1.5 Sentinel Plug-Ins

Sentinel supports a variety of plug-ins to expand and enhance system functionality. Some of these plug-ins are preinstalled. Additional plug-ins (and updates) are available for download at the Sentinel 6.1 Plug-ins Web site.

Some plug-ins, such as the Remedy Integrator, the IBM Mainframe Connector, and the Connector for SAP XAL, require an additional license before they can be downloaded.

1.5.1 Collectors

Sentinel collects data from source devices and delivers a richer event stream by injecting taxonomy, exploit detection, and business relevance into the data before the events are correlated, analyzed, and sent to the database. A richer event stream means that the data already carries the business context needed to identify and remediate internal or external threats and policy violations.

Sentinel Collectors can parse data from the following types of devices and more:

  • Intrusion Detection Systems (host)

  • Intrusion Detection Systems (network)

  • Firewalls

  • Operating Systems

  • Policy Monitoring

  • Authentication

  • Routers and Switches

  • VPNs

  • Anti-Virus Detection Systems

  • Web Servers

  • Databases

  • Mainframe

  • Vulnerability Assessment Systems

  • Directory Services

  • Network Management Systems

  • Proprietary Systems

JavaScript Collectors can be written by using the standard JavaScript development tools and the Collector SDK.
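The following is an added illustration of the collector role described above (normalizing raw device output and injecting taxonomy and business relevance before correlation); it is not code from the Sentinel Collector SDK, and the function names, taxonomy labels, asset table, and log lines are all constructed for the example.

```javascript
// Added example: a collector-style normalizer. Hypothetical helper names; not the
// Sentinel Collector SDK API. Constructed log lines and asset table only.

// Constructed business-context table: which hosts are critical assets.
const ASSET_CRITICALITY = { "web01": "high", "10.0.0.5": "high", "app02": "low" };

// Patterns for two constructed source formats: an SSH auth log and a firewall log.
const AUTH_RE = /^(\S+ \d+ [\d:]+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)/;
const FW_RE = /^(\S+ \d+ [\d:]+) (\S+) kernel: (DROP|ACCEPT) SRC=(\S+) DST=(\S+) DPT=(\d+)/;

// Taxonomy injection: map device-specific outcomes to a device-neutral category,
// so correlation rules can match "Authentication.Failure" regardless of source.
function taxonomyFor(kind, outcome) {
  if (kind === "auth") return outcome === "Failed" ? "Authentication.Failure" : "Authentication.Success";
  return outcome === "DROP" ? "Network.Firewall.Deny" : "Network.Firewall.Allow";
}

// Parse one raw line into a normalized event, or null when no pattern matches.
function parseEvent(line) {
  let m = AUTH_RE.exec(line);
  if (m) {
    const [, ts, host, outcome, user, src] = m;
    return { ts, host, taxonomy: taxonomyFor("auth", outcome), user, src, dst: host,
             severity: outcome === "Failed" ? 3 : 1 };
  }
  m = FW_RE.exec(line);
  if (m) {
    const [, ts, host, action, src, dst, port] = m;
    return { ts, host, taxonomy: taxonomyFor("fw", action), src, dst, port: Number(port),
             severity: action === "DROP" ? 2 : 1 };
  }
  return null;
}

// Business relevance injection: raise severity when the target is a critical asset.
function enrich(ev) {
  const crit = ASSET_CRITICALITY[ev.dst] || "unknown";
  return { ...ev, assetCriticality: crit, severity: crit === "high" ? ev.severity + 2 : ev.severity };
}

// Run the pipeline over a batch; unparsed lines are counted rather than silently dropped.
function collect(lines) {
  const events = [];
  let unparsed = 0;
  for (const line of lines) {
    const ev = parseEvent(line);
    if (ev) events.push(enrich(ev)); else unparsed++;
  }
  return { events, unparsed };
}

// Constructed sample input, including one line in an unknown format.
const SAMPLE_LINES = [
  "Mar 12 10:01:02 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51514 ssh2",
  "Mar 12 10:01:03 fw01 kernel: DROP SRC=203.0.113.7 DST=10.0.0.5 DPT=22",
  "Mar 12 10:01:04 app02 sshd[2212]: Accepted password for deploy from 10.0.0.9 port 40000 ssh2",
  "this line is not in a known format",
];
```

Counting unparsed lines matters operationally: a sudden rise in that counter usually means a device changed its log format and the collector is silently losing visibility.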

1.5.2 Connectors and Integrators

Connectors provide connectivity from the Collector Manager to event sources through standard protocols such as JDBC and Syslog. Events are passed from the Connector to the Collector for parsing.

Integrators enable remediation actions on systems outside of Sentinel. For example, a correlation action can use the SOAP Integrator to initiate a Novell Identity Manager workflow.

The optional Remedy AR Integrator provides the ability to create a Remedy ticket from Sentinel events or incidents. For more information, see Action Manager and Integrator in the Sentinel Rapid Deployment User Guide.

1.5.3 Correlation Rules and Actions

Correlation rules identify important patterns in the event stream. When a correlation rule is triggered, it initiates correlation actions, such as sending e-mail notifications, initiating an iTRAC workflow, or executing an action using an Integrator. For more information, see Correlation Tab in the Sentinel Rapid Deployment User Guide.

1.5.4 Reports

You can run a wide variety of dashboard and operational reports from the Sentinel Rapid Deployment Web interface by using JasperReports. The reports are typically distributed via Solution Packs.

1.5.5 iTRAC Workflows

iTRAC workflows provide consistent, repeatable processes for managing incidents. The workflow templates are typically distributed via Solution Packs. iTRAC ships with a set of default templates that you can modify to suit your requirements. For more information, see iTRAC Workflows in the Sentinel Rapid Deployment User Guide.

1.5.6 Solution Packs

Solution Packs are packaged sets of related Sentinel content, such as correlation rules, actions, iTRAC workflows, and reports. Novell provides Solution Packs that focus on specific business needs, such as the PCI-DSS Solution Pack, which addresses compliance with the Payment Card Industry Data Security Standard. Novell also creates Collector packs, which include content focused on a specific event source, such as Windows Active Directory. For more information, see Solution Packs in the Sentinel Rapid Deployment User Guide.