METHOD FOR AUTOMATED SIEM CUSTOM CORRELATION RULE GENERATION THROUGH INTERACTIVE NETWORK VISUALIZATION

US 20180234457A1
Filed: 04/21/2017
Published: 08/16/2018
Est. Priority Date: 02/15/2017
Status: Active Grant

First Claim

Patent Images

1. A method for automated Security Information and Event Management (SIEM) custom correlation rule generation, comprising:

receiving log data from a plurality of endpoints in a network;

receiving input data about the network from a user;

generating a preliminary visualization of the network based on the log data and the input data;

displaying the preliminary visualization to the user;

receiving feedback from the user about the preliminary visualization;

generating, based on the preliminary visualization and the feedback, a visualization of the network;

automatically generating, based on the visualization, one or more SIEM custom correlation rules;

receiving event data from the plurality of endpoints;

applying the one or more SIEM custom correlation rules to the event data in order to determine whether to trigger one or more actions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure provides a dynamic method for automated Security Information and Event Management (SIEM) custom correlation rule generation through the use of an interactive network visualization. The visualization is based on log data received from network endpoints and inputs received from a user, and is provided to the user for feedback before the SIEM custom correlation rules are automatically generated based on the visualization. The automatically generated SIEM custom correlation rules are then used to determine whether to trigger actions based on event data received from the network endpoints.

Citations

20 Claims

1. A method for automated Security Information and Event Management (SIEM) custom correlation rule generation, comprising:
- receiving log data from a plurality of endpoints in a network;
  
  receiving input data about the network from a user;
  
  generating a preliminary visualization of the network based on the log data and the input data;
  
  displaying the preliminary visualization to the user;
  
  receiving feedback from the user about the preliminary visualization;
  
  generating, based on the preliminary visualization and the feedback, a visualization of the network;
  
  automatically generating, based on the visualization, one or more SIEM custom correlation rules;
  
  receiving event data from the plurality of endpoints;
  
  applying the one or more SIEM custom correlation rules to the event data in order to determine whether to trigger one or more actions.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - receiving changes to the visualization from the user;
      
      updating the visualization based on the changes;
      
      automatically updating the one or more SIEM custom correlation rules based on the updated visualization.
  - 3. The method of claim 2, wherein the feedback and the changes are provided by the user through a graphical user interface.
  - 4. The method of claim 1, wherein the input data comprises one or more of:
    - an IP address of a network device;
      
      network zone information; and
      
      network host information.
  - 5. The method of claim 1, wherein the log data from an endpoint of the plurality of endpoints comprises one or more of:
    - a source IP address of incoming traffic at the endpoint;
      
      a destination IP address of outgoing traffic from the endpoint;
      
      a source port of incoming traffic at the endpoint;
      
      a destination port of outgoing traffic from the endpoint; and
      
      identifying information of one or more applications executing on an endpoint of the plurality of endpoints.
  - 6. The method of claim 1, wherein the input data is received from the user in response to one or more prompts provided to the user.
  - 7. The method of claim 1, wherein the one or more actions comprise generating at least one of:
    - an alert; and
      
      a notification.

8. A system comprising:
- one or more processors; and
  
  memory storing one or more applications that, when executed on the one or more processors, perform a method for automated Security Information and Event Management (SIEM) custom correlation rule generation, comprising;
  
  receiving log data from a plurality of endpoints in a network;
  
  receiving input data about the network from a user;
  
  generating a preliminary visualization of the network based on the log data and the input data;
  
  displaying the preliminary visualization to the user;
  
  receiving feedback from the user about the preliminary visualization;
  
  generating, based on the preliminary visualization and the feedback, a visualization of the network;
  
  automatically generating, based on the visualization, one or more SIEM custom correlation rules;
  
  receiving event data from the plurality of endpoints;
  
  applying the one or more SIEM custom correlation rules to the event data in order to determine whether to trigger one or more actions.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the method further comprises:
    - receiving changes to the visualization from the user;
      
      updating the visualization based on the changes;
      
      automatically updating the one or more SIEM custom correlation rules based on the updated visualization.
  - 10. The system of claim 9, wherein the feedback and the changes are provided by the user through a graphical user interface.
  - 11. The system of claim 8, wherein the input data comprises one or more of:
    - an IP address of a network device;
      
      network zone information; and
      
      network host information.
  - 12. The system of claim 8, wherein the log data from an endpoint of the plurality of endpoints comprises one or more of:
    - a source IP address of incoming traffic at the endpoint;
      
      a destination IP address of outgoing traffic from the endpoint;
      
      a source port of incoming traffic at the endpoint;
      
      a destination port of outgoing traffic from the endpoint; and
      
      identifying information of one or more applications executing on an endpoint of the plurality of endpoints.
  - 13. The system of claim 8, wherein the input data is received from the user in response to one or more prompts provided to the user.
  - 14. The system of claim 8, wherein the one or more actions comprise generating at least one of:
    - an alert; and
      
      a notification.

15. A non-transitory computer-readable storage medium containing instructions that, when executed by one or more processors, perform a method for automated Security Information and Event Management (SIEM) custom correlation rule generation, comprising:
- receiving log data from a plurality of endpoints in a network;
  
  receiving input data about the network from a user;
  
  generating a preliminary visualization of the network based on the log data and the input data;
  
  displaying the preliminary visualization to the user;
  
  receiving feedback from the user about the preliminary visualization;
  
  generating, based on the preliminary visualization and the feedback, a visualization of the network;
  
  automatically generating, based on the visualization, one or more SIEM custom correlation rules;
  
  receiving event data from the plurality of endpoints;
  
  applying the one or more SIEM custom correlation rules to the event data in order to determine whether to trigger one or more actions.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the method further comprises:
    - receiving changes to the visualization from the user;
      
      updating the visualization based on the changes;
      
      automatically updating the one or more SIEM custom correlation rules based on the updated visualization.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the feedback and the changes are provided by the user through a graphical user interface.
  - 18. The non-transitory computer-readable storage medium of claim 15, wherein the input data comprises one or more of:
    - an IP address of a network device;
      
      network zone information; and
      
      network host information.
  - 19. The non-transitory computer-readable storage medium of claim 15, wherein the log data from an endpoint of the plurality of endpoints comprises one or more of:
    - a source IP address of incoming traffic at the endpoint;
      
      a destination IP address of outgoing traffic from the endpoint;
      
      a source port of incoming traffic at the endpoint;
      
      a destination port of outgoing traffic from the endpoint; and
      
      identifying information of one or more applications executing on an endpoint of the plurality of endpoints.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein the input data is received from the user in response to one or more prompts provided to the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
RAJKUMAR, Vishal

Granted Patent

US 10,404,751 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0631   using root cause analysis; ...

H04L 41/0654   using network fault recover...

H04L 41/0816   the condition being an adap...

H04L 41/0876   Aspects of the degree of co...

H04L 41/0889   Techniques to speed-up the ...

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

METHOD FOR AUTOMATED SIEM CUSTOM CORRELATION RULE GENERATION THROUGH INTERACTIVE NETWORK VISUALIZATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD FOR AUTOMATED SIEM CUSTOM CORRELATION RULE GENERATION THROUGH INTERACTIVE NETWORK VISUALIZATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links