Alerts based on entities in security information and event management products

US 10,534,908 B2
Filed: 12/06/2016
Issued: 01/14/2020
Est. Priority Date: 12/06/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

executing an enterprise threat detection (ETD) pattern against received log event data from one or more computing systems;

determining, using the ETD pattern, that an event threshold has been exceeded;

determining affected entities associated with an alert created based on the exceeded threshold, the alert comprising information accumulated for the affected entities;

calculating, at runtime, a severity value of the alert relative to the ETD pattern for each determined entity associated with the alert, the severity value being associated with one or more activity types included in the received log event data;

receiving a selection of a determined entity on which to perform mitigation action activities;

writing mitigation action activities associated with the determined entity into an activity record data record;

closing a mitigation action activity on the determined entity;

determining that all mitigation action activities associated with all entities related to the created alert have been closed; and

closing the created alert.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enterprise threat detection (ETD) pattern is executed against received log event data from one or more computing systems. Using the ETD pattern, an event threshold is determined to have been exceeded. Entities associated with an alert created based on the exceeded threshold are determined and, at runtime, a severity value is calculated for each determined entity associated with the alert. A selection is received of a determined entity on which to perform mitigation action activities. Mitigation action activities associated with the determined entity are written into an activity record data record. A mitigation action activity is closed on the determined entity and a determination performed that all mitigation action activities associated with all entities related to the created alert have been closed. The created alert is closed.

Citations

20 Claims

1. A computer-implemented method, comprising:
- executing an enterprise threat detection (ETD) pattern against received log event data from one or more computing systems;
  
  determining, using the ETD pattern, that an event threshold has been exceeded;
  
  determining affected entities associated with an alert created based on the exceeded threshold, the alert comprising information accumulated for the affected entities;
  
  calculating, at runtime, a severity value of the alert relative to the ETD pattern for each determined entity associated with the alert, the severity value being associated with one or more activity types included in the received log event data;
  
  receiving a selection of a determined entity on which to perform mitigation action activities;
  
  writing mitigation action activities associated with the determined entity into an activity record data record;
  
  closing a mitigation action activity on the determined entity;
  
  determining that all mitigation action activities associated with all entities related to the created alert have been closed; and
  
  closing the created alert.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the threshold is defined as an absolute value or determined relatively using statistical methods.
  - 3. The computer-implemented method of claim 1, comprising writing the created alert into an alert data store.
  - 4. The computer-implemented method of claim 1, wherein entities include at least one of a user or a computing system.
  - 5. The computer-implemented method of claim 1, comprising initiating display of a list of the determined entities prioritized by the severity calculated for each determined entity.
  - 6. The computer-implemented method of claim 1, comprising writing information about the latest activity data record associated with the determined entity to the alert stored in an alert data store.
  - 7. The computer-implemented method of claim 1, wherein closing the created alert can be performed manually or automatically.

8. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations comprising:
- executing an enterprise threat detection (ETD) pattern against received log event data from one or more computing systems;
  
  determining, using the ETD pattern, that an event threshold has been exceeded;
  
  determining affected entities associated with an alert created based on the exceeded threshold, the alert comprising information accumulated for the affected entities;
  
  calculating, at runtime, a severity value of the alert relative to the ETD pattern for each determined entity associated with the alert, the severity value being associated with one or more activity types included in the received log event data;
  
  receiving a selection of a determined entity on which to perform mitigation action activities;
  
  writing mitigation action activities associated with the determined entity into an activity record data record;
  
  closing a mitigation action activity on the determined entity;
  
  determining that all mitigation action activities associated with all entities related to the created alert have been closed; and
  
  closing the created alert.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory, computer-readable medium of claim 8, wherein the threshold is defined as an absolute value or determined relatively using statistical methods.
  - 10. The non-transitory, computer-readable medium of claim 8, further comprising one or more instructions to write the created alert into an alert data store.
  - 11. The non-transitory, computer-readable medium of claim 8, wherein entities include at least one of a user or a computing system.
  - 12. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to initiate display of a list of the determined entities prioritized by the severity calculated for each determined entity.
  - 13. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to write information about the latest activity data record associated with the determined entity to the alert stored in an alert data store.
  - 14. The non-transitory, computer-readable medium of claim 8, wherein closing the created alert can be performed manually or automatically.

15. A computer-implemented system, comprising:
- a computer memory; and
  
  a hardware processor interoperably coupled with the computer memory and configured to perform operations comprising;
  
  executing an enterprise threat detection (ETD) pattern against received log event data from one or more computing systems;
  
  determining, using the ETD pattern, that an event threshold has been exceeded;
  
  determining affected entities associated with an alert created based on the exceeded threshold, the alert comprising information accumulated for the affected entities;
  
  calculating, at runtime, a severity value of the alert relative to the ETD pattern for each determined entity associated with the alert, the severity value being associated with one or more activity types included in the received log event data;
  
  receiving a selection of a determined entity on which to perform mitigation action activities;
  
  writing mitigation action activities associated with the determined entity into an activity record data record;
  
  closing a mitigation action activity on the determined entity;
  
  determining that all mitigation action activities associated with all entities related to the created alert have been closed; and
  
  closing the created alert.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-implemented system of claim 15, wherein the threshold is defined as an absolute value or determined relatively using statistical methods.
  - 17. The computer-implemented system of claim 15, further configured to write the created alert into an alert data store.
  - 18. The computer-implemented system of claim 15, wherein entities include at least one of a user or a computing system.
  - 19. The computer-implemented system of claim 15, further configured to:
    - initiate display of a list of the determined entities prioritized by the severity calculated for each determined entity; and
      
      write information about the latest activity data record associated with the determined entity to the alert stored in an alert data store.
  - 20. The computer-implemented system of claim 15, wherein closing the created alert can be performed manually or automatically.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Nos, Kathrin
Primary Examiner(s)
Gee, Jason K

Application Number

US15/370,084
Publication Number

US 20180157835A1
Time in Patent Office

1,134 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/554 involving event detection a...

Alerts based on entities in security information and event management products

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Alerts based on entities in security information and event management products

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links