2.16 Event Analysis

Sentinel provides a powerful set of tools to help you find and analyze critical event data easily. Sentinel optimizes the system for maximum efficiency in any type of analysis, and provides methods to move seamlessly from one type of analysis to another.

Investigating events in Sentinel often starts with the near real-time Event Views. Although more advanced tools are available, Event Views display filtered event streams along with summary charts that you can use for simple, quick analysis of event trends and event data, and identification of specific events. Over time, you can build up tuned filters for specific classes of data, such as output from correlation. You can use Event Views as a dashboard, which shows an overall operational and security posture.

You can then use the interactive search to perform detailed analysis of events. This allows you to quickly find data related to a specific query, such as activity by a specific user or on a specific system. By clicking on the event data or using the left-hand refinement pane, you can quickly zero in on specific events of interest.

When analyzing hundreds of events, the reporting capabilities of Sentinel provide custom control over event layout and can display large volumes of data. Sentinel makes this transition easier by allowing you to transfer the interactive searches built up in the Search interface into a reporting template. This instantly creates a report that displays the same data, but in a format better suited to a larger number of events.

Sentinel includes many reporting templates for this purpose. There are two types of reporting templates:

  • Templates that are fine-tuned to display particular types of information, such as authentication data or user creation.

  • General purpose templates that allow you to customize groups and columns on the report interactively.

Over time, you will develop commonly used filters and reports that make your workflows easier. Sentinel supports storing this information and sharing it with people in your organization. For more information, see the Sentinel User Guide.