For example, Active Views looks at and investigates events in real time; Correlation is where you create rules that tie together event triggers, adding intelligence to event flows; Incidents displays events entered by analysts or alerts triggered by correlation rules.
The iTRAC tab is a workflow tool, tracking incident response processes through event resolution. The Analysis tab handles historical reporting, and the Advisor tab takes data from VA scanners and IDSes. In addition, this is where you can pick up guidance for remediation.
All of these parts worked quite effectively together, allowing us to see events come in, identify those that appeared to be suspicious and then track and investigate them as the case requires.
The correlation tool was surprisingly easy to use, with a built-in wizard to allow the creation of rules, including more complex chains of triggers. For example, we would set up a simple rule that triggered when there were four failed logins in two minutes. Then we created more interesting combinations reflecting things like IDS events and root login attempts.
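The two rule shapes described above, a threshold rule (four failed logins in two minutes) and a chained rule (an IDS event followed by a root login attempt), as an added example in Python. This is not Sentinel's rule language or code; the event fields, sample log lines, rule names and windows are constructed for illustration. The engine keeps per-source state so a burst from one host cannot be diluted by quiet hosts, and it expires old timestamps so the window really is sliding.

```python
"""Toy correlation engine (added example, not Sentinel's own rule language).
Two rule shapes: a threshold rule (N events of one type from one source within
a window) and a sequence rule (event B following event A from the same source
within a window). All events below are constructed sample data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source, event type, detail)
SAMPLE_EVENTS = [
    ("2024-01-10 09:00:05", "10.0.0.7",  "auth_fail",  "user=alice"),
    ("2024-01-10 09:00:40", "10.0.0.7",  "auth_fail",  "user=alice"),
    ("2024-01-10 09:01:10", "10.0.0.7",  "auth_fail",  "user=alice"),
    ("2024-01-10 09:01:50", "10.0.0.7",  "auth_fail",  "user=alice"),   # 4th within 2 min: alert
    ("2024-01-10 09:05:00", "10.0.0.9",  "auth_fail",  "user=bob"),
    ("2024-01-10 09:15:00", "10.0.0.9",  "auth_fail",  "user=bob"),     # spread out: no alert
    ("2024-01-10 09:20:00", "10.0.0.42", "ids_alert",  "sig=SSH brute force"),
    ("2024-01-10 09:23:30", "10.0.0.42", "root_login", "user=root"),    # IDS then root: alert
    ("2024-01-10 10:00:00", "10.0.0.50", "root_login", "user=root"),    # no prior IDS event
]


def parse(ts):
    """Parse the constructed timestamp format into a datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


class ThresholdRule:
    """Fire when `count` events of `event_type` from one source fall within `window`."""

    def __init__(self, name, event_type, count, window):
        self.name, self.event_type, self.count, self.window = name, event_type, count, window
        self.seen = defaultdict(deque)  # source -> timestamps still inside the window

    def feed(self, ts, src, etype):
        if etype != self.event_type:
            return None
        q = self.seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()  # reset so one burst raises one alert, not one per extra failure
            return (self.name, src, ts)
        return None


class SequenceRule:
    """Fire when `second` follows `first` from the same source within `window`."""

    def __init__(self, name, first, second, window):
        self.name, self.first, self.second, self.window = name, first, second, window
        self.pending = {}  # source -> timestamp of the most recent `first` event

    def feed(self, ts, src, etype):
        if etype == self.first:
            self.pending[src] = ts
            return None
        if etype == self.second and src in self.pending:
            if ts - self.pending.pop(src) <= self.window:
                return (self.name, src, ts)
        return None


def correlate(events, rules):
    """Run every event through every rule in timestamp order; return the alerts raised."""
    alerts = []
    for ts_str, src, etype, _detail in sorted(events, key=lambda e: e[0]):
        ts = parse(ts_str)
        for rule in rules:
            hit = rule.feed(ts, src, etype)
            if hit:
                alerts.append(hit)
    return alerts


def demo():
    """Apply the two rules from the text to the constructed sample events."""
    rules = [
        ThresholdRule("brute_force", "auth_fail", count=4, window=timedelta(minutes=2)),
        SequenceRule("ids_then_root", "ids_alert", "root_login", window=timedelta(minutes=10)),
    ]
    return correlate(SAMPLE_EVENTS, rules)


if __name__ == "__main__":
    for name, src, ts in demo():
        print(f"{ts}  {name}  source={src}")
```

Run as-is and it raises exactly two alerts: the brute-force rule on 10.0.0.7 at the fourth failure, and the chained rule on 10.0.0.42 when the root login lands within ten minutes of the IDS alert. The host with two widely spaced failures and the host with a root login but no preceding IDS event stay quiet, which is the behaviour you want to confirm before trusting a rule in production.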
We built a simple workflow to track incidents, but be cautioned that workflows can be very complex in the large IT environments in which tools like this are employed. Depending on your organization's requirements, you can integrate Sentinel with external scripts to interact with third-party systems, such as Remedy and HP OpenView.
A major enhancement since the e-Security acquisition is the ability to track users as well as devices, an important trend in enterprise SIEMs for security and compliance auditing.
Reporting
Reports are handled by Crystal Reports, a powerful and popular tool. Sentinel comes with Crystal Server as well as Developer, so you can modify and create your own reports.
Sentinel's reporting leaves no event data unseen, and is highly configurable.
Verdict
Sentinel is aimed at very large enterprises, and this is where it is best suited. It can be an extremely powerful tool, if used to its potential, with many features to help automate and analyze all of your enterprise's logs and events.
Testing methodology: For lab purposes, all of the components were installed on one machine. Windows Server 2003 was used, as well as SQL Server 2005 standard edition.