SYSTEM AND METHOD FOR CORRELATING LOG DATA TO DISCOVER NETWORK VULNERABILITIES AND ASSETS
First Claim
1. A system for correlating log data to discover vulnerable network assets, wherein the system comprises a log correlation engine having one or more processors configured to:
- receive one or more logs that contain events describing observed activity in a network;
determine that the one or more logs contain at least one event that matches a regular expression in at least one correlation rule associated with the log correlation engine that indicates a vulnerability;
obtain information about the indicated vulnerability from at least one data source cross-referenced in the at least one correlation rule; and
generate a report that the indicated vulnerability was discovered in the network, wherein the report includes the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the at least one correlation rule.
3 Assignments
0 Petitions
Accused Products
Abstract
The system and method described herein relates to a log correlation engine that may cross-reference or otherwise leverage existing vulnerability data in an extensible manner to support network vulnerability and asset discovery. In particular, the log correlation engine may receive various logs that contain events describing observed network activity and discover a network vulnerability in response to the logs containing at least one event that matches a regular expression in at least one correlation rule associated with the log correlation engine that indicates a vulnerability. The log correlation engine may then obtain information about the indicated vulnerability from at least one data source cross-referenced in the correlation rule and generate a report that the indicated vulnerability was discovered in the network, wherein the report may include the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the correlation rule.
-
Citations
30 Claims
-
1. A system for correlating log data to discover vulnerable network assets, wherein the system comprises a log correlation engine having one or more processors configured to:
-
receive one or more logs that contain events describing observed activity in a network; determine that the one or more logs contain at least one event that matches a regular expression in at least one correlation rule associated with the log correlation engine that indicates a vulnerability; obtain information about the indicated vulnerability from at least one data source cross-referenced in the at least one correlation rule; and generate a report that the indicated vulnerability was discovered in the network, wherein the report includes the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the at least one correlation rule. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A method for correlating log data to discover vulnerable network assets, comprising:
-
receiving, at a log correlation engine, one or more logs that contain events describing observed activity in a network; determining, at the log correlation engine, that the one or more logs contain at least one event that matches a regular expression in at least one correlation rule associated with the log correlation engine that indicates a vulnerability; obtaining, at the log correlation engine, information about the indicated vulnerability from at least one data source cross-referenced in the at least one correlation rule; and generating a report that the indicated vulnerability was discovered in the network, wherein the report includes the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the at least one correlation rule. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
21. A computer-readable storage medium having computer-executable instructions stored thereon for correlating log data to discover vulnerable network assets, wherein executing the computer-executable instructions a processor causes the processor to:
-
receive one or more logs that contain events describing observed activity in a network; determine that the one or more logs contain at least one event that matches a regular expression in at least one correlation rule associated with a log correlation engine that indicates a vulnerability; obtain information about the indicated vulnerability from at least one data source cross-referenced in the at least one correlation rule; and generate a report that the indicated vulnerability was discovered in the network, wherein the report includes the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the at least one correlation rule. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
-
Specification