Adaptive parsing and normalizing of logs at MSSP
First Claim
1. A security system for a network, comprising:
- an event management center including at least one processor configured to:
receive security logs including security log data from a plurality of monitored devices;
determine whether one or more parsing scripts or rules are available to parse or normalize the security log data in the received security logs; and
if one or more parsing scripts or rules are available:
apply the one or more parsing scripts or rules to the security log data; and
normalize the security log data and organize the normalized security log data into a structured format; and
if one or more parsing scripts or rules are not available, provide the security data to one or more engines for parsing or normalization thereof, wherein the one or more engines are stored in a memory of or accessible by the at least one processor, and at least one of the engines is configured to:
receive one or more security logs that comprise the security log data in an unrecognized format or include the security log data that is at least partially unparsable by the one or more parsing scripts or rules accessible by the at least one processor;
identify one or more attributes of the security log data;
determine a probability that the one or more identified attributes represent one or more recognized security log entities; and
if the determined probability meets or exceeds a predetermined threshold probability, isolate and/or tag recognized security log entities and organize isolated and/or tagged recognized security log entities into a structured format to generate normalized security logs;
wherein the normalized security logs are reviewable to determine if a security threat has been detected.
Abstract
A method of normalizing security log data can include receiving one or more security logs including unstructured data from a plurality of devices and reviewing unstructured data of the one or more security logs. The method also can include automatically applying a probabilistic model of one or more engines to identify one or more attributes or features of the unstructured data, and determine whether the identified attributes or features are indicative of identifiable entities, and tagging one or more identifiable entities of the identifiable entities, as well as organizing tagged entities into one or more normalized logs having a readable format with a prescribed schema. In addition, the method can include reviewing the one or more normalized logs for potential security events.
18 Claims
1. A security system for a network, comprising: (full text given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A method of normalizing security log data, comprising:
receiving a series of security logs from a plurality of devices;
for each security log received, determining whether a parsing script is available to normalize the security log;
if a parsing script is available, normalizing the security log with a selected parsing script and placing the security log into a normalized event format for review and detection of a potential security event;
if a parsing script is not determined to be available for a security log, routing the unparsed security log to one or more engines, wherein the one or more engines:
review unstructured data of the unparsed security log;
identify one or more attributes or features of the unparsed security log;
determine, with a prescribed level of confidence, whether the identified attributes or features are indicative of one or more identifiable entities in the security log;
tag identifiable entities of the one or more identifiable entities in the security log; and
organize the tagged entities into a structured format with a prescribed schema; and
review the normalized security logs to determine potential security events.
Dependent claims: 10, 11, 12, 13, 14.
15. A method of normalizing security log data, comprising:
receiving one or more security logs including unstructured data from a plurality of devices;
reviewing the unstructured data of the one or more security logs to determine whether one or more parsing scripts or rules are available for parsing and/or normalization of the unstructured data;
if one or more parsing scripts or rules are available to parse or normalize the unstructured data, applying the one or more parsing scripts or rules to the unstructured data for parsing or normalization of the unstructured data into one or more normalized logs;
if one or more parsing scripts or rules are not available, applying a probabilistic model of one or more engines to identify one or more attributes or features of the unstructured data, and determine whether the identified attributes or features are indicative of identifiable entities;
tagging one or more identifiable entities of the identifiable entities;
organizing tagged entities into one or more normalized logs having a readable format with a prescribed schema; and
reviewing the one or more normalized logs for potential security events.
Dependent claims: 16, 17, 18.
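The two-stage pipeline claimed above (rule-based parsing first, then a probabilistic entity tagger with a predetermined threshold for logs no rule recognizes) as an added illustration; this is example code written for this page, not an implementation from the patent or its assignee. The sample log lines, the single sshd rule, the entity detectors and the confidence heuristic that stands in for the claimed probabilistic model are all constructed assumptions.

```python
import re

# Constructed sample logs: one in a recognized format, one in an unknown
# vendor format, and one that merely looks like it contains an IP address.
SAMPLE_LOGS = [
    "2024-03-01T10:00:00Z sshd[1234]: Failed password for root from 203.0.113.5 port 22",
    "ACME-FW|deny|src=198.51.100.7|dst=10.0.0.4|user=jdoe",
    "build 1.2.3.4 finished",
]

# Stage 1: parsing rules for recognized formats (named groups map onto the schema).
RULES = {
    "sshd_failed_password": re.compile(
        r"^(?P<timestamp>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) "
        r"from (?P<src_ip>[\d.]+) port (?P<port>\d+)$"),
}

# Stage 2: entity detectors used when no rule applies: kind -> (regex, prior confidence).
DETECTORS = {
    "ip": (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), 0.6),
    "user": (re.compile(r"\buser=(\w+)"), 0.7),
    "action": (re.compile(r"\b(deny|allow|drop|accept)\b", re.I), 0.8),
}
THRESHOLD = 0.75  # the "predetermined threshold probability" of the claims (assumed value)

def entity_confidence(kind, value, line):
    """Heuristic stand-in for the probabilistic model: the detector's prior,
    raised by evidence in the surrounding text. Not the patent's model."""
    conf = DETECTORS[kind][1]
    if kind == "ip" and all(int(o) <= 255 for o in value.split(".")):
        conf += 0.1  # every octet is in range
    if re.search(r"\b(src|dst|user|action)=" + re.escape(value), line):
        conf += 0.2  # a key=value context names the attribute
    return min(conf, 1.0)

def parse_with_rules(line):
    for name, rx in RULES.items():
        m = rx.match(line)
        if m:
            return {"method": "rule", "parser": name, "entities": m.groupdict()}
    return None  # no script or rule available for this line

def parse_probabilistic(line, threshold=THRESHOLD):
    tagged = {}
    for kind, (rx, _) in DETECTORS.items():
        for m in rx.finditer(line):
            value = m.group(1) if m.groups() else m.group(0)
            if entity_confidence(kind, value, line) >= threshold:  # only tag confident entities
                tagged.setdefault(kind, []).append(value)
    return {"method": "probabilistic" if tagged else "unparsed", "parser": None, "entities": tagged}

def normalize(line):
    """Structured record with a fixed schema: method, parser, entities."""
    return parse_with_rules(line) or parse_probabilistic(line)
```

The third sample line shows the threshold doing its job: `1.2.3.4` scores 0.7 without any key=value context, so it is left untagged rather than normalized as a source address.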
Specification