Sentinel Reviews

Primarily, I used a NetIQ Sentinel when I worked as a Security Analyst as a tool to collecting and filtering-out logs in order to investigating whether there's something "interesting" i.e. samples of real attack or malware activities. Sentinel is tool that if it's well configured, it remove from view all unnecessary information like logs about that the user opened a window in the system and shows you only needful entries. It removes data that can obscure your perspective and mislead in investigation.

Later, I used a NetIQ Sentinel more "administratively", which means that I created/remove/change a new event source and/or also investigate why they hasn't sent anything to log collector. I can tell that from administration perspective the interface of Sentinel is also very simple to operate and navigate. When interface is intuitive as in case of Sentinel, there's no need a special effort to done your job faster, convenient and with high performance.

Anomaly dashboards, search/filters features.

Anomaly dashboard provides possibility to find 0-day attacks. This feature is built based on the second-search/filters. It's great and very useful, because I would first find out if search/filter can give me the data that I needed. If not, I have possibility to change it, e.g. using regex or do search/filter fine-tuning. And when I have search/filter tested and know that it will catch information that I want see on chart, then I implement search/filter in new Anomaly dashboard.

The great idea is also fact that I can receive anomaly alerts via email. I don't need to watch charts all the time.

For example, from version 7.1 the company where I worked started using an anomaly dashboards. It very convenient, because SOC could and can react on possible attack, which are not seen in alerts made by rules. As I said before, anomaly dashboards can help detect a type of attacks called 0-day attacks. 0-day attack is threat haven't categorized as an attack yet and because of that there is no patch or solution, because it's unknown for systems like IDS/IPS.

I would prefer to extend dashboards part and their functions in Web GUI version, so the charts could be for configurable.

Yes, it has.

~240 mln.

One and a half of year.

No.

No.

8/10.

No.

Sentinel's GUI design is similar to Microsoft Windows. If you are comfortable with using Windows, you will be comfortable using Sentinel because their icons are similar. Sentinel's integration is pretty easy.

Sentinel's management is very easy because Microsoft guides everything through icons, design, and documentation. The solution's model is pretty good. The solution's Kusto Query Language (KQL) execution time is pretty good.

One good thing I like about Sentinel is its automation. You can automatically respond to the incident via the logic app. You don't need to know about coding and complexity. Everyone who uses Sentinel in my circle has been praising the solution.

Creating a drag-and-drop dashboard or workbook in Sentinel is a little more complex compared to other tools like LogRhythm and IBM QRadar.

I have been working with Sentinel for almost three years.

Sentinel is a very, very scalable solution. People are now migrating towards Sentinel. Around seven to eight of our customers are using Sentinel.

Since Sentinel is under Microsoft's management, they are responsible for scaling the solution. Sentinel is very scalable. It will automatically scale up, and it will automatically scale down when there is no requirement.

Sometimes, you come across people unfamiliar with the solution, but most of the time, Microsoft support is pretty good.

Sentinel's initial setup is not very easy. You will have to perform some steps, but everything is guided properly. They will tell you what is your next step.

It is a little bit complex when it comes to custom integrations, and you need to understand a little bit of Azure architecture to meet those integrations. However, it is easier for basic integration with well-known devices like Windows and Linux.

I haven't been in those situations where I had to deploy Sentinel, but I know from experience that deploying the solution will take one to two days.

You have to buy your subscription on Azure since it's a cloud-based solution. After getting your subscription, you will need to make sure that you are also subscribing to Sentinel Service, which is on Azure.

Then, you have to create the log analytics workspace, include that workspace under the subscription, and start integrating the log sources via data connectors. You will see those logs in the Sentinel. It takes 15 to 20 minutes to get your Sentinels, and then you can use those data connectors to integrate the logs.

Sentinel is a subscription-based solution. You will have to pay weekly or monthly costs based on your deal with your Azure cloud provider.

Sentinel is a cloud-based solution.

I would recommend users to use Sentinel. If users are paying for the service, they should make sure to use each and everything they know about it. Users should not pay for things that they are not using. Sentinel has a lot of potential that people don't know.

Overall, I rate Sentinel eight and a half out of ten.

<ul> <li>Correlation Engine simpleness</li> <li>Visual agent deployment</li> <li>Stream based solution performed by iscale bus (no latency due to the database layer) </li> </ul>

<ul> <li>Better security incident analysis</li> <li>New scopes for security events and correlation</li> <li>Better performances on device failures actions</li> </ul>

<ul> <li>Correlation Engine</li> <li>Device support</li> <li>Agent development flexibility</li> </ul>

I worked on version 5 and then 6 for a total of 6 years. My personal score is 4 stars based on my experience with the latest version I worked on (probably version 7 should be much more better.)

On version 5, builder was somewhat unstable during deployment -> workaround strong procedure with too many middle steps of saves.

The wizard agent module is very sensible to network changes and needs a restart on every network change (versions 5 and 6).

I have not seen any issues with scalability.

I had another SIEM installation (nFX) working for another application domain.

Complex but mainly because of all the network variables we had. Imagine to map firewalls rules passively and then request the ability from an external group not really involved in the installation.

Actually we were the system integrator and we provided a large enterprise solution.

Novell SIEM was my second technology of this kind. Previously I experienced the nFX and later even the McAfee ESM and the Splunk ES.

Be aware that without any technical support from NetIQ it could be very hard to administer.

Sentinel has improved the user experience inside. It is easier to create queries. 

The most valuable feature is the flexible log for identifying security threats inside an application. Sentinel is very good at this. 

The dashboard and customer view should be improved

In the next release, I would like for there to be monitoring inside the sentinel.

I have used NetIQ for 18 months.

Stability is very good.

Scalability is very good.

Their customer support is very good. 

The initial setup was very easy. It took around one or two weeks.

I would rate NetIQ a ten out of ten. 

Public Cloud

Amazon Web Services (AWS)

The query tool of the web UI is so cool! (Lucene-based, filters-based on taxonomy). The web interface gives you the ability to design, at query time, a simple report on the fly.

Support from provider its great, good experience with helpdesk.

Sentinel can help our customers meet PCI, and other requirements based on the reporting and control of related components. Questions like "who has access to that asset" and "who had access in such and such moment" can be solved quickly.

The Java desktop tool and the WMI integration (WECS server architecture).

The integration UI and modules deployment can improve.
In my opinion, the web interface can manage all the functionalities and configurations; no Java desktop app is necessary.

The Java app functions can be migrated to the web interface.
On the other hand, WMI integration, can be improved by removing the WECS collector. Sentinel Node can include all the functions. If an escenary needs more power, just deploy another Sentinel node (all in one) that can help in multiples use cases, not just WECS.

RAM consumition... some JRE problems.. but nothing that cannot be fixed by IT (for example file descriptor limits for Java).

As part of my work, I’m responsible for deployment, tuning, integrating, and using Sentinel for bank projects.
Reporting IDE environments and processes is hard to take responsibility for, but not impossible.
Some functions look great but, in practice, some key limitations turn the process into something opaque.

Java needs a lot of RAM!! Some queries (if you're not careful) can consume lots of memory and destabilize the instance of the product (or OS platform, including RHEL).

We have not had scalability issues. Storage retention policies and schema, online and offline, are very nice.
If Sentinel is integrated with Identity Manager and User Application Portal, the solution runs simply perfect!

In my experience, support really rocks it! I had an opportunity to meet great people, very human and engineers.

Yes.. sure... Syslog!!
SIEM is not a simple logging tool. The big clients (banks, big industries, government, etc.) need a solution according their size.

Just follow the manuals after reading them. Linux knowledge helps, be cause Linux opens your hard mind. It is complex for mortals, familiar for "Linuxers".

Sentinel is not for home use. Others versions are available by the same vendor, like Sentinel Rapid Deployment or Reporting Module that are offered for different needs. In other words, if price is a problem, go open source, not world class tool like Sentinel. NetIQ offers nice licence packages that can adjust better for some clients.

RSA Security Analytics was an option, but as part of NetIQ/Novell Identity Manager Deployment we prefer NetIQ SIEM Tools (integrations capabilities). It depends client needs whether another solution, like RSA Analytics, is the appropriate.

Be careful with requirements, production resources are really needed. Be clear with objectives, and test it before use. Understanding SIEM concepts is basically the goal.

Scalability is the best feature.

It provides real time security event analytics.

Take a look at other vendors like LogRhythm. They are light years ahead of where this product is.

I have used this solution for seven years.

We did have issues with stability. Java is not stable.

We did not have scalability issues.

Support is good, but only for backend support. Both Level-1 and Level-2 support teams are terrible.

We did not have a previous solution.

The setup was complex.

It's probably not a product that I would recommend to anyone.

We did not evaluate other options.

The amount of time spent implementing this solution, tweaking it to suit our needs, and then maintaining it, ended up being the same as building one from scratch, using something like ELK.

We are using this solution for logging.

Our environment is an on-premises deployment.

We have a regular database to audit and this solution is able to lock the audit data.

The most valuable feature of this solution is that it provides a central locking system for many event sources.

The web interface needs to be improved, as it has a java-based way to call its controls.

There is no integration in the web-side of the tool.

It is an important requirement to be able to develop collectors because the tool does not provide a portfolio of collectors for systems or devices.

We have been using this solution for approximately fifteen years.

The stability of this tool is good, and we haven't had a big crash.

It is not easy to scale the tool. In the live version, you have the usability tool that is the scaling version of Sentinel, but we do not use it. We have about one hundred people using this solution who feed events into Sentinel to look for anomalies in the database audits.

Technical support for this solution is good.

We did not use another solution prior to this one.

This solution is easy to install. Our initial deployment took approximately three months.

There are a team of four people who maintain this solution.

We used a consultant from NetIQ to assist with our deployment and it was a good experience.

We evaluated three other tools in addition to this one. They were Splunk, ArcSight, and Elasticsearch.  

We are planning on changing tools.

I would rate this solution a four out of ten.

Correlation rules - The correlation engine allows our clients to generate rules more efficiently. For example: the company has a policy which said that all connections to the databases can only be done by internal connection. So you can correlate the VPN logs, FW logs, dB logs to alert when this policy has been breached.

Detection of unauthorised access to systems.

10 years

I haven't encountered any issues with deployment

I haven't encountered any issues with stability

I haven't encountered any issues with scalability

Customer Service: Our clients have told us that they like their customer service.Technical Support: I provided technical support to LATAM.

Initial setup was straightforward

I was the implementer

Prepare a plan for short, medium and large implementation. Start with the simple, like so: FW, routers, etc., then move to more complex ones like applications in house.