process Threat Intelligence Feeds In FIPS Mode

Issue: In FIPS mode, when processing out-of-the-box Threat Intelligence feeds from URLs, Sentinel displays the following error: Received fatal alert: protocol_version. This issue occurs because the out-of-the-box threat feeds now support only TLS 1.2, which does not work in FIPS mode. (Bug 1086631)

Workaround: Perform the following:

  1. Click Sentinel Main > Integration > Threat Intelligence Sources.

  2. Edit each URL to change the protocol from http to https.

5.17 Logging Out From Sentinel Main Does Not Log You Out of Dashboards And Vice Versa in Multi-factor Authentication mode

Issue: In multi-factor authentication mode, if you log out of Sentinel Main you do not get logged out of Sentinel dashboards and vice versa. This is due to an issue in the Advanced Authentication Framework. (Bug 1087856)

Workaround: Until a fix is available in the Advanced Authentication Framework, refresh the screen to view the login screen.

6.0 Contacting Micro Focus

For specific product issues, contact Micro Focus Support at https://www.microfocus.com/support-and-services/.

Additional technical information or advice is available from several sources: