1.1 About Sentinel Control Center

Sentinel is a Security Information and Event Management solution that receives information from many sources throughout an enterprise, standardizes it, prioritizes it, and presents it to you so that you can make threat-, risk-, and policy-related decisions. The Sentinel Control Center (SCC) is the main user interface for viewing and interacting with this data.

Sentinel gathers and correlates security and non-security information from across an organization's networked infrastructure, as well as from third-party systems, devices, and applications. Sentinel presents the collected data in a single, consistent GUI, identifies security or compliance issues, and tracks remediation activities, streamlining previously error-prone processes and supporting a more rigorous and secure management program.

The Sentinel Control Center includes the following functional tabs and interfaces:

1.1.1 Active Views

The Active Views tab presents events in near real time.

In the Active Views tab, you can:

  • View events occurring in near real time

  • Investigate events

  • Graph events

  • Perform historical queries to collect data for a specified period

  • Invoke right-click functions

  • Initiate manual incidents and remediation workflows

1.1.2 Incidents

An incident is a set of events that require attention (for example, a possible attack). Incidents centralize the data and typically comprise a correlated event, the associated events that triggered a correlation rule, asset details of the affected systems, the vulnerability state of the affected systems, and any remediation information, if known. Incidents can be associated with a remediation workflow in iTRAC, if specified. An incident associated with an iTRAC workflow allows users to track the remediation state of the incident.

In the Incidents Tab, you can:

  • Manage incident views

  • View and manage incidents and their associated data

  • Switch between existing incident views

1.1.3 iTRAC

iTRAC’s stateful incident remediation workflow capability allows you to incorporate your organization’s incident response processes into Sentinel.

In the iTRAC tab, you can:

  • Create custom workflow templates

  • Edit workflow templates

  • Create custom activities

  • Edit activities

  • Associate activities with workflow steps

  • Initiate and execute processes

1.1.4 Analysis

The Analysis tab is the historical reporting interface for Sentinel. Reports are published on a Web server and can be rendered in the Analysis tab or in an external browser. You can also run and save an Offline Query for later quick retrieval of search results.

1.1.5 Advisor

Advisor is an optional module that correlates, in real time, attacks detected by an IDS with vulnerability scan output, so that an attack against a host known to be vulnerable to that attack is immediately flagged as an increased risk to the organization.
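The following added example (not Sentinel's own code or data formats) illustrates the Advisor idea in plain Python: an IDS alert is checked against vulnerability scan output for the targeted host, and its severity is adjusted according to whether the target is confirmed vulnerable, scanned clean, or unknown. The signature-to-vulnerability mapping, scan results, and alerts are all constructed sample data with placeholder identifiers.

```python
# Constructed mapping from IDS signature name to the vulnerability identifier it
# targets (Advisor ships such a feed; these names and ids are placeholders).
SIGNATURE_TO_VULN = {
    "WEB-ATTACK example-cgi-overflow": "VULN-EXAMPLE-001",
    "SMB example-auth-bypass": "VULN-EXAMPLE-002",
}

# Constructed vulnerability scan output: host -> set of open vulnerability ids.
# A host with an empty set was scanned and found clean.
SCAN_RESULTS = {
    "10.0.0.5": {"VULN-EXAMPLE-001"},
    "10.0.0.9": set(),
}

# Constructed IDS alerts (severity on a 1..5 scale as emitted by the sensor).
IDS_ALERTS = [
    {"src": "192.0.2.10", "dst": "10.0.0.5", "sig": "WEB-ATTACK example-cgi-overflow", "severity": 3},
    {"src": "192.0.2.10", "dst": "10.0.0.9", "sig": "WEB-ATTACK example-cgi-overflow", "severity": 3},
    {"src": "192.0.2.11", "dst": "10.0.0.5", "sig": "SMB example-auth-bypass", "severity": 3},
    {"src": "192.0.2.12", "dst": "10.0.0.5", "sig": "ICMP unusual-ping", "severity": 1},
]


def exploit_status(alert, sig_to_vuln, scan):
    """Classify one alert: 'vulnerable' when scan output confirms the target has
    the issue the signature exploits, 'not_vulnerable' when the host was scanned
    and does not have it, 'unknown' when there is no signature mapping or the
    host was never scanned."""
    vuln = sig_to_vuln.get(alert["sig"])
    if vuln is None or alert["dst"] not in scan:
        return "unknown"
    return "vulnerable" if vuln in scan[alert["dst"]] else "not_vulnerable"


def prioritize(alerts, sig_to_vuln=SIGNATURE_TO_VULN, scan=SCAN_RESULTS):
    """Return alerts enriched with an exploit status and an adjusted severity.
    Confirmed exploitable targets are escalated to the top band (5); alerts
    against hosts scanned clean are lowered one step (never below 1); unknown
    cases keep the sensor's severity."""
    out = []
    for a in alerts:
        status = exploit_status(a, sig_to_vuln, scan)
        sev = a["severity"]
        if status == "vulnerable":
            sev = 5
        elif status == "not_vulnerable":
            sev = max(1, sev - 1)
        out.append({**a, "exploit_status": status, "adjusted_severity": sev})
    return out


if __name__ == "__main__":
    for row in prioritize(IDS_ALERTS):
        print(row["dst"], row["sig"], row["exploit_status"], row["adjusted_severity"])
```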

In the Advisor tab, you can view the products that Novell supports for Advisor, as well as the status of the last five Advisor feed files that have been processed or are being processed.

1.1.6 Admin

The Admin tab gives you access to the administrative actions and configuration settings in Sentinel. In the Admin tab, you can:

  • Configure connection to Crystal Reports

  • Create and modify filters

  • Use filters to format data

  • Use filters to determine event routing

  • View system statistics about the Data Access Service

  • Start and stop system components

  • Configure Sentinel event fields

  • Configure the mapping service

  • Create new options for right-click event menus

  • Aggregate data for reporting

  • Create users and assign them to roles for workflows

  • Manage user sessions

1.1.7 Correlation

The Correlation tab provides an interface to create and deploy rules to detect suspicious or malicious patterns of events.

In the Correlation tab, you can:

  • Create and edit rules

  • Deploy/Undeploy rules

  • Add an action and associate it with a rule

  • Configure dynamic lists

1.1.8 Event Source Management

The Event Source Management (ESM) interface is available through the Sentinel Control Center menu. It allows you to manage and monitor connections between Sentinel and its event sources using Sentinel Connectors and Sentinel Collectors.

In the ESM, you can:

  • Import/export Connectors and Collectors from/to the centralized repository available in ESM

  • Add/edit connections to event sources through the configuration wizards

  • View the real-time status of the connections to event sources

  • Monitor data flowing through the Collectors and Connectors

Sentinel Collectors

The Collectors parse the raw data and deliver a richer event stream by injecting taxonomy, exploit detection, and business relevance into the data stream before events are correlated, analyzed, and sent to the database.

Sentinel Connectors

The Connectors use industry-standard methods to connect to the data source and retrieve raw data.

1.1.9 Solution Packs

You can use the Solution Packs interface through the Tools menu in Sentinel Control Center. Solution Packs provide a framework within which sets of content can be packaged into controls, each of which is designed to enforce a specific business or technical policy.

1.1.10 Identity Integration

Novell Sentinel 6.1 provides an integration framework for identity management systems. This integration provides functionality on several levels. With the Identity Browser you can:

  • Look up the following information about a user:

    • Contact information

    • Accounts associated with that user

    • Most recent authentication events

    • Most recent access events

    • Most recent permissions changes

  • Look up a user from events