Generation of alerts in an event management system based upon risk
First Claim
1. A method for generating alerts by an event management device, comprising:
receiving, by the event management device, a request for access from a client device;
transmitting, by the event management device and in response to receiving the request, an authentication webpage to the client device, the authentication webpage including a beacon configured to execute on the client device when the webpage is displayed on the client device to retrieve a client device profile characteristic;
receiving, by the event management device, logon event information from an event device in response to a logon event associated between the event device and the client device, the logon event information including authentication input from the authentication webpage;
receiving, by the event management device, a risk assessment from a risk assessment device, the risk assessment based upon a web device profile characteristic associated with the logon event, the web device profile characteristic having been gathered by the beacon executing on the client device in the authentication webpage transmitted to the client device;
correlating, by the event management device, the logon event information and the risk assessment; and
in response to detecting the logon event as corresponding to an authentication attack, generating, by the event management device, an alert having an associated priority level based upon the risk assessment;
wherein receiving the risk assessment from the risk assessment device comprises receiving, by the event management device, the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying click stream information associated with a web page accessed by the client device, and wherein the method further comprises:
receiving, by the event management device, in response to the request for access to an enterprise network access device from a client device, a first client geographical location based upon the web device profile characteristic associated with the logon event gathered by the beacon executing on the client device;
subsequently receiving, by the event management device, in response to a request for access to a website in the enterprise network, at least a second client geographical location based upon a second set of web device profile characteristics gathered by a second beacon executing on the device from which the request was received; and
in response to detecting a difference between the first and second geographical locations, generating, by the risk assessment device, a risk assessment based upon the difference.
Abstract
Embodiments relate to the generation of alerts in an event management system based upon risk. When an event device associated with the event management system presents a logon page to a client device, the event device includes a beacon as part of the page to monitor and collect web device profile characteristics related to the client device. In response to a logon attempt by the client device, an event management device receives a notification regarding the logon attempt and a risk assessment associated with the web device profile characteristics of the client device. Based upon a correlation of the notification and the corresponding risk assessment, the event management device can generate an alert, such as a SIEM alert, and can include as part of the alert an indication of priority (relatively low or high) and/or a confidence factor indicating whether or not the alert can be suppressed.
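The abstract and claim 1 describe an event management device that pairs each logon event with a risk assessment derived from beacon-gathered web device profile characteristics (click stream, client geolocation) and, when the logon is judged an authentication attack, emits an alert whose priority and confidence follow the risk score. The following Python model is an added example written for this page; it is not code from the patent or its assignee. The click-stream table, the 500 km geolocation jump threshold, the three-failed-logons attack criterion and the priority bands are assumptions chosen for the example, since the patent states no specific values; the sample sessions at the end are constructed.

```python
import math
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed for this example: the patent gives no concrete table or thresholds.
KNOWN_CLICK_STREAMS = {("/login", "/login/submit"),
                       ("/portal", "/login", "/login/submit")}
GEO_JUMP_KM = 500.0           # larger move between the two beacons counts as a jump
FAILED_LOGON_THRESHOLD = 3    # failed logons per user treated as an attack (assumption)


@dataclass
class LogonEvent:
    """Logon event information reported by the event device."""
    session_id: str
    username: str
    succeeded: bool


@dataclass
class RiskAssessment:
    """Risk assessment derived from beacon-gathered web device profile characteristics."""
    session_id: str
    score: float                           # 0.0 benign .. 1.0 hostile
    reasons: List[str] = field(default_factory=list)


@dataclass
class Alert:
    session_id: str
    username: str
    priority: str                          # "low", "medium" or "high"
    confidence: float
    suppressible: bool
    reasons: List[str]


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def assess_risk(session_id: str, profile: dict,
                first_location: Optional[Tuple[float, float]] = None) -> RiskAssessment:
    """Risk assessment device: score what the beacon gathered on the authentication page.

    profile["clickstream"] is the page sequence leading to the logon and
    profile["location"] the client geolocation; first_location is the location the
    earlier beacon gathered when the client reached the enterprise network access device.
    """
    score, reasons = 0.0, []
    if tuple(profile.get("clickstream", ())) not in KNOWN_CLICK_STREAMS:
        score += 0.5        # no entry in the known click stream table
        reasons.append("click stream not in known click stream database")
    if first_location is not None and "location" in profile:
        km = haversine_km(first_location, profile["location"])
        if km > GEO_JUMP_KM:
            score += 0.5    # first and second geographical locations differ
            reasons.append(f"geolocation moved {km:.0f} km between accesses")
    return RiskAssessment(session_id, min(score, 1.0), reasons)


class EventManagementDevice:
    """Correlates logon events with risk assessments and emits prioritised alerts."""

    def __init__(self) -> None:
        self._events: Dict[str, LogonEvent] = {}
        self._assessments: Dict[str, RiskAssessment] = {}
        self._failed_by_user: Dict[str, int] = defaultdict(int)
        self.alerts: List[Alert] = []

    def receive_logon_event(self, ev: LogonEvent) -> Optional[Alert]:
        self._events[ev.session_id] = ev
        if not ev.succeeded:
            self._failed_by_user[ev.username] += 1
        return self._correlate(ev.session_id)

    def receive_risk_assessment(self, ra: RiskAssessment) -> Optional[Alert]:
        self._assessments[ra.session_id] = ra
        return self._correlate(ra.session_id)

    def _correlate(self, session_id: str) -> Optional[Alert]:
        if session_id not in self._events or session_id not in self._assessments:
            return None     # wait until both halves of the pair have arrived
        ev, ra = self._events.pop(session_id), self._assessments.pop(session_id)
        # Attack criterion (assumption): a burst of failed logons for one user,
        # or a high-risk device profile behind the logon.
        attack = self._failed_by_user[ev.username] >= FAILED_LOGON_THRESHOLD or ra.score >= 0.75
        if not attack:
            return None
        priority = "high" if ra.score >= 0.75 else "medium" if ra.score >= 0.4 else "low"
        alert = Alert(session_id, ev.username, priority, confidence=ra.score,
                      suppressible=ra.score < 0.4, reasons=list(ra.reasons))
        self.alerts.append(alert)
        return alert


def demo() -> List[Alert]:
    """Constructed scenario: three failed logons for one user, then one high-risk logon."""
    emd = EventManagementDevice()
    boston = (42.36, -71.06)                     # location seen by the first beacon
    known = ("/login", "/login/submit")
    for i in range(3):
        sid = f"s{i}"
        emd.receive_logon_event(LogonEvent(sid, "alice", succeeded=False))
        emd.receive_risk_assessment(
            assess_risk(sid, {"clickstream": known, "location": boston}, boston))
    # Successful logon whose beacon data shows an unknown click stream and a
    # second location far from the first one.
    emd.receive_logon_event(LogonEvent("s9", "bob", succeeded=True))
    emd.receive_risk_assessment(
        assess_risk("s9", {"clickstream": ("/login/submit",),
                           "location": (52.52, 13.40)}, boston))
    return emd.alerts
```

Running demo() yields two alerts: a low-priority, suppressible alert for the third failed logon of "alice" (attack criterion met, but the device profile carries no risk) and a high-priority, non-suppressible alert for "bob", whose click stream matches no known entry and whose geolocation jumped several thousand kilometres between the two beacons. Correlation is keyed on the session identifier so that a logon event arriving before or after its risk assessment is handled the same way.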
23 Claims
1. (Independent claim reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15.
16. An event management device, comprising:
a communications interface;
a controller disposed in electrical communication with the communications interface, the controller configured to:
receive a request for access from a client device;
transmit an authentication webpage to the client including a beacon to retrieve a client device profile characteristic;
receive logon event information from an event device in response to a logon event associated between the event device and the client device, the logon event information including authentication input from the authentication webpage;
receive a risk assessment from a risk assessment device, the risk assessment based upon a web device profile characteristic associated with the logon event, the web device profile characteristic having been gathered by the beacon executing on the client device in the authentication webpage transmitted to the client device;
correlate the logon event information and the risk assessment; and
in response to detecting the logon event as corresponding to an authentication attack, generate an alert having an associated priority level based upon the risk assessment;
wherein when receiving the risk assessment from the risk assessment device the controller is configured to receive the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying click stream information associated with a web page accessed by the client device, wherein the controller is further configured to:
receive, by the event management device, in response to the request for access to an enterprise network access device from a client device, a first client geographical location based upon the web device profile characteristic associated with the logon event gathered by the beacon executing on the client device;
subsequently receive, by the event management device, in response to a request for access to a website in the enterprise network, at least a second client geographical location based upon a second set of web device profile characteristics gathered by a second beacon executing on the device from which the request was received; and
in response to detecting a difference between the first and second geographical locations, generate, by the risk assessment device, a risk assessment based upon the difference.
Dependent claims: 17, 18, 19, 20, 21, 22.
23. A computer program product having a non-transitory computer-readable medium including computer program logic encoded thereon that, when performed on a controller of an event management device, causes the event management device to:
receive a request for access from a client device;
transmit, in response to receiving the request, an authentication webpage to the client device, the webpage including a beacon configured to execute on the client device when the webpage is displayed on the client device to retrieve a client device profile characteristic;
receive logon event information in response to a logon event associated between the event device and the client device, the logon event information including authentication input from the authentication webpage;
receive a risk assessment based upon a web device profile characteristic associated with the logon event, the web device profile characteristic having been gathered by the beacon executing on the client device in the authentication webpage transmitted to the client device;
correlate the logon event information and the risk assessment; and
in response to detecting the logon event as corresponding to an authentication attack, generate an alert having an associated priority level based upon the risk assessment;
wherein receiving web device profile characteristic information from the event device in response to the logon event associated between the event device and the client device comprises receiving, by the event management device, click stream information from the risk assessment device in response to the logon event associated between the event device and the client device; and comparing the web device profile characteristic information to entries in the aggregate information database comprises comparing, by the event management device, the client device click stream information with entries in a known click stream information portion of the aggregate information database, wherein the event management device is further caused to:
receive, by the event management device, in response to the request for access to an enterprise network access device from a client device, a first client geographical location based upon the web device profile characteristic associated with the logon event gathered by the beacon executing on the client device;
subsequently receive, by the event management device, in response to a request for access to a website in the enterprise network, at least a second client geographical location based upon a second set of web device profile characteristics gathered by a second beacon executing on the device from which the request was received; and
in response to detecting a difference between the first and second geographical locations, generate, by the risk assessment device, a risk assessment based upon the difference.
Specification