Systems and methods for correlating log messages into actionable security incidents and managing human responses
First Claim
1. A method of managing incidents comprising:
- at a computer having at least one processor, comparing a plurality of parsed log messages to one another, wherein the plurality of parsed log messages are free form log messages, wherein parsing occurs substantially in real time;
- if two or more of the plurality of parsed log messages correlate, generating one or more correlation messages and comparing the one or more correlation messages to a plurality of incident descriptions;
- determining from the one or more correlation messages whether to create an incident case corresponding to the one or more correlation messages;
- associating one or more workflow steps with the incident case; and
- outputting the incident case with the workflow steps.
Abstract
Systems and methods for correlating log messages into actionable incidents. Some embodiments implement a method which includes comparing a plurality of disparate log messages to a plurality of incident descriptions. The disparate log messages can be parsed. When the messages correlate with an incident description, an incident case can be created. Workflow steps can be associated with the incident case and output along with the incident case. Additional disparate log messages can be compared to the incident expressions and, when additional messages correlate with the correlated incident description, the incident case can be adjusted. In some embodiments, the adjustment can include adding workflow steps to the incident case. Results of various workflow steps can be monitored and adjustments can be made accordingly. In some embodiments, the results can include out-of-bounds activities.
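The pipeline the abstract and claim 1 describe (parse free-form messages, compare them to one another, emit correlation messages, match those against incident descriptions, create a case with workflow steps, and adjust the case when later messages correlate) as an added illustration; this is not the patent's own code, and the log lines, parsers, incident names and workflow steps are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of free-form log lines (not from the patent): firewall denies and sshd events.
LOGS = [
    "Jan 10 10:00:01 fw1 DENY tcp src=10.0.0.5 dst=10.0.0.20 dport=22",
    "Jan 10 10:00:02 fw1 DENY tcp src=10.0.0.5 dst=10.0.0.20 dport=23",
    "Jan 10 10:00:03 fw1 DENY tcp src=10.0.0.5 dst=10.0.0.20 dport=445",
    "Jan 10 10:00:09 sshd[912]: Failed password for root from 10.0.0.5 port 51022",
    "Jan 10 10:00:15 sshd[913]: Accepted password for root from 10.0.0.5 port 51030",
]
PARSERS = [  # (kind, regex) pairs that turn a free-form line into named fields
    ("fw_deny", re.compile(r"fw1 DENY \w+ src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")),
    ("ssh_auth", re.compile(r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")),
]
# Incident descriptions (hypothetical): correlation name -> workflow steps attached to the case.
INCIDENTS = {
    "port_scan": ["Confirm scan on fw1", "Block source at perimeter"],
    "ssh_brute_force": ["Review auth logs", "Reset credentials", "Verify no persistence"],
}

def parse(line):
    for kind, rx in PARSERS:
        m = rx.search(line)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None  # an unparsed free-form line stays out of correlation

def correlate(msgs):
    """Compare parsed messages to one another (grouped by source) and emit correlation messages."""
    by_src = defaultdict(list)
    for m in msgs:
        by_src[m["src"]].append(m)
    out = []
    for src, group in by_src.items():
        if len({m["dport"] for m in group if m["kind"] == "fw_deny"}) >= 3:
            out.append(("port_scan", src))
        results = {m["result"] for m in group if m["kind"] == "ssh_auth"}
        if {"Failed", "Accepted"} <= results:  # failures followed by a success from one source
            out.append(("ssh_brute_force", src))
    return out

class IncidentManager:
    def __init__(self):
        self.msgs, self.cases = [], {}
    def ingest(self, lines):
        """Parse new lines, re-run correlation, create or adjust cases, and return all cases."""
        self.msgs += [p for p in map(parse, lines) if p]
        for name, src in correlate(self.msgs):
            if name not in INCIDENTS:
                continue  # correlation matched no incident description: no case is created
            case = self.cases.setdefault(src, {"src": src, "correlations": [], "workflow": []})
            if name not in case["correlations"]:  # adjust an existing case by adding workflow steps
                case["correlations"].append(name)
                case["workflow"] += INCIDENTS[name]
        return self.cases
```

Feeding the first three lines creates one case carrying the port-scan workflow; feeding the two sshd lines afterwards adjusts the same case rather than opening a second one.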
17 Claims
1. A method of managing incidents (independent claim; text as given under First Claim above). Dependent claims: 2, 3, 4, 5, 6.

7. A non-transitory machine readable medium carrying instructions for managing incidents which when executed by a machine cause the machine to:
- compare a plurality of parsed log messages to one another, wherein the plurality of parsed log messages are free form log messages, wherein parsing occurs substantially in real time;
- if two or more of the plurality of parsed log messages correlate, generate one or more correlation messages and compare the one or more correlation messages to a plurality of incident descriptions;
- determine from the one or more correlation messages whether to create an incident case corresponding to the one or more correlation messages;
- associate one or more workflow steps with the incident case; and
- output the incident case with the workflow steps.
Dependent claims: 8, 9, 10, 11, 12.

13. A system for managing incidents comprising:
- a processor;
- an interface in communication with the processor; and
- a machine readable medium in communication with the processor and carrying instructions which when executed by the processor cause the processor to:
  - compare a plurality of parsed log messages to one another, wherein the plurality of parsed log messages are free form log messages, wherein parsing occurs substantially in real time;
  - if two or more of the plurality of parsed log messages correlate, generate one or more correlation messages and compare the one or more correlation messages to a plurality of incident descriptions;
  - determine from the one or more correlation messages whether to create an incident case corresponding to the one or more correlation messages;
  - associate one or more workflow steps with the incident case; and
  - output the incident case with the workflow steps via the interface.
Dependent claims: 14, 15, 16, 17.
Specification