Event-driven customizable automated workflows for incident remediation

US 9,715,675 B2
Filed: 12/22/2006
Issued: 07/25/2017
Est. Priority Date: 08/10/2006
Status: Active Grant

First Claim

Patent Images

1. A method for event-driven incident customizable automated workflows for incident remediation, comprising:

monitoring activity in a network with an activity monitor implemented on a processor coupled to the network;

collecting a plurality of events with the activity monitor, the plurality of events based on a violation of a security policy;

filtering the collected plurality of events with the activity monitor based on pre-determined patterns defining events of interest to select filtered events, wherein the filtered events comprise single events of interest or running windows of events;

analyzing the filtered events with a correlation analysis engine implemented on the processor;

correlating two or more of the filtered events based on a set of correlation rules defining characteristics of one or more events that comprise an incident;

detecting, with the correlation analysis engine, one or more incidents associated with the monitored activity based on the correlated two or more of the filtered events to identify one or more detected incidents;

responsive to the detecting of the one or more incidents;

assigning a workflow process instance to the one or more detected incidents, wherein the workflow process instance comprises a plurality of work-items including one or more system work-items that comprise one or more executable commands to be executed by one or more devices of the network, each system work-item directed to remediating the one or more incidents;

creating an incident object instance associated with the one or more incidents, the incident object instance comprising a single, self-contained object containing the assigned workflow process instance including the one or more system work-items, one or more alert work-items, and aggregated incident details associated with the one or more incidents;

storing the incident object instance in a data store; and

electronically communicating, via the network to the one or more devices, the incident object instance to cause the one or more devices to automatically execute the workflow process instance including the one or more system work-items;

initiating execution of the one or more executable commands of the one or more system work-items to perform one or more actions based on the workflow process instance of the incident object-instance, the one or more alert work-items to be automatically executed by the one or more devices of the network to send an alert as part of an audit trail; and

receiving a set of one or more communications from the one or more devices consequent to the one or more alert work-items causing the one or more devices to generate alerts, where the set of one or more communications indicate a current status associated with the one or more system work-items, and, based on processing the set of one or more communications received, outputting for display information to graphically represent the current status associated with the one or more system work-items based on the workflow process instance of the incident object instance to track progress along a sequence in the workflow process instance to coordinate remediating the one or more incidents.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a system and method for customizing and storing workflow processes for use in remediation incidents such as security events. One aspect of the invention relates to providing tools to enable creation of customized workflow processes for event driven incident remediation, monitoring and analyzing system activity to identify occurrence of incidents, assigning a workflow process to an incident, applying the assigned workflow process to remediate the incident, and tracking and graphically displaying the status of the workflow process, among other things.

94 Citations

View as Search Results

34 Claims

1. A method for event-driven incident customizable automated workflows for incident remediation, comprising:
- monitoring activity in a network with an activity monitor implemented on a processor coupled to the network;
  
  collecting a plurality of events with the activity monitor, the plurality of events based on a violation of a security policy;
  
  filtering the collected plurality of events with the activity monitor based on pre-determined patterns defining events of interest to select filtered events, wherein the filtered events comprise single events of interest or running windows of events;
  
  analyzing the filtered events with a correlation analysis engine implemented on the processor;
  
  correlating two or more of the filtered events based on a set of correlation rules defining characteristics of one or more events that comprise an incident;
  
  detecting, with the correlation analysis engine, one or more incidents associated with the monitored activity based on the correlated two or more of the filtered events to identify one or more detected incidents;
  
  responsive to the detecting of the one or more incidents;
  
  assigning a workflow process instance to the one or more detected incidents, wherein the workflow process instance comprises a plurality of work-items including one or more system work-items that comprise one or more executable commands to be executed by one or more devices of the network, each system work-item directed to remediating the one or more incidents;
  
  creating an incident object instance associated with the one or more incidents, the incident object instance comprising a single, self-contained object containing the assigned workflow process instance including the one or more system work-items, one or more alert work-items, and aggregated incident details associated with the one or more incidents;
  
  storing the incident object instance in a data store; and
  
  electronically communicating, via the network to the one or more devices, the incident object instance to cause the one or more devices to automatically execute the workflow process instance including the one or more system work-items;
  
  initiating execution of the one or more executable commands of the one or more system work-items to perform one or more actions based on the workflow process instance of the incident object-instance, the one or more alert work-items to be automatically executed by the one or more devices of the network to send an alert as part of an audit trail; and
  
  receiving a set of one or more communications from the one or more devices consequent to the one or more alert work-items causing the one or more devices to generate alerts, where the set of one or more communications indicate a current status associated with the one or more system work-items, and, based on processing the set of one or more communications received, outputting for display information to graphically represent the current status associated with the one or more system work-items based on the workflow process instance of the incident object instance to track progress along a sequence in the workflow process instance to coordinate remediating the one or more incidents.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 33)
- - 2. The method of claim 1, wherein the correlation analysis engine detects the one or more incidents in response to determining based on the set of correlation rules that the two or more of the filtered events relate to a security breach on the network.
  - 3. The method of claim 1, wherein the correlation analysis engine detects the one or more incidents in response to determining based on the set of correlation rules that the two or more of the filtered events relate to a compliance breach on the network.
  - 4. The method of claim 1, wherein a workflow module assigns the workflow process instance to the one or more detected incidents based on one or more workflow assignment rules.
  - 5. The method of claim 4, wherein the one or more workflow assignment rules indicate that the assigned workflow process instance has been designed to remediate incidents associated with the one or more events, vulnerable devices affected by the one or more incidents and identified in the aggregated incident details included in the incident object instance, or the one or more devices identified in the aggregated incident details included in the incident object instance as devices that caused the one or more incidents.
  - 6. The method of claim 1, further comprising updating the information displayed to visually represent the progress associated with the workflow process instance in response to an incident tracking module receiving completion information relating to the one or more system work-items or one or more user work-items.
  - 7. The method of claim 5, further comprising:
    - updating the incident object instance to include the current status and a historical status associated with the one or more system work-items and one or more user work-items to integrate the tracked progress associated with the workflow process instance within the incident object instance.
  - 8. The method of claim 5, wherein a workflow module automatically assigns the workflow process instance to the one or more incidents in response to determining that the one or more workflow assignment rules indicate that the workflow process instance has been designed to remediate incidents associated with the one or more events, the vulnerable devices affected by the one or more incidents, or the one or more devices that caused the one or more incidents.
  - 9. The method of claim 1, wherein a workflow module assigns the workflow process instance to the one or more incidents in response to a manual input associating the one or more incidents with the assigned workflow process instance.
  - 10. The method of claim 1, wherein a workflow module assigns the workflow process instance to the one or more incidents based on one or more workflow assignment rules.
  - 11. The method of claim 1, further comprising assigning one or more user work-items to an identity or a role, wherein one or more users notified to perform one or more manual steps associated with the one or more user work-items have the assigned identity or role.
  - 12. The method of claim 5, wherein one or more devices identified in the aggregated incident details included in the incident object instance as devices downstream from the one or more devices that caused the one or more incidents further perform the one or more actions to automatically implement the one or more system work-items.
  - 13. The method of claim 6, wherein the updating the displayed information in response to the incident tracking module receiving the completion information visually represents the progress associated with the workflow process instance in real-time.
  - 14. The method of claim 13, further comprising:
    - updating the displayed information to visually represent that the workflow process instance has successfully remediated the one or more incidents in response to the incident tracking module receiving information indicating that the one or more devices have successfully performed the one or more actions to complete the one or more system work-items and that one or more users have successfully performed one or more manual steps to complete the one or more user work-items.
  - 15. The method of claim 14, further comprising storing information associated with the workflow process instance successfully remediated the one or more incidents within the incident object instance.
  - 16. The method of claim 15, comprising using the information stored within the incident object to audit the workflow process instance used to coordinate remediating the one or more incidents.
  - 33. The method of claim 1, wherein the aggregated incident details included in the incident object instance further contains information about one or more assets related to the incident and information about vulnerabilities of the one or more assets.

17. A system for event-driven customizable automated workflows for incident remediation, wherein the system comprises one or more processors coupled to a network and configured to:
- monitor activity in the network with an activity monitor;
  
  collect a plurality of events based on a violation of a security policy;
  
  filter the collected plurality of events based on pre-determined patterns defining events of interest to select filtered events, wherein the filtered events comprise single events or running windows of events;
  
  analyze the filtered events with a correlation analysis engine;
  
  correlate two or more of the filtered events based on a set of correlation rules defining characteristics of one or more events that comprise an incident;
  
  detect, with the correlation analysis engine, one or more incidents associated with the monitored activity based on the correlated two or more of the filtered events to identify one or more detected incidents;
  
  responsive to the detecting of the one or more incidents;
  
  assign a workflow process instance to the one or more detected incidents, wherein the workflow process instance comprises a plurality of work-items including one or more system work-items that comprise one or more executable commands to be executed by one or more devices of the network, each system work-item directed to remediating the one or more incidents;
  
  create an incident object instance associated with the one or more incidents, the incident object instance comprising a single, self-contained object containing the assigned workflow process instance including the one or more system work-items, one or more alert work-items, and aggregated incident details associated with the one or more incidents;
  
  storing the incident object instance in a data store; and
  
  electronically, via the network to the one or more devices, communicating the incident object instance to cause the one or more devices to automatically execute the workflow process instance including the one or more system work-items;
  
  initiating execution of the one or more executable commands of the one or more system work-items to perform one or more actions based on the workflow process instance of the incident object-instance, the one or more alert work-items to be automatically executed by the one or more devices of the network to send an alert as part of an audit trail; and
  
  receiving a set of one or more communications from the one or more devices consequent to the one or more alert work-items causing the one or more devices to generate alerts, where the set of one or more communications indicate a current status associated with the one or more system work-items, and, based on processing the set of one or more communications received, outputting for display information to graphically represent the current status associated with the one or more system work-items based on the workflow process instance of the incident object instance to track progress along a sequence in the workflow process instance to coordinate remediating the one or more incidents.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 34)
- - 18. The system of claim 17, wherein the correlation analysis engine is configured to detect the one or more incidents in response to determining based on the set of correlation rules that the two or more of the filtered events relate to a security breach on the network.
  - 19. The system of claim 17, wherein the correlation analysis engine is configured to detect the one or more incidents in response to determining based on the set of correlation rules that the two or more of the filtered events relate to a compliance breach on the network.
  - 20. The system of claim 17, wherein the one or more processors are configured to assign the workflow process instance to the one or more detected incidents based on one or more workflow assignment rules.
  - 21. The system of claim 20, wherein one or more workflow assignment rules indicate that the assigned workflow process instance has been designed to remediate incidents associated with the one or more events, vulnerable devices affected by the one or more incidents and identified in the aggregated incident details included in the incident object instance, or the one or more devices identified in the aggregated incident details included in the incident object instance as devices that caused the one or more incidents.
  - 22. The system of claim 17, wherein the one or more processors are further configured to update the displayed information to visually represent the progress associated with the workflow process instance in response to an incident tracking module receiving completion information relating to the one or more system work-items or one or more user work-items.
  - 23. The system of claim 21, wherein the one or more processors are further configured to:
    - update the incident object instance to include the current status and a historical status associated with the one or more system work-items and one or more user work-items to integrate the tracked progress associated with the workflow process instance within the incident object instance.
  - 24. The system of claim 21, wherein the one or more processors are configured to automatically assign the workflow process instance to the one or more incidents in response to determining that the one or more workflow assignment rules indicate that the workflow process instance has been designed to remediate incidents associated with the one or more events, the vulnerable devices affected by the one or more incidents, or the one or more devices that caused the one or more incidents.
  - 25. The system of claim 17, wherein the one or more processors are configured to assign the workflow process instance to the one or more incidents in response to a manual input associating the one or more incidents with the assigned workflow process instance.
  - 26. The system of claim 17, wherein the one or more processors are configured to assign the workflow process instance to the one or more incidents based on one or more workflow assignment rules.
  - 27. The system of claim 17, wherein the one or more processors are further configured to assign one or more user work-items to an identity or a role, wherein one or more users notified to perform one or more manual steps associated with the one or more user work-items have the assigned identity or role.
  - 28. The system of claim 21, further comprising one or more devices identified in the aggregated incident details included in the incident object instance as one or more downstream devices downstream from the one or more devices that caused the one or more incidents, wherein the one or more downstream devices are configured to further perform the one or more actions to automatically implement the one or more system work-items.
  - 29. The system of claim 28, wherein the displayed information updated in response to an incident tracking module receiving the completion information visually represents the progress associated with the workflow process instance in real-time.
  - 30. The system of claim 29, wherein the one or more processors are further configured to update the displayed information to visually represent that the workflow process instance has successfully remediated the one or more incidents in response to an incident tracking module receiving information indicating that the one or more devices have successfully performed the one or more actions to complete the one or more system work-items and that one or more users have successfully performed one or more manual steps to complete one or more user work-items.
  - 31. The system of claim 30, wherein the one or more processors are further configured to store information associated with the workflow process instance successfully remediated the one or more incidents within the incident object instance.
  - 32. The system of claim 31, wherein the one or more processors are further configured to use the information stored within the incident object instance to audit the workflow process instance used to coordinate remediating the one or more incidents.
  - 34. The system of claim 17, wherein the aggregated incident details included in the incident object instance further contains information about one or more assets related to the incident and information about vulnerabilities of the one or more assets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Chakravarty, Dipto, Antony, John Melvin, Choudhary, Usman, Capuano, David, Mallapragada, Srinivasa Phanindra
Primary Examiner(s)
Feacher, Renae

Application Number

US11/643,773
Publication Number

US 20080040191A1
Time in Patent Office

3,868 Days
Field of Search

705 726, 705 727
US Class Current
CPC Class Codes

G06Q 10/06   Resources, workflows, human...

G06Q 10/063114   Status monitoring or status...

G06Q 10/06316   Sequencing of tasks or work

G06Q 10/0633   Workflow analysis

G06Q 10/10   Office automation; Time man...

Event-driven customizable automated workflows for incident remediation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

94 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Event-driven customizable automated workflows for incident remediation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

94 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links