Sentinel Administration Guide
- Sentinel Administration Guide
- Getting Started
- Understanding Sentinel Applications
- Adding a License Key
- Adding a License Key By Using the Sentinel Main Interface
- Adding a License Key through the Command Line
- Security Considerations
- Basic Security Considerations
- Securing Sentinel Data
- Best Practices
- Network Communication Options
- Sensitive Data Locations
- Implementing Intruder Detection and Lockout Mechanisms
- Applying Updates for Security Vulnerabilities in Embedded Third-Party Products
- Configuring Roles and Users
- Configuring Roles and Users
- Overview
- Creating Roles
- Configuring Password Complexity
- Creating Users
- Authentication Methods
- Enablement Considerations
- LDAP Authentication Against a Single LDAP Server Or Domain
- LDAP Authentication Against Multiple LDAP Servers Or Domains
- Prerequisites for MFA, Kerberos, and OAuth
- Kerberos Authentication
- Multi-factor Authentication
- OAuth Authentication
- Troubleshooting
- Collecting and Routing Event Data
- Configuring Agentless Data Collection
- Before You Begin
- Resolving Hostnames and IP Addresses
- Configuring Data Collection for Syslog Event Sources
- Configuring Data Collection for the Novell Audit Server
- Configuring Data Collection for Other Event Sources
- Managing Event Sources
- Configuring Agent-Based Data Collection
- Configuring ArcSight SmartConnectors for Data Collection
- Managing Event Sources
- Viewing the Event Sources Page
- Filtering Event Sources
- Configuring Event Routing Rules
- Creating an Event Routing Rule
- Ordering Event Routing Rules
- Activating or Deactivating an Event Routing Rule
- Mapping Events
- Overview
- Default Maps
- Accessing Map Definitions
- Adding Map Definitions
- Adding a Number Range Map Definition
- Updating Map Data
- Using Maps for Event Configuration
- Renaming Event Fields
- Linking to Additional Sentinel Systems
- Benefits
- Prerequisite
- Configuring Sentinel Link
- Configuring Data Storage
- Configuring Traditional Storage
- Raw Data Storage
- Event Data
- Configuring Secondary Storage Locations
- Configuring Disk Space Usage
- Verifying and Downloading Raw Data Files
- Configuring Data Synchronization
- Viewing Primary and Secondary Storage Capacity
- Using Sequential-Access Storage for Long Term Data Storage
- Configuring Data Retention Policies
- Rules for Applying a Retention Policy
- Raw Data Retention Policy
- Event Data Retention Policies
- Data Deletion Policy for Traditional Storage
- Data Deletion Policy for Scalable Storage
- Re-indexing Event Data Partitions
- Overview
- Deciding When to Re-Index or Restore Data
- Scheduling Re-indexing
- Scheduling Re-indexing
- Re-indexing By Using the Web Interface (Online Mode)
- Re-Indexing in the Offline Mode
- Migrating Change Guardian Attachment Data
- Overview
- Deciding When to Migrate
- Scheduling Migration of Attachment Data
- Migration using Offline Tool
- Integrating with External Systems
- Configuring Actions
- Overview
- Understanding the Action Manager Interface
- Managing Actions
- Managing Action Plug-Ins
- Configuring Integrators
- Overview
- Managing Integrators
- Managing Integrator Plug-Ins
- Integrating Identity Information
- Overview
- Integration with Identity Management Systems
- Leveraging Identity Information
- Integrating Sentinel with ArcSight Intelligence
- Overview
- Data Ingestion to ArcSight Intelligence
- Retrieving Entity Information from ArcSight Intelligence
- Configuring Threat Intelligence Data Sources
- Adding Threat Intelligence Data Sources
- Understanding How Sentinel Processes Data
- Managing Feeds from Threat Intelligence Solution Pack
- Monitoring Your Network
- Configuring Data Federation
- Overview
- Configuring Servers for Data Federation
- Searching for Events
- Managing the Data Federation Search Results
- Viewing the Search Activities
- Running Reports
- Viewing Alerts
- Editing the Data Source Server Details
- Troubleshooting
- Visualizing IP Flow Communications
- Configuring IP Flow Data Collection
- Visualizing and Analyzing IP Flow Data
- Viewing Compliance to Configuration Policies
- Receiving Compliance Details from Secure Configuration Manager
- Viewing Change Guardian Events
- Configuring Alert Notifications
- Understanding Alerts
- Overview
- Configuring Alert Creation
- Visualizing and Analyzing Alerts
- Managing Alerts
- Managing Solution Packs
- Using Solution Packs
- Overview
- Solution Pack Components
- Using the Import Plug-In Wizard to Import a Solution Pack
- Using the Solution Manager
- Installing and Managing Solution Packs
- Installing an Edited Solution Pack
- Solution Designer
- Creating Solution Packs
- Accessing the Solution Designer
- Creating a Solution Pack
- Adding Content to a Solution Pack
- Initializing Dynamic Lists Through Solution Pack
- Documenting a Solution Pack
- Synchronizing Content
- Handling Inter-control Dependency
- Managing a Solution Pack
- Managing Your Sentinel Environment
- Managing Active Searches and Reports
- Monitoring the Events Per Second Rate
- Viewing the Operational EPS
- Viewing a Graphical Representation of the Events Per Second Rate
- Monitoring Sentinel Health
- Configuring Sentinel for High Availability
- Configuring Alert Generation
- Configuring the Report Retention Period
- Generating a Report in CSV and PDF Format
- Backing Up and Restoring Data
- Parameters for the Backup and Restore Utility Script
- Running the Backup and Restore Utility Script
- Restoring Dashboards After Restoring Data from a Different Sentinel Server
- Updating Sentinel Clients
- Customizing Sentinel Settings
- Customizing OpenSearch Settings in Traditional Storage
- Configuring the Number of Incidents to be Listed in the Incidents List
- Configuring the Number of Alert Trigger Events to be Attached with the Incident
- Optimizing the Operating System
- Configuring the Resources for Event Partition Compression
- Setting the Grace Period to Close Event Data Partitions
- Compressing the Storage Index on Primary Partition
- Configuring Memory for the Sentinel Server
- Setting the Raw Data Limit
- Configuring the Number of Trigger Events to be Associated with a Correlated Event
- Configuring the Number of Trigger Events to be Displayed in the Alert View
- Maintaining Custom Settings in XML Files
- Customizing the Default Search Field
- Configuring the Proxy Port
- Enabling the Use of Special Characters in Event Field Values
- Configuring the Number of User Identities to be Displayed for People Search
- Configuring the Report Generation Idle Timeout Period
- Customizing Incident Probability Refresh Interval
- Rebranding Reports
- Generating an Audit Event when a List Item Expires From a Dynamic List
- Appendix
- Command Line Utilities
- Managing the Sentinel Services
- Sentinel Scripts
- Running the Report Development Utility
- Getting the .jar Version Information
- Changing the Hostname of a Sentinel Server
- Importing or Exporting Event Association Data
- Managing the Internal Database
- Cleaning Up the Internal Database
- Managing the Sentinel Server
- Troubleshooting
- Mitre Fields Become Non-indexed Fields for Admin User in the alert.alert Index
- Collector Manager Logs Display the Copying back to Persist Queue Error
- Event Visualization Dashboards Take a Longer Time to Load Data
- Unable to View Alerts in the Dashboard and Alert Views
- Unable to Connect to Sentinel Agent Manager Database
- Customizing Logging Settings in Sentinel
- Customizing Logging Settings in OpenSearch
- Sentinel Control Center Does Not Launch When Identity Manager Designer is Installed on the Client Computer
- Error While Installing Correlation Rules
- Sentinel High Availability Installation in FIPS 140-2 Mode Displays an Error
- Sentinel Services Might Not Start Automatically After the Installation
- Sentinel Does Not Configure the Sentinel Appliance Network Interface By Default
- New Incoming Alerts Incorrectly Appear to be Selected When You Modify Existing Alerts
- Error When Configuring the NFS Storage After Upgrading Sentinel Appliance to Version 7.3 SP1 and Later
- Cannot Receive Events from Secure Configuration Manager After Upgrading Sentinel to Version 7.3 SP1 and Later
- Cannot Receive Events from Sentinel UNIX Agent 7.4 After Upgrading Sentinel to Version 7.3 SP1 and Later
- Cannot Create Reports by Using Sentinel SDK
- Data Synchronization Fails While Synchronizing IPv6 Addresses in Human Readable Format
- Mapping Conflict Warning in the OpenSearch dashboard Search
- Configuring Sentinel for Multitenancy
- Understanding MSSP Models
- Configuring Multitenancy
- Decommissioning Tenants
- Internal Audit Events
- Authentication Events
- User Management
- Event Router
- Event Source Management - General
- Event Source Management - Event Sources
- Event Source Management - Collectors
- Event Source Management - Event Source Servers
- Event Source Management - Connectors
- Data Objects
- Search
- Data Retention Policy
- Disk Usage Configuration
- Report Definitions and Report Results
- General
- Legal Notice