LOG NORMALIZATION IN ENTERPRISE THREAT DETECTION
First Claim
1. A computer-implemented method, comprising:
- prior to runtime as part of a log learning process;
- accessing, using a log interpretation controller, a sample log file including a plurality of log entries for log learning;
- analyzing each of the plurality of log entries;
- assigning a log entry type to each of the plurality of log entries;
- assigning a log type and semantic event to each log entry type;
- triggering generation of runtime rules for analyzing unknown log entries wherein the runtime rules include characteristics of particular log entry types that allow unique identification of the particular log entry type for a particular unknown log entry; and
- loading the generated runtime rules into a runtime parser.
1 Assignment
0 Petitions
Abstract
A sample log file including a plurality of log entries for log learning is accessed, using a log interpretation controller, prior to runtime as part of a log learning process. Each of the plurality of log entries is analyzed. A log entry type is assigned to each of the plurality of log entries. A log type and semantic event are assigned to each log entry type. Generation of runtime rules is triggered for analyzing unknown log entries. The runtime rules include characteristics of particular log entry types that allow unique identification of the particular log entry type for a particular unknown log entry. The generated runtime rules are loaded into a runtime parser.
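The learning-then-runtime split the abstract describes, as an added Python illustration that is not the patent's own implementation: a sample log is analysed, entries are clustered into log entry types, each type is assigned a log type (taken here to be the source program name) and a semantic event (looked up from an analyst keyword table), and regex runtime rules are generated from the literal tokens that characterise each type and loaded into a runtime parser. The field classes, the merge threshold, the `EVENT_KEYWORDS` table, the assumption that the program name follows the timestamp, and the sample log lines are all constructed for this example.

```python
"""Log learning (pre-runtime) and rule-driven parsing (runtime). Added
illustration only; field classes, keyword table, merge threshold and the
sample log are constructed assumptions, not taken from the patent."""
import re
from dataclasses import dataclass

# Unanchored regexes for variable-field classes. "var" marks positions that
# the learning step finds to differ between entries of the same shape.
CLASS_RX = {
    "ts": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z",
    "ip": r"(?:\d{1,3}\.){3}\d{1,3}",
    "num": r"\d+",
    "var": r"\S+",
}
# Analyst-supplied characteristic phrase -> semantic event (constructed).
EVENT_KEYWORDS = {
    "Failed password": "AUTH_FAILURE",
    "Accepted publickey": "AUTH_SUCCESS",
    "DROP": "FIREWALL_DROP",
}

@dataclass(frozen=True)
class RuntimeRule:
    entry_type: str       # learned type id, e.g. "T1"
    log_type: str         # source program, e.g. "sshd"
    event: str            # semantic event assigned to this entry type
    pattern: re.Pattern   # literals identify the type; named groups extract fields

def _mask_token(tok: str) -> str:
    """Replace well-known variable values with a class placeholder."""
    if "=" in tok:                                    # key=value: mask the value only
        key, val = tok.split("=", 1)
        return f"{key}={_mask_token(val)}"
    m = re.fullmatch(r"([A-Za-z_]+)\[(\d+)\]:", tok)  # prog[pid]: keeps prog, masks pid
    if m:
        return f"{m.group(1)}[<num>]:"
    for cls in ("ts", "ip", "num"):
        if re.fullmatch(CLASS_RX[cls], tok):
            return f"<{cls}>"
    return tok

def learn_types(entries, max_var_frac=0.25):
    """Cluster masked entries into templates (one per log entry type). Tokens
    that differ between entries of the same length, within the threshold,
    become <var>; entries that differ more start a new type."""
    templates = []
    for entry in entries:
        toks = [_mask_token(t) for t in entry.split()]
        for tpl in templates:
            if len(tpl) != len(toks):
                continue
            diffs = [i for i, (a, b) in enumerate(zip(tpl, toks)) if a != b]
            if len(diffs) <= max_var_frac * len(toks):
                for i in diffs:
                    tpl[i] = "<var>"
                break
        else:
            templates.append(toks)
    return templates

def make_rule(template, entry_type):
    """Generate a runtime rule: literals are escaped (they are the characteristics
    that uniquely identify the type), placeholders become named capture groups."""
    counts, parts = {}, []
    for tok in template:
        piece = ""
        for frag in re.split(r"(<[a-z]+>)", tok):
            if frag.startswith("<") and frag.endswith(">"):
                cls = frag[1:-1]
                counts[cls] = counts.get(cls, 0) + 1
                piece += f"(?P<{cls}{counts[cls]}>{CLASS_RX[cls]})"
            elif frag:
                piece += re.escape(frag)
        parts.append(piece)
    text = " ".join(template)
    event = next((ev for kw, ev in EVENT_KEYWORDS.items() if kw in text), "UNCLASSIFIED")
    log_type = re.match(r"[A-Za-z_]+", template[1]).group(0)  # assumption: prog follows timestamp
    return RuntimeRule(entry_type, log_type, event, re.compile(r"^" + r"\s+".join(parts) + r"$"))

class RuntimeParser:
    """Holds the loaded rules and classifies unknown entries at runtime."""
    def __init__(self, rules):
        self.rules = list(rules)

    def parse(self, entry):
        for rule in self.rules:
            m = rule.pattern.match(entry)
            if m:
                return {"entry_type": rule.entry_type, "log_type": rule.log_type,
                        "event": rule.event, "fields": m.groupdict()}
        return None  # unrecognised entry: candidate for the next learning round

def build_parser(sample_text):
    """The whole pre-runtime process: learn types, generate rules, load the parser."""
    entries = [ln for ln in sample_text.splitlines() if ln.strip()]
    return RuntimeParser(make_rule(t, f"T{i + 1}") for i, t in enumerate(learn_types(entries)))

# Constructed sample log (RFC 5737 documentation addresses) used for learning.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
2024-05-01T10:00:02Z sshd[1234]: Failed password for bob from 198.51.100.7 port 40000 ssh2
2024-05-01T10:00:03Z sshd[1240]: Accepted publickey for alice from 192.0.2.10 port 50200 ssh2
2024-05-01T10:00:04Z kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=22
2024-05-01T10:00:05Z kernel: DROP IN=eth1 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=443
"""

if __name__ == "__main__":
    parser = build_parser(SAMPLE_LOG)
    for rule in parser.rules:
        print(rule.entry_type, rule.log_type, rule.event, rule.pattern.pattern)
    print(parser.parse("2024-05-02T08:15:00Z sshd[999]: Failed password for mallory from 203.0.113.77 port 2222 ssh2"))
```

Running it yields three entry types (two sshd, one kernel). The "Accepted publickey" type was learned from a single sample, so the username `alice` is still treated as a characteristic literal and a login by another user goes unrecognised; that is the practical reason the sample log must cover each entry type with enough variation for the learning step to separate characteristics from variable fields before the rules are loaded into the runtime parser.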
28 Citations
20 Claims
1. A computer-implemented method, comprising:
- prior to runtime as part of a log learning process;
- accessing, using a log interpretation controller, a sample log file including a plurality of log entries for log learning;
- analyzing each of the plurality of log entries;
- assigning a log entry type to each of the plurality of log entries;
- assigning a log type and semantic event to each log entry type;
- triggering generation of runtime rules for analyzing unknown log entries wherein the runtime rules include characteristics of particular log entry types that allow unique identification of the particular log entry type for a particular unknown log entry; and
- loading the generated runtime rules into a runtime parser.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A non-transitory, computer-readable medium storing computer-readable instructions, the instructions executable by a computer and configured to, prior to runtime as part of a log learning process:
- access, using a log interpretation controller, a sample log file including a plurality of log entries for log learning;
- analyze each of the plurality of log entries;
- assign a log entry type to each of the plurality of log entries;
- assign a log type and semantic event to each log entry type;
- trigger generation of runtime rules for analyzing unknown log entries wherein the runtime rules include characteristics of particular log entry types that allow unique identification of the particular log entry type for a particular unknown log entry; and
- load the generated runtime rules into a runtime parser.
Dependent claims: 9, 10, 11, 12, 13, 14

15. A system, comprising:
- a memory;
- at least one hardware processor interoperably coupled with the memory and configured to, prior to runtime as part of a log learning process;
- access, using a log interpretation controller, a sample log file including a plurality of log entries for log learning;
- analyze each of the plurality of log entries;
- assign a log entry type to each of the plurality of log entries;
- assign a log type and semantic event to each log entry type;
- trigger generation of runtime rules for analyzing unknown log entries wherein the runtime rules include characteristics of particular log entry types that allow unique identification of the particular log entry type for a particular unknown log entry; and
- load the generated runtime rules into a runtime parser.
Dependent claims: 16, 17, 18, 19, 20
Specification