Sentinel Reviews

NetIQ Sentinel is a security information and event management tool that makes up part of our security solution. We are in the process of migrating to a new solution.

The use cases that it was made for, such as server monitoring, worked very well.

Frankly speaking, we did not find this product to be valuable, at all.

You need a lot of Unix scripting knowledge in order to manage the tool, which is one of the main issues that we faced.

When we integrated with other log management solutions, the password was not there. We also found it very difficult to create a custom password and in the end, we didn't succeed.

Trying to do something new, outside of use cases like server monitoring, was difficult and we could not do much.

I have been working with NetIQ Sentinel for almost two years.

The stability is phenomenal and we never had any issues with downtime or even had to restart.

This product did not scale for us. I'm not saying that it was a problem with the product but we had trouble finding the skills and knowledge required for this tool. As our environment started growing, we had to buy new tools.

We have had a lot of problems and Micro Focus technical support was not able to help us. They may have different levels of support packages available, but in our experience, we had to write two or three emails back and forth before we got anything reasonable in response. With other vendors, we have a technical account manager that we can reach out to when we are having problems. This is completely missing in NetIQ Sentinel.

We are currently in the process of migrating from NetIQ Sentinel to IBM QRadar.

This product had been implemented by somebody else a few years ago, before I joined the company.

We are a small company with an in-house technical services team.

We inquired about getting support from the vendor, Micro Focus, but the cost was very high.

Whether I would recommend this solution to anyone would depend on their environment. Maybe if they have a hybrid cloud environment then they would not have faced the challenges that we did. As it was on-premises and completely owned by us, we had a lot of trouble with managing the tool. Once it is running, it runs well, but when it comes to adding new devices to it, we always faced issues.

I would rate this solution a six out of ten.

On-premises

Sentinel has improved the user experience inside. It is easier to create queries. 

The most valuable feature is the flexible log for identifying security threats inside an application. Sentinel is very good at this. 

The dashboard and customer view should be improved

In the next release, I would like for there to be monitoring inside the sentinel.

I have used NetIQ for 18 months.

Stability is very good.

Scalability is very good.

Their customer support is very good. 

The initial setup was very easy. It took around one or two weeks.

I would rate NetIQ a ten out of ten. 

Public Cloud

Amazon Web Services (AWS)

The query tool of the web UI is so cool! (Lucene-based, filters-based on taxonomy). The web interface gives you the ability to design, at query time, a simple report on the fly.

Support from provider its great, good experience with helpdesk.

Sentinel can help our customers meet PCI, and other requirements based on the reporting and control of related components. Questions like "who has access to that asset" and "who had access in such and such moment" can be solved quickly.

The Java desktop tool and the WMI integration (WECS server architecture).

The integration UI and modules deployment can improve.
In my opinion, the web interface can manage all the functionalities and configurations; no Java desktop app is necessary.

The Java app functions can be migrated to the web interface.
On the other hand, WMI integration, can be improved by removing the WECS collector. Sentinel Node can include all the functions. If an escenary needs more power, just deploy another Sentinel node (all in one) that can help in multiples use cases, not just WECS.

RAM consumition... some JRE problems.. but nothing that cannot be fixed by IT (for example file descriptor limits for Java).

As part of my work, I’m responsible for deployment, tuning, integrating, and using Sentinel for bank projects.
Reporting IDE environments and processes is hard to take responsibility for, but not impossible.
Some functions look great but, in practice, some key limitations turn the process into something opaque.

Java needs a lot of RAM!! Some queries (if you're not careful) can consume lots of memory and destabilize the instance of the product (or OS platform, including RHEL).

We have not had scalability issues. Storage retention policies and schema, online and offline, are very nice.
If Sentinel is integrated with Identity Manager and User Application Portal, the solution runs simply perfect!

In my experience, support really rocks it! I had an opportunity to meet great people, very human and engineers.

Yes.. sure... Syslog!!
SIEM is not a simple logging tool. The big clients (banks, big industries, government, etc.) need a solution according their size.

Just follow the manuals after reading them. Linux knowledge helps, be cause Linux opens your hard mind. It is complex for mortals, familiar for "Linuxers".

Sentinel is not for home use. Others versions are available by the same vendor, like Sentinel Rapid Deployment or Reporting Module that are offered for different needs. In other words, if price is a problem, go open source, not world class tool like Sentinel. NetIQ offers nice licence packages that can adjust better for some clients.

RSA Security Analytics was an option, but as part of NetIQ/Novell Identity Manager Deployment we prefer NetIQ SIEM Tools (integrations capabilities). It depends client needs whether another solution, like RSA Analytics, is the appropriate.

Be careful with requirements, production resources are really needed. Be clear with objectives, and test it before use. Understanding SIEM concepts is basically the goal.

<ul> <li>Correlation Engine simpleness</li> <li>Visual agent deployment</li> <li>Stream based solution performed by iscale bus (no latency due to the database layer) </li> </ul>

<ul> <li>Better security incident analysis</li> <li>New scopes for security events and correlation</li> <li>Better performances on device failures actions</li> </ul>

<ul> <li>Correlation Engine</li> <li>Device support</li> <li>Agent development flexibility</li> </ul>

I worked on version 5 and then 6 for a total of 6 years. My personal score is 4 stars based on my experience with the latest version I worked on (probably version 7 should be much more better.)

On version 5, builder was somewhat unstable during deployment -> workaround strong procedure with too many middle steps of saves.

The wizard agent module is very sensible to network changes and needs a restart on every network change (versions 5 and 6).

I have not seen any issues with scalability.

I had another SIEM installation (nFX) working for another application domain.

Complex but mainly because of all the network variables we had. Imagine to map firewalls rules passively and then request the ability from an external group not really involved in the installation.

Actually we were the system integrator and we provided a large enterprise solution.

Novell SIEM was my second technology of this kind. Previously I experienced the nFX and later even the McAfee ESM and the Splunk ES.

Be aware that without any technical support from NetIQ it could be very hard to administer.

Primarily, I used a NetIQ Sentinel when I worked as a Security Analyst as a tool to collecting and filtering-out logs in order to investigating whether there's something "interesting" i.e. samples of real attack or malware activities. Sentinel is tool that if it's well configured, it remove from view all unnecessary information like logs about that the user opened a window in the system and shows you only needful entries. It removes data that can obscure your perspective and mislead in investigation.

Later, I used a NetIQ Sentinel more "administratively", which means that I created/remove/change a new event source and/or also investigate why they hasn't sent anything to log collector. I can tell that from administration perspective the interface of Sentinel is also very simple to operate and navigate. When interface is intuitive as in case of Sentinel, there's no need a special effort to done your job faster, convenient and with high performance.

Anomaly dashboards, search/filters features.

Anomaly dashboard provides possibility to find 0-day attacks. This feature is built based on the second-search/filters. It's great and very useful, because I would first find out if search/filter can give me the data that I needed. If not, I have possibility to change it, e.g. using regex or do search/filter fine-tuning. And when I have search/filter tested and know that it will catch information that I want see on chart, then I implement search/filter in new Anomaly dashboard.

The great idea is also fact that I can receive anomaly alerts via email. I don't need to watch charts all the time.

For example, from version 7.1 the company where I worked started using an anomaly dashboards. It very convenient, because SOC could and can react on possible attack, which are not seen in alerts made by rules. As I said before, anomaly dashboards can help detect a type of attacks called 0-day attacks. 0-day attack is threat haven't categorized as an attack yet and because of that there is no patch or solution, because it's unknown for systems like IDS/IPS.

I would prefer to extend dashboards part and their functions in Web GUI version, so the charts could be for configurable.

Yes, it has.

~240 mln.

One and a half of year.

No.

No.

8/10.

No.

We are using this solution for logging.

Our environment is an on-premises deployment.

We have a regular database to audit and this solution is able to lock the audit data.

The most valuable feature of this solution is that it provides a central locking system for many event sources.

The web interface needs to be improved, as it has a java-based way to call its controls.

There is no integration in the web-side of the tool.

It is an important requirement to be able to develop collectors because the tool does not provide a portfolio of collectors for systems or devices.

We have been using this solution for approximately fifteen years.

The stability of this tool is good, and we haven't had a big crash.

It is not easy to scale the tool. In the live version, you have the usability tool that is the scaling version of Sentinel, but we do not use it. We have about one hundred people using this solution who feed events into Sentinel to look for anomalies in the database audits.

Technical support for this solution is good.

We did not use another solution prior to this one.

This solution is easy to install. Our initial deployment took approximately three months.

There are a team of four people who maintain this solution.

We used a consultant from NetIQ to assist with our deployment and it was a good experience.

We evaluated three other tools in addition to this one. They were Splunk, ArcSight, and Elasticsearch.  

We are planning on changing tools.

I would rate this solution a four out of ten.

Scalability is the best feature.

It provides real time security event analytics.

Take a look at other vendors like LogRhythm. They are light years ahead of where this product is.

I have used this solution for seven years.

We did have issues with stability. Java is not stable.

We did not have scalability issues.

Support is good, but only for backend support. Both Level-1 and Level-2 support teams are terrible.

We did not have a previous solution.

The setup was complex.

It's probably not a product that I would recommend to anyone.

We did not evaluate other options.

The amount of time spent implementing this solution, tweaking it to suit our needs, and then maintaining it, ended up being the same as building one from scratch, using something like ELK.

Correlation rules - The correlation engine allows our clients to generate rules more efficiently. For example: the company has a policy which said that all connections to the databases can only be done by internal connection. So you can correlate the VPN logs, FW logs, dB logs to alert when this policy has been breached.

Detection of unauthorised access to systems.

10 years

I haven't encountered any issues with deployment

I haven't encountered any issues with stability

I haven't encountered any issues with scalability

Customer Service: Our clients have told us that they like their customer service.Technical Support: I provided technical support to LATAM.

Initial setup was straightforward

I was the implementer

Prepare a plan for short, medium and large implementation. Start with the simple, like so: FW, routers, etc., then move to more complex ones like applications in house.