Asset model import connector

US 9,569,471 B2
Filed: 08/01/2012
Issued: 02/14/2017
Est. Priority Date: 08/01/2011
Status: Active Grant

First Claim

Patent Images

1. An asset model import connector comprising a hardware processor to:

receive asset data from a data source, wherein the asset data describes an asset with a network interface;

determine an operation to be performed at a security information and event management (SIEM) system different than the data source based on the received asset data and different than the asset model import connector comprising the hardware processor determining the operation, wherein the STEM system stores security event data for a computer network and correlates the security event data with the received asset data;

determine asset attributes from a schema to include in code to instruct the STEM system to perform the operation;

generate the code by populating the asset attributes in the code with values from the received asset data, the code including the determined operation to be performed at the SIEM system, the code executable at the STEM system to perform the determined operation in relation to the asset data described by the asset attributes; and

send the generated code to the STEM system, the SIEM system performing the determined operation on the asset described by the received asset data having the value with which the asset attributes have been populated in the code.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An asset model import connector includes an interface to receive asset data from a data source and a normalize module. The normalize module determines an operation to be performed at a system based on the received asset data and determines code to perform the determined operation. The schema may be populated with attributes from the asset data, and sent to the system.

Citations

16 Claims

1. An asset model import connector comprising a hardware processor to:
- receive asset data from a data source, wherein the asset data describes an asset with a network interface;
  
  determine an operation to be performed at a security information and event management (SIEM) system different than the data source based on the received asset data and different than the asset model import connector comprising the hardware processor determining the operation, wherein the STEM system stores security event data for a computer network and correlates the security event data with the received asset data;
  
  determine asset attributes from a schema to include in code to instruct the STEM system to perform the operation;
  
  generate the code by populating the asset attributes in the code with values from the received asset data, the code including the determined operation to be performed at the SIEM system, the code executable at the STEM system to perform the determined operation in relation to the asset data described by the asset attributes; and
  
  send the generated code to the STEM system, the SIEM system performing the determined operation on the asset described by the received asset data having the value with which the asset attributes have been populated in the code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The asset model import connector of claim 1, comprising a data storage to store code templates describing different operations to be performed on asset data stored at the SIEM system, wherein each code template includes different attributes from the schema, and wherein the code is determined from the code template for the operation.
  - 3. The asset model import connector of claim 2, wherein the different operations comprise adding an asset, removing an asset, moving an asset from one group to another, adding an asset to a group, removing an asset from the group, moving an asset from one category to another to another, adding an asset to a category, removing an asset from the category, moving an asset from one zone to another, adding an asset to a zone, removing an asset from the zone, or marking an asset as enabled or disabled.
  - 4. The asset model import connector of claim 1, the processor to:
    - identify if the received asset data matches a condition and responsive to the received asset data matching the condition, to send the received asset data to the SIEM system.
  - 5. The asset model import connector of claim 1, the processor to:
    - control how much asset data is sent to the STEM system and when to send the asset data to the STEM system.
  - 6. The asset model import connector of claim 1, wherein the selected schema describes the operation.
  - 7. The asset model import connector of claim 1, wherein the STEM system is external to the asset model import connector and the asset model import connector sends the populated schema to the STEM system via a computer network.
  - 8. The asset model import connector of claim 1, the processor to:
    - determine the operation from an indication of the operation in the received asset data.
  - 9. The asset model import connector of claim 1, the processor to:
    - determine the operation by determining whether the received asset data includes attributes specified in a rule for determining the operation, and responsive to the received asset data includes the attributes, determine the operation from the rule.

10. A non-transitory computer readable medium including machine readable instructions executable by a processor to:
- store a plurality of different code templates at an asset model import connector, wherein the code templates describe different operations to be performed on asset data stored at a security information and event management (SIEM) system that is external to the asset model import connector;
  
  receive asset data from a data source different than the STEM system, wherein the received asset data describes an asset with a network interface, wherein the SIEM system stores security event data for a computer network and correlates the security event data with the received asset data;
  
  determine an operation to be performed on the asset data stored at the SIEM system based on the received asset data, the SIEM different than the processor determining the operation;
  
  select one of the plurality of code templates for the operation;
  
  generate code from the selected code template, wherein the code includes asset attributes from a schema used to store the asset data at the SIEM system, the code including the determined operation to be performed at the SIEM system, the code executable at the SIEM to perform the determined operation in relation to the asset data described by the asset attributes; and
  
  send the generated code to the SIEM system, the SIEM system performing the determined operation on the asset described by the received asset data associated with the asset attributes that have been included in the code.
- View Dependent Claims (11, 12, 13)
- - 11. The non-transitory computer readable medium of claim 10, wherein the machine readable instructions to determine the operation comprise machine readable instructions to:
    - request information associated with the received asset data from the SIEM system; and
      
      determine the operation from the requested information.
  - 12. The non-transitory computer readable medium of claim 10, wherein the machine readable instructions to determine the operation comprise machine readable instructions to:
    - determine the operation from an indication of the operation in the received asset data.
  - 13. The non-transitory computer readable medium of claim 10, wherein the machine readable instructions to determine the operation comprise machine readable instructions to:
    - determine whether the received asset data includes attributes specified in a rule for determining the operation; and
      
      responsive to the received asset data including the attributes, determine the operation from the rule.

14. A method of normalizing asset data at an asset model import connector, the method comprising:
- receiving asset data from a data source, wherein the asset data describes an asset with a network interface;
  
  determining an operation to be performed at a security information and event management (SIEM) system different than the data source based on the received asset data and different than the asset model import connector determining the operation, wherein the SIEM system stores security event data for a computer network and correlates the security event data with the received asset data;
  
  generating, by at least one hardware processor, code to instruct the STEM system to perform the operation, wherein the code includes asset attributes from a schema, and the schema is used by the STEM system to store data for assets, the code including the determined operation to be performed at the STEM system, the code executable at the SIEM system to perform the determined operation in relation to the asset data described by the asset attributes;
  
  populating the asset attributes in the code with values from the received asset data; and
  
  sending the code with the populated asset values to the SIEM system, the SIEM system performing the determined operation on the asset described by the received asset data having the value with which the asset attributes have been populated in the code.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14, wherein the security event data is analyzed to identify network security threats.
  - 16. The method of claim 14, wherein the security event data is captured in logs or messages generated by the data source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Yee, Sez Ming, Sharan, Dhiraj, Zeng, Qiang
Primary Examiner(s)
Choi, Yuk Ting

Application Number

US14/233,178
Publication Number

US 20140156711A1
Time in Patent Office

1,658 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/212   with details for data model...

H04L 41/022   Multivendor or multi-standa...

H04L 41/0266   using meta-data, objects or...

H04L 41/0631   using root cause analysis; ...

H04L 63/1416   Event detection, e.g. attac...

Asset model import connector

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Asset model import connector

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links