Event-driven customizable automated workflows for incident remediation
Abstract
The invention relates to a system and method for customizing and storing workflow processes for use in remediation incidents such as security events. One aspect of the invention relates to providing tools to enable creation of customized workflow processes for event driven incident remediation, monitoring and analyzing system activity to identify occurrence of incidents, assigning a workflow process to an incident, applying the assigned workflow process to remediate the incident, and tracking and graphically displaying the status of the workflow process, among other things.
56 Claims
1. A computer implemented method for event driven incident response including one or more workflow process instances for handling incident response, each having one or more work-items, the method comprising:
- monitoring network activity for one or more network events;
- identifying occurrence of one or more incidents based on the one or more network events;
- associating at least one workflow process instance to an identified incident based at least in part on incident details;
- determining the work-items to perform based on the workflow process instance, wherein the work-items include one or more user work-items and system work-items;
- automatically implementing the one or more system work-item;
- notifying a user to complete one or more user work-item; and
- tracking progress of the incident's workflow process instance based on output from the work-items.
Dependent claims: 2 to 16.
17. A computer implemented system for event driven incident response including one or more workflow process instances for handling incident response, each having one or more work-items, the system comprising:
- a network activity monitoring means for monitoring network activity for one or more network events;
- a correlation engine identifying occurrence of one or more incidents based on the one or more network events;
- an assignment module for associating at least one workflow process instance to an identified incident based at least in part on incident details;
- a workflow module determining the work-items to perform based on the workflow process instance, wherein the work-items include one or more user work-items and system work-items;
- means for automatically implementing the one or more system work-item;
- means for notifying a user to complete one or more user work-item; and
- an incident tracking module tracking progress of the incident's workflow process instance based on output from the work-items.
Dependent claims: 18 to 32.
33. A computer implemented method for creating a customized event driven workflow process instance for handling incidents, comprising:
- selecting two or more of a plurality of work-items to include into a workflow process instance;
- creating transitions to include in the workflow process instance, the transitions defining a decision process between two or more work-items;
- verifying the workflow process instance as the work-items and the transitions are added to the workflow process instance; and
- storing the verified workflow process instance.
Dependent claims: 34 to 52.
53. A computer implemented system including a workflow module for creating a customized event driven workflow process instance for handling incidents, comprising:
- selecting means for selecting two or more of a plurality of work-items to include into a workflow process instance;
- creating means for creating transitions to include in the workflow process instance, the transitions defining a decision process between two or more work-items;
- verifying means for verifying the workflow process instance as the work-items and the transitions are added to the workflow process instance; and
- a database for storing the verified workflow process instance.
Dependent claim: 54.
55. A computer implemented system including a user interface to create and track workflow process instances for event driven incident remediation, the system comprising:
- editing means for creating a workflow process instance;
- storing means for storing one or more workflow process instances;
- identifying means for identifying one or more incidents;
- assigning means for assigning one of the stored workflow process instances to the identified incident;
- executing means for executing the workflow process instance; and
- tracking means for tracking status of the assigned workflow process instance.
56. A computer implemented method for presenting a user interface for creating and tracking workflow process instances for event driven incident remediation, the system comprising:
- creating a workflow process instance;
- storing one or more workflow process instances;
- identifying one or more incidents;
- assigning one of the stored workflow process instances to the identified incident;
- executing the workflow process instance; and
- tracking status of the assigned workflow process instance.
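The event-to-remediation loop of claim 1 (correlate events into an incident, assign a workflow, run system work-items automatically, notify an analyst for user work-items, track progress) together with the verify-before-store step of claim 33, as an added Python example that is not the patent's own code. The incident rule (repeated failed logins from one source), the work-item names, the transition table, the threat-intel set and the sample events are all constructed for this illustration.

```python
# Added example (not the patent's code): a minimal event-driven incident workflow
# engine shaped like claims 1 and 33. Work-items are "system" (run automatically)
# or "user" (an analyst is notified and supplies the outcome); transitions route
# on a work-item's output; a workflow is verified before it is stored.
def verify(start, items, transitions):
    """Reject dangling transitions and work-items unreachable from start."""
    for (src, _), dst in transitions.items():
        if src not in items or (dst is not None and dst not in items):
            raise ValueError(f"transition {src}->{dst} names an unknown work-item")
    seen, todo = set(), [start]
    while todo:
        cur = todo.pop()
        if cur not in seen:
            seen.add(cur)
            todo += [d for (s, _), d in transitions.items() if s == cur and d]
    if set(items) - seen:
        raise ValueError(f"unreachable work-items: {sorted(set(items) - seen)}")
    return {"start": start, "items": items, "transitions": transitions}
def correlate(events, threshold=3):
    """Identify incidents: any source with >= threshold auth_fail events."""
    counts = {}
    for ev in events:
        if ev["type"] == "auth_fail":
            counts[ev["src"]] = counts.get(ev["src"], 0) + 1
    return [{"kind": "brute_force", "src": s} for s, n in counts.items() if n >= threshold]
def run(workflow, incident, analyst_answers):
    """Execute the assigned workflow; return the progress log used for tracking."""
    log, cur = [], workflow["start"]
    while cur is not None:
        kind, action = workflow["items"][cur]
        if kind == "system":
            out = action(incident)                  # system work-item: automatic
        else:
            log.append(f"notified analyst: {cur}")  # user work-item: notify, wait
            out = analyst_answers[cur]              # outcome supplied by analyst
        log.append(f"{cur}:{out}")
        cur = workflow["transitions"][(cur, out)]   # None ends the workflow
    return log
# Constructed sample workflow: enrich automatically, analyst triages, then the
# source is blocked automatically or the incident is closed as benign.
KNOWN_BAD = {"203.0.113.5"}  # constructed threat-intel set (TEST-NET-3 address)
BRUTE_FORCE_WF = verify("enrich", {
    "enrich": ("system", lambda inc: "known_bad" if inc["src"] in KNOWN_BAD else "unknown"),
    "triage": ("user", None),
    "block": ("system", lambda inc: "done"),
}, {("enrich", "known_bad"): "block", ("enrich", "unknown"): "triage",
    ("triage", "malicious"): "block", ("triage", "benign"): None, ("block", "done"): None})
# Constructed event stream: four failed logins from one source, one from another.
EVENTS = [{"type": "auth_fail", "src": "198.51.100.7"}] * 4 + [{"type": "auth_fail", "src": "192.0.2.9"}]
```

Running `run(BRUTE_FORCE_WF, correlate(EVENTS)[0], {"triage": "malicious"})` yields the tracking log for one incident; a workflow with a typo in a transition target or an orphaned work-item is rejected by `verify` before it can be assigned to anything.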
Specification