iTRAC Workflows are designed to provide a simple, flexible solution for automating and tracking an enterprise's incident response processes. It leverages Sentinel's internal incident system to track security or system problems from identification (via correlation rules or manual identification) through resolution.
Workflows can be built using manual and automated steps. Advanced features such as branching, time-based escalation, and local variables are supported. Integration with external scripts and plug-ins allows for flexible interaction with third-party systems. Comprehensive reporting allows administrators to understand and fine-tune the incident response processes.
NOTE: Access to manage iTRAC templates, activities, and processes can be enabled on a user-by-user basis by any user with the ability to change user permissions.
The iTRAC system uses three Sentinel objects that may be defined outside the iTRAC framework:
Incident |
Incidents within Sentinel are groups of events that represent an actionable security incident, plus associated state and meta-information. Incidents are created manually or via correlation rules, and can, but don't have to, be associated with a workflow process. They can be viewed on the Incidents tab. |
Activity |
An Activity is a pre-defined automatic unit of work, with defined inputs, command-driven activity, and outputs (e.g., automatically attaching asset data to the incident or sending an e-mail). Activities can be used within workflow templates, triggered by a correlation rule, or executed by a right-click when viewing events. |
Role |
Sentinel users can be assigned to one or more Roles. Manual steps in the workflow processes may be assigned to a Role. |
iTRAC Workflows have four major components that are unique to iTRAC:
Step |
A Step is an individual unit of work within a workflow; there are manual steps, decision steps, command steps, mail steps, and activity-based steps. Each step appears as an icon within a given workflow template. |
Transition |
A Transition defines how the workflow will move from one state (Activity) to another this can be determined by an analyst action, by the value of a variable, or by the amount of time elapsed. . |
Templates |
A Template is a design for a workflow that controls the flow of execution of a process in iTRAC. The template consists of a network of manual and automated Steps. Activities and criteria for transition between them. Workflow templates define how an incident will be responded to once a process based on that template is instantiated (see below). A template may be associated with many incidents. |
Processes |
A process is a specific instance of a workflow template that is actively being tracked by the workflow system. It includes all the relevant information relating to the instance, including the current step in the workflow, the associated incident, the results of Steps, attachments, and notes. Each workflow process is associated to one and only one incident. |