1.3 Sentinel Server Components

Sentinel is made up of several components:

1.3.1 Sentinel Server

The Data Access Service (DAS) is the primary component used to communicate with the Sentinel database. DAS and other server components work together to store events received from the Collector Managers in the database, filter data, process Active View displays, perform database queries and process results, and manage administrative tasks such as user authentication and authorization.

1.3.2 Sentinel Communication Server

The iSCALE Message Bus can move thousands of message packets per second among the components of Sentinel. This allows components to be scaled independently and enables standards-based integration with external applications.

1.3.3 Sentinel Database

The Sentinel product is built around a back-end database that stores security events and all of the Sentinel metadata. The events are stored in normalized form, along with asset and vulnerability data, identity information, incident and workflow status, and many other types of data.

1.3.4 Sentinel Collector Manager

The Collector Manager manages data collection, monitors system status messages, and performs event filtering as needed. Its main functions include transforming events, adding business relevance to events through taxonomy, applying global filters to events, routing events, and sending health messages to the Sentinel server.

The Sentinel Collector Manager can connect directly to the message bus or it can use an SSL proxy.

1.3.5 Correlation Engine

Correlation adds intelligence to security event management by automating analysis of the incoming event stream to find patterns of interest. Correlation allows you to define rules that identify critical threats and complex attack patterns so that you can prioritize events and initiate effective incident management and response.
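The kind of pattern a correlation rule expresses can be illustrated with a small, self-contained example. The following Python code is an added illustration, not code from the Sentinel product or its documentation, and the event fields, the `Event` class, the rule name, and the sample events are all constructed assumptions; Sentinel's own rule language is not shown here. The rule flags a successful login that was preceded by a threshold number of failed logins from the same source within a sliding time window, which is the shape of a typical "brute force followed by success" rule.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:
    """A minimal normalized event (constructed for this example)."""
    ts: int        # event time in seconds
    name: str      # normalized event name, e.g. "LoginFailed"
    src_ip: str    # initiating host
    dst_ip: str    # target host
    user: str      # account involved


# Constructed sample event stream, deliberately out of order to show
# that the rule sorts by timestamp before evaluating the window.
SAMPLE_EVENTS = [
    Event(100, "LoginFailed", "10.0.0.5", "10.0.1.20", "admin"),
    Event(110, "LoginFailed", "10.0.0.5", "10.0.1.20", "admin"),
    Event(105, "LoginFailed", "10.0.0.9", "10.0.1.20", "bob"),
    Event(120, "LoginFailed", "10.0.0.5", "10.0.1.20", "admin"),
    Event(115, "LoginSuccess", "10.0.0.9", "10.0.1.20", "bob"),
    Event(130, "LoginFailed", "10.0.0.5", "10.0.1.20", "admin"),
    Event(140, "LoginFailed", "10.0.0.5", "10.0.1.20", "admin"),
    Event(150, "LoginSuccess", "10.0.0.5", "10.0.1.20", "admin"),
    # Five failures, but the success arrives long after the window closed.
    Event(300, "LoginFailed", "10.0.0.7", "10.0.1.21", "svc"),
    Event(310, "LoginFailed", "10.0.0.7", "10.0.1.21", "svc"),
    Event(320, "LoginFailed", "10.0.0.7", "10.0.1.21", "svc"),
    Event(330, "LoginFailed", "10.0.0.7", "10.0.1.21", "svc"),
    Event(340, "LoginFailed", "10.0.0.7", "10.0.1.21", "svc"),
    Event(450, "LoginSuccess", "10.0.0.7", "10.0.1.21", "svc"),
]


def brute_force_then_success(events, threshold=5, window=60):
    """Return one alert per LoginSuccess that follows at least `threshold`
    LoginFailed events from the same src_ip within `window` seconds."""
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        recent = failures[ev.src_ip]
        # Expire failures that fell out of the sliding window.
        while recent and ev.ts - recent[0] > window:
            recent.popleft()
        if ev.name == "LoginFailed":
            recent.append(ev.ts)
        elif ev.name == "LoginSuccess" and len(recent) >= threshold:
            alerts.append({
                "rule": "BruteForceThenSuccess",   # constructed rule name
                "src_ip": ev.src_ip,
                "dst_ip": ev.dst_ip,
                "user": ev.user,
                "failure_count": len(recent),
                "ts": ev.ts,
            })
            recent.clear()   # do not re-fire on the same burst of failures
    return alerts


if __name__ == "__main__":
    for alert in brute_force_then_success(SAMPLE_EVENTS):
        print(alert)
```

The window bookkeeping is what makes this a correlation rule rather than a filter: a single event is never interesting on its own, only in relation to the events that preceded it from the same source.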

1.3.6 iTRAC

Sentinel provides an iTRAC workflow management system to define and automate processes for incident response. Incidents that are identified in Sentinel, either by a correlation rule or manually, can be associated with an iTRAC workflow.

1.3.7 Crystal Reports Server

Comprehensive reporting services within the Sentinel Control Center are powered by Crystal Reports Server by Business Objects. Sentinel comes with predefined reports geared toward the most common reporting requests by organizations monitoring their security and compliance postures. Using the Crystal Reports Developer, new or customized reports can also be developed against the Sentinel published report view schema.

1.3.8 Sentinel Advisor and Exploit Detection

Sentinel Advisor is an optional data subscription service that includes known attacks, vulnerabilities, and remediation information. This data, combined with the known vulnerabilities and real-time intrusion detection or prevention information from your environment, provides proactive exploit detection and the ability to act immediately when an attack takes place against a vulnerable system.
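The exploit-detection idea described above is a join between three data sets: intrusion detection events (which signature fired against which host), scanner-derived vulnerability data (which host carries which vulnerability), and an advisory mapping from attack signatures to the vulnerabilities they exploit. The following Python code is an added illustration, not Sentinel's implementation or Advisor's data format; the `IdsEvent` class, the signature and vulnerability identifiers, and the sample data are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class IdsEvent:
    """A minimal normalized intrusion-detection event (constructed)."""
    ts: int
    signature: str   # detector's attack signature name
    src_ip: str
    dst_ip: str      # the attacked asset


# Constructed advisory data: attack signature -> vulnerabilities it exploits.
ADVISOR_MAP = {
    "SIG-EXAMPLE-A": {"VULN-EXAMPLE-1"},
    "SIG-EXAMPLE-B": {"VULN-EXAMPLE-2", "VULN-EXAMPLE-3"},
}

# Constructed scanner results: asset IP -> vulnerabilities found on it.
ASSET_VULNS = {
    "10.0.1.20": {"VULN-EXAMPLE-1"},
    "10.0.1.21": {"VULN-EXAMPLE-3"},
    "10.0.1.22": set(),
}

# Constructed IDS event stream.
SAMPLE_IDS_EVENTS = [
    IdsEvent(1000, "SIG-EXAMPLE-A", "198.51.100.7", "10.0.1.20"),  # vulnerable target
    IdsEvent(1001, "SIG-EXAMPLE-A", "198.51.100.7", "10.0.1.21"),  # target not affected
    IdsEvent(1002, "SIG-EXAMPLE-B", "198.51.100.8", "10.0.1.21"),  # vulnerable target
    IdsEvent(1003, "SIG-EXAMPLE-B", "198.51.100.8", "10.0.1.22"),  # clean host
    IdsEvent(1004, "SIG-UNKNOWN", "198.51.100.9", "10.0.1.20"),    # no advisory entry
]


def detect_exploits(ids_events, advisor_map, asset_vulns):
    """Flag IDS events whose signature exploits a vulnerability that the
    scanner actually found on the targeted asset. Events against hosts
    that are not vulnerable, or with unknown signatures, stay unflagged."""
    alerts = []
    for ev in ids_events:
        exploitable = advisor_map.get(ev.signature, set())
        present = asset_vulns.get(ev.dst_ip, set())
        matched = exploitable & present
        if matched:
            alerts.append({
                "ts": ev.ts,
                "signature": ev.signature,
                "src_ip": ev.src_ip,
                "dst_ip": ev.dst_ip,
                "vulnerabilities": sorted(matched),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_exploits(SAMPLE_IDS_EVENTS, ADVISOR_MAP, ASSET_VULNS):
        print(alert)
```

The value of the join is in what it suppresses as much as in what it raises: two of the three matching signatures in the sample hit hosts that do not carry the corresponding vulnerability, so only the events with a real chance of success are escalated for immediate action.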