1.2 Sentinel Control Center

Sentinel gathers and correlates security and non-security information from across an organization's networked infrastructure, as well as third-party systems, devices, and applications. Sentinel presents the collected data in the Sentinel Web interface as well as the Sentinel Control Center (SCC).

1.2.1 Accessing the Sentinel Control Center

The SCC is accessed through the Sentinel Web interface.

  1. Log in to the Sentinel Web interface:

    https://<IP_Address/DNS_Sentinel_server>:8443

    IP_Address/DNS_Sentinel_server is the IP address or DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.

  2. In the toolbar, click Applications.

  3. Click Launch Control Center.

  4. Click Yes to accept the security certificate.

  5. Specify a username and password of a user that has rights to access the SCC, then click Login.

  6. Click Accept or Accept Permanently to accept the security certificate.

    The Sentinel Control Center launches in a new window.

1.2.2 Using the Sentinel Control Center

The Sentinel Control Center (SCC) provides a “dockable” framework that lets you move the pieces of the interface from their default locations to user-specific locations for ease of use. The SCC consists of the following components:

Menu Bar

The menu bar has the menus required to navigate, perform activities, and change the appearance of Sentinel Control Center.

The File, Options, Tools, Window, Event Source Management, and Help menus are always available. The availability of other menus depends on your location in the console and the permissions you have.

Tabs

Depending on your access permissions, Sentinel Control Center displays the following tabs:

Active Views

The Active Views tab presents events in near-real time.

In the Active Views tab, you can:

  • View events occurring in near real-time

  • Investigate events

  • Graph events

  • Perform historical queries to collect data for a specified period

  • Invoke right-click functions

  • Initiate manual incidents and remediation workflows

For more information, see Viewing Events in the NetIQ Sentinel 7.0.1 User Guide.

Incidents

An incident is a set of events that requires attention (for example, a possible attack). Incidents centralize the data and typically include a correlated event, the associated events that triggered a Correlation rule, asset details of the affected systems, the vulnerability state of the affected systems, and any remediation information. Incidents can be associated with a remediation workflow in iTRAC, if specified. An incident associated with an iTRAC workflow allows users to track the remediation state of the incident.

In the Incidents tab, you can:

  • Manage incident views

  • View and manage incidents and their associated data

  • Switch between existing incident views

For more information, see Configuring Incidents in the NetIQ Sentinel 7.0.1 User Guide.

iTRAC

iTRAC’s stateful incident remediation workflow capability allows you to incorporate your organization’s incident response processes into Sentinel.

In the iTRAC tab, you can:

  • Create custom workflow templates

  • Edit workflow templates

  • Create custom activities

  • Edit activities

  • Associate activities with workflow steps

  • Initiate and execute Processes

For more information, see Configuring iTRAC Workflows in the NetIQ Sentinel 7.0.1 User Guide.

Advisor

Advisor is an optional module that provides real-time correlation between detected intrusion detection system attacks and vulnerability scan output in order to immediately indicate increased risk to an organization. For more information, see Section 11.0, Configuring Advisor.

Configuration

In the Configuration menu, you can:

Toolbar

The toolbar allows you to perform the tab-specific functions. There are system-wide toolbar buttons that are always displayed. The availability of other toolbar buttons depends on your location in the console and the permissions you have.

System-Wide Toolbar

The system-wide toolbar buttons are always displayed. You use them to perform the following tasks:

Undo layout: Undoes any changes made to the layout of the frames in the UI.

Reset layout: Resets the layout of the frames in the UI to the default layout.

Redo layout: Redoes any changes made to the layout of the frames in the UI.

Help: Launches help.

Tile all display windows: Arranges all open windows in a tile configuration.

Cascade all display windows: Cascades all open windows.

Save user preferences: Saves any user preferences you have defined.

Action debugging: Debugs actions performed by rules.

People Browser: Allows you to search and view user profiles of the identities that have been synchronized from the Identity Management system.

Tab-Specific Toolbar Buttons

Tab-specific toolbar buttons allow you to perform the functions related to each tab.

Active Views > Create Active view: Creates a new Active View of the data.

Active Views > Snapshot: Takes a snapshot of the information displayed in the Active View.

Active Views > Manage columns: Allows you to manage the columns displayed in the Active View.

Incidents > Display incident view manager: Displays the Incident Manager that allows you to view incidents.

Incidents > Create incident: Creates a new incident.

iTRAC > Display process manager: Displays the Process Manager.

iTRAC > Activity manager: Launches the Activity Manager.

iTRAC > Template manager: Launches the Template Manager.

iTRAC > iTRAC role manager: Launches the iTRAC Role Manager.

Advisor > Advisor configuration: Launches a wizard to help configure Advisor.

Configuration > Event configuration: Allows you to configure events.

Configuration > Event actions configuration: Allows you to configure actions that are performed on events.

Configuration > Map data configuration: Allows you to configure enhancements for the data coming into Sentinel.

Configuration > Dynamic lists: Allows you to create dynamic lists that are used within a Correlation Rule.

Configuration > Solution Packs: Launches the Solution Pack Manager.

Configuration > Integrator Manager: Launches the Integrator Manager.

Configuration > Action Manager: Launches the Action Manager.

Configuration > Download Manager: Launches the Download Manager.

Frames

Sentinel provides a framework that allows you to drag frames on the screen to place them in preferred locations. The following buttons are displayed so that you can drag or hide frames:

  • Toggle floating

  • Toggle auto-hide

To drag a frame to any location:

  1. Click the Toggle floating icon on the frame or hold the frame and drag it to the desired location.

To hide a frame:

  1. Click the Toggle auto-hide icon.

    You can undo dragging or reset the location to the default position using the toolbar buttons.

1.2.3 Navigating in the Sentinel Control Center

To navigate by using the toolbar:

  1. Click the desired tab.

  2. Click the toolbar buttons to perform the actions.

To navigate by using the menus:

  1. Click the desired tab.

    If you do not click the desired tab, the menu option is dimmed.

  2. Click the menu relevant to the selected tab.

  3. Select an action you need to perform.

    This procedure is generic for all the tabs in SCC. Specific procedures for tabs are discussed in the relevant sections later in this document.

1.2.4 Changing the Appearance of the Sentinel Control Center

You can change the Sentinel Control Center’s look by:

Changing the Positions of the Tabs

You can change whether the tabs are displayed at the top of the tab frames or at the bottom of the tab frames.

  1. In the Sentinel Control Center menu, click Options > Tab Placement.

  2. Select either Top or Bottom.

Changing How the Windows Are Displayed

You can change how the windows in the SCC are displayed.

Cascading Windows: In the Sentinel Control Center menu, click Windows > Cascade All. All open windows in the right panel cascade.

Tiling Windows: In the Sentinel Control Center menu, click Windows > Tile All, then select the option that meets your requirements:

  • Tile Best Fit

  • Tile Vertical

  • Tile Horizontal

Minimizing Windows: In the Sentinel Control Center menu, click Windows > Minimize All. All open windows in the right panel minimize.

Restoring Windows: In the Sentinel Control Center menu, click Windows > Restore All. All open windows in the right panel are restored to their original size.

Use the Minimize and Restore options provided on the top right corner of the tab to minimize individual tabs.

Closing all Open Windows: In the Sentinel Control Center menu, click Windows > Close All.

1.2.5 Saving User Preferences

If users have permissions to save their workspaces, they can save the following preferences:

  • Permanent windows that are not dependent on data that was available at the time of their original creation.

  • Active Views

  • Summary displays

  • Window positions

  • Window sizes, including the application window

  • Tab positions

  • Whether the Navigator is docked or floating, and whether it is showing or hidden

The following preferences are not saved when the user logs out:

  • Snapshots

  • Historical event queries

  • Secondary windows opened from a primary window

  • Column widths in Active Views

To save your preferences:

  1. In the menu, click File > Save Preferences

    or

    Click Save User Preferences in the toolbar.

If you make display changes in the SCC but do not save them, you are prompted to save the changes when you log out of the SCC.

1.2.6 Configuring the Attachment Viewer

The Attachment Viewer allows you to specify which applications open the files attached to Solution Packs.

Adding Applications to the Attachment Viewer

  1. In the Sentinel Control Center menu, click Options > Attachment Viewer Configuration.

  2. Click Add.

  3. Use the following information to identify the attachment in the Attachment Viewer Configuration window:

    Extension: Specify the extension type, such as .doc, .xls, .txt, .html.

    Type: Specify the type of attachment. The default value is DEFAULT.

    Subtype: Specify the subtype of attachment. The default value is DEFAULT.

    Application: Click Browse or type the path and the application to launch the file type, such as notepad.exe for Notepad.

    Parameter: Specify a parameter to pass to the application. The default value is %File%.

  4. Click OK.

  5. Repeat Step 2 through Step 4 for each additional application you want to add.

  6. Click OK to close the Attachment Viewer.

Editing Entries in the Attachment Viewer

  1. In the Sentinel Control Center menu, click Options > Attachment Viewer Configuration.

  2. Select an item in the Attachment Viewer, then click Edit.

  3. Make any desired changes, then click OK to save the changes.

  4. Click OK to close the Attachment Viewer.

Deleting Entries in the Attachment Viewer

  1. In the Sentinel Control Center menu, click Options > Attachment Viewer Configuration.

  2. Select the item you want to delete in the Attachment Viewer, then click Delete.

  3. Click OK to close the Attachment Viewer.