Novell Sentinel Rapid Deployment 6.1 User Guide (12-2009): A.3.4 Application Integration; A.3.5 Time

takes the data from the source system, performs the transformations, and presents the events for later analysis, visualization, and reporting purposes. The framework delivers the following components and benefits:
Collectors: Parse and normalize events from various systems.
Connectors: Connect to the data source to get raw data.
Taxonomy: Allows data from disparate sources to be categorized consistently.
Filtering: Eliminates irrelevant data at the point of collection, saving bandwidth and disk space.
Business relevance: Offers a way to enrich event data with valuable information.
Collector Builder: An integrated development environment for building custom Collectors to collect from unique or proprietary systems.
Live view: User interface for managing live event sources.
Scratch pad: User interface for offline design of event source configuration.
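The chain the components above describe, from Connector output through parsing and normalization, taxonomy, filtering and enrichment, as an added example in Python. This is not Novell's Collector code or anything produced by Collector Builder; the two log formats, the taxonomy names and the asset table are constructed for illustration.

```python
"""Toy Collector chain: Connector output -> parse/normalize -> taxonomy -> filter -> enrich.

Added example, not Novell's Collector code or Collector Builder output. The two log
formats, the taxonomy names and the asset table are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# What a Connector would hand over: raw records from two unrelated sources (constructed).
RAW_SSHD = [
    "Dec 14 10:01:07 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    "Dec 14 10:01:09 bastion sshd[2211]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2",
]
RAW_FW = [
    "2009-12-14T10:01:08Z fw1 DENY TCP 203.0.113.9:51023 -> 10.0.0.5:22",
    "2009-12-14T10:01:10Z fw1 ALLOW TCP 198.51.100.7:40111 -> 10.0.0.5:443",
]


@dataclass
class Event:
    """Normalized event: the same field names regardless of which device produced it."""
    source_type: str
    src_ip: str
    target: str                 # host name or IP the activity was aimed at
    user: Optional[str]
    action: str                 # normalized verb: auth_fail, auth_success, deny, allow
    taxonomy: str = ""          # assigned by categorize()
    enrichment: dict = field(default_factory=dict)


SSHD_RE = re.compile(
    r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: (?P<verdict>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
FW_RE = re.compile(
    r"^\S+ (?P<host>\S+) (?P<verdict>DENY|ALLOW) \S+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")


def parse_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None     # unparseable line: a real Collector would count and log this
    action = "auth_fail" if m["verdict"] == "Failed" else "auth_success"
    return Event("sshd", m["ip"], m["host"], m["user"], action)


def parse_fw(line):
    m = FW_RE.match(line)
    if not m:
        return None
    return Event("firewall", m["src"], m["dst"], None, m["verdict"].lower())


# Taxonomy: one vocabulary for events from unrelated products (category names are constructed).
TAXONOMY = {
    "auth_fail": "Authentication/Failure",
    "auth_success": "Authentication/Success",
    "deny": "Network/Blocked",
    "allow": "Network/Allowed",
}

# Business relevance: asset criticality looked up at collection time (constructed table).
ASSETS = {"bastion": "high", "10.0.0.5": "critical"}


def categorize(ev):
    ev.taxonomy = TAXONOMY.get(ev.action, "Unknown")
    return ev


def is_relevant(ev):
    """Filter at the point of collection: permitted firewall flows are dropped here
    so they never consume bandwidth or disk downstream."""
    return ev.action != "allow"


def enrich(ev):
    ev.enrichment["asset_criticality"] = ASSETS.get(ev.target, "unknown")
    return ev


def collect(sources=((parse_sshd, RAW_SSHD), (parse_fw, RAW_FW))):
    """Run every source through the chain; returns the normalized, filtered events."""
    events = []
    for parser, lines in sources:
        for line in lines:
            ev = parser(line)
            if ev is None:
                continue
            ev = categorize(ev)
            if not is_relevant(ev):
                continue
            events.append(enrich(ev))
    return events


if __name__ == "__main__":
    for ev in collect():
        print(ev)
```

The order of the stages matters: filtering runs after normalization so the filter can be written once against the common vocabulary (`action`, `taxonomy`) rather than once per device format, and enrichment runs last so the asset lookup is only paid for events that survive the filter.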

A.3.4 Application Integration

External application integration through standard APIs is central to Sentinel. For example, when dealing with a third-party trouble-ticketing system, Sentinel 6 can open an initial ticket in its own iTRAC(TM) workflow remediation system. Sentinel then uses a bidirectional API to communicate with the other trouble-ticketing systems, such as Remedy* and HP OpenView's ServiceDesk*, allowing straightforward integration with external systems.
The API is Web Services-based and therefore allows any external system that is SOAP-aware to take advantage of pervasive integration with the Sentinel system.

A.3.5 Time

The time of an event is critical to its processing. It matters for reporting and auditing purposes as well as for real-time processing. The correlation engine processes time-ordered streams of events and detects patterns within events as well as temporal patterns in the stream. However, the device generating the event might not know the real time when the event is generated. To accommodate this, Sentinel allows two options when processing alerts from security devices: trust the time the device reports and use it as the time of the event, or do not trust the device time and instead stamp the event with the time it is first processed by Sentinel, that is, when the Collector receives it. With the first option, a device whose clock is wrong places its events at the wrong point in the correlation stream; with the second, the event time reflects transport and collection delay rather than when the event actually occurred.
Sentinel is a distributed system made up of several processes that can run in different parts of the network. In addition, the device itself can introduce some delay. To accommodate this, the Sentinel processes reorder the events into a time-ordered stream before processing.
The following illustration explains the concept of Sentinel Time.
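The two time options and the reordering step, as an added example in Python. This is not Novell's code: the arrivals are constructed, and the device-clock sanity check and the watermark-based reorder buffer are this example's assumptions about how a Collector could implement what the section describes, not documented Sentinel behaviour.

```python
"""Event-time policy and bounded reordering in front of a correlation engine.

Added example, not Novell's code. The arrivals, the skew check and the
watermark-based reorder buffer are this example's assumptions about how a
Collector could implement the two options the manual describes.
"""
import heapq
from dataclasses import dataclass, field


@dataclass(order=True)
class Event:
    event_time: float          # the time the correlation engine will order on
    seq: int                   # arrival order; breaks ties deterministically
    device_time: float = field(compare=False)
    sentinel_time: float = field(compare=False)
    clock_source: str = field(compare=False)   # "device" or "sentinel"
    msg: str = field(compare=False)


def choose_event_time(device_time, sentinel_time, trust_device, max_skew):
    """Option 1 (trust_device=True): use the device's timestamp, but fall back to
    the Collector's own clock when the device clock is implausibly far from it
    (the skew guard is an added safety check, not a documented Sentinel option).
    Option 2 (trust_device=False): always stamp with the time Sentinel first saw it."""
    if trust_device and abs(device_time - sentinel_time) <= max_skew:
        return device_time, "device"
    return sentinel_time, "sentinel"


class Reorderer:
    """Bounded-delay reorder buffer. Events are released in event_time order once
    the newest event_time seen is more than max_delay ahead of them; anything
    arriving older than what has already been released is reported as late
    rather than emitted out of order to the correlation engine."""

    def __init__(self, max_delay):
        self.max_delay = max_delay
        self.heap = []
        self.high = float("-inf")        # newest event_time seen so far
        self.released = float("-inf")    # event_time of the last event emitted
        self.late = []

    def push(self, ev):
        if ev.event_time < self.released:
            self.late.append(ev)
            return []
        heapq.heappush(self.heap, ev)
        self.high = max(self.high, ev.event_time)
        return self._release(self.high - self.max_delay)

    def flush(self):
        return self._release(float("inf"))

    def _release(self, threshold):
        out = []
        while self.heap and self.heap[0].event_time <= threshold:
            ev = heapq.heappop(self.heap)
            self.released = ev.event_time
            out.append(ev)
        return out


# Constructed arrivals: (time Sentinel received it, time the device claims, message).
RAW_ARRIVALS = [
    (100.0, 98.0, "fw deny"),
    (101.0, 95.0, "ids alert"),          # slow path from the device: older but arrives later
    (102.0, 1000.0, "app login"),        # device clock badly wrong
    (103.0, 99.0, "sshd fail"),
    (110.0, 94.0, "switch linkdown"),    # arrives after its slot has already been released
]


def run_pipeline(raw=RAW_ARRIVALS, trust_device=True, max_delay=5.0, max_skew=60.0):
    """Apply the time policy, then reorder. Returns (emitted events, late events)."""
    reorderer = Reorderer(max_delay)
    emitted = []
    for seq, (sentinel_time, device_time, msg) in enumerate(raw):
        t, src = choose_event_time(device_time, sentinel_time, trust_device, max_skew)
        emitted += reorderer.push(Event(t, seq, device_time, sentinel_time, src, msg))
    emitted += reorderer.flush()
    return emitted, reorderer.late


if __name__ == "__main__":
    for trust in (True, False):
        done, late = run_pipeline(trust_device=trust)
        print("trust_device=%s" % trust)
        for ev in done:
            print("  %7.1f %-8s %s" % (ev.event_time, ev.clock_source, ev.msg))
        print("  late:", [ev.msg for ev in late])
```

With device time trusted, the IDS alert is moved ahead of the firewall deny it actually preceded, the application event with the broken clock is stamped with Sentinel time instead, and the switch event that arrives more than `max_delay` after its slot is reported late rather than silently inserted out of order. With device time not trusted, the stream is simply the arrival order and nothing is late, at the cost of the true ordering between the IDS alert and the firewall deny.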