NetIQ Sentinel v7.1
Strengths: A good set of compliance reports, and integration with other products.
Weaknesses: Unclear extra fees and some difficulty knowing how to use filters.
Verdict: This is a good, industrial-strength product.
NetIQ's SIEM helps to quickly identify and respond to threats and to simplify management and compliance reporting. It delivers scalable log collection, aggregation, correlation, analysis and reporting capabilities through flexible deployment options. Events are collected, securely transmitted to a Sentinel server, parsed, normalized, tagged and then routed for correlation and archiving. The log archive is a compressed, high-performance, two-tier file store. Policies allow important and frequently queried information to be stored on expensive, higher-performing disks and less critical information on inexpensive remote storage. Sentinel provides seamless reporting across these stores to address log-retention requirements with online storage. Log archive components can be deployed in a federated model to address regulatory, political and network-connectivity constraints. The offering includes a set of out-of-the-box reports and report templates.
Analysis of events is provided through anomaly detection, threat correlation and dynamic search. Correlation rules and baselines are created by dragging and dropping event fields into selection boxes. Correlation rules are written against normalized, cross-platform fields, removing the need for deep expertise in the event types of each event source. Sentinel also supports user-activity monitoring, allowing reviewers to examine activity in the context of the user involved and their role in the organization. To identify threats, Sentinel Advisor correlates information from IPS/IDS systems against known vulnerabilities. When an incident is identified, the organization can manage it within an incident-handling process that integrates with third-party or custom systems, such as ticketing systems.
Documentation came on a USB drive. The virtual appliance that was to be used to install the product was not on the USB device. The support rep verified this and recommended we use the company's cloud solution. Reviewing the documents supplied by NetIQ made it clear that the standard installation and configuration would be an easy task. For an evaluation, the minimum system requirements can typically be met by a virtual machine on a laptop. Depending on the scope of the evaluation and the events-per-second (EPS) rate and storage needs, a similar approach could be used. Sentinel documentation describes a minimum configuration as a single server with four cores, 500GB disk and 6GB RAM.
Support includes several options, and for some packages it was difficult for us to determine the actual services and fee schedules. NetIQ recommends that potential users go to its website for more information. The following information is summarized to try to clarify what is provided. All packages have access to phone and email support, the company's website resources, a knowledge base and a FAQ list.
Basic no-cost support is offered. Options include access to the product knowledge base and support forums, with access to online documentation. Standard maintenance provides 12/5 support. The fees vary depending on the customer contract. Multiple options for fee-based assistance are available. Priority maintenance provides 24/7 support in addition to standard maintenance.
The overall value for the money spent was good.