5.7 Activities

An Activity is very similar to a Command Step, except that Activities are reusable and cannot use input or output variables. The Activities pane shows a library of user-defined, reusable Activities that can reduce the amount of configuration necessary when building Templates.

Activities are exported and imported as XML files, which lets you move them from one Sentinel system to another.

Figure 5-3 Activity Pane

iTRAC Activities can be used in iTRAC templates to define a workflow step, or they can be manually executed from within an Incident. Sentinel provides three types of actions that can be used to build Activities:

5.7.1 Incident Command Activity

An Incident Command Activity enables you to launch a specific command with or without arguments. The following fields from the incident associated with the workflow process can be used as input to the command:

  • DIP [Target IP]

  • DIP : Port

  • RT1 (DeviceAttackName)

  • SIP [Initiator IP]

  • SIP : Port

  • Text (incident information in name value pair format)

NOTE: The command (or a batch file or script that refers to the command) must be stored in the %ESEC_HOME%\config\exec or $ESEC_HOME/config/exec directory on the iTRAC workflow server, usually the same machine where the Data Access Server (DAS) is installed. Because the Activity passes incident fields (for example, the attack name) to that command as arguments, treat those values as untrusted input in the script, and restrict write access to the exec directory to administrators, since anything placed there can be launched by a workflow.
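The following script is an added example, not part of Sentinel or of this guide. It is a hypothetical enrich_incident.sh that would be placed in $ESEC_HOME/config/exec on the iTRAC workflow server and referenced by an Incident Command Activity whose arguments are the incident outputs SIP, DIP and RT1 (DeviceAttackName), in that order (the argument order and script name are assumptions). It shows what such a script should do with incident data before acting on it: validate the IP addresses, never interpolate the free-text attack name into another command line, and emit a report on standard output that the Activity can mail or attach to the incident. On a Windows workflow server the equivalent would be a batch file in %ESEC_HOME%\config\exec.

```sh
#!/bin/sh
# Added example (not Sentinel's own code): hypothetical
# $ESEC_HOME/config/exec/enrich_incident.sh, launched by an Incident Command
# Activity with the incident outputs SIP, DIP and RT1 (DeviceAttackName).
# All three values originate in event data, so they are treated as untrusted.

# Succeed only if $1 is a dotted-quad IPv4 address with four octets in 0..255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;       # empty, or anything other than digits and dots
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                           # split into octets (function-local positional parameters)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1     # rejects "1..2.3" and ".1.2.3"
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Reduce the free-text attack name to a conservative character set before it
# is written into the report; it is printed, never executed.
sanitize_name() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9 ._:/-'
}

# Build the report text the Activity mails or attaches to the incident.
# Usage: build_report SIP DIP DeviceAttackName
build_report() {
    sip=$1; dip=$2; name=$3
    is_ipv4 "$sip" || { printf 'refusing to run: invalid SIP %s\n' "$sip" >&2; return 1; }
    is_ipv4 "$dip" || { printf 'refusing to run: invalid DIP %s\n' "$dip" >&2; return 1; }
    printf 'incident report\nsip=%s\ndip=%s\nattack=%s\n' "$sip" "$dip" "$(sanitize_name "$name")"
}

# Entry point when iTRAC launches the script with the three incident outputs.
if [ "$#" -eq 3 ]; then
    build_report "$1" "$2" "$3"
fi
```

The validation matters because Activity arguments taken from Incident Output are whatever the originating event carried; a DeviceAttackName such as "Probe; $(reboot)" is harmless here only because the script never hands it to a shell for re-parsing.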

5.7.2 Incident Internal Activity

An Incident Internal Activity enables you to mail and/or attach information from the Sentinel database to the incident associated with the workflow process. Each of these options has a prerequisite:

  • Vulnerability data for the Initiator IP address (SIP) or the Target IP address (DIP): This requires that you run a vulnerability scanner and bring the results of the scan into Sentinel using a Vulnerability (or "information") Collector.

  • Advisor attack-related data: This requires the purchase and installation of the optional Advisor data subscription service.

  • Asset data: This requires that you run an asset discovery or management tool such as Nmap and bring the results into Sentinel using an Asset Collector.

To send mail messages from within the Sentinel Control Center, you must have an SMTP Integrator that is configured with connection information and with the property SentinelDefaultEMailServer set to “true”.

5.7.3 Incident Composite Activity

An Incident Composite Activity enables you to combine one or more existing Incident Command and Incident Internal Activities into a single Activity.

5.7.4 Creating iTRAC Activities

To create an iTRAC Activity:

  1. Click the iTRAC tab.

  2. In the Navigator, click iTRAC Administration > Activity Manager or click the Add button in the Activity Pane.

  3. Click the Add button. The Activity Wizard window displays.

  4. Select an Activity type: Command, Internal, or Composite.

  5. Provide a name and description for this activity. Click Next.

  6. Configure the necessary settings for the type of activity you chose.

    • Incident Command Activity

      • In the Command Arguments Wizard, specify the Command.

      • Provide the Arguments for this command. You can select None, Incident Output (Values from the Drop-down list), or provide Custom values.

      • Click Next.

      • In this window, you can configure the Incident Command Activity to email the command output to a specific address and/or attach the output to the incident associated with the workflow process.

      • Select Mail and specify the To and From email address and Subject.

      • Select Attach to Incident, if required.

      • Click Next.

      • View and confirm the details you chose in the Summary page and click Finish.

    • Incident Internal Activity

      • Select the information from the Sentinel database to include: vulnerability data for the SIP or DIP, Advisor attack-related data, or asset data (see the prerequisites in Section 5.7.2). Click Next.

      • Select your options (Mail and/or Attach to Incident).

      • If you select Mail, you are prompted to provide the To and From email addresses and a Subject. Provide this information and click Next.

      • View and confirm the details you chose in the Summary page and click Finish.

    • Incident Composite Activity

      • Select the activities from the list of available activities and click Next.

      • View and confirm the details you chose in the Summary page and click Finish.

5.7.5 Managing Activities

After creating an Activity, you can modify, import or export it.

Modifying Activities

To modify an Activity:

  1. Click the iTRAC tab.

  2. In the Navigator, click iTRAC Administration > Activity Manager.

  3. Highlight the activity that needs modification and click View/Edit. The Edit Activity window displays.

  4. Edit information in General, Attachment and Mail tabs.

  5. Click OK.

Exporting Activities

To export an Activity:

  1. Click the iTRAC tab.

  2. In the Navigator, click iTRAC Administration > Activity Manager.

  3. Click the Import/Export Activity icon. The Import/Export Wizard window displays.

  4. Select Export Activity and click Explore.

  5. Navigate to where you want to save your exported file.

  6. Click Next.

  7. Select one or more activities to be exported.

  8. Click Next and click Finish.

Importing Activities

To import an Activity:

  1. Click the iTRAC tab.

  2. In the Navigator, click iTRAC Administration > Activity Manager.

  3. Click the Import/Export Activity icon. The Import/Export Wizard window displays.

  4. Select Import Activity and click Explore.

  5. Navigate to your import file. Click Import.

  6. Click Next. A list of the activities that will be imported displays. Review it before continuing, because an imported Command Activity can reference any command in the exec directory.

  7. Click Next and click Finish.