Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual page 402

Common Services
All of the components in this Collection and Enrichment layer are driven by a set of common
services. These utility services form the fabric of data collection and data enrichment: they filter
noise out of the information (through global filters), apply user-defined tags that enrich the event
information (through the business relevance and taxonomy mapping services), and govern the
functions of the data Collectors (through the command and control services).
"Taxonomy" on page 402
"Business Relevance" on page 402
"Exploit Detection" on page 403
Taxonomy
Nearly all security products produce events in different formats and with varying content. For
example, Windows and Solaris* report a failed login differently.
Sentinel's taxonomy automatically translates heterogeneous product data into meaningful terms,
which allows for a real-time, homogeneous view of security across the entire network. Sentinel
taxonomy formats and filters raw security events before adding event context to the data stream.
This process puts all the security data into the structure best suited for processing by the Sentinel
Correlation engine, as shown in the following diagram.
Figure A-12
Business Relevance
Sentinel injects business-relevant contextual data directly into the event stream. It includes up to 135
customizable fields where users can add asset-specific information such as business unit, owner,
asset value, and geography. After this information is added to the system, all other components can
take advantage of the additional context.
Figure A-13
402 Sentinel 6.1 Rapid Deployment User Guide
Figure A-12 caption: Sentinel Taxonomy
Figure A-13 caption: Injecting Business Relevance
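The two services described above, taxonomy mapping and business relevance enrichment, are easiest to see on a concrete pair of events. The following is an added illustration written for this page, not code from Sentinel or Novell: it normalizes a Windows failed-logon event and a Solaris-style syslog failed-login line into one taxonomy category, drops anything outside the taxonomy (a stand-in for a global filter), attaches asset context from a lookup table (standing in for Sentinel's customizable asset fields), and then shows what a correlation engine gains from the homogeneous view by counting failures per source address across both products. The category names, the asset table, the Solaris log format and all sample values are constructed for the example; only Windows event ID 4625 is a real identifier.

```python
"""Added example (not Sentinel/Novell code): taxonomy normalization plus
business-relevance enrichment of heterogeneous failed-login events."""
import re
from dataclasses import dataclass, field

# Constructed sample events: one Windows security event (4625 is the real
# "an account failed to log on" event ID) and one Solaris-style syslog line
# whose exact format is invented for the example.
WINDOWS_EVENT = {"source": "windows", "EventID": 4625, "TargetUserName": "jdoe",
                 "IpAddress": "10.1.2.3", "Computer": "win-fs01"}
SOLARIS_LINE = ("Jan 14 10:22:01 sol-db01 login[1234]: FAILED LOGIN 1 FROM 10.1.2.3 "
                "FOR jdoe, Authentication failed")
NOISE_LINE = "Jan 14 10:22:05 sol-db01 cron[77]: (root) CMD (/usr/lib/fs/nfs/nfsfind)"

# Constructed asset table: the kind of business-relevance fields an operator
# would maintain (business unit, owner, asset value, geography).
ASSETS = {
    "win-fs01": {"business_unit": "Finance", "owner": "alice", "asset_value": 8, "geography": "EMEA"},
    "sol-db01": {"business_unit": "Finance", "owner": "bob", "asset_value": 10, "geography": "US"},
}


@dataclass
class TaxonomyEvent:
    """Product-independent representation of an event (the 'meaningful terms')."""
    category: str          # hypothetical taxonomy label, e.g. "Authentication.Failure"
    host: str
    user: str
    src_ip: str
    product: str
    context: dict = field(default_factory=dict)   # filled in by enrich()


def normalize_windows(ev):
    """Map a Windows security event dict to the taxonomy; None if not mapped."""
    if ev.get("EventID") == 4625:
        return TaxonomyEvent("Authentication.Failure", ev["Computer"],
                             ev["TargetUserName"], ev["IpAddress"], "windows")
    return None


SOLARIS_RE = re.compile(r"^\S+ \d+ \S+ (?P<host>\S+) login\[\d+\]: FAILED LOGIN \d+ "
                        r"FROM (?P<ip>\S+) FOR (?P<user>[^,]+),")


def normalize_solaris(line):
    """Map a Solaris-style syslog line to the taxonomy; None if not mapped."""
    m = SOLARIS_RE.match(line)
    if not m:
        return None
    return TaxonomyEvent("Authentication.Failure", m["host"], m["user"], m["ip"], "solaris")


def normalize(raw):
    """Dispatch on the raw event's shape; unknown input yields None."""
    if isinstance(raw, dict) and raw.get("source") == "windows":
        return normalize_windows(raw)
    if isinstance(raw, str):
        return normalize_solaris(raw)
    return None


def global_filter(event):
    """Stand-in for a global filter: keep only taxonomy-mapped authentication events."""
    return event is not None and event.category.startswith("Authentication.")


def enrich(event, assets=ASSETS):
    """Inject business-relevance fields for the event's host (empty if unknown asset)."""
    event.context.update(assets.get(event.host, {}))
    return event


def pipeline(raw_events):
    """Collection -> taxonomy -> filter -> enrichment, in that order."""
    return [enrich(ev) for ev in map(normalize, raw_events) if global_filter(ev)]


def failures_by_source(events):
    """What the homogeneous view buys a correlation engine: one counter across products."""
    counts = {}
    for ev in events:
        if ev.category == "Authentication.Failure":
            counts[ev.src_ip] = counts.get(ev.src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in pipeline([WINDOWS_EVENT, SOLARIS_LINE, NOISE_LINE]):
        print(ev)
    print(failures_by_source(pipeline([WINDOWS_EVENT, SOLARIS_LINE, NOISE_LINE])))
```

The point of the last function is the one the taxonomy section makes: once both products report the same category with the same field names, a single rule (here, failures per source address) covers Windows and Solaris alike, and the enrichment fields let that rule be weighted by asset value or routed by business unit without the rule knowing which product produced the event.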