Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual page 408

iTRAC's automation framework works using two key components:
Activity container: Automates the activity's execution for the specified set of steps, based on input rules.
Workflow container: Automates the workflow execution based on activities through a worklist.
The input rules are based on the XPDL (XML Processing Description Language) standard and provide a formal model for expressing executable processes in a business enterprise. This standards-based approach to the implementation of business-specific rules and rule sets ensures future-proofing of process definitions for customers.
The iTRAC system uses three Sentinel 6.1 Rapid Deployment objects that can be defined outside this framework:
Incident: Incidents within Sentinel 6 are groups of events that represent an actionable security incident, associated state, and meta-information. Incidents are created manually or through correlation rules, and can be associated with a workflow process. They can be viewed on the Incidents tab.
Activity: An activity is a predefined automatic unit of work, with defined inputs, command-driven activity and outputs such as automatic attachment of asset data to the incident or generation of an e-mail. Activities can be used within workflow templates, triggered by a correlation rule, or executed by a right-click when viewing events.
Role: Users can be assigned to one or more roles, such as Analyst, Admin, and so on. Manual steps in the workflow processes can be assigned to a role.
Sentinel workflows have four major components that are unique to iTRAC:
Step: A step is an individual unit of work within a workflow; there are manual steps, decision steps, command steps, mail steps, and activity-based steps. Each step displays as an icon within a given workflow template.
Transition: A transition defines how the workflow moves from one state (activity) to another and can be determined by an analyst action, by the value of a variable, or by the amount of time elapsed.
Templates: A template is a design for a workflow that controls the execution of a process in Sentinel iTRAC. The template consists of a network of manual and automated steps, activities and criteria for transition between them. Workflow templates define how to respond to an incident when a process based on that template is instantiated. A template can be associated with many incidents.
Processes: A process is a specific instance of a workflow template that is actively being tracked by the workflow system. It includes all the relevant information relating to the instance, including the current step in the workflow, the associated incident, and the results of the steps, attachments and notes. Each workflow process is associated with one incident.
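The relationships described above (a shared template, one process per incident, and transitions driven by analyst action, variable value, or elapsed time) can be modelled as a small state machine. This is an added illustration, not Novell's code or the iTRAC implementation; the class names, step names, incident IDs, role check, and the 3600-second timeout are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Transition:
    target: str          # name of the next step
    kind: str            # "action", "variable" or "timeout"
    value: object        # analyst choice, (variable, expected) pair, or seconds

@dataclass(frozen=True)
class Step:
    name: str
    kind: str            # manual, decision, command, mail or activity
    role: str = None     # role a manual step is assigned to
    transitions: tuple = ()

# Constructed template: one design, reusable for many incidents.
TEMPLATE = {s.name: s for s in (
    Step("triage", "manual", "Analyst", (
        Transition("check_severity", "action", "escalate"),
        Transition("notify_admin", "timeout", 3600))),
    Step("check_severity", "decision", transitions=(
        Transition("notify_admin", "variable", ("severity", "high")),
        Transition("closed", "variable", ("severity", "low")))),
    Step("notify_admin", "mail"),
    Step("closed", "manual", "Analyst"),
)}

@dataclass
class Process:
    """One running instance of a template, tied to exactly one incident."""
    template: dict
    incident_id: str
    current: str = "triage"
    variables: dict = field(default_factory=dict)
    history: list = field(default_factory=list)

    def advance(self, action=None, user_roles=(), elapsed=0):
        step = self.template[self.current]
        # Only a holder of the assigned role may act on a manual step.
        if step.kind == "manual" and action and step.role not in user_roles:
            raise PermissionError(f"{step.name} requires role {step.role}")
        for t in step.transitions:
            if ((t.kind == "action" and action == t.value)
                    or (t.kind == "variable"
                        and self.variables.get(t.value[0]) == t.value[1])
                    or (t.kind == "timeout" and elapsed >= t.value)):
                self.history.append((step.name, t.kind, t.target))
                self.current = t.target
                return True
        return False     # no transition fired; the process stays on this step
```

The `history` list gives each process an audit trail of which kind of transition moved the incident forward, which is what a reviewer needs when reconstructing how an incident was handled.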
Figure A-16 iTRAC Workflow
