CN116244534A - Security event display method, device, computer equipment and storage medium - Google Patents

Publication number
CN116244534A
Authority
CN
China
Prior art keywords
data
displayed
information
format conversion
workflow
Legal status
Pending
Application number
CN202211591687.1A
Other languages
Chinese (zh)
Inventor
王雪薇
罗家强
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90: Details of database functions independent of the retrieved data types
    • G06F16/95: Retrieval from the web
    • G06F16/957: Browsing optimisation, e.g. caching or content distillation
    • G06F16/9574: Browsing optimisation, e.g. caching or content distillation of access to content, e.g. by caching
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries

Abstract

The application relates to a security event presentation method, a security event presentation device, computer equipment and a storage medium. The method comprises the following steps: acquiring node information of a workflow, wherein the node information comprises output style information; acquiring data generated in the workflow in real time; performing format conversion on the data based on the node information; and displaying the data in a system interface. By adopting the method, the user-defined visual presentation of the data in the corresponding format according to the user requirement can be realized, the data readability of the SOAR system is improved, the diversified display requirement of the user is met, and the effect of improving the processing efficiency of the security event is achieved.

Description

Security event display method, device, computer equipment and storage medium
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a method and apparatus for displaying a security event, a computer device, and a storage medium.
Background
With the development of the internet, computer systems often encounter various security risks during operation, such as network attacks and remote trojans. To respond quickly to security threats from the internet, Gartner proposed in 2017 the architectural concept of SOAR (Security Orchestration, Automation and Response), which accelerates the event response process through automation and orchestration techniques. A SOAR system can automatically collect security information and display the rich information collected to security operation and maintenance personnel, who can use it as a basis for rapid analysis and judgment.
However, the information display of the SOAR system only stays at the data level, the output form is single, and the security operation and maintenance personnel cannot intuitively obtain effective information through the provided data, so that the readability is poor.
Therefore, the current SOAR system still has the problems of low data readability and inability to meet the diversified display requirements of users.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a security event presentation method, apparatus, computer device, and computer-readable storage medium capable of improving data readability and satisfying the diversified presentation needs of users.
In a first aspect, the present embodiment provides a security event exhibiting method, applied to an SOAR system, including:
acquiring target node information of a workflow, wherein the target node information comprises output style information;
acquiring data to be displayed generated in the workflow in real time;
performing format conversion on the data to be displayed based on the target node information;
and displaying the data to be displayed in a system interface.
In one embodiment, the acquiring the target node information of the workflow includes:
and responding to a user instruction, respectively associating a plurality of output style information with a plurality of nodes of the workflow to obtain the target node information.
In one embodiment, the format conversion of the data to be presented based on the target node information includes:
acquiring a data format conversion function based on the output style information;
and carrying out format conversion on the data to be displayed based on the data format conversion function.
In one embodiment, before the acquiring the data format conversion function based on the output style information, the method includes:
acquiring a data conversion code set, and determining a calling interface and input parameter information based on the data conversion code set;
and generating, in response to a user instruction, the data format conversion function based on the data conversion code set, the calling interface, and the input parameter information.
In one embodiment, the converting the data to be presented based on the data format conversion function includes:
and if the data to be displayed is abnormal error reporting information, generating error reminding information based on the data format conversion function and the abnormal error reporting information.
In one embodiment, before the data to be displayed is displayed in the system interface, the method includes:
identifying context parameters in the data to be displayed;
and splicing the data to be displayed with the historical data based on the context parameters to obtain spliced data to be displayed.
In one embodiment, the presenting the data to be presented in the system interface includes:
and pushing the data to be displayed to a system interface for displaying based on the WebSocket.
In a second aspect, the present embodiment provides a security event presentation device, the device comprising:
the node acquisition module is used for acquiring target node information of the workflow, wherein the target node information comprises output style information;
the data acquisition module is used for acquiring data to be displayed generated in the workflow in real time;
the format conversion module is used for carrying out format conversion on the data to be displayed based on the target node information;
and the data display module is used for displaying the data to be displayed in a system interface.
In a third aspect, the present embodiment provides a computer device comprising a memory storing a computer program and a processor implementing the steps of the above method when the processor executes the computer program.
In a fourth aspect, the present embodiment provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the above method.
The method, the device, the computer equipment and the storage medium for displaying the security event acquire node information of the workflow, wherein the node information comprises output style information; acquiring data generated in the workflow in real time; performing format conversion on the data based on the node information; the data is displayed in the system interface, so that the user-defined visual presentation of the data in a corresponding format according to the user requirement can be realized, the data readability of the SOAR system is improved, the diversified display requirement of the user is met, and the effect of improving the processing efficiency of the security event is achieved.
Drawings
FIG. 1 is an application environment diagram of a security event presentation method in one embodiment;
FIG. 2 is a flow chart of a method for presenting security events according to one embodiment;
FIG. 3 is a flow chart of a method for presenting security events according to another embodiment;
FIG. 4 is a flow chart of a method for presenting security events according to another embodiment;
FIG. 5 is a block diagram of a security event presentation device in one embodiment;
FIG. 6 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The security event display method provided by the embodiment of the application can be applied to an application environment shown in fig. 1. Wherein the terminal 102 communicates with the server 104 via a network. The data storage system may store data that the server 104 needs to process. The data storage system may be integrated on the server 104 or may be located on a cloud or other network server. The terminal 102 obtains target node information of the workflow, wherein the target node information comprises output style information, and the target node information can be stored on the terminal 102 or the server 104; acquiring data to be displayed generated in the workflow in real time, wherein the data to be displayed generated in the workflow can be generated by a server or other terminals and sent to the terminal 102 in a direct or indirect mode; performing format conversion on the data to be displayed based on the target node information; and displaying the data to be displayed in a system interface. The terminal 102 may be, but is not limited to, various personal computers, notebook computers, smart phones, tablet computers, and internet of things devices. The server 104 may be implemented as a stand-alone server or as a server cluster of multiple servers.
In one embodiment, as shown in fig. 2, a security event display method is provided, and the method is applied to the terminal 102 in fig. 1 for illustration, and includes the following steps:
Step S100, obtaining target node information of the workflow, wherein the target node information comprises output style information.
The workflow refers to a workflow contained in an automatic security arrangement scheme of the SOAR system. The workflow can be generated based on a preset automatic arrangement script, can be generated based on user input and user instructions, and can be arranged based on graphical arrangement to realize the arrangement of the workflow.
The node is a flow node specifically executed in the workflow execution process. The node information may include parameter information of the nodes themselves, hierarchical relationships, connection modes and the like between the nodes, and output style information corresponding to each node. The target node refers to a node to be subjected to visualization processing on data.
The output style information may include an output style of the node content, where the output style of the node content may include an output style corresponding to the data to be displayed, output styles corresponding to different data types, a style of auxiliary information other than the data to be displayed, or style information required for displaying target node data in a display interface, which is not limited herein. The output style information may further include the format conversion manner required for converting the data to be displayed into the output style, and the conversion manner may include a format conversion program.
Step S200, acquiring, in real time, the data to be displayed generated in the workflow.
The data to be displayed refers to data generated in a workflow node. Real-time acquisition may rely on the workflow engine of the SOAR system monitoring whether new data is generated in a workflow node; if new data is generated, the node data is acquired. The workflow node data may also be monitored by a third-party plug-in or in other ways, which is not limited herein.
Step S300, performing format conversion on the data to be displayed based on the target node information.
The format conversion of the data to be displayed based on the target node information may be performed based on output style information. The format conversion may be to convert a source format of the data to be displayed, or to convert a file format of the data to be displayed, or to convert the source format and the file format of the data to be displayed sequentially, or to convert other formats, which is not limited herein.
Step S400, displaying the data to be displayed in a system interface.
The system interface is a user interface and is used for realizing conversion between an internal form and a user acceptable form of information. The data to be displayed is displayed in a system interface, which may be displayed in a user interface such as a client or a web page of the SOAR system, or may be other user interfaces for providing a visualization, which is not limited herein.
In the security event display method, node information of a workflow is obtained, wherein the node information comprises output style information; acquiring data generated in the workflow in real time; performing format conversion on the data based on the node information; the data is displayed in the system interface, so that the user-defined visual presentation of the data in a corresponding format according to the user requirement can be realized, the data readability of the SOAR system is improved, the diversified display requirement of the user is met, and the effect of improving the processing efficiency of the security event is achieved.
In one embodiment, the acquiring the target node information of the workflow includes:
and responding to a user instruction, respectively associating a plurality of output style information with a plurality of nodes of the workflow to obtain the target node information.
A single piece of output style information can be associated with a single workflow node or with a plurality of workflow nodes, that is, the node information of the plurality of nodes adopts the same output style information.
The output style information can be obtained from user input or by analyzing the style information of other workflow nodes, for example, by training a deep learning model on the style information of other workflow nodes to obtain the format conversion relations and arrangement sequences of different types of data, and then using the trained model to determine the format conversion relations and arrangement sequences corresponding to the data in the node, so as to generate the output style information.
According to the security event display method provided by the embodiment, the output style information is associated with the workflow nodes in response to the user instruction, so that the self definition of the output content of each node can be realized, and the effect of diversification of the output styles of different nodes is achieved.
In one embodiment, the format conversion of the data to be presented based on the target node information includes:
acquiring a data format conversion function based on the output style information;
and carrying out format conversion on the data to be displayed based on the data format conversion function.
The data format conversion function may convert a source format of the data to be displayed, or convert a file format of the data to be displayed, which is not described herein.
The data format conversion function may be pre-written by the user in the SOAR system. Before the data format conversion function is acquired based on the output style information, corresponding calling information is determined based on the data format conversion function corresponding to different formats, and the output style information is generated.
The data format conversion function may also be a software development kit provided with a unified application program interface API. The software development kit may be stored in a database or may be pre-embedded in the SOAR system. Before the data format conversion function is acquired based on the output style information, the output style information can be generated based on the calling interfaces corresponding to different format conversions.
Taking a software development kit as an example, before acquiring the data format conversion function based on the output style information, the method further comprises: and detecting whether a software development kit is introduced into the SOAR system, if not, acquiring the software development kit from a database, and introducing the software development kit into the SOAR system.
And carrying out format conversion on the data to be displayed based on the data format conversion function, namely, calling the data format conversion function based on a calling interface to process the data to be displayed, and returning to obtain the data to be displayed in the target format.
In a specific embodiment, the data to be displayed is converted into a format such as list, JSON, file, hyperlink, text, Markdown, or HTML.
According to the security event display method, the data is converted based on the data format conversion function, so that the data is output in a formatted manner and the effect of visual data presentation can be achieved.
In one embodiment, before the acquiring the data format conversion function based on the output style information, the method includes:
acquiring a data conversion code set, and determining a calling interface and input parameter information based on the data conversion code set;
and generating, in response to a user instruction, the data format conversion function based on the data conversion code set, the calling interface, and the input parameter information.
The data conversion code set may be input by the user or obtained from a database. The calling interface may be the interface required to run the data conversion code set. The input parameter information may be the data to be displayed that awaits format conversion; the data to be displayed may also be screened so that only its valid data is selected as the input parameter information; or the data source of the data to be displayed may be used as the input parameter information, in which case the data conversion code set obtains the data to be displayed directly from the data source for format conversion.
Determining a calling interface and input parameter information based on the data conversion code set means determining the corresponding calling interface based on the data conversion code set, and taking the parameter information required to run the data conversion code set as the input parameter information.
Generating the data format conversion function based on the data conversion code set, the calling interface and the input parameter information means that a callable data format conversion function is generated by encapsulating the data conversion code set, the calling interface and the input parameter information.
Further, the calling interface may be incorporated into the formatted output SDK software development kit. When the SDK software development kit is introduced into the SOAR system, the dependent code is generated based on the calling interface, so that the SOAR system can call the data conversion code function in the SDK software development kit.
According to the security event display method provided by the embodiment, the calling interface and the input parameter information are determined through the data conversion code set and the data format conversion function is generated, so that the data format conversion function is encapsulated and can be plugged in and called as needed.
In one embodiment, the converting the data to be presented based on the data format conversion function includes:
and if the data to be displayed is abnormal error reporting information, generating error reminding information based on the data format conversion function and the abnormal error reporting information.
When the data to be displayed is abnormal error reporting information, the error information needs to be output to the display interface. Generating the error reminding information based on the data format conversion function and the abnormal error reporting information means taking the abnormal error reporting information, or its data source, as the input parameter and calling the data format conversion function to convert it into error reminding information that is displayed on the system interface.
In a specific embodiment, when the data to be displayed is abnormal error reporting information, the data source dataSource (object) of the abnormal error reporting information is used as the input parameter information, and the interface /api/add_error is called to process the abnormal error reporting information, so that error reminding information is generated and displayed on the system interface.
The error reminding information can be statically displayed in a page, and can be displayed in a highlighting mode, an underline mode and the like, or can be dynamically displayed in an interface, for example, a dynamic popup window is generated, an animation mode is generated and the like for carrying out the emphasized reminding, and the error reminding information is not limited in this document.
According to the security event display method, when a security event is reported to be wrong, the error reminding information is generated according to the error reporting information, so that visualization of the error reporting information can be realized, and the effect of improving the processing efficiency of the security event is achieved.
In one embodiment, before the data to be displayed is displayed in the system interface, the method includes:
identifying context parameters in the data to be displayed;
and splicing the data to be displayed with the historical data based on the context parameters to obtain spliced data to be displayed.
The context parameters may be input and output parameters of the node, or a group of data shared by the data to be displayed and the history data in the same node, for example, data sources, data parameters required by processing tasks, and other related data shared by the data to be displayed and the history data.
The splicing is performed based on the context parameters, namely corresponding nodes are determined according to input and output parameters of the data to be displayed, and the data to be displayed under the same node are spliced.
Based on the context parameters, the data to be displayed and the historical data can be spliced according to the connection relation of the data to be displayed and the historical data under the same node, for example, when the data to be displayed and the historical data belong to the same list type data, the data to be displayed and the historical data can be spliced to realize the continuation of the same list; the splicing based on the context parameters can be performed based on the reference relation between the data to be displayed and other data in the nodes, for example, when the data to be displayed after format conversion is in a hyperlink format, the data to be displayed and the historical data pointed by the hyperlink are spliced, and the splicing mode can be that when a mouse moves to the area where the hyperlink is located, a visual page of the historical data is displayed in surrounding areas such as an upper column, a side column, a lower column and the like.
The splicing of the data to be displayed and the historical data based on the context parameters may be performed before the data format conversion of the data to be displayed or after the data format conversion of the data to be displayed, which is not limited herein.
According to the security event display method, the data continuity in data display can be achieved by splicing based on the context parameters in the data, and the effect of improving the data readability is achieved.
In one embodiment, the presenting the data to be presented in the system interface includes:
and pushing the data to be displayed to a system interface for displaying based on the WebSocket.
As a part of the HTML5 protocol, WebSocket is a full-duplex communication mechanism carried over a single TCP connection and used between a Web application client and a server. The browser and the server need only one handshake to establish a persistent connection between them and carry out bidirectional data transmission.
The data to be displayed is pushed to the system interface for displaying based on the WebSocket, and the active pushing of the data to be displayed from the server to the client can be realized based on the WebSocket, and the client displays the data to be displayed on the system interface of the client based on the received data.
According to the security event display method, the data to be displayed is pushed based on the WebSocket, so that the effect of real-time dynamic display of the data can be achieved.
In order to more clearly illustrate the technical solution of the present application, the present application also provides a detailed embodiment.
In this embodiment, an SDK (Software Development Kit) may simply provide some files of an application programming interface for a programming language, or may include complex hardware that can communicate with an embedded system. A typical SDK includes utilities for debugging and other purposes. An SDK may also include example code, supporting technical notes, or other supporting documents that clarify doubtful points in the basic reference material.
As shown in fig. 3 and fig. 4, in the present embodiment, the security event presentation method includes a workflow design state and a workflow running state, respectively.
The workflow design state comprises the design, management, test and release of the workflow and the whole life cycle management. The workflow running state can be an execution level of the workflow, including an actual execution flow after the workflow is released.
In the workflow design state, the process for preparing the formatted output form comprises the following steps:
(1) Designing a flow SOP of a workflow, and writing flow nodes in the workflow; the SOP (Standard Operation Procedure, event standard disposition procedure) design is a standard design for unifying workflow, and includes listing steps and requirements of an operation procedure for guiding and standardizing daily work.
(2) And designing workflow node parameters, namely designing input and output parameters aiming at each workflow node.
(3) And designating a node output style, and carrying out custom formulation on node output content.
(4) Editing the output content in the advanced editor. The advanced editor supports inserting context parameters of workflow nodes and formatting functions, as well as rich text, pictures and other content. After the output content has been edited in the advanced editor, all the finally formulated content is spliced in real time and pushed to the SOAR system for presentation. One output parameter may specify that multiple formatting functions are output simultaneously, multiple context parameters may be introduced, and multiple pieces of content may be input. The pictures can be content such as third-party system screenshots and processing screenshots.
The content editing is output through the advanced editor, and the formulated content can be highlighted in a rich text, for example, highlighted, underlined and the like, or can be dynamically displayed in an interface.
Further, the workflow design state may further include:
(1) Formatting output functions are defined including, but not limited to, list format output, json format output, markdown format output, text format output, hyperlink format output, and the like.
In one particular embodiment, the formatting function may include:
[Figures BDA0003994811510000101 and BDA0003994811510000111: formatting functions, present only as images in the original publication]
(2) Encapsulate the call interface of the formatted output functions and build a formatting function SDK. The SOAR system can reference a formatted output function directly, or can reference it by acquiring the SDK software development kit and generating dependent code.
In one embodiment, taking list format output as an example, the input parameters for calling the formatted output function from the output content editing of the advanced editor are as follows:
title: IP list output
datasource: [{"intk":1,"strk":"1.1.1.1"},{"intk":2,"strk":"2.1.1.1"}]
lineTitle: ["Sequence number", "IP"]
linekey: ["intk","strk"]
The output parameters returned after the formatted output functions are processed are as follows:
list name: IP list output
Sequence number IP
1 1.1.1.1
2 2.1.1.1
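The list-format call above, together with the earlier step of encapsulating a data conversion code set into a callable function with known input parameters, can be implemented as follows. This is an added example, not code from the patent or from any SOAR product: the registry, `convert`, the `output_style` key, the HTML renderer and the shape of the error reminder are assumptions; only the four list parameters, `dataSource` and the sample data come from the text.

```python
import html
import inspect

REGISTRY = {}  # output style -> (conversion function, required parameter names)


def register(style):
    """Encapsulate a conversion routine as a callable format function.

    The required input parameters are read from the routine's signature, so
    the caller can validate a request before invoking the routine.
    """
    def wrap(func):
        required = [
            name for name, p in inspect.signature(func).parameters.items()
            if p.default is inspect.Parameter.empty
        ]
        REGISTRY[style] = (func, required)
        return func
    return wrap


def _esc(value):
    # Event fields (host names, URLs, user agents) originate outside the
    # SOAR system and must never reach the interface as live markup.
    return html.escape(str(value), quote=True)


@register("list")
def format_list(title, datasource, lineTitle, linekey):
    """Plain-text list output using the parameter names from the page."""
    if len(lineTitle) != len(linekey):
        raise ValueError("lineTitle and linekey must have the same length")
    lines = ["list name: " + title, " ".join(lineTitle)]
    for row in datasource:
        lines.append(" ".join(str(row.get(k, "")) for k in linekey))
    return "\n".join(lines)


@register("html")
def format_html_table(title, datasource, lineTitle, linekey):
    """HTML table output (assumed renderer); every cell is escaped."""
    head = "".join("<th>%s</th>" % _esc(t) for t in lineTitle)
    body = "".join(
        "<tr>%s</tr>" % "".join("<td>%s</td>" % _esc(r.get(k, "")) for k in linekey)
        for r in datasource
    )
    return "<table><caption>%s</caption><tr>%s</tr>%s</table>" % (_esc(title), head, body)


def format_error(dataSource):
    """Error reminder built from abnormal error-report data.

    Stands in for the page's /api/add_error call; the returned shape is an
    assumption of this example.
    """
    return {"type": "error", "message": "node error: " + str(dataSource)}


def convert(node_info, params):
    """Format `params` according to the node's output style.

    Unknown styles, missing parameters and failures inside the conversion
    function all become an error reminder instead of breaking the display.
    """
    node_id = node_info.get("id")
    style = node_info.get("output_style")
    if style not in REGISTRY:
        return format_error({"node": node_id, "reason": "unknown style %r" % style})
    func, required = REGISTRY[style]
    missing = [name for name in required if name not in params]
    if missing:
        return format_error({"node": node_id, "reason": "missing %s" % missing})
    try:
        return {"type": style, "content": func(**params)}
    except Exception as exc:  # conversion code is user-supplied, so contain it
        return format_error({"node": node_id, "reason": str(exc)})


# Sample input taken from the list-format example in the text.
SAMPLE = {
    "title": "IP list output",
    "datasource": [{"intk": 1, "strk": "1.1.1.1"}, {"intk": 2, "strk": "2.1.1.1"}],
    "lineTitle": ["Sequence number", "IP"],
    "linekey": ["intk", "strk"],
}

if __name__ == "__main__":
    print(convert({"id": "n1", "output_style": "list"}, SAMPLE)["content"])
```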
In the workflow running state, the flow for calling the formatted output comprises the following steps:
(1) The workflow starts running.
(2) The workflow engine monitors whether a workflow node has generated data.
(3) If data has been generated, the system pushes the node data to the output content in real time.
(4) The output content defined in the advanced editor is queried to check whether a formatted output function is invoked, whether context parameters are referenced, and whether other content data has been filled in.
(5) If a formatted output function is invoked and context parameters are referenced, the system splices together the result of the formatted output, the parameter content and the other content filled in the advanced editor.
(6) The spliced content is pushed to the system through a WebSocket for real-time display.
Further, the workflow running state also includes judging, based on the content written in the advanced editor, whether a formatted output function is referenced; if the written content does not reference one, the editor content is spliced and pushed to the SOAR system in real time through the WebSocket.
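The list-format call shown above and the splicing of steps (4) to (6), as an added Python sketch that is not part of the patent text. The placeholder syntax `{{ctx:NAME}}` / `{{fmt:NAME}}`, the function names, the frame layout and the escaping policy are assumptions; node data is treated as untrusted because it comes from linked third-party equipment and ends up in the analyst's interface.

```python
import html
import json
import re

CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Hypothetical editor syntax: {{ctx:NAME}} = context parameter,
# {{fmt:NAME}} = result of a formatted output function.
PLACEHOLDER = re.compile(r"\{\{\s*(ctx|fmt):(\w+)\s*\}\}")


def clean_cell(value):
    """Turn one untrusted value into a single inert text cell."""
    # Newlines/tabs would let a value forge extra rows; markup would be
    # interpreted by a rich-text interface, so both are neutralised.
    return html.escape(CONTROL.sub(" ", str(value)), quote=True)


def format_list(title, datasource, lineTitle, linekey):
    """List-format output using the parameter names from the embodiment."""
    if len(lineTitle) != len(linekey):
        raise ValueError("lineTitle and linekey must have the same length")
    lines = ["list name: " + clean_cell(title),
             " ".join(clean_cell(t) for t in lineTitle)]
    for row in datasource:
        # A key the node did not return is shown as "-" instead of failing.
        lines.append(" ".join(clean_cell(row.get(k, "-")) for k in linekey))
    return "\n".join(lines)


def splice(editor_content, context, formatted):
    """Steps (4)-(5): fill context parameters and formatted results."""
    def fill(match):
        kind, name = match.groups()
        source = context if kind == "ctx" else formatted
        if name not in source:
            return "[missing %s:%s]" % (kind, name)
        # Formatted results were escaped cell by cell; context values are
        # escaped here. re.sub never rescans inserted text, so a value that
        # contains a placeholder is displayed, not expanded.
        return source[name] if kind == "fmt" else clean_cell(source[name])
    return PLACEHOLDER.sub(fill, editor_content)


def build_frame(node_id, content):
    """Step (6): the text frame handed to the WebSocket sender."""
    return json.dumps({"node": node_id, "content": content})


if __name__ == "__main__":
    # Constructed sample: the page's two rows plus one hostile value.
    rows = [{"intk": 1, "strk": "1.1.1.1"}, {"intk": 2, "strk": "2.1.1.1"},
            {"intk": 3, "strk": "<b>3.1.1.1</b>\n4 4.1.1.1"}]
    table = format_list("IP list output", rows,
                        ["Sequence number", "IP"], ["intk", "strk"])
    text = splice("Blocked on {{ctx:device}}:\n{{fmt:ips}}",
                  {"device": "fw-01"}, {"ips": table})
    print(build_frame("node-1", text))
```

Escaping each cell before splicing keeps a device-supplied value from adding rows or markup to the analyst's view, and the single-pass substitution keeps it from triggering further placeholder expansion.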
The formatting functions can be introduced by way of the SDK as follows:
(1) The SOAR system detects whether the system service has introduced the formatted output SDK dependency.
(2) The formatted output SDK may be introduced in either of two ways. Mode one: the workflow node component inserts the formatted output SDK dependency code directly into the component code. Mode two: the SOAR system service installs and configures the formatted output SDK.
(3) Specifying the formatted output parameters: once step (2) is complete, the SOAR system has the formatted output SDK configured, so the output parameters can be formatted manually in the advanced editor. Formatting functions can be inserted directly in the advanced editor, that is, any formatting function supported by the SDK can be inserted and its input parameter information entered.
With this security event display method, custom formatted output functions and per-node output styles meet the different display-format requirements that arise when the SOAR system links with equipment from different manufacturers. Referencing the formatting-function SDK reduces the time and labor spent writing scripts directly in the SOAR system. While a SOAR workflow runs, the raw node data is output and displayed in multiple formats and enriched with auxiliary information, such as rich text that highlights key information and screenshots of other third-party systems, which improves the readability of SOAR system content. Custom content in the advanced editor supports multi-format output of node output parameters, references to context parameters, and the insertion of richer information, so that the parameters the SOAR system pushes in real time are converted into human-friendly language, richer auxiliary information is added, and effective forensic information is provided to security operations analysts. Because the SDK is generated by encapsulating the formatted output functions, those functions can be used in other systems that need formatting; formatting can be referenced through the interface, several formatted output methods can be referenced at the same time, the pain point of users having to write scripts is removed, and fast, varied formatted output is achieved. Splicing based on the context parameters in the data keeps the displayed data consistent and thereby improves readability, and real-time pushing over WebSocket makes the data display dynamic and real-time.
It should be understood that, although the steps in the flowcharts of the embodiments described above are shown sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed sequentially but may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a security event display device for realizing the above related security event display method. The implementation of the solution provided by the device is similar to that described in the above method, so the specific limitations in the embodiments of the security event display device or devices provided below may be referred to above for the limitations of the security event display method, and will not be repeated here.
In one embodiment, as shown in fig. 5, there is provided a security event presentation apparatus comprising: the system comprises a node acquisition module, a data acquisition module, a format conversion module and a data display module, wherein:
a node acquisition module 100, configured to obtain target node information of a workflow, where the target node information includes output style information;
the data acquisition module 200 is used for acquiring data to be displayed generated in the workflow in real time;
the format conversion module 300 is configured to perform format conversion on the data to be displayed based on the target node information;
and the data display module 400 is used for displaying the data to be displayed in a system interface.
In one embodiment, the security event presentation device further comprises:
and the information association module is used for responding to a user instruction, and respectively associating a plurality of output style information with a plurality of nodes of the workflow to obtain the target node information.
In one embodiment, the format conversion module 300 is further configured to obtain a data format conversion function based on the output style information; and carrying out format conversion on the data to be displayed based on the data format conversion function.
In one embodiment, the security event presentation device further comprises a function generation module for obtaining a set of data conversion codes, and determining the call interface and the input parameter information based on the set of data conversion codes; the data format conversion function is generated based on the set of data conversion codes, the call interface, and the input parameter information in response to a user instruction.
In one embodiment, the format conversion module 300 is further configured to generate error alert information based on the data format conversion function and the error reporting information if the data to be displayed is the error reporting information.
In one embodiment, the security event presentation device further comprises:
the data splicing module is used for identifying context parameters in the data to be displayed; and splicing the data to be displayed with the historical data based on the context parameters to obtain spliced data to be displayed.
In one embodiment, the data display module 400 is further configured to push the data to be displayed to a system interface for display based on WebSocket.
The various modules in the security event presentation device described above may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a terminal, and the internal structure of which may be as shown in fig. 6. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a security event presentation method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in fig. 6 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided comprising a memory and a processor, the memory having stored therein a computer program, the processor when executing the computer program performing the steps of:
acquiring target node information of a workflow, wherein the target node information comprises output style information;
acquiring data to be displayed generated in the workflow in real time;
performing format conversion on the data to be displayed based on the target node information;
and displaying the data to be displayed in a system interface.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring target node information of a workflow, wherein the target node information comprises output style information;
acquiring data to be displayed generated in the workflow in real time;
performing format conversion on the data to be displayed based on the target node information;
and displaying the data to be displayed in a system interface.
It should be noted that, user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the various embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high density embedded nonvolatile Memory, resistive random access Memory (ReRAM), magnetic random access Memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric Memory (Ferroelectric Random Access Memory, FRAM), phase change Memory (Phase Change Memory, PCM), graphene Memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in the form of a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like. The databases referred to in the various embodiments provided herein may include at least one of relational databases and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum computing-based data processing logic units, etc., without being limited thereto.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of these technical features are described; however, as long as a combination of technical features contains no contradiction, it should be considered to be within the scope of this description.
The above examples only represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the present application. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (10)

1. A security event presentation method applied to an SOAR system, the method comprising:
acquiring target node information of a workflow, wherein the target node information comprises output style information;
acquiring data to be displayed generated in the workflow in real time;
performing format conversion on the data to be displayed based on the target node information;
and displaying the data to be displayed in a system interface.
2. The method of claim 1, wherein the obtaining the target node information of the workflow is preceded by:
and responding to a user instruction, respectively associating a plurality of output style information with a plurality of nodes of the workflow to obtain the target node information.
3. The method of claim 1, wherein said converting the format of the data to be presented based on the target node information comprises:
acquiring a data format conversion function based on the output style information;
and carrying out format conversion on the data to be displayed based on the data format conversion function.
4. The method according to claim 3, wherein, before said obtaining a data format conversion function based on said output style information, the method comprises:
acquiring a data conversion code set, and determining a calling interface and input parameter information based on the data conversion code set;
the data format conversion function is generated based on the set of data conversion codes, the call interface, and the input parameter information in response to a user instruction.
5. A method according to claim 3, wherein said converting the format of the data to be presented based on the data format conversion function comprises:
and if the data to be displayed is abnormal error reporting information, generating error reminding information based on the data format conversion function and the abnormal error reporting information.
6. The method of claim 1, wherein the presenting the data to be presented in the system interface comprises:
identifying context parameters in the data to be displayed;
and splicing the data to be displayed with the historical data based on the context parameters to obtain spliced data to be displayed.
7. The method of claim 1, wherein the presenting the data to be presented in a system interface comprises:
and pushing the data to be displayed to a system interface for display based on WebSocket.
8. A security event presentation device, the device comprising:
the node acquisition module is used for acquiring target node information of the workflow, wherein the target node information comprises output style information;
the data acquisition module is used for acquiring data to be displayed generated in the workflow in real time;
the format conversion module is used for carrying out format conversion on the data to be displayed based on the target node information;
and the data display module is used for displaying the data to be displayed in a system interface.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 7 when the computer program is executed.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211591687.1A CN116244534A (en) 2022-12-12 2022-12-12 Security event display method, device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116244534A true CN116244534A (en) 2023-06-09

Family

ID=86630378

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211591687.1A Pending CN116244534A (en) 2022-12-12 2022-12-12 Security event display method, device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116244534A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination