To use the range map functionality, a map definition can have one key column of type NumberRange and zero or more other key columns of type String. For example, you can create a map that lists the allowed maintenance time for each individual server in an enterprise, for which you need to match both the hostname and the time range. If there are any other key columns, or if the key column is of a different type, the mapping service does not consider the map to be a range map.
To create a range map, select a single column to be the key of the map and select NumberRange as the type of the column. The format of the data in a column of type NumberRange must be "m-n", where m is the minimum number in the range and n is the maximum number in the range (for example, 10-200). The maximum number is not included in the range, that is, the range is [m, n). This means a range of 10-200 covers only the numbers 10 through 199. An example set of data has the first column defined as the key column:
```
1-2,AA
2-4,AA
4-12,BB
10-20,BB
30-31,BB
100-200,AA
110-120,CC
```
When the source CSV file is loaded into the system, any common or overlapping number ranges are collapsed into a single entry as follows:
Table 11-3 Transformation

| FROM | TO |
|---|---|
| 1-2, AA | 1-4, AA |
| 2-4, AA | 4-20, BB |
| 4-12, BB | 30-31, BB |
| 10-20, BB | 100-110, AA |
| 30-31, BB | 110-120, CC |
| 100-200, AA | 120-200, AA |
| 110-120, CC | |
Figure 11-3 Number Range Map Definition
An example event configuration on the above map might look like this:
Figure 11-4 Event Configuration
In the scenario above, CustomerVar97 must contain a numeric value. That value is compared against each NumberRange defined in the RangeMap until a match is found. The corresponding row from the map is returned and used to set CustomerVar89, as follows:
CustomerVar97 = 1; CustomerVar89 will be set to AA
CustomerVar97 = 4; CustomerVar89 will be set to BB
CustomerVar97 = 300; CustomerVar89 will not be set
For Sentinel event fields that are defined as having an IP address or Date datatype, Sentinel internally converts those fields to an integer representation of the values of that field.
Fields that are defined as IP address fields are:
SourceIP (sip)
TargetIP (dip)
SourceTranslateIP (sxip)
TargetTranslateIP (dxip)
ObserverIP (obsip)
Fields that are defined as Date fields are:
EventTime (dt)
ObserverEventTime (det)
SentinelProcessTime (spt)
BeginTime (bngt)
EndTime (endt)
CustomerVar11 to CustomerVar20 (cv11 to cv20)
ReservedVar11 to ReservedVar20 (rv11 to rv20)
IP address ranges are automatically converted into decimal integer ranges. The following example shows a numerical range equivalent to an IP range of 10.0.0.0 to 10.0.2.255.
```
167772160-167772415,AAA
167772416-167772671,BBB
167772672-167772927,CCC
```
Using the same setup as the previous example, if:
In Key Configuration, the Event ID used for comparison is set to TargetIP for the range Map Key field.
The Map column returned from the map to set CustomerVar89 is defined as a value, as displayed in the second column below.
If an event contains a target IP of 10.0.1.14 (equivalent to numerical value of 167772430), the output for column CustomerVar89 within the event is BBB.
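The collapse shown in Table 11-3 and the lookups in the CustomerVar97 and TargetIP examples above, as an added Python example that is not Sentinel's own code. It assumes that where rows overlap with different values the later row wins, that a single-number range matches only that number, and that the separator may be written with surrounding spaces; these are assumptions, not documented behaviour.

```python
import csv, io, ipaddress, re
INT64_MAX = 2**63 - 1                        # open-ended "234-" runs up to here
# NumberRange forms: "m-n", "m" or "m-"; either number may be negative.
RANGE_RE = re.compile(r"^(-?\d+)(-(-?\d+)?)?$")

def parse_range(text):
    """Parse one NumberRange cell into a half-open (lo, hi) pair; hi is excluded."""
    m = RANGE_RE.match(text.replace(" ", ""))  # tolerates "-234- -235" spacing
    if not m:
        raise ValueError(f"bad NumberRange: {text!r}")
    lo = int(m.group(1))
    if m.group(2) is None:                   # single number: assumed to match itself only
        return lo, lo + 1
    hi = INT64_MAX if m.group(3) is None else int(m.group(3))
    if lo > hi:
        raise ValueError(f"min exceeds max in {text!r}")
    return lo, hi

def load_range_map(csv_text):
    """Read 'range,value' rows and collapse them as in Table 11-3 (later row wins overlaps)."""
    rows = [(*parse_range(r[0]), r[1].strip()) for r in csv.reader(io.StringIO(csv_text)) if r]
    points = sorted({p for lo, hi, _ in rows for p in (lo, hi)})
    merged = []
    for a, b in zip(points, points[1:]):     # elementary pieces between boundaries
        value = None
        for lo, hi, v in rows:
            if lo <= a and b <= hi:
                value = v                    # last covering row wins (assumption)
        if value is None:
            continue                         # uncovered gap, e.g. 20-30 in the sample
        if merged and merged[-1][1] == a and merged[-1][2] == value:
            merged[-1] = (merged[-1][0], b, value)   # extend adjacent same-value piece
        else:
            merged.append((a, b, value))
    return merged

def lookup(range_map, key):
    """Value of the first range containing key, or None when no range matches."""
    for lo, hi, value in range_map:
        if lo <= key < hi:
            return value
    return None

def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))    # Sentinel compares IP fields as integers

# Constructed samples: the seven rows and the three IP rows quoted in the text.
SAMPLE = "1-2,AA\n2-4,AA\n4-12,BB\n10-20,BB\n30-31,BB\n100-200,AA\n110-120,CC\n"
IP_SAMPLE = "167772160-167772415,AAA\n167772416-167772671,BBB\n167772672-167772927,CCC\n"
```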
Dates are represented as an integer number of seconds since midnight January 1, 1970. Date and time ranges can be used in maps in the same way as the IP address example above.
Sentinel supports the following number ranges:
Range from negative number to negative number (for example, -234-34)
Range from negative number to positive number (for example, -234-34)
Range from positive number to positive number (for example, 234-236)
Single number range (negative) (for example, -234). In this case, the min and the max will both be -234.
Single number range (positive) (for example, 234). In this case, the min and the max will both be 234.
Range from negative number to max number (for example, -234-). In this case, the min will be -234 and the max will be (2^63 - 1).
Range from positive number to max number (for example, 234-). In this case, the min will be 234 and the max will be (2^63 - 1).
NOTE: In all cases, the min must be less than or equal to the max (for example, "-234- -235" is NOT valid).