Systems and methods for correlating log messages into actionable security incidents and managing human responses

US 8,156,553 B1
Filed: 07/11/2008
Issued: 04/10/2012
Est. Priority Date: 07/11/2008
Status: Active Grant

First Claim

Patent Images

1. A method of managing incidents comprising:

at a computer having at least one processor, comparing a plurality of parsed log messages to one another, wherein the plurality of parsed log messages are free form log messages, wherein parsing occurs substantially in real time;

if two or more of the plurality of parsed log messages correlate, generating one or more correlation messages and comparing the one or more correlation messages to a plurality of incident descriptions;

determining from the one or more correlation messages whether to create an incident case corresponding to the one or more correlation messages;

associating one or more workflow steps with the incident case; and

outputting the incident case with the workflow steps.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for correlating log messages into actionable incidents. Some embodiments implement a method which includes comparing a plurality of disparate log messages to a plurality of incident descriptions. The disparate log messages can be parsed. When the messages correlate with an incident description an incident case can be created. Workflow steps can be associated with the incident case and output along with the incident case. Additional disparate log messages can be compared to the incident expressions and, when additional messages correlate with the correlated incident description, the incident case can be adjusted. In some embodiments, the adjustment can include adding workflow steps to the incident case. Results of various workflow steps can be monitored and adjustments can be made accordingly. In some embodiments, the results can include out-of-bounds activities.

93 Citations

View as Search Results

17 Claims

1. A method of managing incidents comprising:
- at a computer having at least one processor, comparing a plurality of parsed log messages to one another, wherein the plurality of parsed log messages are free form log messages, wherein parsing occurs substantially in real time;
  
  if two or more of the plurality of parsed log messages correlate, generating one or more correlation messages and comparing the one or more correlation messages to a plurality of incident descriptions;
  
  determining from the one or more correlation messages whether to create an incident case corresponding to the one or more correlation messages;
  
  associating one or more workflow steps with the incident case; and
  
  outputting the incident case with the workflow steps.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising:
    - comparing additional log messages to the incident descriptions; and
      
      when the additional log messages correlate with an incident description associated with the incident case, adjusting the incident case.
  - 3. The method of claim 2 wherein the adjusting the incident case includes associating additional workflow steps with the incident case.
  - 4. The method of claim 1 further comprising monitoring a result of the workflow steps.
  - 5. The method of claim 4 further comprising adjusting the workflow steps based on the result of the workflow steps.
  - 6. The method of claim 4 wherein the result includes out-of-bounds activities.

7. A non-transitory machine readable medium carrying instructions for managing incidents which when executed by a machine cause the machine to:
- compare a plurality of parsed log messages to one another, wherein the plurality of parsed log messages are free form log messages, wherein parsing occurs substantially in real time;
  
  if two or more of the plurality of parsed log messages correlate, generate one or more correlation messages and compare the one or more correlation messages to a plurality of incident descriptions;
  
  determining from the one or more correlation messages whether to create an incident case corresponding to the one or more correlation messages;
  
  associate one or more workflow steps with the incident case; and
  
  output the incident case with the workflow steps.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The machine readable medium of claim 7 wherein the instructions further cause the machine to:
    - compare additional log messages to the incident descriptions; and
      
      when the additional log messages correlate with an incident description associated with the incident case, adjust the incident case.
  - 9. The machine readable medium of claim 8 wherein the instructions which cause the machine to adjust the incident case includes instructions which cause the machine to associate additional workflow steps with the incident case.
  - 10. The machine readable medium of claim 7 wherein the instructions further cause the machine to monitor a result of the workflow steps.
  - 11. The machine readable medium of claim 10 wherein the instructions further cause the machine to adjust the workflow steps based on the result of the workflow steps.
  - 12. The machine readable medium of claim 7 wherein the result includes out-of-bounds activities.

13. A system for managing incidents comprising:
- a processor;
  
  an interface in communication with the processor; and
  
  a machine readable medium in communication with the processor and carrying instructions which when executed by the processor cause the processor to;
  
  compare a plurality of parsed log messages to one another, wherein the plurality of parsed log messages are free form log messages, wherein parsing occurs substantially in real time;
  
  if two or more of the plurality of parsed log messages correlate, generate one or more correlation messages and compare the one or more correlation messages to a plurality of incident descriptions;
  
  determine from the one or more correlation messages whether to create an incident case corresponding to the one or more correlation messages;
  
  associate one or more workflow steps with the incident case; and
  
  output the incident case with the workflow steps via the interface.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The system of claim 13 wherein the instructions further cause the machine to:
    - compare additional log messages to the incident descriptions; and
      
      when the additional log messages correlate with an incident description associated with the incident case, adjust the incident case.
  - 15. The system of claim 14 wherein the instructions which cause the machine to adjust the incident case includes instructions which cause the machine to associate additional workflow steps with the incident case.
  - 16. The system of claim 13 wherein the instructions further cause the machine to monitor a result of the workflow steps.
  - 17. The system of claim 16 wherein the instructions further cause the machine to adjust the workflow steps based on the result of the workflow steps.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alert Logic Incorporated
Original Assignee
Alert Logic Incorporated
Inventors
Church, Christopher, Golovinsky, Eugene, Govshteyn, Mikhail
Primary Examiner(s)
LEMMA, SAMSON B

Application Number

US12/171,713
Time in Patent Office

1,369 Days
Field of Search

726 22- 25, 726/11, 709/224
US Class Current

726/22
CPC Class Codes

G06Q 10/06 Resources, workflows, human...

Systems and methods for correlating log messages into actionable security incidents and managing human responses

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

93 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for correlating log messages into actionable security incidents and managing human responses

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links