Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual page 405

Organizations can deploy multiple correlation engines, each on its own server, without the need
to replicate configurations or add databases. Independent scaling of components provides
cost-effective scalability and performance.
The correlation engine can also add events to an incident after that incident has been created.
Users are encouraged to use a metric called Event Rules per Second (ERPS). ERPS measures the
number of events that a correlation rule can examine per second. This measure is a good
performance indicator because it captures the load produced when two factors combine: the event
rate (events per second) and the number of rules in use.
Dynamic Lists
Dynamic lists are distributed list structures that can be used for storing elements and performing fast
lookups on those elements. These lists can store a set of strings such as IP addresses, server names,
or usernames. Examples of dynamic lists include:
Terminated user list
Suspicious user watch list
Privileged user watch list
Authorized ports and services list
Authorized server list
Correlation rules can reference named dynamic lists to perform lookups on list members. For
example, a rule can be written to identify a file access event from a user who is not a member of
the Authorized Users list. Additionally, correlation actions integrate with the dynamic list module
to add or remove elements from a list. The combination of lookups and automated actions on the
same list provides a feedback mechanism: a rule can place a user on a watch list, and later rules
that look up that list then treat the user's subsequent activity differently.
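The following is an added illustration, not Sentinel's own RuleLG rule language or any Sentinel API. It models the lookup/action feedback loop described above with a miniature correlation engine in Python: rules look up named dynamic lists, and a rule action that adds to or removes from a list changes how later events are judged. It also counts rule evaluations, which is the quantity the ERPS metric from the preceding section is concerned with. The event shape, the list names (AuthorizedUsers, SuspiciousUsers, TerminatedUsers), the rule names and the sample events are all assumptions made for the demo.

```python
# Added illustration (not Sentinel's RuleLG or API): a miniature correlation
# engine with dynamic-list lookups and list-modifying actions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

DynamicLists = Dict[str, Set[str]]   # list name -> members (strings)


@dataclass
class Event:
    name: str      # event type, e.g. "FileAccess", "Login", "Terminate" (assumed)
    user: str
    src_ip: str


@dataclass
class Rule:
    name: str
    # condition(event, lists) -> True when the rule should fire
    condition: Callable[[Event, DynamicLists], bool]
    # actions run after a fire; each may add to or remove from a dynamic list
    actions: List[Callable[[Event, DynamicLists], None]] = field(default_factory=list)


@dataclass
class Engine:
    lists: DynamicLists
    rules: List[Rule]
    fired: List[Tuple[str, str, str]] = field(default_factory=list)
    evaluations: int = 0   # total (event, rule) pairs examined

    def process(self, events: List[Event]) -> List[Tuple[str, str, str]]:
        """Run every rule over every event in order; actions take effect at once,
        so an action on event N is visible to lookups on event N+1."""
        for ev in events:
            for rule in self.rules:
                self.evaluations += 1
                if rule.condition(ev, self.lists):
                    self.fired.append((rule.name, ev.user, ev.src_ip))
                    for act in rule.actions:
                        act(ev, self.lists)
        return self.fired


def add_to_list(list_name: str, attr: str):
    """Build an action that adds an event attribute to a dynamic list."""
    def action(ev: Event, lists: DynamicLists) -> None:
        lists.setdefault(list_name, set()).add(getattr(ev, attr))
    return action


def remove_from_list(list_name: str, attr: str):
    """Build an action that removes an event attribute from a dynamic list."""
    def action(ev: Event, lists: DynamicLists) -> None:
        lists.setdefault(list_name, set()).discard(getattr(ev, attr))
    return action


def build_engine() -> Engine:
    lists: DynamicLists = {
        "AuthorizedUsers": {"alice", "bob"},   # assumed initial members
        "SuspiciousUsers": set(),
        "TerminatedUsers": set(),
    }
    rules = [
        # Lookup: file access by a user NOT on the authorized list.
        # Action: put that user on the suspicious-user watch list.
        Rule("UnauthorizedFileAccess",
             lambda ev, L: ev.name == "FileAccess" and ev.user not in L["AuthorizedUsers"],
             [add_to_list("SuspiciousUsers", "user")]),
        # Lookup on the list the first rule feeds: a later login by a
        # watch-listed user fires even though the login itself looks normal.
        Rule("SuspiciousUserLogin",
             lambda ev, L: ev.name == "Login" and ev.user in L["SuspiciousUsers"]),
        # Termination moves the account from authorized to terminated; any
        # later access by that account then trips the first rule.
        Rule("UserTerminated",
             lambda ev, L: ev.name == "Terminate",
             [remove_from_list("AuthorizedUsers", "user"),
              add_to_list("TerminatedUsers", "user")]),
    ]
    return Engine(lists, rules)


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    Event("Login", "alice", "10.0.0.5"),
    Event("FileAccess", "alice", "10.0.0.5"),     # authorized: no fire
    Event("FileAccess", "mallory", "10.0.0.9"),   # fires; mallory watch-listed
    Event("Login", "mallory", "10.0.0.9"),        # fires via the feedback loop
    Event("Terminate", "bob", "10.0.0.1"),        # bob leaves AuthorizedUsers
    Event("FileAccess", "bob", "10.0.0.7"),       # now unauthorized: fires
]


def required_erps(eps: float, rule_count: int) -> float:
    """Rule evaluations per second for a given event rate and rule set. Each
    event is examined by every rule, so the load is the product. This is the
    reading of ERPS assumed here, not a formula quoted from the manual."""
    return eps * rule_count


def run_demo() -> List[Tuple[str, str, str]]:
    engine = build_engine()
    fired = engine.process(SAMPLE_EVENTS)
    for name, user, ip in fired:
        print(f"{name}: user={user} src_ip={ip}")
    print("suspicious:", sorted(engine.lists["SuspiciousUsers"]))
    print("evaluations:", engine.evaluations, "| at 1000 EPS this rule set needs",
          required_erps(1000, len(engine.rules)), "ERPS")
    return fired


if __name__ == "__main__":
    run_demo()
```

Order matters in the feedback loop: the SuspiciousUserLogin rule only fires for mallory because the UnauthorizedFileAccess action ran on the preceding event, and bob's final file access fires only because the termination event already removed him from AuthorizedUsers. The evaluation counter makes the ERPS point concrete: six events against three rules cost eighteen rule evaluations, so doubling either the event rate or the rule count doubles the engine's work.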
Workflow Service (iTRAC)
The Workflow Service receives triggers on incident creation and initiates workflow processes based
on predefined workflow templates. It manages the life cycle of these processes by generating work
items or executing activities. This service also maintains a history of completed processes that can
be used for auditing incident responses.
Event Visualization
Active Views™, the interactive graphical user interface for event visualization, provides an
integrated security management dashboard with a comprehensive set of real-time visualization and
analytical tools to facilitate threat detection and analysis. Users can monitor events in real time and
perform instant drill-downs from seconds to hours in the past. A wide array of charts and visual
aids allow information to be monitored as 3D bar, 2D stacked, line, and ribbon charts, among
others. Additional information can be viewed from the Active Views dashboard, including
notification of asset exploits (exploit detection), asset information, and graphical associations
between pertinent source and destination IP addresses.
Because Active Views is built on the ActiveMQ messaging architecture, it has direct access to the
real-time, memory-resident event data, so analysts can quickly drill down for further analysis; this
in-memory data handles thousands of events per second without performance degradation. Data is
Sentinel 6.1 Rapid Deployment Architecture 405