Alerts based on entities in security information and event management products
First Claim
1. A computer-implemented method, comprising:
- executing an enterprise threat detection (ETD) pattern against received log event data from one or more computing systems;
- determining, using the ETD pattern, that an event threshold has been exceeded;
- determining affected entities associated with an alert created based on the exceeded threshold, the alert comprising information accumulated for the affected entities;
- calculating, at runtime, a severity value of the alert relative to the ETD pattern for each determined entity associated with the alert, the severity value being associated with one or more activity types included in the received log event data;
- receiving a selection of a determined entity on which to perform mitigation action activities;
- writing mitigation action activities associated with the determined entity into an activity record data record;
- closing a mitigation action activity on the determined entity;
- determining that all mitigation action activities associated with all entities related to the created alert have been closed; and
- closing the created alert.
Abstract
An enterprise threat detection (ETD) pattern is executed against received log event data from one or more computing systems. Using the ETD pattern, an event threshold is determined to have been exceeded. Entities associated with an alert created based on the exceeded threshold are determined and, at runtime, a severity value is calculated for each determined entity associated with the alert. A selection is received of a determined entity on which to perform mitigation action activities. Mitigation action activities associated with the determined entity are written into an activity record data record. A mitigation action activity is closed on the determined entity and a determination performed that all mitigation action activities associated with all entities related to the created alert have been closed. The created alert is closed.
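The alert lifecycle the abstract describes (pattern execution, threshold check, per-entity accumulation, runtime severity, mitigation activity records, alert closure) as an added illustration in Python; this is not code from the patent or its assignee, and the event fields, the pattern structure and the activity weights are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed sample log events; 'user' and 'system' are the entities.
EVENTS = [
    {"user": "alice", "system": "erp01", "activity": "logon_failed"},
    {"user": "alice", "system": "erp01", "activity": "logon_failed"},
    {"user": "alice", "system": "erp01", "activity": "logon_failed"},
    {"user": "bob",   "system": "erp02", "activity": "logon_failed"},
    {"user": "bob",   "system": "erp02", "activity": "privilege_change"},
    {"user": "carol", "system": "erp01", "activity": "logon_ok"},
]

# Hypothetical ETD pattern: activity types it matches, an event threshold,
# and per-activity weights used for the runtime severity calculation.
PATTERN = {
    "name": "suspicious_logon_activity",
    "activities": {"logon_failed": 1, "privilege_change": 3},
    "threshold": 3,
}

@dataclass
class Alert:
    pattern: str
    entities: dict = field(default_factory=dict)    # entity -> activity types seen
    activities: dict = field(default_factory=dict)  # entity -> {mitigation: closed?}
    closed: bool = False

def execute_pattern(pattern, events):
    """Run the pattern; return an Alert only when the event threshold is exceeded."""
    hits = [e for e in events if e["activity"] in pattern["activities"]]
    if len(hits) <= pattern["threshold"]:
        return None
    alert = Alert(pattern["name"])
    for e in hits:  # accumulate information per affected entity (user and system)
        for ent in (("user", e["user"]), ("system", e["system"])):
            alert.entities.setdefault(ent, []).append(e["activity"])
    return alert

def severity(alert, pattern, entity):
    """Runtime severity of the alert for one entity, relative to the pattern's weights."""
    return sum(pattern["activities"][a] for a in alert.entities[entity])

def record_mitigation(alert, entity, activity):
    """Write a mitigation action activity for the selected entity (open)."""
    alert.activities.setdefault(entity, {})[activity] = False

def close_mitigation(alert, entity, activity):
    """Close one activity; the alert closes only when every entity's activities are closed."""
    alert.activities[entity][activity] = True
    alert.closed = all(alert.activities.get(e) and all(alert.activities[e].values())
                       for e in alert.entities)
    return alert.closed
```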
20 Claims
1. A computer-implemented method, comprising:
- executing an enterprise threat detection (ETD) pattern against received log event data from one or more computing systems;
- determining, using the ETD pattern, that an event threshold has been exceeded;
- determining affected entities associated with an alert created based on the exceeded threshold, the alert comprising information accumulated for the affected entities;
- calculating, at runtime, a severity value of the alert relative to the ETD pattern for each determined entity associated with the alert, the severity value being associated with one or more activity types included in the received log event data;
- receiving a selection of a determined entity on which to perform mitigation action activities;
- writing mitigation action activities associated with the determined entity into an activity record data record;
- closing a mitigation action activity on the determined entity;
- determining that all mitigation action activities associated with all entities related to the created alert have been closed; and
- closing the created alert.
(Dependent claims: 2, 3, 4, 5, 6, 7)
8. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations comprising:
- executing an enterprise threat detection (ETD) pattern against received log event data from one or more computing systems;
- determining, using the ETD pattern, that an event threshold has been exceeded;
- determining affected entities associated with an alert created based on the exceeded threshold, the alert comprising information accumulated for the affected entities;
- calculating, at runtime, a severity value of the alert relative to the ETD pattern for each determined entity associated with the alert, the severity value being associated with one or more activity types included in the received log event data;
- receiving a selection of a determined entity on which to perform mitigation action activities;
- writing mitigation action activities associated with the determined entity into an activity record data record;
- closing a mitigation action activity on the determined entity;
- determining that all mitigation action activities associated with all entities related to the created alert have been closed; and
- closing the created alert.
(Dependent claims: 9, 10, 11, 12, 13, 14)
15. A computer-implemented system, comprising:
- a computer memory; and
- a hardware processor interoperably coupled with the computer memory and configured to perform operations comprising:
  - executing an enterprise threat detection (ETD) pattern against received log event data from one or more computing systems;
  - determining, using the ETD pattern, that an event threshold has been exceeded;
  - determining affected entities associated with an alert created based on the exceeded threshold, the alert comprising information accumulated for the affected entities;
  - calculating, at runtime, a severity value of the alert relative to the ETD pattern for each determined entity associated with the alert, the severity value being associated with one or more activity types included in the received log event data;
  - receiving a selection of a determined entity on which to perform mitigation action activities;
  - writing mitigation action activities associated with the determined entity into an activity record data record;
  - closing a mitigation action activity on the determined entity;
  - determining that all mitigation action activities associated with all entities related to the created alert have been closed; and
  - closing the created alert.
(Dependent claims: 16, 17, 18, 19, 20)