The following example assumes the following:
A process named iTRAC Process Tutorial has been assigned to your role (analyst)
This is a process created in Example Scenario: Creating a Simple Two-Tiered iTRAC Process for a Possible Network Attack.
All steps within the process belong to the Analyst group
NOTE: If you assign steps to other roles, you need to log out and then log in as a user assigned to that role and accept the process. For simplicity, every step in the following example is assigned to one role.
Before this process can run, it must first be assigned to an incident.
To start or terminate a process:
Click the
tab. Click
. Specify the following:
Title: iTRAC Tutorial.
Category: Other.
Responsible: assign this incident to yourself.
Click the
tab, then select . Click Create.
Because this is a tutorial incident and not a true incident, it can be deleted without negatively affecting your Sentinel setup.
From anywhere in the Sentinel GUI, click the Analyst group (yellow bar) under View Work Items.
Your bar might already be partially green, indicating that you have accepted (acquired) an iTRAC Process.
All of the processes assigned to the Analyst role display.
To accept a work item, select
and click . If the View Work Items list bar was yellow, as illustrated above, a green bar is added to it.
Click the green bar under View Work Items. In the Work Items window, click
. The step highlighted in red indicates the step this process is currently in.
To start the steps within this process, click the
tab. For this manual step, the variable yes is specified. Providing another value such as no or else (no attack) results in an e-mail that completes the process. For example, if the initial assessment is that an attack has occurred and the hacked variable is equal to yes, click Complete to complete this step.
In the Work Items window, select the process and click
. The Collect Data step should be highlighted in red. As before, this is a manual step. Click the
tab. Again, the variable page displays. In the iTRAC Process, Collect Data is the step that further determines, by analyzing the events of interest, whether an attack has occurred. For this example, assume that an attack has occurred and leave the default value of yes. If this were a real attack, it is beneficial to add clear notes or attachments with information about the attack.
Click
. In the Work Items window, select the process and click
. The Prevent Future Attacks step should be highlighted in red. As before, this is a manual step. In this manual step, take measures to harden the network to prevent future attacks. When this is done, add notes and attachments with information about this attack.
Click
. The next step is an automatic e-mail step indicating that proper anti-attack measures have been taken. The iTRAC Process is removed from the Work Items window.
If you go to the Process View window or if you double-click this process, it appears as Complete.
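The walkthrough above shows one path through the process: three manual steps, each completed by an analyst who sets a step variable, followed by an automatic e-mail step that completes the process. The following Python model of that two-tiered process is an added example constructed for this page; it is not Sentinel or iTRAC code. The step names follow the tutorial, but the rule that any value other than yes at the Initial Assessment or Collect Data step takes the "no attack" e-mail branch, and that Prevent Future Attacks always proceeds to the "measures taken" e-mail, are assumptions made for the model.

```python
# Constructed model of the tutorial's two-tiered iTRAC process (added example,
# not Sentinel/iTRAC code). Branching rules on the step variable are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Step:
    name: str
    manual: bool                    # manual steps wait for an analyst; automatic ones run at once
    on_yes: Optional[str] = None    # next step when the step variable is "yes"
    on_other: Optional[str] = None  # next step for any other value (assumption)


# Process definition (constructed): three manual steps and two automatic e-mail steps
PROCESS: Dict[str, Step] = {
    "Initial Assessment": Step("Initial Assessment", True, "Collect Data", "E-mail: No Attack"),
    "Collect Data": Step("Collect Data", True, "Prevent Future Attacks", "E-mail: No Attack"),
    "Prevent Future Attacks": Step("Prevent Future Attacks", True,
                                   "E-mail: Measures Taken", "E-mail: Measures Taken"),
    "E-mail: Measures Taken": Step("E-mail: Measures Taken", False),
    "E-mail: No Attack": Step("E-mail: No Attack", False),
}
START_STEP = "Initial Assessment"


@dataclass
class WorkItem:
    """One process instance, as it would appear in the Work Items window."""
    incident: str
    current: Optional[str] = START_STEP   # the red-highlighted step; None once Complete
    acquired: bool = False                # the green bar: analyst has accepted the item
    history: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)
    attachments: List[str] = field(default_factory=list)

    def accept(self) -> None:
        """Acquire the work item (the View Work Items bar turns green)."""
        self.acquired = True

    def complete_step(self, variable: str = "yes", note: str = "",
                      attachment: str = "") -> Optional[str]:
        """Complete the current manual step, then run any automatic steps that follow.
        Returns the new current step, or None when the process is Complete."""
        if not self.acquired:
            raise RuntimeError("work item must be accepted before its steps can be completed")
        if self.current is None:
            raise RuntimeError("process already complete")
        step = PROCESS[self.current]
        if not step.manual:
            raise RuntimeError(f"{step.name} is an automatic step, not a manual one")
        if note:
            self.notes.append(f"{step.name}: {note}")
        if attachment:
            self.attachments.append(f"{step.name}: {attachment}")
        self.history.append(step.name)
        nxt = step.on_yes if variable.strip().lower() == "yes" else step.on_other
        # Automatic steps (the e-mail notifications) run without analyst input
        while nxt is not None and not PROCESS[nxt].manual:
            self.history.append(nxt)
            nxt = PROCESS[nxt].on_yes
        self.current = nxt
        return nxt

    def status(self) -> str:
        """What the Process View window would show for this instance."""
        return "Complete" if self.current is None else f"In step: {self.current}"


def run_tutorial(answers: List[str]) -> WorkItem:
    """Drive a work item through the process, one variable value per manual step."""
    wi = WorkItem(incident="iTRAC Tutorial")
    wi.accept()
    for value in answers:
        if wi.current is None:
            break
        wi.complete_step(value, note=f"variable set to {value}")
    return wi


if __name__ == "__main__":
    done = run_tutorial(["yes", "yes", "yes"])
    print(done.status(), "->", " > ".join(done.history))
    early = run_tutorial(["no"])
    print(early.status(), "->", " > ".join(early.history))
```

Running the model with yes at every step visits all three manual steps and ends at the automatic "measures taken" e-mail, matching the walkthrough; answering no at the Initial Assessment step goes straight to the "no attack" e-mail, which completes the process, as the tutorial describes for any value other than yes. Completing a step on an item that has not been accepted raises an error, mirroring the requirement to acquire the work item first.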
For trademark and copyright information, see Legal Notices.