Event-driven customizable automated workflows for incident remediation
First Claim
1. A method for event-driven incident customizable automated workflows for incident remediation, comprising:
monitoring activity in a network with an activity monitor implemented on a processor coupled to the network;
collecting a plurality of events with the activity monitor, the plurality of events based on a violation of a security policy;
filtering the collected plurality of events with the activity monitor based on pre-determined patterns defining events of interest to select filtered events, wherein the filtered events comprise single events of interest or running windows of events;
analyzing the filtered events with a correlation analysis engine implemented on the processor;
correlating two or more of the filtered events based on a set of correlation rules defining characteristics of one or more events that comprise an incident;
detecting, with the correlation analysis engine, one or more incidents associated with the monitored activity based on the correlated two or more of the filtered events to identify one or more detected incidents;
responsive to the detecting of the one or more incidents;
assigning a workflow process instance to the one or more detected incidents, wherein the workflow process instance comprises a plurality of work-items including one or more system work-items that comprise one or more executable commands to be executed by one or more devices of the network, each system work-item directed to remediating the one or more incidents;
creating an incident object instance associated with the one or more incidents, the incident object instance comprising a single, self-contained object containing the assigned workflow process instance including the one or more system work-items, one or more alert work-items, and aggregated incident details associated with the one or more incidents;
storing the incident object instance in a data store; and
electronically communicating, via the network to the one or more devices, the incident object instance to cause the one or more devices to automatically execute the workflow process instance including the one or more system work-items;
initiating execution of the one or more executable commands of the one or more system work-items to perform one or more actions based on the workflow process instance of the incident object-instance, the one or more alert work-items to be automatically executed by the one or more devices of the network to send an alert as part of an audit trail; and
receiving a set of one or more communications from the one or more devices consequent to the one or more alert work-items causing the one or more devices to generate alerts, where the set of one or more communications indicate a current status associated with the one or more system work-items, and, based on processing the set of one or more communications received, outputting for display information to graphically represent the current status associated with the one or more system work-items based on the workflow process instance of the incident object instance to track progress along a sequence in the workflow process instance to coordinate remediating the one or more incidents.
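To make the sequence of claim 1 concrete, the following is an added Python sketch of the claimed pipeline; it is not code from the patent or from any product it covers. It models each step in order: collecting events that violate a security policy, filtering them against pre-determined patterns, correlating them over a running window with a correlation rule, wrapping the result in a single incident object that carries the assigned workflow (system work-items holding executable commands plus alert work-items) and the aggregated event details, storing it, handing it to a simulated device, and tracking work-item status as the device reports back. Every pattern, correlation rule, command string, host address and sample event below is constructed for this illustration.

```python
"""Added illustration of an event-driven incident-remediation workflow.
All names, rules, commands and sample events are constructed; none come
from the patent text or from a real product."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    policy: str   # the security policy this event violates
    src: str      # source host that produced the event
    detail: str


@dataclass
class WorkItem:
    kind: str     # "system" = executable command for a device, "alert" = audit alert
    payload: str  # the command, or the alert message
    status: str = "pending"


@dataclass
class Incident:
    incident_id: str
    details: list   # aggregated details of the correlated events
    workflow: list  # the assigned workflow process instance (ordered work-items)


# Pre-determined patterns defining events of interest (constructed).
PATTERNS = {"auth-failure", "port-scan"}


def filter_events(events):
    """Select only events whose violated policy matches a pattern of interest."""
    return [e for e in events if e.policy in PATTERNS]


def correlate(filtered, window=timedelta(minutes=5), threshold=3):
    """Constructed correlation rule: `threshold` auth-failures from one source
    inside a running window of length `window` constitute one incident."""
    windows = defaultdict(deque)
    incidents = []
    for e in sorted(filtered, key=lambda ev: ev.ts):
        if e.policy != "auth-failure":
            continue
        q = windows[e.src]
        q.append(e)
        while q and e.ts - q[0].ts > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            incidents.append(build_incident(list(q)))
            q.clear()   # one burst yields one incident, not one per extra event
    return incidents


def build_incident(evs):
    """Assign a workflow process instance and bundle it with the event details."""
    src = evs[0].src
    workflow = [
        WorkItem("system", f"firewall block-src {src}"),   # hypothetical command
        WorkItem("alert", f"brute-force suspected from {src}"),
    ]
    details = [f"{e.ts.isoformat()} {e.policy} {e.detail}" for e in evs]
    return Incident(f"INC-{src}-{evs[0].ts:%H%M}", details, workflow)


def execute_on_device(incident):
    """Simulated device: runs each work-item and reports its status back."""
    reports = []
    for item in incident.workflow:
        item.status = "done"
        reports.append((incident.incident_id, item.kind, item.payload, item.status))
    return reports


def progress(incident):
    """Status summary of the kind a console would render for the incident."""
    done = sum(1 for w in incident.workflow if w.status == "done")
    return f"{done}/{len(incident.workflow)} work-items complete"


def run_pipeline(events):
    incidents = correlate(filter_events(events))
    store = {i.incident_id: i for i in incidents}   # stands in for the data store
    reports = [r for i in incidents for r in execute_on_device(i)]
    return store, reports


# Constructed sample input: a burst from one host plus unrelated noise.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    Event(T0, "auth-failure", "10.0.0.5", "bad password for alice"),
    Event(T0 + timedelta(minutes=1), "auth-failure", "10.0.0.5", "bad password for bob"),
    Event(T0 + timedelta(minutes=2), "web-access", "10.0.0.5", "GET /index"),  # not of interest
    Event(T0 + timedelta(minutes=2), "auth-failure", "10.0.0.5", "bad password for root"),
    Event(T0 + timedelta(minutes=3), "auth-failure", "10.0.0.9", "bad password for carol"),  # below threshold
]

if __name__ == "__main__":
    store, reports = run_pipeline(SAMPLE)
    for inc in store.values():
        print(inc.incident_id, progress(inc))
```

The single lone failure from the second host stays below the threshold and produces no incident, which is the point of correlating over a window rather than alerting per event; the detected incident carries both the command the device executes and the alert that forms the audit trail, and `progress` reads the status the device reported back.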
3 Assignments
0 Petitions
Abstract
The invention relates to a system and method for customizing and storing workflow processes for use in remediating incidents such as security events. One aspect of the invention relates to providing tools to enable creation of customized workflow processes for event-driven incident remediation, monitoring and analyzing system activity to identify occurrence of incidents, assigning a workflow process to an incident, applying the assigned workflow process to remediate the incident, and tracking and graphically displaying the status of the workflow process, among other things.
94 Citations
34 Claims
1. (Claim 1 is reproduced in full under First Claim above. Dependent claims: 2 to 16 and 33.)
17. A system for event-driven customizable automated workflows for incident remediation, wherein the system comprises one or more processors coupled to a network and configured to:
monitor activity in the network with an activity monitor;
collect a plurality of events based on a violation of a security policy;
filter the collected plurality of events based on pre-determined patterns defining events of interest to select filtered events, wherein the filtered events comprise single events or running windows of events;
analyze the filtered events with a correlation analysis engine;
correlate two or more of the filtered events based on a set of correlation rules defining characteristics of one or more events that comprise an incident;
detect, with the correlation analysis engine, one or more incidents associated with the monitored activity based on the correlated two or more of the filtered events to identify one or more detected incidents;
responsive to the detecting of the one or more incidents;
assign a workflow process instance to the one or more detected incidents, wherein the workflow process instance comprises a plurality of work-items including one or more system work-items that comprise one or more executable commands to be executed by one or more devices of the network, each system work-item directed to remediating the one or more incidents;
create an incident object instance associated with the one or more incidents, the incident object instance comprising a single, self-contained object containing the assigned workflow process instance including the one or more system work-items, one or more alert work-items, and aggregated incident details associated with the one or more incidents;
storing the incident object instance in a data store; and
electronically, via the network to the one or more devices, communicating the incident object instance to cause the one or more devices to automatically execute the workflow process instance including the one or more system work-items;
initiating execution of the one or more executable commands of the one or more system work-items to perform one or more actions based on the workflow process instance of the incident object-instance, the one or more alert work-items to be automatically executed by the one or more devices of the network to send an alert as part of an audit trail; and
receiving a set of one or more communications from the one or more devices consequent to the one or more alert work-items causing the one or more devices to generate alerts, where the set of one or more communications indicate a current status associated with the one or more system work-items, and, based on processing the set of one or more communications received, outputting for display information to graphically represent the current status associated with the one or more system work-items based on the workflow process instance of the incident object instance to track progress along a sequence in the workflow process instance to coordinate remediating the one or more incidents.
Dependent claims: 18 to 32 and 34.