System and method for interactive correlation rule design in a network security system
First Claim
1. A method for generating correlation rules for events, comprising:
receiving event data for each of a plurality of events, the event data of a particular event comprising at least one attribute associated with that event;
displaying the event data for each of the plurality of events to an operator, the event data for the plurality of events having been processed according to one or more rules of a ruleset stored in a memory, the event data being displayed in a unified interface for displaying event data processed by rules in the ruleset and for creation of new correlation rules;
receiving a selection made using the unified user interface of at least a portion of the plurality of events for which event data is displayed to the operator in the unified user interface;
generating at least one new rule that correlates the selected events, the at least one new rule generated based at least in part upon a pattern spread among the attributes associated with the selected events, the at least one new rule generated by at least one processor;
storing the at least one new rule and the selection of at least a portion of the events in the memory such that the at least one new rule is added to the ruleset stored in the memory; and
re-displaying, in the unified interface for displaying event data processed by rules in the ruleset and for creation of new correlation rules, the event data to the operator such that the event data is correlated in accordance with the at least one new rule.
10 Assignments
0 Petitions
Abstract
A method for generating correlation rules for events comprises receiving event data for each of a plurality of events, the event data of a particular event comprising at least one attribute associated with that event. The method continues by displaying the event data for each of the plurality of events to an operator. The method continues by receiving a selection of at least a portion of the events. The method continues by generating at least one rule that correlates the selected events based at least in part upon the attributes associated with the selected events. The method concludes by displaying the event data to the operator in accordance with the at least one rule.
140 Citations
33 Claims
1. A method for generating correlation rules for events, comprising: (independent claim; full text reproduced above under "First Claim"). Dependent claims: 2-9.
10. A system for generating correlation rules for events, comprising:
at least one sensor that receives event data for each of a plurality of events, the event data of a particular event comprising at least one attribute associated with that event;
at least one memory that stores a ruleset comprising a plurality of rules;
at least one interface device that displays the event data for each of the plurality of events to an operator, the event data for the plurality of events having been processed according to one or more rules of the ruleset, and that receives a selection of at least a portion of the plurality of events for which event data is displayed to the operator, the interface comprising a unified interface for displaying event data processed by rules in the ruleset and for creation of new correlation rules, the event data for each of the plurality of events being displayed to the operator using the unified user interface and the at least one selection being made using the unified user interface; and
at least one processor that generates at least one new rule that correlates the selected events, the at least one new rule generated based at least in part upon a pattern spread among the attributes associated with the selected events, stores the at least one new rule and the selection of at least a portion of the events in the at least one memory such that the at least one new rule is added to the ruleset stored in the at least one memory, and redisplays, in the unified user interface for displaying event data processed by rules in the ruleset and for creation of new correlation rules, the selected events to the operator such that the event data is correlated in accordance with the at least one new rule.
Dependent claims: 11-20.
21. An apparatus for generating correlation rules for events, the apparatus comprising:
at least one memory that stores a ruleset comprising a plurality of rules; and
a correlation engine that:
receives event data for each of a plurality of events, the event data of a particular event comprising a plurality of attributes associated with that event;
displays the event data for each of the plurality of events to at least one operator, the event data for the plurality of events having been processed according to one or more rules of the ruleset, the event data being displayed in a unified interface for displaying event data processed by rules in the ruleset and for creation of new correlation rules;
receives from the at least one operator a selection made using the unified user interface of at least a portion of the plurality of events for which event data is displayed to the at least one operator in the unified user interface;
generates at least one new rule that correlates the selected events, the at least one new rule generated based at least in part upon a pattern spread among the attributes associated with the selected events;
stores the at least one new rule and the selection of at least a portion of the events in the at least one memory such that the at least one new rule is added to the ruleset stored in the at least one memory; and
sends the event data to at least one graphical user interface in accordance with the at least one new rule such that the selected events are redisplayed, in the unified interface for displaying event data processed by rules in the ruleset and for creation of new correlation rules, to the at least one operator in such a way that the selected event data is correlated in accordance with the at least one new rule.
Dependent claims: 22-33.
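The independent claims above all describe the same loop: receive events carrying attributes, display them, take the operator's selection, derive a new rule from the pattern spread among the selected events' attributes, store it in the ruleset, and redisplay the events correlated by that rule. The following is an added illustration of that loop in Python; it is not the patent's implementation, and the event attributes, sensor names, addresses and function names are constructed for the example. The "pattern" here is the simplest one that fits the claim language: a conjunction of equality predicates on every attribute whose value is identical across all selected events, while attributes that vary across the selection are left out of the rule.

```python
"""Added illustration of the claim-1 workflow (not the patent's own code):
receive events -> display -> operator selection -> generate rule from the
attributes the selected events share -> store rule -> redisplay correlated."""
from dataclasses import dataclass, field
from typing import Any, Dict, Iterable, List, Tuple

# Constructed sample event data; sensors and addresses are hypothetical.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": 1, "sensor": "fw-edge", "src_ip": "203.0.113.7", "dst_port": 22, "action": "deny"},
    {"id": 2, "sensor": "fw-edge", "src_ip": "203.0.113.7", "dst_port": 23, "action": "deny"},
    {"id": 3, "sensor": "fw-edge", "src_ip": "203.0.113.7", "dst_port": 445, "action": "deny"},
    {"id": 4, "sensor": "fw-edge", "src_ip": "198.51.100.4", "dst_port": 443, "action": "allow"},
    {"id": 5, "sensor": "ids-core", "src_ip": "203.0.113.7", "dst_port": 80, "action": "alert"},
]


@dataclass
class Rule:
    """A correlation rule: every predicate (attribute == value) must hold."""
    name: str
    predicates: Dict[str, Any]
    selection: List[int]  # the operator's selected event ids, stored with the rule

    def matches(self, event: Dict[str, Any]) -> bool:
        return all(event.get(k) == v for k, v in self.predicates.items())


@dataclass
class Ruleset:
    """The stored ruleset; new rules are appended as the operator creates them."""
    rules: List[Rule] = field(default_factory=list)

    def correlating(self, event: Dict[str, Any]) -> List[str]:
        return [r.name for r in self.rules if r.matches(event)]


def generate_rule(events: List[Dict[str, Any]], selected_ids: Iterable[int],
                  name: str, ignore: Tuple[str, ...] = ("id",)) -> Rule:
    """Derive a rule from the attribute values shared by all selected events.

    Attributes in `ignore` (unique identifiers) never become predicates, since a
    rule on them could only ever match the selected events themselves."""
    selected_ids = set(selected_ids)
    selected = [e for e in events if e["id"] in selected_ids]
    if len(selected) < 2:
        raise ValueError("select at least two events to derive a shared pattern")
    predicates: Dict[str, Any] = {}
    for key in selected[0]:
        if key in ignore or not all(key in e for e in selected):
            continue
        if len({e[key] for e in selected}) == 1:  # value identical across the selection
            predicates[key] = selected[0][key]
    if not predicates:
        raise ValueError("selected events share no attribute value; no rule generated")
    return Rule(name=name, predicates=predicates, selection=sorted(selected_ids))


def redisplay(events: List[Dict[str, Any]], ruleset: Ruleset) -> List[Dict[str, Any]]:
    """The 'unified interface' view: each event with the rules that correlate it."""
    return [{"id": e["id"], "correlated_by": ruleset.correlating(e)} for e in events]


def interactive_rule_design(events: List[Dict[str, Any]], ruleset: Ruleset,
                            selected_ids: Iterable[int], name: str):
    """One pass of the claimed method: generate, store, redisplay."""
    rule = generate_rule(events, selected_ids, name)
    ruleset.rules.append(rule)  # store: the new rule is added to the ruleset
    return rule, redisplay(events, ruleset)


def render(rows: List[Dict[str, Any]]) -> str:
    return "\n".join(f"event {r['id']:>3}  correlated_by={r['correlated_by'] or '-'}" for r in rows)


if __name__ == "__main__":
    rs = Ruleset()
    rule, rows = interactive_rule_design(SAMPLE_EVENTS, rs, {1, 2, 3}, "deny-burst-203.0.113.7")
    print("generated:", rule.predicates)
    print(render(rows))
```

Selecting events 1, 2 and 3 yields a rule on `sensor`, `src_ip` and `action` only, because `dst_port` differs across the selection; event 5 shares the source address but not the sensor, so the redisplay leaves it uncorrelated. A selection with no shared attribute value (for example events 4 and 5) raises instead of storing an empty rule that would match everything.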