Sentinel 8 Enterprise Administration
Course 3159

This course covers Sentinel 8 Enterprise Administration, including scalable storage.


Course Information

Delivery Method: Self-Study Kit

Course Duration: 4 days

Course Level: Beginner

Key Objectives

After completing this course, you will be able to:

  • Understand the dataflow of Sentinel
  • Discuss the different installation types
  • Define the several different types of use cases
  • List the new features of version 8.0
  • Discuss the latest license agreement type
  • List the data sources and data flow
  • Discuss factors of Sentinel sizing related to various networks
  • Create active views and apply filters in the control center
  • Understand the parameters of active views
  • Create event views and apply filters in the web UI
  • Create Users and Roles
  • Set LDAP Settings
  • Define Security
  • Set up Active User Sessions
  • Discuss Internal Data Stores
  • Define Data Retention
  • Discuss Remote Storage
  • Use the Event Source Management (ESM) user interface
  • Create an event source
  • Perform a Running Search
  • Define Search Filters
  • Define Report Definitions
  • Perform a Distributed Search
  • Discuss White Label Template
  • Understand the parameters of event views
  • Discuss Correlated Event Output
  • Discuss Correlation Wizard
  • Define Correlation Logic
  • Create Correlations
  • List Constructs and Operators
  • Create Actions
  • Add an Action to a Correlation
  • Discuss Action panels
  • Define Action Execution Criteria
  • Understand Incident Management
  • Create a new incident
  • Review a new incident
  • Discuss iTRAC
  • Define Process and Work Management
  • List the iTRAC life cycle (steps and transitions)
  • Define Role Management
  • Discuss the differences between a Managed and an Unmanaged Windows Agent
  • Define Central Computer and Discovery rules
  • Discuss the Windows Agent Administrator (Wizard)
  • Define Data Mapping
  • Describe how to Add a Map
  • Discuss Meta-tag References
  • Perform an Anomaly Setup
  • Define Alerts
  • Discuss Role-based Access Control (RBAC)
  • Define Alert Creation
  • Discuss Real-time Alert Views
  • Define Alert Dashboards
  • Define NetFlow
  • Discuss NetFlow User Proxy
  • Install the NetFlow Collector
  • Discuss Trend Analysis
  • Create a Baseline
  • Discuss Anomaly Detection

Audience Summary

The course is designed for Sentinel administrators and support personnel familiar with Windows, Domain Controllers, and Networking.

Course Outline

Module 1: What is Sentinel?

  • Architecture
  • Markets
  • Sentinel Log Manager
  • Security Event and Incident Management
  • Use Cases
  • Sentinel 8.0 Updates
  • Licensing Updates
  • Instructor Demonstration

Module 2: Planning

  • Data Sources and Flow
  • High Availability
  • Sizing

Module 3: Installation

  • Installation Options
  • Open Virtualization Format (OVF) and Appliance Updates
  • Steps for Installation Demo
  • Installation Lab

Module 4: Event Views

  • Active Views
  • Event Views
  • Active Views Demonstration
  • Lab: Active Views and Event Views

Module 5: Setting Up Users

  • Configuring LDAP
  • Configuring User Security
  • Configuring Password Complexity
  • Viewing Active User Sessions
  • Setting Up Users Demo
  • Setting Up Users Lab

Module 6: Storage

  • Internal Data Stores
  • Data Retention
  • Remote Configuration
  • Storage Demo
  • Storage Lab

Module 7: Event Collection

  • Event Source Management (ESM) Interface
  • ESM Components
  • Creating an Event Source
  • Event Source Management Demo
  • Event Source Management Lab

Module 8: Searching and Reporting

  • Running a Search
  • Search Filters
  • Running a Report
  • Scheduling a Report
  • Report Definitions
  • Distributed Search
  • White Label Template
  • Searching and Reporting Demo
  • Searching and Reporting Lab

Module 9: Multitenancy

  • Managed Security Service Providers
  • Multitenancy
  • MSSP Enhancements
  • Tenant
  • Multitenancy Demo

Module 10: Correlation

  • Correlated Event Output
  • Creating Correlations
  • Constructs
  • Correlation Demo
  • Correlation Lab

Module 11: Taking Action on Events

  • Creating Actions
  • Taking Action
  • Actions Panel
  • Taking Actions on Events Demo
  • Taking Actions on Events Lab

Module 12: Incident Response

  • iTRAC
  • Process Management
  • Incident Response Demo
  • Incident Response Lab

Module 13: Sentinel Agent Manager (SAM)

  • Windows Agent
  • Central Computers & Discovery Rules
  • Windows Agent Administrator
  • Sentinel Agent Manager Demo
  • Sentinel Agent Manager Lab

Module 14: Adding Event Context

  • Adding Event Context Demo
  • Adding Event Context Lab

Module 15: Security Intelligence

  • Trend Analysis
  • Baseline
  • Anomaly Detection
  • Security Intelligence in 7.4
  • Security Intelligence Lab

Module 16: Alerts

  • Alerts
  • Alert Dashboards
  • Investigating Alerts Demo
  • Investigating Alerts Lab

Module 17: NetFlow

  • NetFlow
  • Real-Time Monitoring
  • Moving Updates

Module 18: Anomaly Setup

  • Anomaly Setup Lab

Module 19: Scalable Storage

  • High Level Design
  • Installation and Configuration
  • Sentinel Scalable Data Manager
  • Role-Based Access Control
  • Event Visualization
  • Sizing and Hardware Recommendations

Course Prerequisites

Prerequisites are an understanding of Windows, Networking, and Active Directory.