Method for automated SIEM custom correlation rule generation through interactive network visualization

US 10,404,751 B2
Filed: 04/21/2017
Issued: 09/03/2019
Est. Priority Date: 02/15/2017
Status: Active Grant

First Claim

Patent Images

1. A method for automated Security Information and Event Management (STEM) custom correlation rule generation, comprising:

receiving log data from a plurality of endpoints in a network;

receiving input data about the network from a user by;

providing one or more questions to the user as part of an installation process for a SIEM system, wherein the one or more questions relate to one or more of;

a network zone;

an endpoint in the network;

oran address; and

receiving the input data from the user in response to the one or more questions;

generating a preliminary visualization of the network based on the log data and the input data;

displaying the preliminary visualization to the user;

receiving drag-and-drop input from the user modifying one or more entities in the preliminary visualization;

generating, based on the preliminary visualization and the drag-and-drop input, a visualization of the network;

automatically generating, based on the visualization, one or more SIEM custom correlation rules;

receiving event data from the plurality of endpoints; and

applying the one or more SIEM custom correlation rules to the event data in order to determine whether to trigger one or more actions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure provides a dynamic method for automated Security Information and Event Management (SIEM) custom correlation rule generation through the use of an interactive network visualization. The visualization is based on log data received from network endpoints and inputs received from a user, and is provided to the user for feedback before the SIEM custom correlation rules are automatically generated based on the visualization. The automatically generated SIEM custom correlation rules are then used to determine whether to trigger actions based on event data received from the network endpoints.

10 Citations

20 Claims

1. A method for automated Security Information and Event Management (STEM) custom correlation rule generation, comprising:
- receiving log data from a plurality of endpoints in a network;
  
  receiving input data about the network from a user by;
  
  providing one or more questions to the user as part of an installation process for a SIEM system, wherein the one or more questions relate to one or more of;
  
  a network zone;
  
  an endpoint in the network;
  
  oran address; and
  
  receiving the input data from the user in response to the one or more questions;
  
  generating a preliminary visualization of the network based on the log data and the input data;
  
  displaying the preliminary visualization to the user;
  
  receiving drag-and-drop input from the user modifying one or more entities in the preliminary visualization;
  
  generating, based on the preliminary visualization and the drag-and-drop input, a visualization of the network;
  
  automatically generating, based on the visualization, one or more SIEM custom correlation rules;
  
  receiving event data from the plurality of endpoints; and
  
  applying the one or more SIEM custom correlation rules to the event data in order to determine whether to trigger one or more actions.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - receiving changes to the visualization from the user;
      
      generating an updated visualization based on the changes; and
      
      automatically updating the one or more SIEM custom correlation rules based on the updated visualization.
  - 3. The method of claim 2, wherein the drag-and-drop input and the changes are provided by the user through a graphical user interface.
  - 4. The method of claim 1, wherein the input data comprises one or more of:
    - an IP address of a network device;
      
      network zone information; and
      
      network host information.
  - 5. The method of claim 1, wherein the log data from an endpoint of the plurality of endpoints comprises one or more of:
    - a source IP address of incoming traffic at the endpoint;
      
      a destination IP address of outgoing traffic from the endpoint;
      
      a source port of incoming traffic at the endpoint;
      
      a destination port of outgoing traffic from the endpoint; and
      
      identifying information of one or more applications executing on an endpoint of the plurality of endpoints.
  - 6. The method of claim 1, wherein the input data comprises an indication that an IP address belongs to a suspicious entity.
  - 7. The method of claim 1, wherein the one or more actions comprise generating at least one of:
    - an alert; and
      
      a notification.

8. A system comprising:
- one or more processors; and
  
  memory storing one or more applications that, when executed on the one or more processors, perform a method for automated Security Information and Event Management (STEM) custom correlation rule generation, comprising;
  
  receiving log data from a plurality of endpoints in a network;
  
  receiving input data about the network from a user by;
  
  providing one or more questions to the user as part of an installation process for a SIEM system, wherein the one or more questions relate to one or more of;
  
  a network zone;
  
  an endpoint in the network;
  
  oran address; and
  
  receiving the input data from the user in response to the one or more questions;
  
  generating a preliminary visualization of the network based on the log data and the input data;
  
  displaying the preliminary visualization to the user;
  
  receiving drag-and-drop input from the user modifying one or more entities in the preliminary visualization;
  
  generating, based on the preliminary visualization and the drag-and-drop input, a visualization of the network;
  
  automatically generating, based on the visualization, one or more STEM custom correlation rules;
  
  receiving event data from the plurality of endpoints; and
  
  applying the one or more SIEM custom correlation rules to the event data in order to determine whether to trigger one or more actions.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the method further comprises:
    - receiving changes to the visualization from the user;
      
      generating an updated visualization based on the changes; and
      
      automatically updating the one or more SIEM custom correlation rules based on the updated visualization.
  - 10. The system of claim 9, wherein the drag-and-drop input and the changes are provided by the user through a graphical user interface.
  - 11. The system of claim 8, wherein the input data comprises one or more of:
    - an IP address of a network device;
      
      network zone information; and
      
      network host information.
  - 12. The system of claim 8, wherein the log data from an endpoint of the plurality of endpoints comprises one or more of:
    - a source IP address of incoming traffic at the endpoint;
      
      a destination IP address of outgoing traffic from the endpoint;
      
      a source port of incoming traffic at the endpoint;
      
      a destination port of outgoing traffic from the endpoint; and
      
      identifying information of one or more applications executing on an endpoint of the plurality of endpoints.
  - 13. The system of claim 8, wherein the input data comprises an indication that an IP address belongs to a suspicious entity.
  - 14. The system of claim 8, wherein the one or more actions comprise generating at least one of:
    - an alert; and
      
      a notification.

15. A non-transitory computer-readable storage medium containing instructions that, when executed by one or more processors, perform a method for automated Security Information and Event Management (STEM) custom correlation rule generation, comprising:
- receiving log data from a plurality of endpoints in a network;
  
  receiving input data about the network from a user by;
  
  providing one or more questions to the user as part of an installation process for a SIEM system, wherein the one or more questions relate to one or more of;
  
  a network zone;
  
  an endpoint in the network;
  
  oran address; and
  
  receiving the input data from the user in response to the one or more questions;
  
  generating a preliminary visualization of the network based on the log data and the input data;
  
  displaying the preliminary visualization to the user;
  
  receiving drag-and-drop input from the user modifying one or more entities in the preliminary visualization;
  
  generating, based on the preliminary visualization and the drag-and-drop input, a visualization of the network;
  
  automatically generating, based on the visualization, one or more STEM custom correlation rules;
  
  receiving event data from the plurality of endpoints; and
  
  applying the one or more SIEM custom correlation rules to the event data in order to determine whether to trigger one or more actions.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the method further comprises:
    - receiving changes to the visualization from the user;
      
      generating an updated visualization based on the changes; and
      
      automatically updating the one or more SIEM custom correlation rules based on the updated visualization.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the drag-and-drop input and the changes are provided by the user through a graphical user interface.
  - 18. The non-transitory computer-readable storage medium of claim 15, wherein the input data comprises one or more of:
    - an IP address of a network device;
      
      network zone information; and
      
      network host information.
  - 19. The non-transitory computer-readable storage medium of claim 15, wherein the log data from an endpoint of the plurality of endpoints comprises one or more of:
    - a source IP address of incoming traffic at the endpoint;
      
      a destination IP address of outgoing traffic from the endpoint;
      
      a source port of incoming traffic at the endpoint;
      
      a destination port of outgoing traffic from the endpoint; and
      
      identifying information of one or more applications executing on an endpoint of the plurality of endpoints.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein the input data comprises an indication that an IP address belongs to a suspicious entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Rajkumar, Vishal
Primary Examiner(s)
Giddins, Nelson

Application Number

US15/493,308
Publication Number

US 20180234457A1
Time in Patent Office

865 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0631   using root cause analysis; ...

H04L 41/0654   using network fault recover...

H04L 41/0816   the condition being an adap...

H04L 41/0876   Aspects of the degree of co...

H04L 41/0889   Techniques to speed-up the ...

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Method for automated SIEM custom correlation rule generation through interactive network visualization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method for automated SIEM custom correlation rule generation through interactive network visualization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links