The Sentinel Control Center includes the following functional tabs and interfaces:
The tab presents events in near-real time.
In the tab, you can:
View events occurring in near-real time
Investigate events
Graph events
Perform historical queries to collect data for a specified period
Invoke right-click functions
Initiate manual incidents and remediation workflows
An incident is a set of events that require attention (for example, a possible attack). Incidents centralize the data and are typically made up of a correlated event, the associated events that triggered a correlation rule, asset details of the affected systems, vulnerability state of the affected systems, and any remediation information, if known. Incidents can be associated with a remediation workflow in iTRAC, if specified. An incident associated to an iTRAC workflow allows users to track the remediation state of the incident.
In the tab, you can:
Manage incident views
View and manage incidents and their associated data
Switch between existing incident views
The iTRAC stateful incident remediation workflow capability allows you to incorporate your organization’s incident response processes into Sentinel.
In the tab, you can:
Create custom workflow templates
Edit workflow templates
Create custom activities
Edit activities
Associate activities with workflow steps
Initiate and execute processes
The tab is used to run and save an offline query for later quick retrieval of search results.
Advisor is an optional module that provides real-time correlation between detected intrusion detection system attacks and vulnerability scan output in order to immediately indicate increased risk to an organization.
The tab provides you access to perform the administrative actions and configuration settings in Sentinel. In the tab, you can:
Create and modify filters
Use filters to format data
Use filters to determine event routing
View system statistics about the Data Access Service
Start and stop system components
Configure Sentinel event fields
Configure the mapping service
Create new options for right-click event menus
Aggregate data for reporting
Create users and assign them to roles for workflows
Manage user sessions
The tab provides an interface to create and deploy rules to detect suspicious or malicious patterns of events.
In the tab, you can:
Create and edit rules
Deploy/undeploy rules
Add an action and associate it to a rule
Configure dynamic lists
The Event Source Management (ESM) interface is available through the Sentinel Control Center menu. It allows you to manage and monitor connections between Sentinel and its event sources by using Sentinel Connectors and Sentinel Collectors.
In the ESM, you can:
Import/export Connectors and Collectors from and to the centralized repository available in ESM
Add/edit connections to event sources through the configuration wizards
View the real-time status of the connections to event sources
Monitor data flowing through the Collectors and Connectors
The Collectors parse the data and deliver a richer event stream by injecting taxonomy, exploit detection, and business relevance into the data stream before events are correlated and analyzed and sent to the database.
The Connectors use industry standard methods to connect to the data source to get raw data.
You can use the Solution Packs interface through the menu in the Sentinel Control Center. Solution Packs provide a framework within which sets of content can be packaged into controls, each of which is designed to enforce a specific business or technical policy.
The Sentinel integration framework for identity management systems provides functionality on several levels. When identity integration is implemented, you can:
Look up the following information about a user from the Identity Browser:
Contact information
Accounts associated with that user
Most recent authentication events
Most recent access events
Most recent permissions changes
Look up user information by right-clicking an event