Novell Sentinel 6.1 SP2 User Guide (02-2010) - 14.3 iTRAC: Instantiating a Process


14.3 iTRAC

This section describes iTRAC processes and how they are associated with incidents.

14.3.1 Instantiating a Process

An iTRAC process is instantiated on the iTRAC server by associating it with an incident. This can be done in any of the following ways:
Associate an iTRAC process with the incident at the time the incident is created
Associate an iTRAC process with an incident after the incident has been created
Associate an iTRAC process with an incident as an action when deploying a correlation rule
For more information on associating a process with an incident, see Chapter 3, "Correlation Tab," on page 65 and Chapter 4, "Incidents Tab," on page 93.
Example Scenario – Creating a Simple Two-Tiered iTRAC Process for a Possible Network Attack
NOTE: To perform all of the scenarios in the iTRAC section, the iTRAC scenario sections must be followed in the order presented.
This scenario shows how to build a simple two-tiered iTRAC process: a flow of steps to follow when a possible attack on your system is suspected.
The example process is:
The first step, a manual step named Decide if Hacked, asks whether a preliminary look suggests that the network has been attacked. This leads to a Decision Step.
NOTE: Every Decision Step offers different execution paths depending on the value of the variable set in the previous step.
If the answer is that there has been an attack, proceed to collect the data needed to determine whether an attack actually occurred. If the answer is that there has been no attack, send an email to the supervisor stating that there is no attack.
The Collect Data step reviews that data to make a better determination of whether there has been an attack.
If the attack is confirmed, take measures to prevent another attack and send an email to the supervisor stating that proper measures have been taken. If there is no attack, send an email to the supervisor stating that there is no attack.
Figure 14-3 iTRAC Process
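The two-tiered process above, modelled as an executable workflow. This is an added illustration written for this page, not Sentinel or iTRAC code: the step names and branching follow the scenario text, while the small engine (a Step table, decision steps that branch on the variable set by the previous step, and an analyst-answer dictionary that stands in for the manual steps) and the variable names "hacked" and "confirmed" are assumptions made for the example. Running it shows the three possible paths through the process and which supervisor notification each path produces.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Run:
    """State of one process instance (what the workflow server would hold for one incident)."""
    variables: Dict[str, str] = field(default_factory=dict)
    trace: List[str] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)


@dataclass
class Step:
    """One node of the process. kind is 'manual', 'activity', 'decision' or 'end'.
    Field names and the step model are assumptions for this example, not iTRAC's."""
    name: str
    kind: str
    variable: Optional[str] = None                            # manual: variable it sets; decision: variable it reads
    branches: Dict[str, str] = field(default_factory=dict)    # decision: value -> next step name
    next_step: Optional[str] = None                           # manual/activity: unconditional successor
    action: Optional[Callable[[Run], None]] = None            # activity: side effect (here, an email stand-in)


def notify(message: str) -> Callable[[Run], None]:
    """Stand-in for the 'send an email to the supervisor' action: records the message on the run."""
    def act(run: Run) -> None:
        run.notifications.append(message)
    return act


def two_tier_process() -> Dict[str, Step]:
    """The process from the scenario: Decide if Hacked -> decision -> Collect Data -> decision -> notify."""
    steps = [
        Step("Decide if Hacked", "manual", variable="hacked", next_step="Hacked?"),
        Step("Hacked?", "decision", variable="hacked",
             branches={"yes": "Collect Data", "no": "No Attack Email"}),
        Step("Collect Data", "manual", variable="confirmed", next_step="Confirmed?"),
        Step("Confirmed?", "decision", variable="confirmed",
             branches={"yes": "Prevent Further Attack", "no": "No Attack Email"}),
        Step("Prevent Further Attack", "activity", next_step="Measures Taken Email"),
        Step("Measures Taken Email", "activity", next_step="End",
             action=notify("Supervisor: attack confirmed, preventive measures taken")),
        Step("No Attack Email", "activity", next_step="End",
             action=notify("Supervisor: no attack")),
        Step("End", "end"),
    ]
    return {s.name: s for s in steps}


def run_process(steps: Dict[str, Step], start: str, answers: Dict[str, str]) -> Run:
    """Execute the process. `answers` maps each manual step to the value the analyst entered,
    so a run is deterministic. A manual step without an answer, or a decision value with no
    matching branch, raises ValueError instead of silently picking a path."""
    run = Run()
    current = start
    for _ in range(len(steps) + 1):          # guard against a mis-wired loop in the step table
        step = steps[current]
        run.trace.append(step.name)
        if step.kind == "end":
            return run
        if step.kind == "manual":
            if step.name not in answers:
                raise ValueError(f"manual step {step.name!r} is waiting for analyst input")
            run.variables[step.variable] = answers[step.name]
            current = step.next_step
        elif step.kind == "activity":
            if step.action is not None:
                step.action(run)
            current = step.next_step
        elif step.kind == "decision":
            # A decision step routes on the variable set by the step before it.
            value = run.variables.get(step.variable)
            if value not in step.branches:
                raise ValueError(f"{step.name}: {step.variable}={value!r} not in {sorted(step.branches)}")
            current = step.branches[value]
        else:
            raise ValueError(f"unknown step kind {step.kind!r}")
    raise RuntimeError("process did not reach an end step")


if __name__ == "__main__":
    for answers in ({"Decide if Hacked": "no"},
                    {"Decide if Hacked": "yes", "Collect Data": "no"},
                    {"Decide if Hacked": "yes", "Collect Data": "yes"}):
        run = run_process(two_tier_process(), "Decide if Hacked", answers)
        print(" -> ".join(run.trace), "|", run.notifications)
```

The point worth noticing is the second tier: a "no" at Collect Data ends in the same "no attack" notification as a "no" at Decide if Hacked, but the trace differs, so an incident that was escalated and then cleared is distinguishable from one that was never escalated. Rejecting an unknown decision value, rather than defaulting to a branch, is the behaviour you want in a response workflow.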
