16.4 Solution Designer

You can use the Solution Designer to package and export different kinds of content, for example a correlation rule together with its associated actions and dynamic lists, or JasperReports. The selected content is packaged in a ZIP file with its respective configuration. You can then view or select the content of the file by using the Solution Manager. For more information on the Solution Manager, see Section 16.2, Solution Manager.

To use the Solution Designer, a user must be assigned Solution Designer permissions under Solution Pack. For more information, see Section 16.1.2, Permissions for Using Solution Packs.

16.4.1 Solution Designer Interface

The Solution Designer is divided into several frames: Content Palette, Content Description, Solution Pack, and Documentation. The Content Palette includes several sections that can be expanded, including Correlation Deployment, Event Enrichment, Workflow Templates, and Reports. The displayed contents are populated from the Sentinel server and can be exported into a Solution Pack.

Table 16-4 Solution Designer - User Interface

Frames:

  • Content Palette

  • Content Description

  • Solution Pack

  • Documentation

16.4.2 Connection Modes

Solution Packs can be created or edited in the Solution Designer in connected or offline modes.

In offline mode, there is no connection to an active Sentinel server or its content (such as event enrichment or correlation rules). However, you can perform the following actions:

  • Define the structure of the Solution Pack (including Categories, controls, and content placeholders).

  • Write implementation documentation.

  • Write testing documentation.

  • Add JasperReports available in your local system.

  • Add attachments to any node of the Solution Pack.

In connected mode, all content in the Sentinel system is available. In addition to all of the actions that are available in offline mode, you can also perform the following actions:

  • Add Sentinel content (such as correlation rules and Maps).

  • Replace placeholders with Sentinel content.

To open the Solution Designer in offline mode:

  1. Start the Solution Designer by executing the following command:

    <install_directory>/bin/solution_designer.sh
    

    The Sentinel Solution Designer login window is displayed.

  2. Provide your login credentials. Select the Work Offline check box if desired, then click Login. The Solution Designer is displayed.

  3. Open or create a Solution Pack.

    For instructions on creating a Solution Pack see Section 16.4.3, Creating a Solution Pack.

16.4.3 Creating a Solution Pack

Using Solution Designer, you can create a Solution Pack using existing content objects (for example, correlation rules or dynamic lists) from Sentinel. The Solution Designer analyzes the dependencies for a content object and includes all necessary components in the Solution Pack. For example, a correlation rule deployment includes a correlation rule definition and can also include one or more actions and the ability to create an incident using a workflow. The Solution Designer includes the correlation rule, the associated correlation actions, the iTRAC template, and the roles associated with the iTRAC template in the Solution Pack.

NOTE: To add a content object to a Solution Pack, it must already exist in Sentinel. Content objects cannot be created through the Solution Designer.

To create a new Solution Pack:

  1. Open the Solution Designer in either connected or offline mode.

  2. Click File > New. An empty Solution Pack displays in the Solution Pack frame.

  3. Add Categories, controls, content groups, and content placeholders, using the proper procedures for each.

  4. Add file attachments to the hierarchy nodes as desired.

  5. Click File > Save. The Save window displays.

    Provide a name and click Save. The Solution Pack is saved in a .zip or .spz format.

NOTE: Although you can save a Solution Pack with empty placeholders, you cannot install controls in Solution Manager unless all placeholders have been filled with content.

16.4.4 Managing Content Hierarchy Nodes

All content in a Solution Pack is hierarchically organized into categories, controls, and content groups. These nodes in the hierarchy can be added, deleted, renamed, or reordered.

Table 16-5 Adding, Deleting, Renaming, and Reordering the Content Hierarchy

Create: Add a node below the selected node (for example, a control below a category). Right-click an existing node and select Create, or click Create in the Solution Pack frame. Specify the details and click Create.

Rename: Rename an existing node. Right-click an existing node and select Rename, or click Rename in the Solution Pack frame. Provide the new name and click OK.

Delete: Delete a category, control, or content group object. Right-click an existing node and select Delete, or click the Delete option in the Solution Pack frame. The Delete Selected Objects? message displays. Click OK.

View or Edit Properties: View or edit the properties of a Solution Pack, such as the creator. Click File > Properties from the menu bar, or right-click the Solution Pack node and select Properties.

Expand or Collapse Nodes: Expand or collapse all child nodes. Select the Solution Pack or any category, control, or content group level, right-click the node, and select Expand All or Collapse All.

Move Nodes: Category, control, and content group nodes can be created in any order and then reordered or moved to a different parent in the hierarchy. To move a node to another branch, drag and drop it onto its new parent node: a control can be moved to a new category, and a content group can be moved to a new control. To reorder a node, drag and drop it onto the node whose position it should take in the Solution Pack.

16.4.5 Adding Content to a Solution Pack

A vital part of creating a Solution Pack is adding content to the controls. Each control can have one or more types of content associated with it.

Sentinel Content

The same general procedure is used to add all types of Sentinel content to a Solution Pack. The Sentinel content options include the following:

  • Correlation rule deployments, including their deployment status (enabled or disabled) and associated correlation rules, correlation actions, and dynamic lists

  • Reports

  • iTRAC workflows, including associated roles

  • Event enrichment, including map definitions and event meta tag configuration

  • Other associated files added when the Solution Pack is created, such as documentation, example report PDFs, or sample map files.

The general steps for Sentinel content are described below.

NOTE:Because dynamic list elements and map data are often highly dependent on the system environment, this data is not included as part of the dynamic list or map definition in the Solution Pack. However, this data can be attached to the Solution Pack as a .csv file.
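Because the environment-specific map and dynamic list data travels as a plain .csv attachment, it is worth checking that file before it is attached or before a deployer loads it. The following preflight check is an added example and is not part of the Sentinel documentation or product; the column layout it assumes (one header row, a key column, one value per column) is an illustration, not Sentinel's documented map-file format, and the sample rows are constructed here.

```python
"""Preflight check for map or dynamic list data attached to a Solution Pack as a .csv file.

Added example; it is not part of the Sentinel documentation or product. The page only
says that this environment-specific data travels as an attached .csv. The layout checked
here (one header row, a key column, one value per column) is an ASSUMPTION for
illustration, not Sentinel's documented map-file format. Sample data is constructed inline.
"""
import csv
import io


def check_map_csv(data, key_column=0, has_header=True):
    """Return a list of (line_number, problem) tuples; an empty list means the file is clean.

    Checks performed: UTF-8 decodes cleanly, every row has the header's column count,
    no blank rows, no empty keys, no duplicate keys (a duplicate key makes the lookup
    ambiguous, so it is better caught here than after the pack is deployed).
    """
    if isinstance(data, bytes):
        try:
            data = data.decode("utf-8")
        except UnicodeDecodeError as exc:
            return [(0, f"not valid UTF-8: {exc}")]

    rows = list(csv.reader(io.StringIO(data)))
    if not rows:
        return [(0, "file is empty")]

    width = len(rows[0])
    if key_column >= width:
        return [(1, f"key column {key_column} does not exist in a {width}-column file")]

    problems = []
    first_seen = {}
    for lineno, row in enumerate(rows, start=1):
        if has_header and lineno == 1:
            continue
        if not any(cell.strip() for cell in row):
            problems.append((lineno, "blank row"))
            continue
        if len(row) != width:
            problems.append((lineno, f"expected {width} columns, found {len(row)}"))
            continue
        key = row[key_column].strip()
        if not key:
            problems.append((lineno, "empty key"))
        elif key in first_seen:
            problems.append((lineno, f"duplicate key {key!r} (first seen on line {first_seen[key]})"))
        else:
            first_seen[key] = lineno
    return problems


# Constructed sample: a short asset map with one defect on each line after line 2.
SAMPLE_MAP_CSV = (
    "ip,asset_class,owner\n"
    "10.0.0.5,critical,dba\n"
    "10.0.0.6,standard\n"        # line 3: missing a column
    "10.0.0.5,critical,dba\n"    # line 4: duplicate key
    "\n"                         # line 5: blank row
    ",unknown,nobody\n"          # line 6: empty key
)

if __name__ == "__main__":
    for lineno, problem in check_map_csv(SAMPLE_MAP_CSV):
        print(f"line {lineno}: {problem}")
```

Run it against the real attachment (read as bytes) before attaching it to the Solution Pack; every reported line is one the mapping service would either reject or resolve ambiguously.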

To add Sentinel content to a control:

  1. Log into Solution Designer in connected mode.

  2. Open or create a Solution Pack.

  3. Click the panel in the Content Palette for the type of content you want to add, to display the available content. The Solution Pack frame shows the hierarchy: Solution Pack, category, control, content group, and contents.

  4. Select the specific content group you want to add.

  5. Select the appropriate control or placeholder and click Add Selected Content. Alternatively, drag and drop the selected content group to the appropriate control or placeholder in the Solution Pack frame.

NOTE: If you try to add content that already exists in the Solution Pack by dragging and dropping, the existing content is highlighted. After you drop the content, a message displays stating that similar content already exists.

JasperReports

You can add a JasperReport (.jpz file) from a local file system. Adding a JasperReport is similar to adding other types of contents.

  1. Log into Solution Designer in connected mode or offline mode, then open or create a Solution Pack.

  2. Click the Jasper Report panel in the Content Palette. The Jasper Report Panel expands.

    You are prompted to confirm that the JasperReport file is available on your local machine.

  3. Select Local Jasper Report Plugin.

  4. In the browser window, browse to the location on your local drive where the report is located.

  5. Select the file (.zip or .jpz file) and click Open.

Placeholders

If the user is working in offline mode or is not ready to associate content with a control, an empty placeholder can be used instead.

To add a placeholder

  1. Click a button in the Content Palette to open the panel for the type of placeholder you want to add: Correlation, Event Enrichment, iTRAC workflow, or report.

  2. Drag and drop the placeholder to the appropriate control in the Solution Pack frame.

  3. Rename it if desired.

To replace a placeholder with content:

  1. Click a button in the Content Palette to open the panel for the type of placeholder you want to replace: Correlation, Event Enrichment, iTRAC workflow, or report.

  2. Drag and drop the appropriate content group from the Content Palette to the placeholder in the Solution Pack frame.

File Attachments

You can attach a file or files to any node in the hierarchy, and they are included in the Solution Pack. These files can include anything useful for a user who must deploy the Solution Pack, such as a PDF view of a report, sample map data for event enrichment, or a script for an Execute Command correlation action. These files can be added, deleted, viewed, renamed, or saved to the local machine.

Table 16-6 File Attachment

Add File: Adds an attachment to a node. If you attempt to add a file that is already attached, the system prompts for another file. Select a node, click the Add a new attachment icon in the Attachments panel, locate the file, provide a description, and save.

View: Views an attachment. Select a node, right-click the attachment in the Attachments panel, then select View File. The file displays in the associated application.

Rename: Renames an attachment. Select a node, right-click the attachment in the Attachments panel, then select Rename. Specify the new name and click OK.

Delete: Deletes an attachment. Select a node, right-click the attachment in the Attachments panel, then select Delete. Click OK to delete.

Save: Saves a copy of the attachment to the local system. Select a node, right-click the attachment in the Attachments panel, then select Save As. Select a file location and click Save.
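A Solution Pack is an archive that is opened and imported on other systems, and its attachments can include scripts that a deployer will copy to the correlation engines. The inventory script below is an added example, not part of the Sentinel documentation or product: it relies only on the facts stated on this page (the pack is a ZIP, attachments travel inside it) and does not assume the real internal layout of an .spz. The entry names in build_sample_pack() are invented for the demonstration.

```python
"""Inventory a saved Solution Pack archive before opening or importing it.

Added example; it is not part of the Sentinel documentation or product. It relies only
on what the page states: a Solution Pack is saved as a ZIP (.zip/.spz) that carries
content definitions and file attachments, and attachments may include scripts meant to
be copied to the correlation engines for Execute Command actions. The real internal
layout of an .spz is NOT assumed; build_sample_pack() constructs a toy archive with
invented entry names purely for demonstration.
"""
import hashlib
import io
import posixpath
import zipfile

# Attachment types a reviewer should read before they are copied to a correlation
# engine: anything the engine would execute rather than merely load.
SCRIPT_SUFFIXES = (".sh", ".bat", ".cmd", ".ps1", ".py", ".pl")


def unsafe_entry_name(name):
    """True for entry names that would escape an extraction directory (absolute or '..')."""
    normalized = posixpath.normpath(name.replace("\\", "/"))
    return normalized.startswith("/") or normalized == ".." or normalized.startswith("../")


def inventory(zip_bytes):
    """Return one dict per file entry: name, size, sha256, is_script, unsafe_path."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            entries.append({
                "name": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "is_script": info.filename.lower().endswith(SCRIPT_SUFFIXES),
                "unsafe_path": unsafe_entry_name(info.filename),
            })
    return entries


def review(entries, known_hashes=None):
    """Summarize what needs a human look before the pack is opened or imported.

    known_hashes (optional) maps entry name -> expected sha256, for example recorded
    when the pack was exported; entries whose hash differs or that are missing are
    listed under "modified".
    """
    known_hashes = known_hashes or {}
    manifest = {e["name"]: e["sha256"] for e in entries}
    return {
        "scripts": [e["name"] for e in entries if e["is_script"]],
        "unsafe_paths": [e["name"] for e in entries if e["unsafe_path"]],
        "modified": sorted(n for n, h in known_hashes.items() if manifest.get(n) != h),
        "manifest": manifest,
    }


def build_sample_pack():
    """Constructed toy archive (NOT a real .spz layout) with one script and one bad path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pack/description.txt", "Demo pack\n")
        zf.writestr("pack/attachments/mapdata.csv", "ip,asset_class\n10.0.0.5,critical\n")
        zf.writestr("pack/attachments/notify.sh", "#!/bin/sh\nlogger \"correlated event\"\n")
        zf.writestr("../escape.txt", "should never be written outside the target dir\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = review(inventory(build_sample_pack()))
    print("scripts to read before copying:", report["scripts"])
    print("entries with unsafe paths:", report["unsafe_paths"])
    for name, digest in report["manifest"].items():
        print(f"{digest[:16]}...  {name}")
```

Record the manifest when you save the pack and pass it back as known_hashes on the receiving side; a pack whose script attachments or definitions changed in transit then shows up under "modified" before anyone copies a script onto a correlation engine.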

16.4.6 Documenting a Solution Pack

Implementation Steps

You need to add the steps required to implement the content in the target Sentinel system to the Implementation tab of the Documentation frame. The steps might include instructions for the following types of implementation actions:

  • Populating a .csv file that is used by the mapping service for event enrichment.

  • Enabling auditing on source devices.

  • Copying an attached script for an Execute Command correlation action to the appropriate location on the correlation engines. Review the attached script before copying it, because the correlation engine runs it whenever the action fires.

After the content implementation, the content should be tested to verify that it is working as expected.

Testing Steps

You need to add the steps required to test the content in the target Sentinel system to the Testing tab of the Documentation frame. The steps can include instructions for the following types of testing activities:

  • Run a report and verify that data is returned.

  • Generate a failed login on a critical server and verify that a correlated event is created and assigned to an iTRAC workflow.

16.4.7 Editing a Solution Pack

A saved Solution Pack can be edited by using the Solution Designer. For information about deploying the changes into an existing system, see Section 16.5, Deploying an Edited Solution Pack.

When an existing Solution Pack is saved, the user has several options:

  • Save: Saves an updated version of the original Solution Pack under the same name and unique identifier. If the Solution Pack is re-imported into a Sentinel system, it replaces the old version.

  • Save As: Saves the original Solution Pack under a new file name but with the same unique identifier. If the Solution Pack is re-imported into a Sentinel system, it still replaces the old version.

  • Save As New: Saves a Solution Pack with a new unique identifier. If the Solution Pack is imported into a Sentinel system, it does not impact any previously imported Solution Packs.

To edit a Solution Pack:

  1. Start the Solution Designer by executing the following command:

    <install_directory>/bin/solution_designer.sh
    

    The Sentinel Solution Designer login window displays.

  2. Provide your login credentials. Select the Work Offline check box if desired, then click Login. The Solution Designer displays.

  3. To edit a Solution Pack, click File > Open. Browse and select the existing Solution Pack ZIP file. Click Open.

  4. To update the Solution Pack with modified content from the source Sentinel system, drag and drop the content from the Content Palette to the appropriate control.

  5. Add or delete controls as necessary.

  6. Click File > Save, Save As, or Save As New, and save the file to the location you want.

    If you selected Save or Save As and some of the content is out of sync, you are prompted to synchronize. See Out of Sync Content for instructions on how to synchronize content.

Out of Sync Content

If content in the source Sentinel system is modified after it was added to a Solution Pack, the copy in the original Solution Pack and the content in the source system are out of sync.

  • You can drag and drop the content from the Content Palette onto the control.

  • For simple content with no dependencies, the modified content is immediately updated. For example, a report has no dependencies.

  • For content with dependencies, the dependencies are checked and updates are made when you click Sync All Content or when you save the Solution Pack.

NOTE: In the special case in which a correlation rule uses the Send Email action that is included in all Sentinel systems by default, the Send Email action always appears as Out of Sync. This is expected and does not cause an error.