Environment
Situation
Resolution
Before collectors can supply the information needed to generate compliance reports, Sentinel must first be loaded with asset data. What follows is the currently recommended method to populate this data.
Prerequisites:
- An asset system from which asset data can be exported.
- The mapping service in Sentinel 5. It takes external asset data and distributes it to all the agent managers, which use it to enrich the event stream. The external data is delivered to Sentinel as a properly formatted asset.csv file placed on the Sentinel server machine that runs DAS Query.
Steps to generate and verify the asset.csv file:
- Write a script that extracts information from the asset system and writes it as a comma-delimited file with no header row. See Asset CSV Columns below for the column definition.
- Launch SDM and go to Mapping->Maps->e-Security.
- Drop the asset.csv file in $ESEC_HOME/sentinel/bin/map_data (Solaris) or %ESEC_HOME%\sentinel\bin\map_data (Windows) on the Sentinel Server (the server running DAS Query).
- After generating the file, use the Update function of SDM to review how your data looks once it has been turned into mapping data. In the Update dialog, the "New" tab displays the data from the file you selected with the Browse button, and the "Current" tab displays the data already on the DAS server. When you click OK, SDM uploads the data shown in the New tab to the DAS server, replacing the data shown in the Current tab. This is the place to catch rows with the wrong number of fields, such as a value that contains an embedded comma, before they replace the current data.
Import the external asset information regularly, daily or more often depending on how often asset information changes in your environment. Once the file is modified, the mapping service distributes the changes to all the active agent managers. Because whatever is in this file ends up in every enriched event and in the compliance reports built from them, restrict write access to the map_data directory to the account that generates the file.
The asset.csv file is stored in the EVT_ASSET table by the mapping service.
Background Knowledge:
The asset data from an external system is mapped into the Sentinel system by constructing the asset.csv file. The file is located in $ESEC_HOME/sentinel/bin/map_data (Solaris) or %ESEC_HOME%\sentinel\bin\map_data (Windows). It is a comma-separated value file with no header row and contains the following columns:
Asset CSV Columns
Column | Max length
CustomerId | integer
PhysicalAssetName | 255
AssetName | 255
MacAddress | 100
NetworkIdentity | 255
AssetCategory | 100
EnvironmentIdentity | 255
AssetValue | 50
Criticality | 50
Sensitivity | 50
Building | 255
Room | 100
RackNumber | 50
City | 100
State | 100
Country | 100
ZipCode | 50
AssetOwner | 255
AssetMaintainer | 255
BusinessUnit | 100
LineOfBusiness | 100
Division | 100
Department | 100
LinkId (PhysicalAssetId or external Id) | 100
Asset CSV Column Descriptions
CustomerId is expected to be an integer; all the other fields are variable-length character strings. The maximum sizes are given in the Asset CSV Columns table above.
CustomerId: Unless you are operating as an MSSP, set CustomerId to 1.
PhysicalAssetName: Populate this with the IP address of your host. The mapping engine matches this column against the source and destination IP fields of each event, so a row whose PhysicalAssetName is a hostname is only matched when an event carries that exact string in sip or dip.
AssetName: May be left blank.
LinkId: May be left blank. It is not mapped into events; use it to hold the key of the asset record in your external system.
Asset Event Definition
The mapping engine client in the agent manager populates the fields defined in the Asset Event Definition table below. It uses the source IP field (sip) to populate the source asset fields RV56-RV76 and the destination IP field (dip) to populate the destination asset fields RV78-RV98. RV77 and RV99 are filled in automatically with the ID of the asset in the EVT_ASSET table. The LinkId field is not mapped; it can be used to store a key for looking up the asset in your external data.
Source field | Source Asset | Destination field | Destination Asset
RV56 | AssetName | RV78 | AssetName
RV57 | MacAddress | RV79 | MacAddress
RV58 | NetworkIdentity | RV80 | NetworkIdentity
RV59 | AssetCategory | RV81 | AssetCategory
RV60 | EnvironmentIdentity | RV82 | EnvironmentIdentity
RV61 | AssetValue | RV83 | AssetValue
RV62 | Criticality | RV84 | Criticality
RV63 | Sensitivity | RV85 | Sensitivity
RV64 | Building | RV86 | Building
RV65 | Room | RV87 | Room
RV66 | RackNumber | RV88 | RackNumber
RV67 | City | RV89 | City
RV68 | State | RV90 | State
RV69 | Country | RV91 | Country
RV70 | ZipCode | RV92 | ZipCode
RV71 | AssetOwner | RV93 | AssetOwner
RV72 | AssetMaintainer | RV94 | AssetMaintainer
RV73 | BusinessUnit | RV95 | BusinessUnit
RV74 | LineOfBusiness | RV96 | LineOfBusiness
RV75 | Division | RV97 | Division
RV76 | Department | RV98 | Department
RV77 | SourceAssetId | RV99 | DestinationAssetId
Asset Example Data
Because a file cannot currently be attached to a TID, an excerpt from an example asset.csv follows. NOTE: the header line in this excerpt is for demonstration only; the real asset.csv must not contain a header at all. Each asset in the excerpt appears twice, once keyed by IP address and once by hostname (the devbox rows), with the same MAC address and Link ID. For easier reading, copy the text below into a text file and view it with word wrap turned off:
CustomerId,PhysicalAssetName,AssetName,MacAddress,NetworkIdentity,AssetCategory,EnvironmentIdentity,AssetValue,Criticality,Sensitivity,Building,Room,RackNumber,City,State,Country,ZipCode,AssetOwner,AssetMaintainer,BusinessUnit,LineOfBusiness,Division,Department,Link ID (PhysicalAssetId or external Id)
1,192.168.0.1,,04:23:A3:44:65:78,UNKNOWN,DESKTOP,UNKNOWN,UNKNOWN,UNKNOWN,UNKNOWN,HQ,700,1,Vienna,VA,USA,22182,,,,,,,A99B97B8-3931-1028-909F-000C29772C5B
1,devbox01,,04:23:A3:44:65:78,UNKNOWN,DESKTOP,UNKNOWN,UNKNOWN,UNKNOWN,UNKNOWN,HQ,700,1,Vienna,VA,USA,22182,,,,,,,A99B97B8-3931-1028-909F-000C29772C5B
1,192.168.0.3,,04:23:A3:44:65:80,UNKNOWN,DESKTOP,UNKNOWN,UNKNOWN,UNKNOWN,UNKNOWN,HQ,702,3,Vienna,VA,USA,22182,,,,,,,A99B97B8-3931-1028-90A7-000C29772C5B
1,devbox03,,04:23:A3:44:65:80,UNKNOWN,DESKTOP,UNKNOWN,UNKNOWN,UNKNOWN,UNKNOWN,HQ,702,3,Vienna,VA,USA,22182,,,,,,,A99B97B8-3931-1028-90A7-000C29772C5B
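The generation script, the verification step and the sip/dip enrichment described above, as one added example in Python. This is not code shipped with Sentinel: the INVENTORY records and the 10.10.20.x addresses are constructed, the four sample rows are the example rows from this page, and the enrichment function only reproduces the RV56-RV98 mapping from the Asset Event Definition table (RV77/RV99 are assigned by DAS and are left out). The verify step flags the defects that SDM's Update dialog would otherwise reveal too late: wrong field count, non-integer CustomerId, empty PhysicalAssetName and over-length values.

```python
"""Generate, verify and test-map a Sentinel asset.csv (added example, not Sentinel code)."""
import csv
import io

# Column order and maximum lengths from the Asset CSV Columns table.
# CustomerId is an integer; every other column is a variable-length string.
ASSET_COLUMNS = [
    ("CustomerId", None), ("PhysicalAssetName", 255), ("AssetName", 255),
    ("MacAddress", 100), ("NetworkIdentity", 255), ("AssetCategory", 100),
    ("EnvironmentIdentity", 255), ("AssetValue", 50), ("Criticality", 50),
    ("Sensitivity", 50), ("Building", 255), ("Room", 100), ("RackNumber", 50),
    ("City", 100), ("State", 100), ("Country", 100), ("ZipCode", 50),
    ("AssetOwner", 255), ("AssetMaintainer", 255), ("BusinessUnit", 100),
    ("LineOfBusiness", 100), ("Division", 100), ("Department", 100),
    ("LinkId", 100),
]
COLUMN_NAMES = [name for name, _ in ASSET_COLUMNS]
# AssetName..Department land in RV56-RV76 (source) and RV78-RV98 (destination),
# in table order. RV77/RV99 (asset id) are assigned by DAS, not by this file.
MAPPED_COLUMNS = COLUMN_NAMES[2:23]

# Constructed records, shaped as an asset system might hand them over.
INVENTORY = [
    {"PhysicalAssetName": "10.10.20.5", "MacAddress": "00:50:56:AB:CD:EF",
     "AssetCategory": "SERVER", "Criticality": "HIGH", "Sensitivity": "CONFIDENTIAL",
     "Building": "HQ, Annex", "Room": "B12", "City": "Vienna", "State": "VA",
     "Country": "USA", "AssetOwner": "finance-it", "LinkId": "CMDB-000123"},
    {"PhysicalAssetName": "10.10.20.6", "AssetCategory": "DESKTOP",
     "Building": "X" * 300},   # over-long value: must be truncated to 255
]

# Example rows from this page (header omitted, as Sentinel requires).
SAMPLE_ASSET_CSV = """\
1,192.168.0.1,,04:23:A3:44:65:78,UNKNOWN,DESKTOP,UNKNOWN,UNKNOWN,UNKNOWN,UNKNOWN,HQ,700,1,Vienna,VA,USA,22182,,,,,,,A99B97B8-3931-1028-909F-000C29772C5B
1,devbox01,,04:23:A3:44:65:78,UNKNOWN,DESKTOP,UNKNOWN,UNKNOWN,UNKNOWN,UNKNOWN,HQ,700,1,Vienna,VA,USA,22182,,,,,,,A99B97B8-3931-1028-909F-000C29772C5B
1,192.168.0.3,,04:23:A3:44:65:80,UNKNOWN,DESKTOP,UNKNOWN,UNKNOWN,UNKNOWN,UNKNOWN,HQ,702,3,Vienna,VA,USA,22182,,,,,,,A99B97B8-3931-1028-90A7-000C29772C5B
1,devbox03,,04:23:A3:44:65:80,UNKNOWN,DESKTOP,UNKNOWN,UNKNOWN,UNKNOWN,UNKNOWN,HQ,702,3,Vienna,VA,USA,22182,,,,,,,A99B97B8-3931-1028-90A7-000C29772C5B
"""


def build_row(record, customer_id=1):
    """Map one asset-system record to the 24 fields in column order.

    Values are stripped of commas, quotes and line breaks (a stray comma would
    shift every later column) and truncated to the column length."""
    row = []
    for name, maxlen in ASSET_COLUMNS:
        if name == "CustomerId":
            row.append(str(int(customer_id)))   # 1 unless operating as an MSSP
            continue
        value = str(record.get(name) or "")
        for bad in ',"\r\n':
            value = value.replace(bad, " ")
        row.append(value.strip()[:maxlen])
    return row


def render_asset_csv(records, customer_id=1):
    """Return the file body: one bare comma-delimited line per asset, no header."""
    return "".join(",".join(build_row(r, customer_id)) + "\n" for r in records)


def verify_asset_csv(text):
    """Return (line_no, problem) pairs; an empty list means the file is clean."""
    problems = []
    for n, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row:
            continue
        if len(row) != len(ASSET_COLUMNS):
            problems.append((n, f"expected {len(ASSET_COLUMNS)} fields, got {len(row)}"))
            continue
        if not row[0].isdigit():
            problems.append((n, "CustomerId is not an integer"))
        if not row[1]:
            problems.append((n, "PhysicalAssetName is empty"))
        for (name, maxlen), value in zip(ASSET_COLUMNS, row):
            if maxlen and len(value) > maxlen:
                problems.append((n, f"{name} longer than {maxlen}"))
    return problems


def load_asset_table(text):
    """Index rows by PhysicalAssetName, the value matched against sip/dip."""
    return {row[1]: dict(zip(COLUMN_NAMES, row))
            for row in csv.reader(io.StringIO(text)) if len(row) == len(COLUMN_NAMES)}


def enrich_event(event, table):
    """Fill RV56-RV76 from the asset matching sip and RV78-RV98 from dip.

    An address with no row leaves its RV block empty, which is what happens
    when PhysicalAssetName holds a hostname but the event carries an IP."""
    rv = {}
    for ip_field, first_rv in (("sip", 56), ("dip", 78)):
        asset = table.get(event.get(ip_field, ""))
        if asset is not None:
            for offset, column in enumerate(MAPPED_COLUMNS):
                rv[f"RV{first_rv + offset}"] = asset[column]
    return rv


if __name__ == "__main__":
    body = render_asset_csv(INVENTORY)
    print(body, verify_asset_csv(body))
    table = load_asset_table(SAMPLE_ASSET_CSV)
    print(enrich_event({"sip": "192.168.0.1", "dip": "192.168.0.3"}, table))
```

Run the verify step against the real file before copying it to map_data (or feed it the file you are about to select in the Update dialog). The enrichment function is only a model for checking that your PhysicalAssetName values are the addresses your events actually carry: running it over a few sip/dip pairs from recent events shows immediately which rows will never match.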