Threat response systems and methods
First Claim
1. A method for incident response, comprising:
- receiving, by a security operations system, an alarm in response to a threat detected on a monitored system, wherein the alarm includes characteristics of the threat;
- generating, by the security operations system, a record in response to the alarm, wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm;
- populating, by the security operations system, a form with the characteristics of the threat, wherein the form is associated with the record and selected in response to a type of the threat;
- generating, by the security operations system, a workflow, wherein the workflow is customizable, by at least one of adding, removing, or modifying a rule for an action, prior to the security operations system receiving the alarm, wherein the workflow is configured to be automatically executed to address the alarm, and wherein the workflow comprises a first action;
- automatically executing, by the security operations system, the first action of the workflow;
- receiving, by the security operations system, security contextual data in response to a request including the characteristics of the threat;
- updating, by the security operations system, the form to include the security contextual data;
- enriching, by the security operations system, the workflow to generate a second action; and
- automatically executing, by the security operations system, the second action of the workflow.
Abstract
A security operations system may receive an alarm in response to a detected threat. The alarm may include characteristics of the threat. The system may then generate a record in response to the alarm and populate a form with the characteristics of the threat. The form may be associated with the record and selected in response to a type of the threat. The system may further generate a workflow including at least one, and potentially multiple, actions. The system also receives security contextual information in response to a request including the characteristics of the threat or associated indicators of the threat, and then updates the form to include the security contextual information. The security operations system can evaluate contextual information and request additional information, as well as leverage the workflow to make iterative changes to rulesets and configurations, to provide additional security protection or garner additional information on a threat.
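The claimed method and the abstract above describe an orchestration loop: alarm in, record with a severity derived from the alarm's threat level, a form chosen by threat type, a rule-based workflow that was customized before the alarm arrived, one action, an enrichment request, the form updated with the returned context, and a second action generated from that context. The following Python is an added example that simulates that loop end to end; it is not code from the patent or its assignee, and the severity scale, form templates, rule names, host and hash values, and the intelligence lookup are all constructed placeholders chosen for illustration.

```python
# Added example: simulation of the claimed incident-response loop.
# All names, scales, templates and lookup data are constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed: threat level carried in the alarm -> severity assigned to the record.
SEVERITY_BY_THREAT_LEVEL = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed: form template selected by the type of the threat.
FORM_TEMPLATES = {
    "malware": ["host", "file_hash", "process"],
    "phishing": ["recipient", "sender", "url"],
}

# Constructed stand-in for a threat-intelligence source (placeholder indicators).
KNOWN_BAD = {
    "file_hash": {"0000deadbeef": "known_malicious"},
    "url": {"http://example.invalid/login": "credential_harvesting"},
}


@dataclass
class Alarm:
    threat_type: str       # selects the form template
    threat_level: str      # drives the automatic severity
    characteristics: dict  # indicators carried by the alarm


@dataclass
class Record:
    record_id: int
    severity: int
    form: dict = field(default_factory=dict)
    actions_taken: list = field(default_factory=list)


@dataclass
class Rule:
    name: str
    condition: Callable[[Record], bool]
    action: Callable[[Record], str]  # returns a description of what was done


class Workflow:
    """Ordered rules for actions; customized by add/remove/modify before any alarm arrives."""

    def __init__(self) -> None:
        self.rules: list[Rule] = []

    def add_rule(self, rule: Rule, first: bool = False) -> None:
        if any(r.name == rule.name for r in self.rules):
            return  # rule names stay unique so enrichment is idempotent
        if first:
            self.rules.insert(0, rule)
        else:
            self.rules.append(rule)

    def remove_rule(self, name: str) -> None:
        self.rules = [r for r in self.rules if r.name != name]

    def modify_rule(self, name: str, condition: Callable[[Record], bool]) -> None:
        for r in self.rules:
            if r.name == name:
                r.condition = condition

    def next_action(self, record: Record) -> Optional[Rule]:
        """First rule whose condition holds and that has not already run for this record."""
        for r in self.rules:
            if r.name not in record.actions_taken and r.condition(record):
                return r
        return None


def execute(workflow: Workflow, record: Record) -> Optional[str]:
    """Run the next applicable action; None when the workflow has nothing left to do."""
    rule = workflow.next_action(record)
    if rule is None:
        return None
    record.actions_taken.append(rule.name)
    return rule.action(record)


def create_record(alarm: Alarm, record_id: int) -> Record:
    """Severity comes from the alarm's threat level; the form is chosen by threat type."""
    severity = SEVERITY_BY_THREAT_LEVEL[alarm.threat_level]
    form = {name: alarm.characteristics.get(name) for name in FORM_TEMPLATES[alarm.threat_type]}
    return Record(record_id, severity, form)


def request_context(form: dict) -> dict:
    """Constructed, offline lookup of each form indicator; returns only verdicts found."""
    return {f"{name}_verdict": KNOWN_BAD[name][value]
            for name, value in form.items()
            if name in KNOWN_BAD and value in KNOWN_BAD[name]}


def enrich_workflow(workflow: Workflow, record: Record) -> None:
    """Generate a second action from the contextual data now present on the form."""
    if record.form.get("file_hash_verdict") == "known_malicious":
        workflow.add_rule(Rule("isolate_host", lambda r: True,
                               lambda r: f"isolated {r.form['host']}"), first=True)
    if record.form.get("url_verdict") == "credential_harvesting":
        workflow.add_rule(Rule("reset_credentials", lambda r: True,
                               lambda r: f"reset credentials for {r.form['recipient']}"), first=True)


def build_default_workflow() -> Workflow:
    """Rules configured ahead of time; an operator may add, remove or modify them."""
    wf = Workflow()
    wf.add_rule(Rule("notify_analyst", lambda r: r.severity >= 2, lambda r: "analyst paged"))
    wf.add_rule(Rule("open_ticket", lambda r: True, lambda r: f"ticket opened for record {r.record_id}"))
    return wf


def handle_alarm(alarm: Alarm, workflow: Workflow, record_id: int = 1) -> Record:
    record = create_record(alarm, record_id)         # record, severity and populated form
    execute(workflow, record)                         # first action
    record.form.update(request_context(record.form))  # contextual data added to the form
    enrich_workflow(workflow, record)                 # workflow gains a second action
    execute(workflow, record)                         # second action
    return record
```

With the default rules, a high-level malware alarm carrying the constructed known-bad hash first pages an analyst and then, once the hash verdict lands on the form, runs the host-isolation action that enrichment added at the head of the workflow; a low-level phishing alarm with unknown indicators only opens a ticket, and a second `execute` call returns `None` rather than repeating an action. The `modify_rule` path shows the pre-alarm customization the claim relies on: lowering the paging threshold changes which action runs first for the same alarm.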
20 Claims
1. Independent method claim, text as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A computer-based system, comprising:
- a processor;
- a tangible, non-transitory memory configured to communicate with the processor, the tangible, non-transitory memory having instructions stored thereon that, in response to execution by the processor, cause a security operations system to perform operations comprising:
  - receiving, by the security operations system, an alarm in response to a threat detected on a monitored system, wherein the alarm includes characteristics of the threat;
  - generating, by the security operations system, a record in response to the alarm, wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm;
  - populating, by the security operations system, a form with the characteristics of the threat, wherein the form is associated with the record and selected in response to a type of the threat;
  - generating, by the security operations system, a workflow, wherein the workflow is customizable, by at least one of adding, removing, or modifying a rule for an action, prior to the security operations system receiving the alarm, wherein the workflow is configured to be automatically executed to address the alarm, and wherein the workflow comprises a first action;
  - automatically executing, by the security operations system, the first action of the workflow;
  - receiving, by the security operations system, security contextual information in response to a request including the characteristics of the threat;
  - updating, by the security operations system, the form to include the security contextual information;
  - enriching, by the security operations system, the workflow to generate a second action; and
  - automatically executing, by the security operations system, the second action of the workflow.
Dependent claims: 13, 14, 15, 16, 17.
18. An article of manufacture including a non-transitory, tangible computer readable storage medium having instructions stored thereon that, in response to execution by a security operations system, cause the security operations system to perform operations comprising:
- receiving, by the security operations system, an alarm in response to a threat detected on a monitored system, wherein the alarm includes characteristics of the threat;
- generating, by the security operations system, a record in response to the alarm, wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm;
- populating, by the security operations system, a form with the characteristics of the threat, wherein the form is associated with the record and selected in response to a type of the threat;
- generating, by the security operations system, a workflow, wherein the workflow is customizable, by at least one of adding, removing, or modifying a rule for an action, prior to the security operations system receiving the alarm, wherein the workflow is configured to be automatically executed to address the alarm, and wherein the workflow comprises a first action;
- automatically executing, by the security operations system, the first action of the workflow;
- receiving, by the security operations system, security contextual data in response to a request including the characteristics of the threat;
- updating, by the security operations system, the form to include the security contextual data;
- enriching, by the security operations system, the workflow to generate a second action; and
- automatically executing, by the security operations system, the second action of the workflow.
Dependent claims: 19, 20.