Product Description

For IT security professionals overwhelmed by the challenges and complexity of monitoring and managing security events, Sentinel is a powerfully simple Security Information and Event Management (SIEM) solution. It simplifies threat detection and speeds analysis and response, helping security personnel safeguard sensitive data and assets, demonstrate compliance more easily, and strengthen security operations.

Sentinel makes it easier to identify threats to sensitive data and assets by providing actionable security intelligence, enriching security events with environmental context, and enabling rapid response and remediation. With integrated, one-click search and reporting, Sentinel lowers the time, cost, and effort of complying with data access regulations while delivering improved, real-time visibility into your overall strength of security and state of compliance.

Key Features

  • Security Management and Compliance Monitoring
    Sentinel provides integrated, automated real-time security management and compliance monitoring across all systems and networks while allowing you to demonstrate and monitor compliance with internal policies and government regulations such as PCI, Sarbanes-Oxley, HIPAA, GLBA, FISMA, and others.
  • Anomaly Detection
    Sentinel allows you to identify anomalies in your environment by establishing baselines specific to your unique IT environment, delivering better intelligence and faster detection of anomalous activities. Baselining and trending allow you to view patterns of historical activity and to develop models of typical IT activity so that new, potentially harmful trends stand out. You can tune your environment's baselines to detect anomalous events, and see how your security and compliance posture changes over time.
  • High Performance Two-Tiered Storage
    Sentinel implements an efficient, file-based event storage tier optimized for long-term archival of events. The event store provides 10:1 compression, fully supports indexed searches, and speeds up relevant reporting tasks, while providing you the flexibility to store some or all of your events in a back-end traditional relational database store.
  • Graphical Rule-Builder
    Sentinel allows you to quickly build event correlation rules directly from the events collected in your environment. Additionally, you can test rules prior to deployment to reduce false-positive alerting, improve event correlation capabilities, and ultimately deliver improved exploit detection capabilities.
  • Distributed Search
    Sentinel enables organizations that have deployed several instances of Sentinel or Sentinel Log Manager in different locations to search events not only on their local Sentinel servers but also on the existing Sentinel and Sentinel Log Manager servers from a single, centralized console.
  • Agent-Based or Agentless Data Collection
    Sentinel provides you the flexibility to use either agent-based or agentless data collection for your Windows, UNIX, and iSeries event sources. You can determine which method to use for each event source based on the needs of your environment.
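The Graphical Rule-Builder and Anomaly Detection features above describe two techniques at a high level: a correlation rule that fires when related events accumulate, tested against known data before deployment to control false positives, and a baseline of normal activity used to flag outliers. The following Python script is an added, generic illustration of both ideas and is not Sentinel code, nor does it use Sentinel's rule syntax or APIs; the event records, IP addresses, thresholds and hourly counts are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import statistics

# Constructed sample authentication events (not real Sentinel data).
# Source 10.0.0.5 fails six times in 50 seconds (brute-force-like),
# 10.0.0.9 fails twice then succeeds (a mistyped password),
# 10.0.0.7 fails three times but 20 minutes apart.
T0 = datetime(2024, 1, 1, 9, 0, 0)


def _t(seconds):
    return T0 + timedelta(seconds=seconds)


SAMPLE_EVENTS = [
    {"ts": _t(s), "src_ip": "10.0.0.5", "user": "admin", "outcome": "failure"}
    for s in (0, 10, 20, 30, 40, 50)
] + [
    {"ts": _t(60), "src_ip": "10.0.0.9", "user": "jdoe", "outcome": "failure"},
    {"ts": _t(90), "src_ip": "10.0.0.9", "user": "jdoe", "outcome": "failure"},
    {"ts": _t(120), "src_ip": "10.0.0.9", "user": "jdoe", "outcome": "success"},
    {"ts": _t(0), "src_ip": "10.0.0.7", "user": "svc", "outcome": "failure"},
    {"ts": _t(1200), "src_ip": "10.0.0.7", "user": "svc", "outcome": "failure"},
    {"ts": _t(2400), "src_ip": "10.0.0.7", "user": "svc", "outcome": "failure"},
]

# Sources an analyst has labelled as genuinely hostile in this sample.
KNOWN_BAD_SOURCES = {"10.0.0.5"}


def failed_login_rule(events, threshold=3, window_seconds=60):
    """Correlation rule: alert when one source produces `threshold` or more
    failed logins inside a sliding window of `window_seconds`.
    The window is cleared after an alert so one burst yields one alert."""
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "failure":
            continue
        q = recent[ev["src_ip"]]
        q.append(ev["ts"])
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"src_ip": ev["src_ip"], "ts": ev["ts"], "count": len(q)})
            q.clear()
    return alerts


def evaluate_rule(alerts, known_bad):
    """Replay-test a rule against labelled data: (precision, recall)
    over the set of sources that triggered an alert."""
    alerted = {a["src_ip"] for a in alerts}
    true_positives = alerted & known_bad
    precision = len(true_positives) / len(alerted) if alerted else 0.0
    recall = len(true_positives) / len(known_bad) if known_bad else 0.0
    return precision, recall


# Constructed hourly event counts for one host over seven days of history.
HOURLY_COUNTS = [120, 130, 125, 118, 128, 122, 127]


def build_baseline(hourly_counts):
    """Summarise historical activity as mean and sample standard deviation."""
    return {"mean": statistics.mean(hourly_counts),
            "stdev": statistics.stdev(hourly_counts)}


def is_anomalous(observed, baseline, k=3.0):
    """Flag an observation more than k standard deviations above the baseline."""
    return observed > baseline["mean"] + k * baseline["stdev"]


if __name__ == "__main__":
    # Tune the threshold before deployment: a threshold of 2 also catches the
    # benign mistyped-password source, halving precision.
    for threshold in (2, 3, 5):
        alerts = failed_login_rule(SAMPLE_EVENTS, threshold=threshold)
        print(threshold, len(alerts), evaluate_rule(alerts, KNOWN_BAD_SOURCES))
    base = build_baseline(HOURLY_COUNTS)
    print(is_anomalous(140, base), is_anomalous(130, base))
```

Replaying a candidate rule over a labelled sample, as `evaluate_rule` does, is the offline counterpart of testing a rule before deployment: lowering the threshold from 3 to 2 keeps recall at 1.0 but drops precision to 0.5 because the benign source is now alerted on. The baseline check uses a plain mean-plus-k-sigma cutoff; a production SIEM would typically baseline per host, per hour of day and per event type.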

System Requirements

For the most recent information about system requirements, see the Sentinel Installation Guide on the Sentinel Documentation Web site.

Downloading and Installing Sentinel

The Sentinel 7.1.1 release offers several different packages for installing various components of the system. The simplest installation consists of a single all-in-one server installation; more complex deployments may add additional servers for data collection, agent management, and/or analytics. Sentinel is also offered as a soft appliance, which eliminates the need to purchase, install, and manage a separate operating system.

This is a high-level overview of the installation process for typical customers. For more details and alternatives, see the Sentinel Documentation Web site.

  1. Download the main Sentinel installation file named sentinel_server* to the host where you will install Sentinel and unpack it into a temporary directory using a Linux-compatible utility.
  2. Run the Sentinel installation, and follow the on-screen prompts to install the Sentinel Server, including a local Collector Manager and Correlation Engine. For more information about installing Sentinel, see the Sentinel Installation Guide on the Sentinel Documentation Web site.
  3. Identify the set of sources from which you want to collect event data, and configure them to deliver events to Sentinel. Sentinel supports data collection from many sources using Collector and Connector plug-ins. It also supports specialized agent-based data collection for Windows and UNIX-type data sources. Many of the plug-ins to support data collection are bundled with Sentinel, but you can download additional options and updates from the Sentinel Plug-ins website or create your own using the Sentinel Plug-in SDK.
    1. To use Sentinel plug-ins for any supported device, deploy the associated Collector and Connector from the Sentinel Plug-ins website. Each supported product has an associated Collector that understands the data format generated by that source. See the documentation provided with each Collector for details on how to configure the associated product and Sentinel data collection components to deliver events to Sentinel.
    2. To use agent-based event collection for Windows, UNIX, or IBM i sources, deploy Sentinel Agent Manager to act as a proxy for those agents. You can download the Sentinel Agent Manager from within the Sentinel Web console, or from this page (file Agent_Manager*). For more information about installing Sentinel Agent Manager, see the Agent Manager Installation Guide on the Sentinel Documentation Web site.
      1. Windows Agents are included in the Sentinel Agent Manager download and are managed by Sentinel Agent Manager itself, so no additional components are necessary.
      2. UNIX Agents are delivered separately, and require a separate NetIQ UNIX Agent Manager to manage the configuration of the UNIX Agents. Download the UNIX Agent Trial, unpack it into a directory, then unpack the compressed ISO file. Either mount the ISO or write it to a CD, then look in the Documentation folder and open the SM_UNIX_Agent_Guide.pdf. Follow the instructions for configuring the UNIX Agent to send events to Security Manager, but replace 'Security Manager' with 'Sentinel Agent Manager' wherever it appears.
      3. IBM i Agents come as part of the NetIQ Security Solutions for iSeries - the Agent portion does not require a separate license. For more information, see the Auditing iSeries Log Data section of the Installation Guide; you will need to configure the Agent Communication Subsystem (PSECONFIG) and start the ZPSE subsystem, but replace 'Security Manager' with 'Sentinel Agent Manager' in the instructions.
  4. To scale data collection, consider deploying one or more additional Collector Managers. You can download installers for additional Collector Managers from within the product.
  5. Perform additional configuration; see the Sentinel Documentation Web site for details.
    1. Configure the event routing rules and data retention policies to define where data is stored (or sent) and for how long.
    2. Deploy analytic rules to automatically detect activity of interest in the enterprise. Attach automated actions to those rules as needed.
    3. Customize the environment by creating filters, refining reports, adding contextual data, and so on.
  6. To scale real-time correlation analytics, consider deploying one or more additional Correlation Engines. You can download installers for additional Correlation Engines from within the Sentinel Web console.

Known Issues

For the list of known issues, see the Sentinel 7.1.1 Release Notes on the Sentinel Documentation Web site.