Aegis ‘Depot’ Activity – Aegis Activities for Sentinel and Change Guardian
Following on from part 1 of the Sentinel activities for Aegis, part 2 adds some Change Guardian specifics, enhanced activity outputs and improved error handling for JSON serialization.
As mentioned in part 1 (here), the Change Guardian product backend is based on Sentinel, so the first bundle of activities (Login, Logoff and Get Sentinel Event) can be used directly against Change Guardian. The remaining activities work with alerts, and a Change Guardian system has no alerts, so they will not work there. You'll get an error something like this if you try to run them:
Sentinel error : ('HTTP error : (400) BadRequest BadData : Object type 'alert-search' not found.')
You'll also probably have noticed that the activity bundle provided no way to search for Sentinel events; it relied on the alert's attributes to point you at the events. So for Change Guardian to be useful, we clearly need to be able to search for Change Guardian events.
Search for Change Guardian Events
Configuration-wise, the Search for Change Guardian Events activity is exactly the same as the Search for Sentinel Alerts activity.
There is one difference in how the Filter works compared with the filters defined in the Change Guardian console: the activity always restricts results to those matching
pn:"NetIQ Change Guardian"
in addition to the filter you provide. So a filter of sev:5 (the one in the screenshot) becomes:
pn:"NetIQ Change Guardian" AND sev:5
The output of the activity is a list of URLs to the matching events.
There is also an output for the number of results, so you can check it before trying to do anything with the results; this is especially useful when zero results are returned.
This output has also been added to the Search for Sentinel Alerts activity in this update.
Updates to Get Alert and Get Event Activities
Both the Get Alert and Get Event activities now also output the raw JSON message returned from Sentinel/Change Guardian, from which the activity's parameter outputs are derived. This can be used to verify that the outputs are parsed correctly, or indeed that the JSON is formatted as expected.
The error handling of the activities is also improved, mainly by returning more informative messages when there is a problem with JSON serialization, which caused workflows to 'hang' in the previous version. Errors now also return the raw JSON. So if you hit an issue where errors result from handling the JSON result, please let me know!
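To make the filter rule and the new outputs concrete, here is an added Python example; it is not part of the activity bundle or the original post. It composes a Change Guardian filter the way the Search for Change Guardian Events activity does (always prefixing pn:"NetIQ Change Guardian"), and parses a search response into the three outputs described above: result count, list of event URLs and the raw JSON, raising an error that carries the raw body when the JSON is malformed instead of failing silently. The response shape (a top-level "results" list of objects with a "url" field) and the host in the constructed sample are assumptions for illustration; the real Sentinel/Change Guardian REST payload is not documented on this page. Wrapping the caller's filter in parentheses is likewise an added precaution, not something the post says the activity does.

```python
import json

# The product filter the Search for Change Guardian Events activity always adds.
CG_PRODUCT_FILTER = 'pn:"NetIQ Change Guardian"'


def cg_filter(user_filter):
    """Return the effective filter: the product filter AND the caller's filter.

    An empty filter yields just the product filter.  A filter containing
    whitespace (e.g. "sev:5 OR sev:4") is wrapped in parentheses so that an
    OR inside it cannot bind looser than the added AND.  The wrapping is an
    assumption made for this example; the post only shows the single-term
    case 'sev:5'.
    """
    f = (user_filter or "").strip()
    if not f:
        return CG_PRODUCT_FILTER
    if any(c.isspace() for c in f):
        f = "(" + f + ")"
    return CG_PRODUCT_FILTER + " AND " + f


class SentinelResponseError(Exception):
    """Raised when a response body is not the JSON we expect.

    Carries the raw body so a workflow can log or display it instead of
    failing silently (the 'hanging' behaviour the post describes).
    """

    def __init__(self, message, raw):
        super().__init__("%s; raw response: %r" % (message, raw))
        self.raw = raw


def parse_search_result(raw):
    """Turn a raw search response into (result_count, url_list, raw_json).

    Assumed response shape (not documented on the page):
        {"results": [{"url": "..."}, ...]}
    Any deviation raises SentinelResponseError rather than a bare KeyError
    or TypeError, and the error message includes the raw body.
    """
    try:
        doc = json.loads(raw)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        raise SentinelResponseError("response is not valid JSON (%s)" % exc, raw) from exc
    if not isinstance(doc, dict) or not isinstance(doc.get("results"), list):
        raise SentinelResponseError("JSON has no top-level 'results' list", raw)
    urls = []
    for i, item in enumerate(doc["results"]):
        if not isinstance(item, dict) or not isinstance(item.get("url"), str):
            raise SentinelResponseError("result %d has no 'url' string" % i, raw)
        urls.append(item["url"])
    return len(urls), urls, raw


# Constructed sample response; sentinel.example.com and the paths are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"url": "https://sentinel.example.com/events/0001"},
        {"url": "https://sentinel.example.com/events/0002"},
    ]
})


if __name__ == "__main__":
    print(cg_filter("sev:5"))  # pn:"NetIQ Change Guardian" AND sev:5
    count, urls, raw = parse_search_result(SAMPLE_RESPONSE)
    if count == 0:  # check the count before touching the results
        print("no Change Guardian events matched")
    else:
        for u in urls:
            print(u)
    try:
        parse_search_result('{"results": [')  # truncated body
    except SentinelResponseError as err:
        print("error:", err)
```

The point of the error class is the one the post makes about the update: a malformed or truncated body should surface as a message that includes the raw JSON, so the workflow designer can see what came back rather than guessing why a step never completed.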
Activity Installation Instructions are here:
** Important ** If you already have Depot_Sentinel_3000_0_1 applied, you will need to deploy activity module updates to update the existing activities in your workflows; otherwise some activities will not work as expected.
Depot_Sentinel_3000_0_1 is not a prerequisite for Depot_Sentinel_3000_0_2.