System and method for event log review

US 8,402,002 B2
Filed: 09/22/2006
Issued: 03/19/2013
Est. Priority Date: 09/23/2005
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

an event log source configured to generate raw event log data associated with modification of an asset of an electronic network;

a security information manager configured to receive and normalize the raw event log data into a common data format, the normalized event log data including information associated with an event;

wherein the normalized event log data includes an asset identifier, the log report generator extracting the asset identifier from the normalized event log data and retrieving asset information from the asset database using the asset identifier included in the normalized event log data;

at least one computer including an event log database configured to store the normalized event log data and an asset database configured to store asset information where only the asset database is maintained to provide accurate information regarding the assets, the event log database being inaccessible by authorized users in order to maintain integrity of the data;

wherein the event log data are received, processed, and stored in real-time as the events occur throughout the network;

a log report generator configured to correlate the normalized event log data in the event log database with the asset information in the asset database and to package the correlated event log data and asset information into a log report;

a review monitor configured to track a review status of the log report, the review monitor including an electronic notification configured to notify a reviewer of the log report to be reviewed, the review monitor notifying the reviewer of delinquency of a review if the log report is not reviewed within a predetermined time period, the review monitor including a user interface configured to escalate the log report for further review in the event that the reviewer selects a notify link on the user interface; and

a report tracking database configured to store the review status of the log report, wherein the review status includes an escalation of the log report for further review upon determination regarding the modification of the asset was suspicious activity, and at least one of a first time stamp of when availability of the log report is communicated to a reviewer, a period of time covered by the log report, and a second time stamp of when the log report is reviewed,wherein the log report generator packages the correlated event log data according to asset type or asset name.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An event log management system includes an event log source to generate event log data associated with an asset of an electronic network, an event log database to store the event log data, an asset database to store asset information, and a log report generator to package the event log data into a log report based on the asset information stored in the asset database.

Citations

15 Claims

1. A system, comprising:
- an event log source configured to generate raw event log data associated with modification of an asset of an electronic network;
  
  a security information manager configured to receive and normalize the raw event log data into a common data format, the normalized event log data including information associated with an event;
  
  wherein the normalized event log data includes an asset identifier, the log report generator extracting the asset identifier from the normalized event log data and retrieving asset information from the asset database using the asset identifier included in the normalized event log data;
  
  at least one computer including an event log database configured to store the normalized event log data and an asset database configured to store asset information where only the asset database is maintained to provide accurate information regarding the assets, the event log database being inaccessible by authorized users in order to maintain integrity of the data;
  
  wherein the event log data are received, processed, and stored in real-time as the events occur throughout the network;
  
  a log report generator configured to correlate the normalized event log data in the event log database with the asset information in the asset database and to package the correlated event log data and asset information into a log report;
  
  a review monitor configured to track a review status of the log report, the review monitor including an electronic notification configured to notify a reviewer of the log report to be reviewed, the review monitor notifying the reviewer of delinquency of a review if the log report is not reviewed within a predetermined time period, the review monitor including a user interface configured to escalate the log report for further review in the event that the reviewer selects a notify link on the user interface; and
  
  a report tracking database configured to store the review status of the log report, wherein the review status includes an escalation of the log report for further review upon determination regarding the modification of the asset was suspicious activity, and at least one of a first time stamp of when availability of the log report is communicated to a reviewer, a period of time covered by the log report, and a second time stamp of when the log report is reviewed,wherein the log report generator packages the correlated event log data according to asset type or asset name.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, further comprising a report archive database configured to store the log report.
  - 3. The system of claim 2, wherein the report archive database further stores metadata related to the log report including at least one of an issue time of the report, a name of a reviewer, a name of the report, and a count of events to be reviewed in the report.
  - 4. The system of claim 1, wherein the review monitor further includes a portal configured to access the log report to be reviewed.
  - 5. The system of claim 4, wherein the portal is either an internet or an intranet portal.
  - 6. The system of claim 1, wherein the reviewer is an asset manager designated in the asset database.
  - 7. The system of claim 1, wherein the review monitor includes an electronic ticket configured to track the review status of the log report.
  - 8. The system of claim 1, wherein modification of the asset includes modification to data files and applications stored on the asset.

9. A method comprising the steps of:
- generating raw event log data associated with modification of an asset of an electronic network;
  
  receiving and normalizing raw event log data into a common data format, the normalized event log data including information associated with an event;
  
  wherein the normalized event log data includes an asset identifier, the method further comprising extracting the asset identifier from the normalized event log data and retrieving asset information from the asset database using the asset identifier included in the normalized event log data;
  
  storing the normalized event log data in an event log database, the event log database being inaccessible by authorized users in order to maintain integrity of the data;
  
  wherein the event log data are received, processed, and stored in real-time as the events occur throughout the network;
  
  storing asset information in an asset database where only the asset database is maintained to provide accurate information regarding the assets;
  
  correlating the normalized event log data in the event log database with the asset information in the asset database;
  
  packaging the correlated event log data and the asset information into a log report;
  
  tracking a review status of the log report;
  
  notifying a reviewer of the log report to be reviewed by an electronic notification;
  
  notifying the reviewer of delinquency of a review if the log report is not reviewed within a predetermined time period;
  
  providing a user interface configured to escalate the log report for further review in the event that the reviewer selects a notify link on the user interface;
  
  storing the review status of the log report in a report tracking database, wherein the review status includes an escalation of the log report for further review upon determination regarding the modification of the asset was suspicious activity, and at least one of a first time stamp of when availability of the log report is communicated to a reviewer, a period of time covered by the log report, and a second time stamp of when the log report is reviewed; and
  
  packaging the correlated event log data according to asset type or asset name.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, further comprising the step of storing the log report in a report archive database.
  - 11. The method of claim 10, wherein the step of storing the log report includes storing metadata related to the log report including at least one of an issue time of the report, a name of a reviewer, a name of the report, and a count of events to be reviewed in the report.
  - 12. The method of claim 9, further comprising the step of accessing a portal to review the log report.
  - 13. The method of claim 12, wherein the portal is either an internet portal or an intranet portal.
  - 14. The method of claim 9, wherein the reviewer is an asset manager designated in the asset database.
  - 15. The method of claim 9, wherein modification of the asset includes modification to data files and applications stored on the asset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barclays Capital Incorporated (Barclays PLC)
Original Assignee
Barclays Capital Incorporated (Barclays PLC)
Inventors
Adam, Christian C.
Primary Examiner(s)
Saeed, Usmaan
Assistant Examiner(s)
Uddin, Md. I

Application Number

US11/525,212
Publication Number

US 20070179986A1
Time in Patent Office

2,370 Days
Field of Search

707/200, 707/100, 707/101, 707/104.1, 707/648, 707/672, 707/673, 707/682, 707/603, 707/608, 707/688, 707/737, 709/217
US Class Current

707/688
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2151   Time stamp

G06Q 10/06   Resources, workflows, human...

G06Q 10/10   Office automation; Time man...

H04L 63/1425   Traffic logging, e.g. anoma...

System and method for event log review

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for event log review

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links