ENTERPRISE POLICY TRACKING WITH SECURITY INCIDENT INTEGRATION
First Claim
1. A method for monitoring security policy violations in a computer network, the method comprising:
(a) creating a rule corresponding to a security policy;
(b) determining a variable from the rule, wherein the variable is enabled to be set to a plurality of values, and wherein the rule is violated or not violated conditional on the value of the variable;
(c) receiving a log associated with the computer network;
(d) parsing the log to determine the value of the variable;
(e) evaluating the rule conditional on the value of the variable;
(f) identifying a rule violation corresponding to the value of the variable and the rule;
(g) generating a security event corresponding to the rule violation; and
(h) recording information representing the security event to a computer-readable storage medium.
Abstract
The present invention relates to methods, processes, and systems for monitoring security policy violations in a computer network. Details of such monitoring include creating a rule according to a security policy, determining if the rule is violated by a value of a variable, and recording security events and comparing the number of events to a threshold.
42 Claims
1. A method for monitoring security policy violations in a computer network, the method comprising: (independent claim; full text given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42

22. A system for monitoring violations of security policies, the system comprising:
(a) a computer network;
(b) a computer-readable storage medium;
(c) a processor; and
(d) memory, including instructions executable by the processor to cause the system to at least:
(i) create a rule corresponding to a security policy;
(ii) determine a variable from the rule, wherein the variable is enabled to be set to a plurality of values, and wherein the rule is violated or not violated conditional on the value of the variable;
(iii) receive from the computer network a log associated with the computer network;
(iv) parse the log to determine the value of the variable;
(v) evaluate the rule conditional on the value of the variable;
(vi) identify a rule violation corresponding to the rule and the value of the variable;
(vii) generate a security event associated with the rule violation; and
(viii) record information representing the security event to the computer-readable storage medium.
Dependent claims: 23, 24, 25, 26, 27
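The method of claim 1, steps (a) through (h), together with the count-against-threshold step mentioned in the abstract, as a worked example. This is an added illustration, not code from the patent or its assignee: the sshd-style log format, the three policies and their thresholds, the internal address ranges and every sample log line are constructed assumptions chosen to exercise each step, and a production monitor would also count the lines its parser rejects.

```python
from __future__ import annotations

import ipaddress
import json
import re
from collections import Counter
from dataclasses import asdict, dataclass
from pathlib import Path
from typing import Callable, Iterable


# (a) A rule corresponding to a security policy and (b) the single variable whose
# value decides whether it is violated. "threshold" is the abstract's event count
# at which the rule is escalated (a constructed policy parameter).
@dataclass(frozen=True)
class Rule:
    name: str
    policy: str
    variable: str                    # log field the rule evaluates
    violated: Callable[[str], bool]  # True when the value violates the policy
    threshold: int = 1


@dataclass(frozen=True)
class SecurityEvent:
    rule: str
    variable: str
    value: str
    raw_log: str


# (c) Constructed sshd-style log lines; the format is assumed, not captured from a host.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z sshd[101]: Accepted publickey for alice from 10.0.0.5 port 51234
2024-05-01T08:00:07Z sshd[102]: Accepted password for root from 203.0.113.9 port 40022
2024-05-01T08:00:09Z sshd[103]: Accepted password for bob from 198.51.100.4 port 40100
2024-05-01T08:00:12Z sshd[104]: Failed password for root from 203.0.113.9 port 40023
"""

# Group names are the variables a rule may refer to.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src_ip>\S+) port \d+$"
)

# Constructed definition of "internal": an explicit allowlist rather than
# ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """Source-address predicate: anything not inside INTERNAL_NETS (fail closed on garbage)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


# Constructed policies (hypothetical names and thresholds).
RULES = [
    Rule("root-ssh-attempt", "no SSH logins as root", "user",
         lambda v: v == "root", threshold=2),
    Rule("password-auth", "SSH must use public-key authentication", "method",
         lambda v: v == "password", threshold=5),
    Rule("external-source", "SSH only from internal ranges", "src_ip",
         is_external, threshold=1),
]


def parse_log(line: str) -> dict[str, str] | None:
    """(d) Parse one line into variable -> value; None when the line is unrecognised."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(rule: Rule, fields: dict[str, str], raw: str) -> SecurityEvent | None:
    """(e) evaluate the rule on the variable's value, (f) identify a violation,
    (g) generate the corresponding security event."""
    value = fields.get(rule.variable)
    if value is not None and rule.violated(value):
        return SecurityEvent(rule.name, rule.variable, value, raw)
    return None


def monitor(rules: Iterable[Rule], log_text: str) -> tuple[list[SecurityEvent], list[str]]:
    """Run every rule over every parsable line. Returns the events and the names
    of rules whose event count reached their threshold."""
    rules = list(rules)
    events: list[SecurityEvent] = []
    for raw in log_text.splitlines():
        fields = parse_log(raw)
        if fields is None:
            continue  # unrecognised line: skipped here, worth counting in practice
        for rule in rules:
            ev = evaluate(rule, fields, raw)
            if ev is not None:
                events.append(ev)
    counts = Counter(ev.rule for ev in events)
    escalated = [r.name for r in rules if counts[r.name] >= r.threshold]
    return events, escalated


def serialize_event(ev: SecurityEvent) -> str:
    """One JSON object per line; the record format written by record_events."""
    return json.dumps(asdict(ev), sort_keys=True)


def record_events(events: Iterable[SecurityEvent], path: Path) -> int:
    """(h) Append the events to a file; returns the number of records written."""
    lines = [serialize_event(ev) for ev in events]
    with path.open("a", encoding="utf-8") as fh:
        for line in lines:
            fh.write(line + "\n")
    return len(lines)


if __name__ == "__main__":
    found, escalated = monitor(RULES, SAMPLE_LOG)
    print(f"{len(found)} events; escalated rules: {escalated}")
    # Constructed output path for the recording step.
    print(record_events(found, Path("security_events.jsonl")), "records written")
```

Each rule names exactly one variable, mirroring step (b): the rule's outcome is a function of that field's value alone, so the parser is the only place log syntax is handled and the policies stay independent of it. The threshold is applied per rule after the whole log is processed; a streaming monitor would instead maintain the counters as events arrive.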