Sentinel gathers and correlates security and non-security information from across an organization's networked infrastructure, as well as third-party systems, devices, and applications. Sentinel presents the collected data in the Sentinel Web interface as well as the Sentinel Control Center (SCC).
The SCC is accessed through the Sentinel Web interface.
Log in to the Sentinel Web interface:
https://<IP_Address/DNS_Sentinel_server>:8443
IP_Address/DNS_Sentinel_server is the IP address or DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.
In the toolbar, click .
Click .
Click to accept the security certificate.
Specify a username and password of a user that has rights to access the SCC, then click .
Click or to accept the security certificate.
The Sentinel Control Center launches in a new window.
The Sentinel Control Center (SCC) provides you a “dockable” framework that allows you to move the pieces of the interface from their default location to user-specific locations for ease of use. The SCC consists of the following components:
The menu bar has the menus required to navigate, perform activities, and change the appearance of Sentinel Control Center.
The , , , , , and menus are always available. The availability of other menus depends on your location in the console and the permissions you have.
Depending on your access permissions, Sentinel Control Center displays the following tabs:
The Active Views tab presents events in near-real time.
In the Active Views tab, you can:
View events occurring in near real-time
Investigate events
Graph events
Perform historical queries to collect data for a specified period
Invoke right-click functions
Initiate manual incidents and remediation workflows
For more information, see Viewing Events in the NetIQ Sentinel 7.1 User Guide.
An incident is a set of events that requires attention (for example, a possible attack). Incidents centralize the data and typically include a correlated event, the associated events that triggered a Correlation rule, asset details of the affected systems, the vulnerability state of the affected systems, and any remediation information. Incidents can be associated with a remediation workflow in iTRAC, if specified. An incident associated to an iTRAC workflow allows users to track the remediation state of the incident.
In the Incidents tab, you can:
Manage incident views
View and manage incidents and their associated data
Switch between existing incident views
For more information, see Configuring Incidents in the NetIQ Sentinel 7.1 User Guide.
iTRAC’s stateful incident remediation workflow capability allows you to incorporate your organization’s incident response processes into Sentinel.
In the iTRAC tab, you can:
Create custom workflow templates
Edit workflow templates
Create custom activities
Edit activities
Associate activities with workflow steps
Initiate and execute Processes
For more information, see Configuring iTRAC Workflows in the NetIQ Sentinel 7.1 User Guide.
Advisor is an optional module that provides real-time correlation between detected intrusion detection system attacks and vulnerability scan output in order to immediately indicate increased risk to an organization. For more information, see Section 11.0, Configuring Advisor.
In the Configuration menu, you can:
Configure Events
For more information, see Section 7.0, Mapping Events.
Configure Event Actions
For more information, see Configuring Event Actions in the NetIQ Sentinel 7.1 User Guide.
Configure the mapping service
For more information, see Section 7.0, Mapping Events.
Configure dynamic lists
For more information, see Configuring Dynamic Lists in the NetIQ Sentinel 7.1 User Guide.
Configure Solution Packs
For more information, see Section 16.0, Using Solution Packs.
Configure Integrators
For more information, see Section 10.0, Configuring Integrators.
Configure Actions
For more information, see Section 9.0, Configuring Actions.
Configure the Download Manager
For more information, see Section 12.0, Using the Download Manager.
The toolbar allows you to perform the tab-specific functions. There are system-wide toolbar buttons that are always displayed. The availability of other toolbar buttons depends on your location in the console and the permissions you have.
The system-wide toolbar buttons are always displayed. You use them to perform the following tasks:
Undo layout: Undoes any changes made to the layout of the frames in the UI.
Reset layout: Resets the layout of the frames in the UI to the default layout.
Redo layout: Redoes any changes made to the layout of the frames in the UI.
Help: Launches help.
Tile all display windows: Arranges all open windows in a tile configuration.
Cascade all display windows: Cascades all open windows.
Save user preferences: Saves any user preferences you have defined.
Action debugging: Debugs actions performed by rules.
People Browser: Allows you to search and view user profiles of the identities that have been synchronized from the Identity Management system.
Tab-specific toolbar buttons allow you to perform the functions related to each tab.
Active Views > Create Active view: Creates a new Active View of the data.
Active Views > Snapshot: Takes a snapshot of the information displayed in the Active View.
Active Views > Manage columns: Allows you to manage the columns displayed in the Active View.
Incidents > Display incident view manager: Displays the Incident Manager that allows you to view incidents.
Incidents > Create incident: Creates a new incident.
iTRAC > Display process manager: Displays the Process Manager.
iTRAC > Activity manager: Launches the Activity Manager.
iTRAC > Template manager: Launches the Template Manager.
iTRAC > iTRAC role manager: Launches the iTRAC Role Manager.
Advisor > Advisor configuration: Launches a wizard to help configure Advisor.
Configuration > Event configuration: Allows you to configure events.
Configuration > Event actions configuration: Allows you to configure actions that are performed on events.
Configuration > Map data configuration: Allows you to configure enhancements for the data coming into Sentinel.
Configuration > Dynamic lists: Allows you to create dynamic lists that are used within a Correlation Rule.
Configuration > Solution Packs: Launches the Solution Pack Manager.
Configuration > Integrator Manager: Launches the Integrator Manager.
Configuration > Action Manager: Launches the Action Manager.
Configuration > Download Manager: Launches the Download Manager.
Sentinel provides a framework that allows you to drag frames on the screen to place them in preferred locations. The following buttons display, so you can drag or hide frames:
Toggle floating
Toggle auto-hide
To drag a frame to any location:
Click the icon on the frame or hold the frame and drag it to the desired location.
To hide a frame:
Click the icon.
You can undo dragging or reset the location to the default position using the toolbar buttons.
To navigate by using the toolbar:
Click the desired tab.
Click the toolbar buttons to perform the actions.
To navigate by using the menus:
Click the desired tab.
If you do not click the desired tab, the menu option is dimmed.
Click the menu relevant to the selected tab.
Select an action you need to perform.
This procedure is generic for all the tabs in SCC. Specific procedures for tabs are discussed in the relevant sections later in this document.
You can change the Sentinel Control Center’s look by:
You can change whether the tabs are displayed at the top of the tab frames or at the bottom of the tab frames.
In the Sentinel Control Center menu, click > .
Select either or .
You can change how the windows in the SCC are displayed.
Cascading Windows: In the Sentinel Control Center menu, click > . All open windows in the right panel cascade.
Tiling Windows: In the Sentinel Control Center menu, click > , then select the option that meets your requirements:
Tile Best Fit
Tile Vertical
Tile Horizontal
Minimizing Windows: In the Sentinel Control Center menu, click > . All open windows in the right panel minimize.
Restoring Windows: In the Sentinel Control Center menu, click > . All open windows in the right panel are restored to their original size.
Use the Minimize and Restore options provided on the top right corner of the tab to minimize individual tabs.
Closing all Open Windows: In the Sentinel Control Center menu, click > .
If users have permissions to save their workspaces, they can save the following preferences:
Permanent windows that are not dependent on data that was available at the time of their original creation.
Active Views
Summary displays
Window positions
Window sizes, including the application window
Tab positions
Whether the Navigator is docked or floating, and whether it is showing or hidden
The following preferences are not saved when the user logs out:
Snapshots
Historical event queries
Secondary windows opened from a primary window
Column widths in Active Views
To save your preferences:
In the menu, click > .
or
Click in the toolbar.
If you make display changes in the SCC but do not save them, you are prompted to save the changes when you log out of the SCC.
The Attachment Viewer allows you to specify which applications open the files attached to Solution Packs.
In the Sentinel Control Center menu, click > .
Click .
Use the following information to identify the attachment in the Attachment Viewer Configuration window:
Extension: Specify the extension type, such as .doc, .xls, .txt, .html.
Type: Specify the type of attachment. The default value is DEFAULT.
Subtype: Specify the subtype of attachment. The default value is DEFAULT.
Application: Click or type the path and the application to launch the file type, such as notepad.exe for Notepad.
Parameter: Specify a parameter to pass to the application. The default value is %File%.
Click .
Repeat Step 2 through Step 4 for each additional application you want to add.
Click to close the Attachment Viewer.
In the Sentinel Control Center menu, click > .
Select an item in the Attachment Viewer, then click .
Make any desired changes, then click to save the changes.
Click to close the Attachment Viewer.
In the Sentinel Control Center menu, click > .
Select the item you want to delete in the Attachment Viewer, then click .
Click to close the Attachment Viewer.