
Novell Sentinel Software Development Kit

Developing Sentinel Plug-ins

David Corlette
Product Line Lead DCorlette@novell.com

Agenda

- Quick Sentinel Intro - Plug-ins
- The Sentinel Plug-in SDK
- Collector Development
- Report Development

Novell, Inc. All rights reserved.

Sentinel Overview


Inbound/Outbound and Plug-ins

[Architecture diagram: Sentinel Core with the inbound/outbound layers and the plug-in type that lives at each layer]
- Engine layer (backend routing and processing): Correlation (custom RuleLG event patterns, Correlation Rule plug-ins), Reporting (Jasper-based Report plug-ins), Workflow (ITRAC Workflow for remediation and alerting)
- Script layer (simplified parsing, JS support): Collector and Action plug-ins
- Protocol/API connections (Java code): Connector and Integrator plug-ins
- Event Source (applications and devices) and Event Source Server

Sentinel provides a modular, pluggable architecture so that the functionality of the base product can be extended by adding new components. Some of these are user-editable.

Sentinel Plug-ins
Collectors are used to parse data received from endpoint systems via Connectors. They implement JavaScript-based code to extract relevant information from the input and reformat the data into the normalized Sentinel event schema.

Actions are attached to correlation rules and are executed when those rules fire. Written in JavaScript, they can do many different things, but a common use case is to extract data from the event(s) that caused the rule to fire and take action based on that data (alert, forward, etc.).

Reports pull data from the Sentinel database and/or text files (via Lucene) and present that data on flexible reports along with summaries, charts, and so forth. Sentinel uses Jasper as its core reporting engine and related tools (iReport) to do the actual report design.


Sentinel Plug-ins
Solution Packs allow you to package related pieces of content into a structured solution broken down into categories and controls. Various plug-ins (Reports, Actions, Integrators) can be included, as well as other native Sentinel content like workflows, correlation rules, filters, and roles (the native content pieces are created within Sentinel itself). The Solution Pack maintains dependencies and versioning for all content components that are included. A simple drag-and-drop tool (Solution Designer) is used to create the Pack, categories, and controls.


Sentinel Plug-in SDK


http://developer.novell.com/wiki/index.php/Develop_to_Sentinel

- Documentation provided on the Forge wiki
- ZIP download and/or SVN repository
- Mailing lists and other support resources


Eclipse-based Development

- Each Plug-in type is its own project; Ant scripts drive creation and build of plug-ins
- Creating a Plug-in involves copying a functional template and inserting metadata
- External tools include: Solution Designer, iReport, OpenOffice


Ant Targets

- Create New Plug-in: copies the template to create a new plug-in
- Build Test Plug-in: creates a quick development build
- Build Release Plug-in: creates a full release build
- Edit Report: creates a temporary editable Report and starts iReport to work on it
- Edit Solution Pack: creates a temporary editable Pack and starts Solution Designer to work on it
- Create Solution Pack Placeholder: creates an empty placeholder Report for use in Solution Packs (full Reports are built during the final Solution Pack build)
- Extract Jasper Parameters: extracts Report parameters from the Jasper file for use in the web interface


JavaScript API

JavaScript implementations of Sentinel domain objects:
- Event, Record, Identity, Account, Vuln, Customer
- Collector, Connector, Action, Integrator, EventSource, EventSourceServer

Utility objects:
- DataMap, KeyMap, Session, SQLQuery, File

Extension methods for native JS objects:
- String.trim(), String.insert(), String.parseBase64(), String.parseLDAP(), String.parseNVP()
- Date (includes the full date.js library)


Collector Development

Collector Template


Development Process
1) Create the new Collector Plug-in
2) Research the device and collect sample data
3) Debug the Collector to get code samples
4) Develop a parsing plan
5) Write parsing logic and mappings
6) Test
7) Finalize metadata and documentation


Creation, Research, Debug

- Use the Create New Plug-in target to create the new Plug-in
- Collect sample data using the Generic Event Collector
  - Configure the relevant Connector to the real datasource
  - Edit the Connector and select Save raw data to file
- Attach sample data to the new Collector using Replay mode
- Debug to see the input structure, copy to code comments


Parsing Plan

Structure of input data
- Structured (name-value) or freeform?
- Fixed fields? Event IDs?
- Opaque data values to be translated?

Variability
- Is the structure always the same or does it vary?
- Are there classes of events?
- Do field contents vary dramatically?

Optional features
- Multiple possible Connection Methods?
- Optional fields or output formats?


Parsing Logic

Input
- rec object used as input and as temporary output container

Four ways to get data into the output event
- Rec2Evt.map: DataMap that defines the transform of the input Record to the output Event object
- protoEvt.map: used to set static fields in the output Event
- Explicit set: directly set attributes of the output Event (discouraged)
- Special Event object methods (setTaxonomyKey() and set*Time())

Advanced topics
- SQLQuery and Session
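An added, runnable illustration of the parsing-plan questions and the rec-to-Event flow above, written in plain JavaScript; it is not code from the Sentinel SDK or from this deck. parseNVP, REC2EVT, PROTO_EVT, deviceTime and the taxonomy keys are hypothetical stand-ins for the SDK's String.parseNVP(), Rec2Evt.map, protoEvt.map and the special Event methods, and the two log lines are constructed.

```javascript
// Constructed sample input: two name=value records from a fictional SSH daemon.
// Line 2 deliberately lacks "src" and carries an unusable timestamp, the
// "nulls" case the parsing plan asks you to account for.
const SAMPLE_LINES = [
  'ts=2010-03-01T12:00:00Z user=alice src=10.0.0.5 host=db01 action=login result=failure msg="bad password"',
  'ts=not-a-date user=bob host=db02 action=logout result=success msg=bye',
];

// Hypothetical stand-in for the String.parseNVP() extension: k=v pairs, quoted values allowed.
function parseNVP(text) {
  const rec = {};
  const re = /(\w+)=(?:"([^"]*)"|(\S+))/g;
  let m;
  while ((m = re.exec(text)) !== null) rec[m[1]] = m[2] !== undefined ? m[2] : m[3];
  return rec;
}

// Rec2Evt-style map: output Event field -> input record field (field names
// modelled on the Sentinel fields this deck mentions; the mapping is constructed).
const REC2EVT = {
  InitUserName: "user", InitIP: "src", TargetHostName: "host",
  EventName: "action", Message: "msg",
};

// protoEvt-style static fields copied into every output Event (constructed values).
const PROTO_EVT = { Vendor: "ExampleCo", Product: "ExampleSSHd", SensorType: "H" };

// Stand-in for set*Time(): parse the device timestamp, null when it is unusable.
function deviceTime(ts) {
  const t = Date.parse(ts || "");
  return Number.isNaN(t) ? null : new Date(t).toISOString();
}

// One parse pass: rec is both input and scratch space; the Event is built from
// the static map, then the field map, then the special setters.
function parseLine(line) {
  const rec = parseNVP(line);
  const evt = Object.assign({}, PROTO_EVT);
  for (const [evtField, recField] of Object.entries(REC2EVT)) {
    if (rec[recField] !== undefined) evt[evtField] = rec[recField]; // absent inputs stay absent
  }
  // Stand-in for setTaxonomyKey(): constructed keys, not Sentinel's taxonomy values.
  const outcome = rec.result === "failure" ? "FAIL" : "OK";
  evt.TaxonomyKey = (rec.action || "UNKNOWN").toUpperCase() + "." + outcome;
  evt.DeviceEventTime = deviceTime(rec.ts);
  return evt;
}
```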


Test

Development builds using Create Test Plug-in
- No prompted questions
- Skips documentation and Collector Pack
- Quick import into ESM
- Debuggable

Final Release build using Create Release Plug-in
- Asks some packaging questions
- Builds docs and Pack
- Minifies JavaScript template



Documentation and Metadata

Documents are auto-built from a single source
- Template document guides you with themes for each section
- plugin.pdf is a simple help document embedded in the Plug-in
- Full document is an external PDF

Plug-in Metadata used for deployment, parameters, etc.
- Parameter list can include template or local parameters
- Each parameter defined in a separate XML file
- Connection methods used to describe Connector interaction
- Device support used to drive deployment

Collector Pack
- Standard set of controls included, can be extended/trimmed


Report Development

Report Template

- Includes a basic report with the complete set of relevant files
- Covers Sentinel Log Manager (SLM), Sentinel RD, and (new) Identity Manager 4
- Localized using standard .properties files
- Some custom charting types included


Development Process
1) Create the new Report Plug-in
2) Determine how to fetch the data using either a SQL or Lucene query
3) Decide on grouping and categorization (colors)
4) Lay out report fields
5) Add summary charts and tables
6) Add parameters
7) Test
8) Finalize metadata and documentation


Create, Query

- Use the same Create New Plug-in target, but for Reports
- Refer to Sentinel documentation (core product docs and the developer wiki under Sentinel Development Topics) for view, field, and schema details
- Refer to Sentinel and database documentation for SQL and Lucene query language details
- Run test queries from Sentinel or a DB tool
- Use Edit Report to invoke iReport on the temporary Report Plug-in


Grouping and Categorization

Most reports will group data using one of the returned fields; use relevant Sentinel fields such as InitUserDomain, TargetHostName, etc.

In general, reports look at a subset of event types or a single type with multiple outcomes. You can use categorization to color-code events according to those types or outcomes.


Lay Out Report Fields

Our standard is a two-level row with the more important data in the top subrow
- Typically include domain/container information along with host, user, or data object info
- Review input events to find which critical data should be displayed
- Account for extra-long values and nulls


Add Charts

For many reports, quick summary charts, sparklines, and tables can be very useful
- For event-based data, reports can run to hundreds of pages; consider a summary table at the top to display the per-grouping counts
- Sparklines are great for quick trend analysis
- Summary counts and pie charts can go at top right

Some useful custom chart formatters are available


Parameters
Adding parameters to Report Plug-ins is a multi-step process:
1) Define and test normal Jasper/iReport parameters as part of the report development process
2) Run Extract Jasper Parameters to extract the Jasper parameters into Sentinel Plug-in parameters
3) Edit metadata for the Sentinel Plug-in parameters
4) Build the Report Plug-in and test the parameters in the web interface


Test, Docs, and Metadata


- Testing can be tricky if the data is rarely seen
- Can use fake import data to test basic report layout, etc.
- Docs work the same as for other plug-ins
- Include a sample output PDF as TemplateReport.pdf in the dev directory
- You can localize the report strings using standard .properties files (TemplateReport.properties, TemplateReport_fr.properties, etc.)
- Make sure the supported platforms info is correct


Demo

Q&A

Unpublished Work of Novell, Inc. All Rights Reserved.


This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
