There are two major components of mapping:
A map is a collection of keys and associated values defined in a simple text CSV (comma-separated value) file format. You can enrich your event data by using maps to add additional information such as host and identity details to the incoming events from your source devices. This additional information can be used for advanced correlation and reporting. The system supports several built-in maps as well as custom user-defined maps. For more information, see Using Maps for Event Configuration.
Maps that are defined in Sentinel are stored in two ways:
Built-in maps are stored in the database, updated via APIs in Collector code, and automatically exported the Mapping service.
Custom maps are stored as CSV files and can be updated on the file system or via the Map Data Configuration UI, then loaded by the Mapping service.
In both cases, the CSV files are kept on the central Sentinel server but changes to the maps are distributed to each Collector Manager and applied locally. This distributed processing ensures that mapping activity does not overload the main server.
Event Mapping is a mechanism that allows you to add data to an event by using data already in the event to reference and pull in data from an outside source.
Because virtually any data set can be made into a map, Event Mapping is useful for incorporating data from elsewhere in your organization into the event stream. Some opportunities that Event Mapping provides are:
Regulatory compliance monitoring
Policy compliance
Response prioritization
Enabling security data to be analyzed related to business operations
Enhancing accountability
When an Event Mapping is defined, it is applied system-wide to all events from all Collectors. Sentinel automatically distributes map data to all processes that perform event mappings and also keeps the map data in these processes up-to-date.
Event Mapping has four main parts:
Controller: Stores all map information
Distributor: Automatically redistributes modified maps to those processes that register for the map
Monitor: A monitor to detect changes in map source data
Generator: Generates maps from source data
One application of Event Mapping is Sentinel's Asset Data functionality. Asset information is collected and stored in the Sentinel database asset schema and is represented by a Physical Asset entry. Soft assets, such as services and applications, are represented by an entry that is linked to a Physical Asset. The primary automated update mechanism for asset data is through an asset Collector reading data from a scanner such as Nmap. The asset Collector automates the retrieval of asset information by reading asset data from the scanner and populating the asset schema tables with this data. For Event Mapping, asset information is mapped from the destination IP and source IP.
There are two types of data sources:
External: A Collector populates that value in the event ID.
Referenced from Map: Data is retrieved from a map to populate the event ID.
Figure 11-1 Data Sources
In the above illustration, the SourceAssetName tag is populated from the map called Asset (which has asset.csv as its map data source file). The specific value for SourceAssetName is taken from the AssetName column from the Asset map. The PhysicalAsssetName column is set as the key. When the InitIP tag of the event matches one of the source IP values in the PhysicalAsssetName column of the map, the row with the matching key is used to intersect the AssetName Column. For instance, in the following example the IP address corresponds to AssetName Finance35.
Table 11-1 Populating an Event ID with Data from a Map
PhysicalAssetName |
CustomerID |
MacAddress |
AssetName |
---|---|---|---|
10.0.0.1 |
|
|
Marketing0 |
10.0.0.2 |
|
|
Marketing02 |
10.0.0.3 |
|
|
ProgramMgmt03 |
10.0.0.4 |
|
|
Finance34 |
10.0.0.5 |
|
|
Finance35 |
You can have more than one column set as a key if you do not want the map to be a Range Map (Range Maps can only have one key column, with that column type set to NumberRange). For instance, with column type set to String, the AttackId tag has the DeviceName (name of the security device) and DeviceAttackName columns set as keys and uses the NormalizedAttackID column in the AttackNormalization map for its value. In a row where the DeviceName event ID matches the data in Device map column and the DeviceAttackName matches the data in the AttackSignature map column, the value for AttackId is the value in the NormalizedAttackID column. The configuration for the Event Mapping just described is:
Figure 11-2 Event Mapping Configuration
Table 11-2 Device and Attack Signature Corresponds to Asset Name
Device |
Attack Signature |
Normalized Attack ID |
|
---|---|---|---|
Secure |
BackDoorProbe (TCP 1234) |
3 |
Trojan: Backdoor.Subeven |
Secure |
BackDoorProbe (TCP 1999) |
3 |
Trojan: Backdoor.Subeven |
Dragon |
RWALLD: SYSLOG-FORMAT |
4 |
Sun Microsystems Solaris rwall Elevated |
Snort |
RPC TCP rwalld request |
4 |
Sun Microsystems Solaris rwall Elevated |
Snort |
RPC UDP rwalld request |
4 |
Sun Microsystems Solaris rwall Elevated |
Snort |
WEB-IIS foxweb.dll access |
12 |
Microsoft Exchange Server Arbitrary Code |
RealSecure |
SMTP_Exchange_Verb_DoS |
12 |
Microsoft Exchange Server Arbitrary Code |