System and method of aggregating and consolidating security event data
Abstract
A method and system are provided that enable the processing of security event data. In a first version, the instructions for processing security event data are software encoded in separate, discrete modules and executed by an information technology system. The software, as executed, identifies the computational engines of the information technology system that are available for processing the security event data and assigns modules to specific computational engines. A plurality of events stored in a buffer are processed sequentially through two or more modules. The result of each module's processing of an event is recorded in an extended event structure and made accessible to the successive module. The buffer location storing an event becomes available for overwriting once the event has been fully processed.
25 Claims

1. In an information technology system, the information technology system having at least one computational engine available for processing security event data, a method for processing security event data comprising:
a. software encoding machine-readable instructions to execute the security event processing, the instructions organized into modules;
b. providing the instructions to the information technology system;
c. determining the number of computational engines available for security event processing;
d. tasking each available computational engine with executing at least one module; and
e. processing a plurality of events.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 20.)
12. In an information technology system, the information technology system having at least a first and a second computational engine, a method for processing security events, comprising:
a. providing a plurality of events to the information technology system, each event having an event type;
b. identifying all events having an identical event type designator; and
c. processing each event sequentially through at least two threads, each thread comprising at least one module and each thread executed by a separate computational engine.
(Dependent claims: 13, 14, 15, 16, 17, 18, 19.)
21. In an information technology system, a method for sequentially processing an event through a sequentially ordered series of stages, the sequentially ordered series of stages to be applied in a pre-established sequence to the event in order from lower to higher, comprising:
a. associating a stage index with an event, the stage index for indicating a next higher ordered stage;
b. examining the stage index to identify the next higher ordered stage; and
c. inhibiting the application of all stages other than the next higher ordered stage to the event.
(Dependent claims: 22, 23, 24.)
25. In an information technology system, the information technology system having a secondary memory, a method for checkpointing information related to the processing of events by a sequentially ordered series of stages, comprising:
a. providing a checkpoint event, the checkpoint event for directing the information technology system to checkpoint information related to a stage applied to the checkpoint event;
b. processing the checkpoint event through the series of stages in the sequential order; and
c. checkpointing each stage when each stage is applied to the checkpoint event, wherein information associated with each stage is stored in the secondary memory.
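The mechanism described in the abstract and in claims 1, 21 and 25, as an added Python example that is not part of the patent or any implementation of it: modules (stages) tasked to a given number of engines, an extended event structure carried through the stages in their pre-established order, a stage index that inhibits any stage other than the next higher ordered one, a buffer location released for overwriting once an event is fully processed, and a checkpoint event that makes every stage write its state to secondary memory. The stage names, the `AUTH_FAIL`/`AUTH_OK` key=value event format, the sample log lines, the failure threshold and the dictionary standing in for secondary memory are all constructed for illustration; the patent names none of them.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample security events (not from the patent): "<TYPE> key=value ..."
SAMPLE_EVENTS = [
    "AUTH_FAIL src=10.0.0.5 user=alice",
    "AUTH_FAIL src=10.0.0.5 user=alice",
    "AUTH_OK src=10.0.0.9 user=bob",
    "AUTH_FAIL src=10.0.0.5 user=root",
]

@dataclass
class ExtendedEvent:
    """Extended event structure: the raw event plus what each stage recorded about it."""
    raw: str
    event_type: str = ""
    results: dict = field(default_factory=dict)  # stage name -> that stage's output
    stage_index: int = 0                         # the next higher ordered stage to apply
    is_checkpoint: bool = False                  # True only for the checkpoint event

class ParseStage:
    """Stage 0: split the line into an event type and key=value fields (stateless)."""
    name = "parse"

    def process(self, ev):
        kind, _, rest = ev.raw.partition(" ")
        ev.event_type = kind
        ev.results[self.name] = dict(kv.split("=", 1) for kv in rest.split())

    def state(self):
        return {}

class EnrichStage:
    """Stage 1: flag users never seen before, reading the parse stage's recorded result."""
    name = "enrich"

    def __init__(self):
        self.seen_users = set()

    def process(self, ev):
        user = ev.results["parse"].get("user", "")
        ev.results[self.name] = {"first_seen": user not in self.seen_users}
        self.seen_users.add(user)

    def state(self):
        return {"seen_users": sorted(self.seen_users)}

class CorrelateStage:
    """Stage 2: count AUTH_FAIL per source; alert at a hypothetical threshold."""
    name = "correlate"

    def __init__(self, threshold=3):
        self.failures, self.threshold = Counter(), threshold

    def process(self, ev):
        src = ev.results["parse"].get("src", "?")
        if ev.event_type == "AUTH_FAIL":
            self.failures[src] += 1
        ev.results[self.name] = {"alert": self.failures[src] >= self.threshold}

    def state(self):
        return {"failures": dict(self.failures)}

def assign_modules(stages, engines):
    """Task each available engine with modules, round robin (assumes engines <= modules)."""
    assignment = {e: [] for e in range(engines)}
    for i, st in enumerate(stages):
        assignment[i % engines].append(st.name)
    return assignment

class Pipeline:
    def __init__(self, stages, buffer_size=2):
        self.stages = stages
        self.buffer = [None] * buffer_size  # event slots; None means free to overwrite
        self.secondary_memory = {}          # stand-in for the persistent checkpoint store

    def offer(self, ev, i):
        """Offer ev to stage i; only the stage named by ev.stage_index may act."""
        if i != ev.stage_index:
            return False                    # inhibited: not the next higher ordered stage
        stage = self.stages[i]
        if ev.is_checkpoint:
            self.secondary_memory[stage.name] = stage.state()  # checkpoint this stage
        else:
            stage.process(ev)
        ev.stage_index += 1
        return True

    def push(self, ev):
        # apply the stages to ev in their pre-established order
        for i in range(len(self.stages)):
            self.offer(ev, i)
        return ev

    def run(self, raw_events):
        done = []
        for raw in raw_events:
            slot = self.buffer.index(None)  # a free buffer location (ValueError if full)
            self.buffer[slot] = ExtendedEvent(raw=raw)
            done.append(self.push(self.buffer[slot]))
            self.buffer[slot] = None        # fully processed: location may be overwritten
        return done

    def checkpoint(self):
        # push a checkpoint event through all stages and return what was persisted
        self.push(ExtendedEvent(raw="", is_checkpoint=True))
        return dict(self.secondary_memory)
```

`Pipeline([ParseStage(), EnrichStage(), CorrelateStage()]).run(SAMPLE_EVENTS)` returns the four extended events, of which only the last one (the third failure from 10.0.0.5) carries `alert: True`; `checkpoint()` afterwards returns the per-stage state written to the stand-in secondary memory. Offering an event to stage 2 while its stage index is 0 is refused and leaves the event untouched, which is the inhibition of claim 21. Claim 12's per-event-type threads on separate engines are not modelled here; `assign_modules` only shows the static tasking of modules to a given engine count from claim 1.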
Specification