1.4 Sentinel Server Components

Sentinel is made up of the following components:

1.4.1 Data Access Service

The Sentinel Data Access Service is the primary component used to communicate with the Sentinel database. The Data Access Server and other server components work together to store events received from the Collector Managers into the database, filter data, process Active Views displays, perform database queries and process results, and manage administrative tasks such as user authentication and authorization. For more information, see Data Access Service in the Sentinel Rapid Deployment Reference Guide.

1.4.2 Message Bus

Sentinel 6.1 Rapid Deployment uses an open source message broker called Apache Active MQ. The message bus is capable of moving thousands of message packets per second between the components of Sentinel. The Apache Active MQ architecture is built around the Java Message Oriented Middleware (JMOM), which supports asynchronous calls between the client and server applications. Message queues provide temporary storage when the destination program is busy or not connected. For more information, see Communication Server in the Sentinel Rapid Deployment User Guide.

1.4.3 Sentinel Database

The Sentinel product is built around a back-end database that stores security events and all of the Sentinel metadata. Sentinel 6.1 Rapid Deployment supports PostgreSQL. The events are stored in normalized form, along with asset and vulnerability data, identity information, incident and workflow status, and many other types of data. For more information, see Sentinel Data Manager in the Sentinel Rapid Deployment User Guide.

1.4.4 Sentinel Collector Manager

The Sentinel Collector Manager manages data collection, monitors system status messages, and performs event filtering as needed. The main functions of the Collector Manager include transforming events, adding business relevance to events through taxonomy, performing global filtering on events, routing events, and sending health messages to the Sentinel server. The Sentinel Collector Manager directly connects to the message bus. For more information, see Collector Manager in the Sentinel Rapid Deployment User Guide.

1.4.5 Correlation Engine

The Correlation Engine adds intelligence to security event management by automating analysis of the incoming event stream to find patterns of interest. Correlation allows you to define rules that identify critical threats and complex attack patterns so that you can prioritize events and initiate effective incident management and response. For more information, see Correlation Tab in the Sentinel Rapid Deployment User Guide.
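As an added illustration (not Sentinel's own correlation rule language, which this guide does not cover), the following Python models the kind of windowed rule the Correlation Engine evaluates over the normalized event stream: repeated login failures from one source followed by a success within a time window. The event field names and sample events are constructed assumptions, not Sentinel's schema.

```python
from collections import defaultdict, deque

# Constructed sample of normalized events (field names are assumptions,
# not Sentinel's actual event schema). "ts" is seconds since some epoch.
EVENTS = [
    {"ts": 100, "src": "10.0.0.5", "user": "alice", "name": "Login", "outcome": "failure"},
    {"ts": 110, "src": "10.0.0.5", "user": "alice", "name": "Login", "outcome": "failure"},
    {"ts": 115, "src": "10.0.0.9", "user": "bob",   "name": "Login", "outcome": "failure"},
    {"ts": 130, "src": "10.0.0.5", "user": "alice", "name": "Login", "outcome": "failure"},
    {"ts": 140, "src": "10.0.0.5", "user": "alice", "name": "Login", "outcome": "success"},
    {"ts": 300, "src": "10.0.0.9", "user": "bob",   "name": "Login", "outcome": "failure"},
    {"ts": 320, "src": "10.0.0.9", "user": "bob",   "name": "Login", "outcome": "success"},
]


def correlate(events, threshold=3, window=60):
    """Sliding-window rule: at least `threshold` login failures from one
    source, followed by a login success from that source within `window`
    seconds, produce one correlated (higher-severity) event."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["name"] != "Login":
            continue  # rule only looks at authentication events
        recent = failures[e["src"]]
        # Expire failures that fell out of the sliding window.
        while recent and e["ts"] - recent[0] > window:
            recent.popleft()
        if e["outcome"] == "failure":
            recent.append(e["ts"])
        elif e["outcome"] == "success" and len(recent) >= threshold:
            alerts.append({
                "rule": "login-failures-then-success",
                "src": e["src"],
                "user": e["user"],
                "failures": len(recent),
                "ts": e["ts"],
                "severity": 5,  # constructed value for prioritisation
            })
            recent.clear()  # do not re-fire on the same burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Run against the sample, the rule fires once for 10.0.0.5 (three failures inside 60 seconds, then a success) and stays quiet for 10.0.0.9, whose first failure has aged out of the window before its second.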

1.4.6 iTRAC

Sentinel provides an iTRAC workflow management system to define and automate processes for incident response. Incidents that are identified in Sentinel, either by a correlation rule or manually, can be associated with an iTRAC workflow. For more information, see iTRAC Workflows in the Sentinel Rapid Deployment User Guide.

1.4.7 Sentinel Advisor and Exploit Detection

Sentinel Advisor is an optional data subscription service that includes known attacks, vulnerabilities, and remediation information. This data, combined with known vulnerabilities and real-time intrusion detection or prevention information from your environment, provides proactive exploit detection and the ability to immediately act when an attack takes place against a vulnerable system.

An Advisor data snapshot is installed by default with the Sentinel 6.1 Rapid Deployment installation. You need an Advisor license to subscribe to the ongoing Advisor data updates. For more information, see Advisor Usage and Maintenance in the Sentinel Rapid Deployment User Guide.

1.4.8 Web Server

Sentinel Rapid Deployment uses Apache Tomcat as its Web server to allow secure connection to the Sentinel Rapid Deployment Web interface.