METHOD FOR AUTOMATED SIEM CUSTOM CORRELATION RULE GENERATION THROUGH INTERACTIVE NETWORK VISUALIZATION
First Claim
1. A method for automated Security Information and Event Management (SIEM) custom correlation rule generation, comprising:
receiving log data from a plurality of endpoints in a network;
receiving input data about the network from a user;
generating a preliminary visualization of the network based on the log data and the input data;
displaying the preliminary visualization to the user;
receiving feedback from the user about the preliminary visualization;
generating, based on the preliminary visualization and the feedback, a visualization of the network;
automatically generating, based on the visualization, one or more SIEM custom correlation rules;
receiving event data from the plurality of endpoints;
applying the one or more SIEM custom correlation rules to the event data in order to determine whether to trigger one or more actions.
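As an added illustration, not the patent's own implementation and with every name hypothetical, the following Python sketch walks the claimed steps on constructed log data, user input and feedback: it builds a role-labelled flow graph as the network visualization, applies the user's corrections to it, derives correlation rules from the approved graph, and evaluates incoming event data against those rules to decide which actions to trigger.

```python
from collections import namedtuple

# Constructed sample log data from endpoints: (src, dst, dst_port) flows.
LOG_DATA = [("ws-01", "file-srv", 445), ("ws-02", "file-srv", 445),
            ("file-srv", "db-01", 5432), ("ws-01", "proxy", 3128)]
# Constructed user input: asset roles for the endpoints the user knows.
USER_INPUT = {"ws-01": "workstation", "ws-02": "workstation",
              "file-srv": "server", "db-01": "database", "proxy": "server"}
# Constructed user feedback on the preliminary visualization.
FEEDBACK = {"relabel": {"proxy": "gateway"},
            "remove_edges": [("ws-01", "proxy", 3128)]}

Rule = namedtuple("Rule", "name predicate action")

def build_visualization(log_data, user_input):
    """Preliminary graph: node -> role ('unknown' if unlabelled), edges = observed flows."""
    nodes = {h: user_input.get(h, "unknown") for s, d, _ in log_data for h in (s, d)}
    return {"nodes": nodes, "edges": set(log_data)}

def apply_feedback(viz, feedback):
    """Final graph: apply the user's role relabels and edge removals."""
    viz["nodes"].update(feedback.get("relabel", {}))
    viz["edges"] -= set(feedback.get("remove_edges", []))
    return viz

def generate_rules(viz):
    """Derive correlation rules from the approved graph (hypothetical rule set)."""
    allowed, roles = viz["edges"], viz["nodes"]
    return [
        # Any flow that is not an approved edge of the graph raises an alert.
        Rule("unapproved_flow",
             lambda e: (e["src"], e["dst"], e["port"]) not in allowed, "alert"),
        # A workstation talking directly to a database is escalated.
        Rule("workstation_to_database",
             lambda e: roles.get(e["src"]) == "workstation"
             and roles.get(e["dst"]) == "database", "isolate_host"),
    ]

def apply_rules(rules, events):
    """Evaluate every rule on every event; return the actions to trigger."""
    return [(r.name, r.action, e["src"], e["dst"])
            for e in events for r in rules if r.predicate(e)]

def run_pipeline(events, log_data=LOG_DATA, user_input=USER_INPUT, feedback=FEEDBACK):
    """All claimed steps end to end: logs + input -> graph -> feedback -> rules -> actions."""
    viz = apply_feedback(build_visualization(log_data, user_input), feedback)
    return apply_rules(generate_rules(viz), events)
```

Feeding `run_pipeline` a batch of event dicts with `src`, `dst` and `port` keys returns the (rule, action, src, dst) tuples that fired; the edge the user removed in feedback is what makes a previously observed flow alert.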
Abstract
The present disclosure provides a dynamic method for automated Security Information and Event Management (SIEM) custom correlation rule generation through the use of an interactive network visualization. The visualization is based on log data received from network endpoints and inputs received from a user, and is provided to the user for feedback before the SIEM custom correlation rules are automatically generated based on the visualization. The automatically generated SIEM custom correlation rules are then used to determine whether to trigger actions based on event data received from the network endpoints.
20 Claims
1. A method for automated Security Information and Event Management (SIEM) custom correlation rule generation, comprising:
receiving log data from a plurality of endpoints in a network;
receiving input data about the network from a user;
generating a preliminary visualization of the network based on the log data and the input data;
displaying the preliminary visualization to the user;
receiving feedback from the user about the preliminary visualization;
generating, based on the preliminary visualization and the feedback, a visualization of the network;
automatically generating, based on the visualization, one or more SIEM custom correlation rules;
receiving event data from the plurality of endpoints;
applying the one or more SIEM custom correlation rules to the event data in order to determine whether to trigger one or more actions.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system comprising:
one or more processors; and
memory storing one or more applications that, when executed on the one or more processors, perform a method for automated Security Information and Event Management (SIEM) custom correlation rule generation, comprising:
receiving log data from a plurality of endpoints in a network;
receiving input data about the network from a user;
generating a preliminary visualization of the network based on the log data and the input data;
displaying the preliminary visualization to the user;
receiving feedback from the user about the preliminary visualization;
generating, based on the preliminary visualization and the feedback, a visualization of the network;
automatically generating, based on the visualization, one or more SIEM custom correlation rules;
receiving event data from the plurality of endpoints;
applying the one or more SIEM custom correlation rules to the event data in order to determine whether to trigger one or more actions.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A non-transitory computer-readable storage medium containing instructions that, when executed by one or more processors, perform a method for automated Security Information and Event Management (SIEM) custom correlation rule generation, comprising:
receiving log data from a plurality of endpoints in a network;
receiving input data about the network from a user;
generating a preliminary visualization of the network based on the log data and the input data;
displaying the preliminary visualization to the user;
receiving feedback from the user about the preliminary visualization;
generating, based on the preliminary visualization and the feedback, a visualization of the network;
automatically generating, based on the visualization, one or more SIEM custom correlation rules;
receiving event data from the plurality of endpoints;
applying the one or more SIEM custom correlation rules to the event data in order to determine whether to trigger one or more actions.
Dependent claims: 16, 17, 18, 19, 20.
Specification