2.11 Event Analysis

Sentinel provides a powerful set of tools to help you easily find and analyze critical event data. The system is tuned and optimized for each type of analysis, and it provides methods for moving seamlessly from one type of analysis to another.

Investigating events in Sentinel often starts with the near real-time Active Views. Although more advanced tools are available, Active Views display filtered event streams along with summary charts that can be used for simple, rough analysis of event trends, event data, and identification of specific events. Over time, you build up tuned filters for specific classes of data, such as output from correlation. You can use Active Views as a dashboard showing an overall operational and security posture.

You can then use the interactive search to perform more detailed analysis of events. This allows you to quickly and easily search for and find data related to a specific query, such as activity by a specific user or on a particular system. By clicking on the event data or using the left-hand refinement pane, you can quickly zero in on specific events of interest.

When analyzing hundreds of events, the reporting capabilities of Sentinel provide custom control over event layout and can display larger volumes of data. Sentinel makes this transition easier by allowing you to transfer the interactive searches built up in the Search interface into a reporting template, which instantly creates a report that displays the same data but in a format better suited for a larger number of events.

Sentinel includes many templates for this purpose. Some templates are tuned to display particular types of information, such as authentication data or user creation, and some are general-purpose templates that allow you to customize groups and columns on the report interactively.

Over time, you will develop commonly used filters and reports that make your workflows easier. Sentinel fully supports storing this information and sharing it with people in your organization. For more information, see the NetIQ Sentinel 7.1 User Guide.