7.1 Overview

There are two major components of mapping:

7.1.1 Maps

A map is a collection of keys and associated values defined in a simple text CSV (comma-separated value) file format. You can enrich your event data by using maps to add additional information such as host and identity details to the incoming events from your source devices. This additional information can be used for advanced correlation and reporting. The system supports several built-in maps as well as custom user-defined maps. For more information, see Section 7.9, Using Maps for Event Configuration.

Maps that are defined in Sentinel are stored in two ways:

  • Built-in maps are stored in the database, updated via APIs in Collector code, and automatically exported the Mapping service.

  • Custom maps are stored as CSV files and can be updated on the file system or via the Map Data Configuration UI, then loaded by the Mapping service.

In both cases, the CSV files are kept on the central Sentinel server but changes to the maps are distributed to each Collector Manager and applied locally. This distributed processing ensures that mapping activity does not overload the main server.

7.1.2 Mapping Events

Event Mapping is a mechanism that allows you to add data to an event by using data already in the event to reference and pull in data from an outside source.

Because virtually any data set can be made into a map, Event Mapping is useful for incorporating data from elsewhere in your organization into the event stream. Some opportunities that Event Mapping provides are:

  • Regulatory compliance monitoring

  • Policy compliance

  • Response prioritization

  • Enabling security data to be analyzed related to business operations

  • Enhancing accountability

When an Event Mapping is defined, it is applied system-wide to all events from all Collectors. Sentinel automatically distributes map data to all processes that perform event mappings and also keeps the map data in these processes up-to-date.

Event Mapping has four main parts:

  • Controller: Stores all map information

  • Distributor: Automatically redistributes modified maps to those processes that register for the map

  • Monitor: A monitor to detect changes in map source data

  • Generator: Generates maps from source data

One application of Event Mapping is Sentinel's Asset Data functionality. Asset information is collected and stored in the Sentinel database asset schema and is represented by a Physical Asset entry. Soft assets, such as services and applications, are represented by an entry that is linked to a Physical Asset. The primary automated update mechanism for asset data is through an asset Collector reading data from a scanner such as Nmap. The asset Collector automates the retrieval of asset information by reading asset data from the scanner and populating the asset schema tables with this data. For Event Mapping, asset information is mapped from the destination IP and source IP.

There are two types of data sources:

  • External: A Collector populates that value in the event ID.

  • Referenced from Map: Data is retrieved from a map to populate the event ID.

Figure 7-1 Data Sources

In the above illustration, the SourceAssetName tag is populated from the map called Asset (which has asset.csv as its map data source file). The specific value for SourceAssetName is taken from the AssetName column from the Asset map. The PhysicalAsssetName column is set as the key. When the InitIP tag of the event matches one of the source IP values in the PhysicalAsssetName column of the map, the row with the matching key is used to intersect the AssetName Column. For instance, in the following example the IP address corresponds to AssetName Finance35.

Table 7-1 Populating an Event ID with Data from a Map

PhysicalAssetName

CustomerID

MacAddress

AssetName

10.0.0.1

 

 

Marketing0

10.0.0.2

 

 

Marketing02

10.0.0.3

 

 

ProgramMgmt03

10.0.0.4

 

 

Finance34

10.0.0.5

 

 

Finance35

You can have more than one column set as a key if you do not want the map to be a Range Map (Range Maps can only have one key column, with that column type set to NumberRange). For instance, with column type set to String, the AttackId tag has the DeviceName (name of the security device) and DeviceAttackName columns set as keys and uses the NormalizedAttackID column in the AttackNormalization map for its value. In a row where the DeviceName event ID matches the data in Device map column and the DeviceAttackName matches the data in the AttackSignature map column, the value for AttackId is the value in the NormalizedAttackID column. The configuration for the Event Mapping just described is:

Figure 7-2 Event Mapping Configuration

Table 7-2 Device and Attack Signature Corresponds to Asset Name

Device

Attack Signature

Normalized Attack ID

 

Secure

BackDoorProbe (TCP 1234)

3

Trojan: Backdoor.Subeven

Secure

BackDoorProbe (TCP 1999)

3

Trojan: Backdoor.Subeven

Dragon

RWALLD: SYSLOG-FORMAT

4

Sun Microsystems Solaris rwall Elevated

Snort

RPC TCP rwalld request

4

Sun Microsystems Solaris rwall Elevated

Snort

RPC UDP rwalld request

4

Sun Microsystems Solaris rwall Elevated

Snort

WEB-IIS foxweb.dll access

12

Microsoft Exchange Server Arbitrary Code

RealSecure

SMTP_Exchange_Verb_DoS

12

Microsoft Exchange Server Arbitrary Code