17.1 Overview

iTRAC workflows are designed to provide a simple, flexible solution for automating and tracking an enterprise’s incident response processes. iTRAC leverages Sentinel’s internal incident system to track security or system problems from identification (through correlation rules or manual identification) through resolution.

Workflows can be built using manual and automated steps. Advanced features such as branching, time-based escalation, and local variables are supported. Integration with external scripts and plug-ins allows for flexible interaction with third-party systems. Comprehensive reporting allows administrators to understand and fine-tune the incident response processes.

NOTE: Access to manage iTRAC templates, activities, and processes can be enabled on a user-by-user basis by any user with the ability to change user permissions.

The iTRAC system uses three Sentinel objects that can be defined outside the iTRAC framework:

  • Incident: Incidents within Sentinel are groups of events that represent an actionable security incident, plus associated state and meta-information.

    Incidents are created manually or through Correlation rules. They can be associated with a workflow process and viewed on the Incidents tab.

  • Activity: An activity is a predefined automatic unit of work, with defined inputs, command-driven activity, and outputs (for example, automatically attaching asset data to the incident or sending an e-mail).

    Activities can be included in a workflow template and executed during workflow processes, or they can be executed within an incident.

  • Role: Sentinel users can be assigned to one or more roles. Manual steps in the workflow processes can be assigned to a role. For more information, see Managing iTRAC Roles.

iTRAC workflows have four major components that are unique to iTRAC:

  • Step: A step is an individual unit of work within a workflow, including manual steps, decision steps, command steps, mail steps, and activity-based steps. Each step displays as an icon within a given workflow template.

  • Transition: A transition defines how the workflow moves from one state (activity) to another. A transition is determined by an analyst action, by the value of a variable, or by the amount of time elapsed.

  • Templates: A template is a design for a workflow that controls the flow of execution of a process in iTRAC. The template consists of a network of manual and automated steps that combine activities and criteria for transition between the steps.

    Workflow templates define how an incident is responded to after a process based on that template is instantiated. A template can be associated with many incidents.

  • Processes: A process is a specific instance of a workflow template that is actively being tracked by the workflow system. It includes all the relevant information for the instance, including the current step in the workflow, the associated incident, the results of steps, attachments, and notes. Each workflow process is associated with exactly one incident.

    NOTE: On a system with 16 GB of RAM and an 8-core CPU, you can run a maximum of 1000 processes on a single Sentinel server instance.
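The four components above, as an added conceptual model that is not Sentinel's own code or API: a Template is a start step plus the transitions leaving each step, each Process is one instance of a template bound to a single incident, and advance() fires the first transition whose condition holds, whether an analyst action, a local-variable value, or elapsed time. Step names, action names, and the 4-hour escalation are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import NamedTuple, Optional

@dataclass
class Transition:
    target: str
    on_action: Optional[str] = None       # analyst action name
    on_variable: Optional[tuple] = None   # (local variable name, required value)
    after_seconds: Optional[int] = None   # time-based escalation

class Template(NamedTuple):   # workflow design: start step plus outgoing transitions
    start: str
    transitions: dict

@dataclass
class Process:   # one running instance of a template, tied to exactly one incident
    template: Template
    incident_id: int
    variables: dict = field(default_factory=dict)
    history: list = field(default_factory=list)   # steps visited; last entry is current

    def __post_init__(self) -> None:
        self.history.append(self.template.start)

    def advance(self, action: Optional[str] = None, elapsed: int = 0) -> str:
        # Take the first transition out of the current step whose condition holds.
        for t in self.template.transitions.get(self.history[-1], []):
            if ((t.on_action is not None and action == t.on_action)
                    or (t.on_variable is not None
                        and self.variables.get(t.on_variable[0]) == t.on_variable[1])
                    or (t.after_seconds is not None and elapsed >= t.after_seconds)):
                self.history.append(t.target)
                break
        return self.history[-1]

def build_template() -> Template:   # constructed sample: triage, containment, 4h escalation
    return Template(start="Analyst Triage", transitions={
        "Analyst Triage": [Transition("Contain", on_action="escalate"),
                           Transition("Manager Review", after_seconds=4 * 3600)],
        "Contain": [Transition("Close", on_variable=("contained", True))],
    })

def run_demo() -> list:
    # Two processes share one template; each tracks its own step, variables, and history.
    tpl = build_template()
    p1 = Process(tpl, incident_id=101, variables={"contained": True})
    p2 = Process(tpl, incident_id=102)
    p1.advance(action="escalate")        # analyst-driven transition
    p1.advance()                         # variable-driven transition
    p2.advance(elapsed=5 * 3600)         # no action within 4h: escalation path
    return [p1.history, p2.history]
```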