Security incident identification and prioritization
Abstract
Techniques are disclosed for protecting a computer environment. The technique comprises providing an index; comparing a first event with the index; determining whether the first event is unusual; and determining whether a security incident associated with the first event has occurred.
18 Claims

1. A method for protecting a computer environment, comprising:

providing an archive index that includes for each of one or more stored objects a corresponding archive index entry indicative of a state of the stored object at an archive time with which the entry is associated;

comparing with the archive index a system index generated at a system index time subsequent to the archive time;

generating based on the comparison a first event if the comparison indicates that a first stored object associated with the system index has been modified since the archive time; and

determining whether a correlation exists between the first event and a second event generated in connection with a monitoring process associated with the computer environment.

(Claims 2 through 16 depend on claim 1 and are not reproduced on this page.)

17. A system for protecting a computer environment, comprising:

a processor configured to provide an archive index that includes for each of one or more stored objects a corresponding archive index entry indicative of a state of the stored object at an archive time with which the entry is associated, compare with the archive index a system index generated at a system index time subsequent to the archive time, generate based on the comparison a first event if the comparison indicates that a first stored object associated with the system index has been modified since the archive time, and determine whether a correlation exists between the first event and a second event generated in connection with a monitoring process associated with the computer environment; and

a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions.

18. A computer program product for protecting a computer environment, the computer program product being embodied in a tangible computer readable storage medium and comprising computer instructions for:

providing an archive index that includes for each of one or more stored objects a corresponding archive index entry indicative of a state of the stored object at an archive time with which the entry is associated;

comparing with the archive index a system index generated at a system index time subsequent to the archive time;

generating based on the comparison a first event if the comparison indicates that a first stored object associated with the system index has been modified since the archive time; and

determining whether a correlation exists between the first event and a second event generated in connection with a monitoring process associated with the computer environment.
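The claimed method is, in practice, a file-integrity check whose findings are corroborated against a separate monitoring feed. The following Python sketch is an added illustration of the four steps of claim 1 and is not code from the patent or its specification. It assumes the object state recorded in each index entry is a SHA-256 of the object's content, that a "second event" correlates with a "first event" when it names the same stored object and falls inside the window between archive time and system index time, and that a corroborated modification is prioritized above an uncorroborated one; all sample contents and monitoring events are constructed.

```python
import hashlib

# Constructed sample data (not from the patent): the state of three stored
# objects at the archive time and again at a later system-index time.
ARCHIVE_TIME = 1000
SYSTEM_TIME = 2000

ARCHIVE_CONTENTS = {
    "etc/passwd": b"root:x:0:0\nalice:x:1000:1000\n",
    "bin/sh": b"#!/bin/sh\nexec /bin/dash\n",
    "var/log/app.log": b"started\n",
}
SYSTEM_CONTENTS = {
    "etc/passwd": b"root:x:0:0\nalice:x:1000:1000\nmallory:x:0:0\n",  # modified
    "bin/sh": b"#!/bin/sh\nexec /bin/dash\n",                          # unchanged
    "var/log/app.log": b"started\n",                                   # unchanged
}

# Constructed events from a separate monitoring process (e.g. an audit daemon).
MONITORING_EVENTS = [
    {"time": 1500, "kind": "file_write", "object": "etc/passwd", "actor": "pid:4242"},
    {"time": 1700, "kind": "login", "object": None, "actor": "alice"},
    {"time": 2500, "kind": "file_write", "object": "etc/passwd", "actor": "pid:5000"},
]


def build_index(contents, index_time):
    """Claim 1, step 1: one entry per stored object recording its state
    (assumed here to be a SHA-256 of the content) at index_time."""
    return {
        "time": index_time,
        "entries": {path: hashlib.sha256(data).hexdigest() for path, data in contents.items()},
    }


def compare_indexes(archive_index, system_index):
    """Claim 1, steps 2-3: compare the later system index with the archive index and
    emit a first event for every object whose state no longer matches its archive entry."""
    events = []
    for path, archive_state in archive_index["entries"].items():
        system_state = system_index["entries"].get(path)
        if system_state is not None and system_state != archive_state:
            events.append({
                "type": "modified",
                "object": path,
                "archive_time": archive_index["time"],
                "system_time": system_index["time"],
            })
    return events


def correlate(first_event, monitoring_events):
    """Claim 1, step 4 (assumed correlation rule): a second event correlates with the
    first if it names the same object and lies in (archive_time, system_time], the
    window in which the modification must have happened."""
    lo, hi = first_event["archive_time"], first_event["system_time"]
    return [
        e for e in monitoring_events
        if e["object"] == first_event["object"] and lo < e["time"] <= hi
    ]


def identify_incidents(archive_contents, archive_time, system_contents, system_time, monitoring_events):
    """End to end: build both indexes, generate first events, correlate, and rank.
    Ranking policy is this example's assumption: a modification corroborated by a
    monitoring event is 'high' (attributable, triage first); one with no corroborating
    event is 'medium'."""
    archive_index = build_index(archive_contents, archive_time)
    system_index = build_index(system_contents, system_time)
    incidents = []
    for first_event in compare_indexes(archive_index, system_index):
        matches = correlate(first_event, monitoring_events)
        incidents.append({
            "object": first_event["object"],
            "first_event": first_event,
            "correlated_events": matches,
            "priority": "high" if matches else "medium",
        })
    return incidents


if __name__ == "__main__":
    for inc in identify_incidents(ARCHIVE_CONTENTS, ARCHIVE_TIME,
                                  SYSTEM_CONTENTS, SYSTEM_TIME, MONITORING_EVENTS):
        print(inc["priority"], inc["object"], [e["actor"] for e in inc["correlated_events"]])
```

With the constructed data only `etc/passwd` changes between the two index times, and the only monitoring event that both names that object and falls inside the window is the write at time 1500; the later write at 2500 is outside the window and the login names no object, so neither correlates. Objects that disappear between the two indexes are deliberately not turned into events here, since claim 1 speaks only of objects that have been modified.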