Sentinel Installation and Configuration Guide

    Understanding Sentinel
      What is Sentinel?
        Challenges of Securing an IT Environment
        The Solution That Sentinel Provides
      How Sentinel Works
        Event Sources
        Sentinel Event
        Collector Manager
        ArcSight SmartConnectors
        Agent Manager
        Sentinel Data Routing and Data Storage
        Event Visualizations
        Correlation
        Security Intelligence
        Incident Remediation
        iTrac Workflows
        Actions and Integrators
        Searching
        Reports
        Identity Tracking
        Event Analysis
    Planning Your Sentinel Installation
      Implementation Checklist
      Understanding License Information
        Sentinel Licenses
      Meeting System Requirements
        Connector and Collector System Requirements
        Virtual Environment
      Deployment Considerations
        Data Storage Considerations
        Advantages of Distributed Deployments
        All-In-One Deployment
        One-Tier Distributed Deployment
        One-Tier Distributed Deployment with High Availability
        Two-Tier and Three-Tier Distributed Deployment
        Three-Tier Deployment with Scalable Storage
      Deployment Considerations for FIPS 140-2 Mode
        FIPS Implementation in Sentinel
        FIPS-Enabled Components in Sentinel
        Data Connections Affected by FIPS Mode
        Implementation Checklist
        Deployment Scenarios
      Ports Used
        Sentinel Server Ports
        Collector Manager Ports
        Correlation Engine Ports
        Scalable Storage Ports
      Installation Options
        Traditional Installation
        Appliance Installation
    Installing Sentinel
      Installation Overview
      Installation Checklist
      Installing and Configuring Elasticsearch
        Prerequisites
        Installing and Configuring Elasticsearch
        Securing Data in Elasticsearch
        Performance Tuning for Elasticsearch
        Redeploying Elasticsearch Security Plug-In
      Installing and Setting Up Scalable Storage
        Installing and Configuring CDH
        Enabling Scalable Storage
      Traditional Installation
        Performing Interactive Installation
        Performing a Silent Installation
        Installing Sentinel as a Non-root User
      Appliance Installation
        Prerequisites
        Installing the Sentinel ISO Appliance
        Installing the Sentinel OVF Appliance
        Post-Installation Configuration for the Appliance
      Installing Additional Collectors and Connectors
        Installing a Collector
        Installing a Connector
      Verifying the Installation
    Configuring Sentinel
      Configuring Time
        Understanding Time in Sentinel
        Configuring Time in Sentinel
        Configuring Delay Time Limit for Events
        Handling Time Zones
      Securing Data in Elasticsearch
      Enabling Event Visualization
        Prerequisite
        Enabling Event Visualization
      Modifying the Configuration after Installation
      Configuring Out-of-the-Box Plug-Ins
        Viewing the Preinstalled Plug-Ins
        Configuring Data Collection
        Configuring Solution Packs
        Configuring Actions and Integrators
      Enabling FIPS 140-2 Mode in an Existing Sentinel Installation
        Enabling Sentinel Server to Run in FIPS 140-2 Mode
        Enabling FIPS 140-2 Mode on Remote Collector Managers and Correlation Engines
      Operating Sentinel in FIPS 140-2 Mode
        Configuring Distributed Search in FIPS 140-2 Mode
        Configuring LDAP Authentication in FIPS 140-2 Mode
        Updating Server Certificates in Remote Collector Managers and Correlation Engines
        Configuring Sentinel Plug-Ins to Run in FIPS 140-2 Mode
        Importing Certificates into FIPS Keystore Database
        Reverting Sentinel to Non-FIPS Mode
      Adding a Consent Banner
      Limiting the Number of Concurrent Active Sessions
      Ending Inactive Sessions
    Upgrading Sentinel
      Implementation Checklist
      Prerequisites
        Saving the Custom Configuration Information
        Extending the Retention Period for Event Associations Data
        Pre-Upgrade Configuration for SSDM
        Change Guardian Integration
      Upgrading Sentinel Traditional Installation
        Upgrading Sentinel
        Upgrading Sentinel as a Non-root User
        Upgrading the Collector Manager or the Correlation Engine
        Upgrading the Operating System
      Upgrading the Sentinel Appliance
        Upgrading to Sentinel 8.2
        Upgrading the Operating System to SLES 12 SP3
        Upgrading Sentinel to 8.2 Patch Update 1 or 8.2 Service Pack 1
        Upgrading Sentinel to 8.2 Service Pack 2 or Later
        Upgrading the Operating System to SLES 12 SP4 or Later
        Applying Operating System Patches
      Post-Upgrade Configurations
        Securing Data in Elasticsearch
        Configuring Event Visualizations
        Configuring IP Flow Data Collection
        Post-Upgrade Configuration for Sentinel Scalable Data Manager
        Adding the JDBC DB2 Driver
        Configuring Data Federation Properties in Sentinel Appliance
        Registering Sentinel Appliance for Updates
        Updating External Databases for Data Synchronization
        Re-authenticating Sentinel in Multi-Factor Authentication Mode
        Updating Permissions for Users Who Send Data from Other Integrated Products to Sentinel
      Upgrading Sentinel Plug-Ins
    Migrating Data from Traditional Storage
      Migrating Data to Scalable Storage
        Data You Can Migrate
        Migrating Configuration Data
        Migrating Event Data and Raw Data
        Migrating Alerts and NetFlow Data
        Updating Sentinel Clients
        Importing ESM Configuration
      Migrating Data to Elasticsearch
      Migrating Data
    Deploying Sentinel for High Availability
      Concepts
        External Systems
        Shared Storage
        Service Monitoring
        Fencing
      System Requirements
      Installation and Configuration
        Initial Setup
        Shared Storage Setup
        Sentinel Installation
        Cluster Installation
        Cluster Configuration
        Resource Configuration
        Secondary Storage Configuration
      Configuring Sentinel HA as SSDM
      Upgrading Sentinel in High Availability
        Prerequisites
        Upgrading a Traditional Sentinel HA Installation
        Upgrading a Sentinel HA Appliance Installation
      Backup and Recovery
        Backup
        Recovery
    Appendices
      Troubleshooting
        Failed Installation Because of an Incorrect Network Configuration
        The UUID Is Not Created for Imaged Collector Managers or Correlation Engine
        Sentinel Main Interface Is Blank in Internet Explorer After Logging In
        Sentinel Does Not Launch in Internet Explorer 11 in Windows Server 2012 R2
        Sentinel Cannot Run Local Reports with Default EPS License
        Synchronization Needs to Be Started Manually in Sentinel High Availability After You Convert the Active Node to FIPS 140-2 Mode
        Sentinel Main Interface Displays Blank Page After Converting to Sentinel Scalable Data Manager
        The Event Fields Panel Is Missing in the Schedule Page When Editing Some Saved Searches
        Sentinel Does Not Return Any Correlated Events When You Search for Events for the Deployed Rule with the Default Fire Count Search
        Security Intelligence Dashboard Displays Invalid Baseline Duration When Regenerating a Baseline
        Sentinel Server Shuts Down When Running a Search If There Is a Large Number of Events in a Single Partition
        Error While Using the report_dev_setup.sh Script to Configure Sentinel Ports for Firewall Exceptions on Upgraded Sentinel Appliance Installations
      Uninstalling
        Uninstallation Checklist
        Uninstalling Sentinel
        Post-Uninstallation Tasks
    Legal Notice