CN116932077A - Event processing method, device and storage medium - Google Patents
- Publication number
- CN116932077A (application number CN202310878021.2A)
- Authority
- CN
- China
- Prior art keywords
- event
- event processing
- processed
- determining
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The application provides an event processing method, an event processing device and a storage medium. It relates to the field of computer technology and addresses the low flexibility of event processing flows in the prior art. The method comprises the following steps: determining an event to be processed; determining an event processing policy that matches the event; selecting, from at least one pre-written script program, the target script program corresponding to that policy; and calling the component corresponding to the target script program to process the event.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and apparatus for event processing, and a storage medium.
Background
As digital assets and public network infrastructure continue to expand, the public network brings convenience to enterprises, but attacks on enterprise internal networks launched over the public network are also increasing. How to respond to such attacks is therefore a primary step in guaranteeing the security of the enterprise internal network.
In the prior art, a processing device generally determines a policy for handling a security event through security orchestration, automation and response (SOAR) and then carries out that policy automatically. However, when a security event requires several components (also called component devices) to cooperate, the prior art requires modifying the underlying logic of the processing device, so the processing flow is rigid and inflexible.
Disclosure of Invention
The application provides an event processing method, an event processing device and a storage medium, which are used for solving the problem of low flexibility of an event processing flow in the prior art.
In order to achieve the above purpose, the application adopts the following technical scheme:
in a first aspect, an event processing method is provided, comprising: determining an event to be processed; determining an event processing policy matching that event; selecting, from at least one pre-written script program, the target script program corresponding to the policy; and calling the component corresponding to the target script program to process the event.
Optionally, determining the event to be processed comprises: acquiring the attribute information of each of a plurality of alarm messages; grouping the alarm messages whose attribute similarity exceeds a preset similarity threshold into one category; and taking the event corresponding to that category of alarm messages as the event to be processed.
Optionally, determining the event processing policy matching the event comprises: reading a pre-stored data dictionary and determining the target event handling identifier corresponding to the target attribute information, where the data dictionary stores the correspondence between a plurality of event handling identifiers and a plurality of items of attribute information, and the target attribute information is the attribute information of the category of alarm messages corresponding to the event; and, when the plurality of pre-stored event processing policies include a policy corresponding to the target event handling identifier, taking that policy as the event processing policy matching the event.
Optionally, determining the event processing policy matching the event comprises: when the pre-stored event processing policies do not include a policy corresponding to the target event handling identifier, sending the event to an event management device; and receiving, from the event management device, the event processing policy matching the event.
Optionally, the event processing method further comprises: determining the event type and event level of the event according to the target event handling identifier; and, when the event type is a preset event type, sending a processing request for the event processing policy to the event management device corresponding to the event level, the processing request asking for confirmation of whether the pending event should be processed according to that policy.
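The steps of the first aspect, as an added illustrative example that is not part of the patent and not code from the applicant: alarm messages are clustered by attribute similarity (Jaccard over attribute tokens), a handling identifier is looked up in a data dictionary, the pre-stored policy is selected or the event is escalated to the event management device when no policy exists, confirmation is requested when the event type is a preset type, and finally the component named by the target script program is called. The sample alerts, the threshold of 0.4, the `confirm` callback standing in for the event management device, and the names `DATA_DICTIONARY`, `POLICIES`, `SCRIPTS` and `COMPONENTS` are all assumptions made for the example.

```python
"""Added example (not from the patent): a minimal SOAR-style dispatcher that
follows the steps of the first aspect. All alerts, identifiers, policies,
scripts and components below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable

# Constructed sample alarm messages: each carries a set of attribute tokens.
ALERTS = [
    {"id": "a1", "attrs": {"type:malware", "host:web01", "sig:worm"}},
    {"id": "a2", "attrs": {"type:malware", "host:web02", "sig:worm"}},
    {"id": "a3", "attrs": {"type:phishing", "mailbox:hr", "sig:credential-lure"}},
    {"id": "a4", "attrs": {"type:malware", "host:db01", "sig:miner"}},
]

@dataclass
class Policy:
    handling_id: str
    event_type: str   # "block" is the preset type that needs confirmation (assumed)
    level: int        # event level; decides which management device confirms
    script: str       # name of the pre-written script program

# Data dictionary: attribute -> event handling identifier (constructed).
DATA_DICTIONARY = {"sig:worm": "H-WORM", "type:phishing": "H-PHISH", "sig:miner": "H-MINER"}
# Pre-stored policies; H-MINER is deliberately absent to exercise escalation.
POLICIES = {
    "H-WORM": Policy("H-WORM", "block", 2, "isolate_hosts"),
    "H-PHISH": Policy("H-PHISH", "notify", 1, "quarantine_mail"),
}
CONFIRM_REQUIRED_TYPES = {"block"}

# Components (third-party software on component devices) as callables.
COMPONENTS = {
    "firewall": lambda hosts: [f"fw:blocked {h}" for h in sorted(hosts)],
    "mail_gateway": lambda boxes: [f"mail:quarantined {b}" for b in sorted(boxes)],
}

def _values(event, prefix):
    """Extract 'prefix:value' tokens from all attributes of the event's alerts."""
    return {a.split(":", 1)[1] for a in event["attrs_any"] if a.startswith(prefix)}

# Pre-written script programs: each drives exactly one component.
SCRIPTS = {
    "isolate_hosts": lambda comps, ev: comps["firewall"](_values(ev, "host:")),
    "quarantine_mail": lambda comps, ev: comps["mail_gateway"](_values(ev, "mailbox:")),
}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0

def cluster_alerts(alerts, threshold=0.4):
    """Single-link grouping: an alert joins a cluster if its similarity to any
    member exceeds the preset threshold, otherwise it starts a new cluster."""
    clusters = []
    for alert in alerts:
        for cluster in clusters:
            if any(jaccard(alert["attrs"], m["attrs"]) > threshold for m in cluster):
                cluster.append(alert)
                break
        else:
            clusters.append([alert])
    return clusters

def build_event(cluster):
    """One pending event per cluster: shared attributes identify it, the union
    of all attributes is what the script program acts on."""
    shared = set.intersection(*(a["attrs"] for a in cluster))
    union = set.union(*(a["attrs"] for a in cluster))
    return {"alerts": [a["id"] for a in cluster], "attrs_shared": shared, "attrs_any": union}

def match_policy(event):
    """Look up the handling identifier in the data dictionary, then the policy."""
    handling_id = next((DATA_DICTIONARY[a] for a in sorted(event["attrs_shared"])
                        if a in DATA_DICTIONARY), None)
    return handling_id, POLICIES.get(handling_id)

def process_event(event, confirm: Callable[[int, dict], bool]):
    handling_id, policy = match_policy(event)
    if policy is None:
        # No pre-stored policy: hand the event to the event management device.
        return {"status": "escalated", "handling_id": handling_id, "event": event["alerts"]}
    if policy.event_type in CONFIRM_REQUIRED_TYPES and not confirm(policy.level, event):
        return {"status": "rejected", "handling_id": handling_id}
    actions = SCRIPTS[policy.script](COMPONENTS, event)
    return {"status": "processed", "handling_id": handling_id, "actions": actions}

def run(alerts, confirm=lambda level, ev: True, threshold=0.4):
    return [process_event(build_event(c), confirm) for c in cluster_alerts(alerts, threshold)]

if __name__ == "__main__":
    for result in run(ALERTS):
        print(result)
```

With the constructed alerts, a1 and a2 share the worm signature and are processed together by the firewall script, a3 is handled by the mail gateway script, and a4 is escalated because no policy exists for the miner handling identifier. Passing a `confirm` callback that refuses level 2 shows the confirmation path for the preset event type.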
In a second aspect, an event processing apparatus is provided, comprising a determining unit and a processing unit. The determining unit determines an event to be processed; it further determines an event processing policy matching the event; and it selects, from at least one pre-written script program, the target script program corresponding to the policy. The processing unit calls the component corresponding to the target script program to process the event.
Optionally, the determining unit is specifically configured to: acquire the attribute information of each of a plurality of alarm messages; group the alarm messages whose attribute similarity exceeds a preset similarity threshold into one category; and take the event corresponding to that category of alarm messages as the event to be processed.
Optionally, the determining unit is specifically configured to: read a pre-stored data dictionary and determine the target event handling identifier corresponding to the target attribute information, where the data dictionary stores the correspondence between a plurality of event handling identifiers and a plurality of items of attribute information, and the target attribute information is the attribute information of the category of alarm messages corresponding to the event; and, when the plurality of pre-stored event processing policies include a policy corresponding to the target event handling identifier, take that policy as the event processing policy matching the event.
Optionally, the determining unit is specifically configured to: when the pre-stored event processing policies do not include a policy corresponding to the target event handling identifier, send the event to an event management device; and receive, from the event management device, the event processing policy matching the event.
Optionally, the event processing apparatus further comprises a sending unit. The determining unit further determines the event type and event level of the event according to the target event handling identifier. When the event type is a preset event type, the sending unit sends a processing request for the event processing policy to the event management device corresponding to the event level, the processing request asking for confirmation of whether the pending event should be processed according to that policy.
In a third aspect, an event processing apparatus is provided, comprising a memory and a processor. The memory stores computer-executable instructions and is connected to the processor through a bus; when the apparatus is running, the processor executes the instructions stored in the memory so that the apparatus performs the event processing method of the first aspect.
The event processing apparatus may be a network device or a part of one, for example a chip system in a network device. The chip system is configured to support the network device in implementing the functions of the first aspect and any of its possible implementations, for example obtaining, determining and sending the data and/or information involved in the event processing method described above. The chip system includes a chip and may also include other discrete devices or circuit structures.
In a fourth aspect, there is provided a computer readable storage medium comprising computer executable instructions which, when run on a computer, cause the computer to perform the event processing method of the first aspect.
In a fifth aspect, there is also provided a computer program product comprising computer instructions which, when run on an event processing apparatus, cause the event processing apparatus to perform the event processing method as described in the first aspect above.
It should be noted that the above-mentioned computer instructions may be stored in whole or in part on the first computer readable storage medium. The first computer readable storage medium may be packaged together with the processor of the event processing apparatus or may be packaged separately from the processor of the event processing apparatus, which is not limited by the embodiment of the present application.
For the second, third, fourth and fifth aspects, refer to the detailed description of the first aspect; their advantages follow from the analysis of the advantages of the first aspect and are not repeated here.
In the embodiment of the present application, the names of the above-mentioned event processing apparatuses do not constitute limitations on the devices or functional modules themselves, and in actual implementation, these devices or functional modules may appear under other names. Insofar as the function of each device or function module is similar to that of the present application, it falls within the scope of the claims of the present application and the equivalents thereof.
These and other aspects of the application will be more readily apparent from the following description.
The technical scheme provided by the application has at least the following beneficial effects:
based on any of the above aspects, the event processing device first determines an event to be processed and then determines the event processing policy matching it. It then determines the target script program corresponding to that policy and processes the event by calling the component corresponding to the target script program. The event can thus be handled according to its policy merely by loading the corresponding target script program, without modifying the underlying code, which improves the flexibility of the event processing system.
Drawings
FIG. 1 is a schematic diagram of an SOAR technique according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an event processing system according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a hardware structure of an event processing device according to an embodiment of the present application;
FIG. 4 is a schematic diagram of another hardware structure of an event processing device according to an embodiment of the present application;
FIG. 5 is a flowchart illustrating an event processing method according to an embodiment of the present application;
FIG. 6 is a flowchart illustrating another event processing method according to an embodiment of the present application;
FIG. 7 is a flowchart illustrating another event processing method according to an embodiment of the present application;
FIG. 8 is a flowchart illustrating another event processing method according to an embodiment of the present application;
FIG. 9 is a flowchart illustrating another event processing method according to an embodiment of the present application;
FIG. 10 is a flowchart illustrating another event processing method according to an embodiment of the present application;
FIG. 11 is a flowchart illustrating another event processing method according to an embodiment of the present application;
fig. 12 is a schematic structural diagram of an event processing device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that, in the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g." in an embodiment should not be taken as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
In order to clearly describe the technical solution of the embodiment of the present application, in the embodiment of the present application, the words "first", "second", etc. are used to distinguish identical items or similar items having substantially the same function and effect, and those skilled in the art will understand that the words "first", "second", etc. are not limited in number and execution order.
With the continuous expansion of digital assets and public network infrastructure, the public network brings convenience to enterprises, and meanwhile, attacks on the internal network of the enterprises through the public network are also increasing.
Traditional network security relied on manual handling of attack events, which has drawbacks including, but not limited to: large-scale attack events cannot be handled; the many event processing systems are poorly correlated; outcomes depend heavily on the experience of the personnel involved; and coordination among those personnel is difficult.
To address the shortcomings of manual event handling, network security technology has continued to advance.
It has progressed from pure firewall software, virtual local area network technology based on the groovy programming language and security operations center (SOC) technology, to the birth of security information and event management (SIEM) in 2005, and on to the latest user and entity behavior analytics (UEBA), endpoint detection and response (EDR) and SOAR.
SOAR is a newer event processing technology built on SOC technology. An SOC platform collects event information for pending events in various ways, gathers it through a self-developed engine (collecting abnormal event information together is also called risk collection), and then processes the event information uniformly.
The ways in which an SOC platform collects event information for pending events include, but are not limited to: receiving event information via simple network management protocol traps (SNMP Trap) and system logs (syslog); obtaining operation logs through Java database connectivity (JDBC) or open database connectivity (ODBC); and receiving event information through an open platform for security (OPSEC) interface.
SOAR is a technical innovation on top of SOC: it collects various alarm messages to generate a pending event and responds to it according to a preset standard workflow. Its core is the digital management of predefined standard workflows, for example a worm outbreak handling flow, a mining-virus alarm handling flow or a phishing e-mail handling flow, so that they become processing policies the system can execute automatically.
As shown in fig. 1, the SOAR technical process includes, but is not limited to: event access flow, scene arrangement flow, event processing flow and man-machine cooperative processing flow.
Event access flows include, but are not limited to: system alarms, system logs, work order systems, mail systems.
Scene orchestration procedures include, but are not limited to: component management, scenario management, and scenario arrangement.
Event processing flows include, but are not limited to: event processing equipment, automatic execution, man-machine interaction and third party software call.
Man-machine cooperative processing flows include, but are not limited to: case statistics, case management and collaborative processing.
Among the commonly used third party software include, but are not limited to: basic security software, message application software, work order system software and cloud system software.
Since 2015, SOAR has been the preferred solution for handling security events. However, when a security event requires several components to cooperate, existing SOAR technology requires modifying the underlying logic of the processing device, so the processing flow is relatively rigid and inflexible.
In view of the above problems, an embodiment of the present application provides an event processing method in which the event processing device first determines an event to be processed and then determines the event processing policy matching it. It then determines the target script program corresponding to that policy and processes the event by calling the component corresponding to the target script program. The event can thus be handled according to its policy merely by loading the corresponding target script program, without modifying the underlying code, which improves the flexibility of the event processing system.
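Because the method replaces changes to the underlying code with loading pre-written script programs, the script store becomes the trust boundary of the event processing device: whoever can modify a script can drive any component. The following added example, which is not from the patent and not the applicant's code, shows one way a practitioner would guard that boundary: a manifest of expected SHA-256 digests that a script must match before it is loaded, and an allow-listed component table so that a script can only reach components it is permitted to drive. The script store, the manifest, the component names and the `safe_invoke` helper are constructed for illustration.

```python
"""Added example (not from the patent): integrity-checked loading of pre-written
script programs plus an allow-listed component table. Script sources, digests
and component names below are constructed for illustration."""
import hashlib

# Constructed script store: script name -> source of the "pre-written script program".
SCRIPT_STORE = {
    "isolate_hosts": (
        "def run(components, event):\n"
        "    return components['firewall'](event['hosts'])\n"
    ),
    # A script that needs a component no policy ever approved.
    "wipe_disk": (
        "def run(components, event):\n"
        "    return components['shell'](event['cmd'])\n"
    ),
}

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Manifest reviewed out of band (hypothetical): only scripts listed here, with
# exactly this digest, may be loaded. wipe_disk is deliberately absent.
MANIFEST = {"isolate_hosts": sha256_hex(SCRIPT_STORE["isolate_hosts"])}

# Components the event processing device is allowed to drive (constructed).
ALLOWED_COMPONENTS = {
    "firewall": lambda hosts: [f"blocked {h}" for h in hosts],
}

class ScriptRejected(Exception):
    """Raised when a script fails the integrity check or reaches a forbidden component."""

class ComponentGuard(dict):
    """Dict that refuses lookups of components outside the allow-list."""
    def __missing__(self, key):
        raise ScriptRejected(f"component {key!r} is not allow-listed")

def load_script(name, store=SCRIPT_STORE, manifest=MANIFEST):
    """Return the script's run() only if its name and digest match the manifest."""
    if name not in manifest:
        raise ScriptRejected(f"{name}: not in manifest")
    source = store[name]
    if sha256_hex(source) != manifest[name]:
        raise ScriptRejected(f"{name}: digest mismatch (script modified?)")
    # Empty builtins so the script only sees what it is handed. This is NOT a
    # sandbox; the digest check above is what keeps untrusted code out.
    namespace = {"__builtins__": {}}
    exec(compile(source, f"<script:{name}>", "exec"), namespace)
    return namespace["run"]

def safe_invoke(name, event, store=SCRIPT_STORE, manifest=MANIFEST):
    """Load and run a script; returns ("ok", result) or ("rejected", reason)."""
    try:
        run = load_script(name, store, manifest)
        return "ok", run(ComponentGuard(ALLOWED_COMPONENTS), event)
    except ScriptRejected as exc:
        return "rejected", str(exc)

if __name__ == "__main__":
    print(safe_invoke("isolate_hosts", {"hosts": ["web01"]}))
    tampered = dict(SCRIPT_STORE, isolate_hosts=SCRIPT_STORE["isolate_hosts"] + "# added line\n")
    print(safe_invoke("isolate_hosts", {"hosts": ["web01"]}, store=tampered))
    print(safe_invoke("wipe_disk", {"cmd": "rm -rf /"}))
```

The empty `__builtins__` namespace only limits what the script sees by accident; it is not a sandbox, since well-known escapes through object introspection exist. The digest check and the component allow-list are the actual controls, and the manifest itself must be protected in turn, for example by signing it or by keeping it on the policy storage device with write access limited to the security operations department.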
The event processing method is suitable for an event processing system. Fig. 2 shows a structure of the event processing system. As shown in fig. 2, the event processing system includes: an event processing device 101, an alert generation device 102, a data storage device 103, a policy storage device 104, an event management device 105, and a component device 106.
Wherein the event processing device 101 is communicatively connected with the alarm generating device 102, the data storage device 103, the policy storage device 104, the event management device 105, and the component device 106, respectively.
Optionally, the alarm generating device 102 is an electronic device that monitors for abnormal data and generates the corresponding alarm messages.
Optionally, the data storage device 103 is an electronic device that stores the data dictionary and related data.
Optionally, the data dictionary is a catalogue of database and application metadata that users can access. Data dictionaries can be divided into active data dictionaries and passive data dictionaries.
Optionally, the policy storage device 104 is an electronic device that stores event processing policies and related information.
Optionally, the event management device 105 is an electronic device configured with different event permissions.
Optionally, the event management device 105 includes, but is not limited to: the device 105-1 of the security operations department, the device 105-2 of the business department, the primary management device 105-3 and the secondary management device 105-4.
When the event level is too high, or the policy storage device holds no event processing policy matching the event to be processed, the event processing device must send the event to the event management device.
Optionally, the component device 106 is a hardware device hosting third-party software, and the event management device controls that software by sending control commands to the component device.
In practical applications, the event processing device 101 may be connected to a plurality of alarm generating devices, the event processing device 101 may be connected to a plurality of data storage devices, the event processing device 101 may be connected to a plurality of policy storage devices, the event processing device 101 may be connected to a plurality of event management devices, and the event processing device 101 may be connected to a plurality of component devices. For ease of understanding, the application is illustrated with one event processing device 101 coupled to one alert generation device 102, one event processing device 101 coupled to one data storage device 103, one event processing device 101 coupled to one policy storage device 104, one event processing device 101 coupled to one event management device 105, and one event processing device 101 coupled to one component device 106.
Alternatively, the entity devices of the event processing device 101 and the event management device 105 may be terminals, servers, or other types of electronic devices.
Alternatively, the entity devices of the alert generation device 102, the data storage device 103, the policy storage device 104, and the component device 106 may be servers, or may be other types of electronic devices
Alternatively, when the entity devices of the event processing device 101 and the event management device 105 are terminals, the terminals may be devices providing voice and/or data connectivity to the user, handheld devices having wireless connection functionality, or other processing devices connected to a wireless modem. The terminal may communicate with one or more core networks via a radio access network (radio access network, RAN). Terminals may be mobile terminals such as mobile telephones (or "cellular" telephones) and computers with mobile terminals, as well as portable, pocket, hand-held, computer-built-in or car-mounted mobile devices which exchange voice and/or data with radio access networks, e.g. cell phones, tablet computers, notebook computers, netbooks, personal digital assistants (personal digital assistant, PDA).
Optionally, when the entity devices of the event processing device 101, the alarm generating device 102, the data storage device 103, the policy storage device 104, the event management device 105, and the component device 106 are servers, the servers may be one server in a server cluster (including a plurality of servers), may be a chip in the server, may also be a system on a chip in the server, and may also be implemented by a Virtual Machine (VM) deployed on a physical machine, which is not limited in the embodiment of the present application.
Alternatively, when the entity devices of the event processing device 101, the alarm generating device 102, the data storage device 103, the policy storage device 104, the event management device 105, and the component device 106 are all servers, the event processing device 101, the alarm generating device 102, the data storage device 103, the policy storage device 104, the event management device 105, and the component device 106 may be a plurality of devices that are set independently from each other, or may be integrated in the same device.
It is easy to understand that when the event processing device 101, the alarm generating device 102, the data storage device 103, the policy storage device 104, the event management device 105, and the component device 106 are integrated in the same device, the communication manner between the event processing device 101, the alarm generating device 102, the data storage device 103, the policy storage device 104, the event management device 105, and the component device 106 is communication between the internal modules of the device. In this case, the communication flow between the plurality of devices is the same as "in the case where the event processing device 101, the alarm generating device 102, the data storage device 103, the policy storage device 104, the event management device 105, and the component device 106 are independent of each other".
For ease of understanding, the present application is described by taking the example of event processing device 101, alert generation device 102, data storage device 103, policy storage device 104, event management device 105, and component device 106 being independent of one another.
The basic hardware architecture of the event processing device 101 in the event processing system includes the elements of the event processing apparatus shown in fig. 3 or fig. 4. The hardware configuration of the event processing device 101 is described below taking the event processing apparatus shown in fig. 3 and fig. 4 as an example.
Fig. 3 is a schematic hardware structure diagram of an event processing device according to an embodiment of the present application. The event processing device comprises a processor 21, a memory 22, a communication interface 23, a bus 24. The processor 21, the memory 22 and the communication interface 23 may be connected by a bus 24.
The processor 21 is the control center of the event processing apparatus and may be a single processor or a collective term for a plurality of processing elements. For example, the processor 21 may be a general-purpose central processing unit (CPU) or another general-purpose processor, such as a microprocessor or any conventional processor.
As one example, processor 21 may include one or more CPUs, such as CPU0 and CPU1 shown in fig. 3.
Memory 22 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (random access memory, RAM) or other type of dynamic storage device that can store information and instructions, or an electrically erasable programmable read-only memory (EEPROM), magnetic disk storage or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
In a possible implementation, the memory 22 may exist separately from the processor 21, and the memory 22 may be connected to the processor 21 by a bus 24 for storing instructions or program code. The processor 21, when calling and executing instructions or program code stored in the memory 22, is capable of implementing the event processing method provided in the following embodiments of the present application.
In the embodiment of the present application, the software programs stored in the memory 22 differ from device to device, so the functions realized by the event processing apparatus 101 and by the other devices differ. The functions performed by the respective devices are described in connection with the following flowcharts.
In another possible implementation, the memory 22 may also be integrated with the processor 21.
The communication interface 23 is used for connecting the event processing device with other devices through a communication network, such as ethernet, radio access network, wireless local area network (wireless local area networks, WLAN), etc. The communication interface 23 may include a receiving unit for receiving data, and a transmitting unit for transmitting data.
Bus 24 may be an industry standard architecture (ISA) bus, a peripheral component interconnect (PCI) bus, or an extended industry standard architecture (EISA) bus, among others. The bus may be classified as an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 3, but this does not mean that there is only one bus or only one type of bus.
Fig. 4 shows another hardware configuration of the event processing apparatus in the embodiment of the present application. As shown in fig. 4, the event processing device may include a processor 31 and a communication interface 32. The processor 31 is coupled to a communication interface 32.
The function of the processor 31 may be as described above with reference to the processor 21. The processor 31 also has a memory function and can function as the memory 22.
The communication interface 32 is used to provide data to the processor 31. The communication interface 32 may be an internal interface of the event processing apparatus or an external interface (corresponding to the communication interface 23) of the event processing apparatus.
It should be noted that the structure shown in fig. 3 (or fig. 4) does not constitute a limitation of the event processing apparatus, and the event processing apparatus may include more or less components than those shown in fig. 3 (or fig. 4), or may combine some components, or may be arranged in different components.
The event processing method provided by the embodiment of the application is described in detail below with reference to the accompanying drawings.
As shown in fig. 5, the event processing method provided by the embodiment of the present application is applied to an event processing device, where the event processing method includes: S501-S504.
S501, the event processing device determines an event to be processed.
Alternatively, the event to be processed may be a network security event which is determined based on the alarm information generated by the alarm generating device and which requires processing by the event processing device.
Alternatively, the alert generating device may be a device that detects the abnormal data and transmits alert information to the event processing device according to the abnormal data.
Alternatively, the alert information includes, but is not limited to: network alarm information, system log information, daily work order information and daily mail information.
Optionally, the event to be processed includes, but is not limited to: checking violation records of internal personnel, clearing phishing mails, clearing malicious software packages, patching network firewall vulnerabilities, responding to denial-of-service attack requests, and preventing ransomware from encrypting data.
Alternatively, in one implementation, the event processing device may use user and entity behavior analytics (UEBA) to predict, from large volumes of data, abnormal behavior or insider threat operations by internal users of the company, so that the event processing device can detect such abnormal behavior or insider threat operations at the earliest possible time.
Specifically, the event processing device screens the alarm information for abnormal information that may threaten network security, using at least one preset event judgment logic (such as the UEBA technique mentioned above). The event processing device then extracts the corresponding keywords from the abnormal information and searches, according to those keywords, for the corresponding event to be processed in a preset data dictionary that stores the security event types.
Illustratively, in connection with FIG. 2, assume that the device in which privileged account A resides normally downloads 10 Megabytes (MB) of data packets every day, but that the device in which privileged account A resides suddenly downloads 1000MB of data packets every day. The alert generation apparatus 102 determines information corresponding to the abnormal operation of the privileged account a through the UEBA technology, and transmits alert information to the event processing apparatus 101.
The event processing device 101 receives the alarm information sent by the alarm generating device 102. The event processing device then determines keywords in the alert information based on the alert information including, but not limited to: privileged account, download, internal files. Next, the event processing device 101 transmits the keywords of the alert information described above to the data storage device 103. The data storage device 103 receives the keywords of the alarm information, and retrieves the events to be processed corresponding to the keywords.
Optionally, when the event processing device cannot generate the corresponding event to be processed according to the alarm information, the event processing device outputs an optimization request of the event judgment logic.
Optionally, the optimization request of the event judgment logic is used for indicating that the logic of the alarm generating device for extracting the keyword according to the abnormal information may have a problem and needs to be optimized.
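The following is an added example of S501 as runnable logic, written for this page and not taken from the patent: a UEBA-style baseline check on the daily download volume of the device where privileged account A is located, alarm generation, keyword extraction, and the data-dictionary lookup, including the optimization request that is output when no dictionary entry matches. The history values, the anomaly thresholds, the alarm fields and the dictionary entries are all assumptions; the patent only gives the 10 MB versus 1000 MB illustration.

```python
"""S501 as runnable logic: UEBA-style baseline check, alarm generation,
keyword extraction and data-dictionary lookup. Added example, not code from
the patent; thresholds, history values, alarm fields and dictionary entries
are assumed."""
from statistics import mean, pstdev

# Constructed history: daily download volume in MB for the device where
# privileged account A is located (normally about 10 MB per day).
HISTORY_MB = [10, 11, 9, 10, 12, 10, 9, 11, 10, 10]

# Constructed data dictionary: a pending event is selected when all of its
# keywords appear among the keywords extracted from the alarm.
DATA_DICTIONARY = {
    frozenset({"privileged account", "download", "internal files"}):
        "suspected data theft from privileged account device",
    frozenset({"phishing", "mail"}): "clear phishing mail",
}


def is_anomalous(history_mb, today_mb, ratio=10.0, z=3.0):
    """Flag today's volume if it is both a large multiple of the baseline
    mean and far outside the baseline spread (assumed thresholds)."""
    mu = mean(history_mb)
    sigma = pstdev(history_mb)
    ratio_hit = today_mb > ratio * mu
    z_hit = sigma == 0 or (today_mb - mu) / sigma > z
    return ratio_hit and z_hit


def generate_alarm(account, account_type, today_mb, history_mb):
    """Alarm generating device: returns alarm information, or None when
    today's volume is within the baseline."""
    if not is_anomalous(history_mb, today_mb):
        return None
    return {"account": account, "account_type": account_type,
            "action": "download", "resource": "internal files",
            "volume_mb": today_mb}


def extract_keywords(alarm):
    """Map alarm fields to the keywords the dictionary is keyed on
    (the field-to-keyword mapping is an assumption)."""
    keywords = set()
    if alarm.get("account_type") == "privileged":
        keywords.add("privileged account")
    if alarm.get("action") == "download":
        keywords.add("download")
    if alarm.get("resource") == "internal files":
        keywords.add("internal files")
    return keywords


def lookup_event(keywords):
    """Data storage device: first dictionary entry whose keywords are all
    present in the extracted keywords, or None."""
    for needed, event in DATA_DICTIONARY.items():
        if needed <= keywords:
            return event
    return None


def determine_event(alarm):
    """S501: ('event', name) when the dictionary matches; otherwise an
    optimization request for the event judgment logic, carrying the
    keywords that failed to match so the logic can be tuned."""
    keywords = extract_keywords(alarm)
    event = lookup_event(keywords)
    if event is None:
        return ("optimization_request", sorted(keywords))
    return ("event", event)


if __name__ == "__main__":
    alarm = generate_alarm("A", "privileged", 1000, HISTORY_MB)
    print(alarm)
    print(determine_event(alarm))
```

The ratio test alone would already fire on the 1000 MB day; the z-score test is kept so that a device whose normal volume is highly variable does not trigger on a single moderately large day.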
S502, the event processing device determines an event processing strategy matched with the event to be processed.
Optionally, the event processing policy corresponding to the event to be processed is a preset processing flow guide that can combine multiple third-party software tools, and the event processing device completes the processing of the event to be processed according to the step guide in the event processing policy.
Specifically, the event processing device searches in the data dictionary through the data storage device, and determines keywords of an event processing strategy corresponding to the event to be processed according to the keywords contained in the event to be processed. Then, the event processing device determines an event processing strategy matched with the event to be processed according to the keywords of the event processing strategy.
Illustratively, in connection with fig. 2, when the event processing device 101 determines, via UEBA, that the event to be processed is a likely theft of data from the device where privileged account A is located, the event processing device 101 processes the keywords of the event to be processed described above (privileged account, download, internal files) and determines the keywords of the event processing policy matching the event to be processed: alert, limit, and lockout.
The keyword "alert" indicates that the event processing device 101 sends an alert message to the terminal device of the user of the privileged account via DingTalk or email.
The keyword "limit" indicates that the event processing device 101 limits the usage rights of privileged account A through the firewall software.
The keyword "lockout" indicates that the event processing device 101 restricts the access rights of the device where privileged account A is located through the firewall software.
In this case, the event processing device sends the keywords of the event processing policy described above to the policy storage device 104, and determines, through the policy storage device 104, an event processing policy that matches the event to be processed.
Optionally, a further implementation manner of the event processing device to determine an event processing policy matched with the event to be processed is: the event processing device may integrate and integrate a plurality of component devices by managing event processing policies in a scenario library (which may also be referred to as an event processing policy library) and by managing component devices.
From the above, the management of the event processing policies in the scenario library may include: storing standard event processing policies, so that some events to be processed can be handed directly to a standard event processing policy for processing; customizing event processing policies, to cope flexibly with various events to be processed; and supporting complex event processing policies being called by other event processing policies as sub-event processing policies, which increases the reuse rate of the scenarios.
Managing component devices may include: multiple component devices (including, but not limited to, flow component devices, devices in which target script programs reside) may be managed. Sub-components in the component apparatus may also be controlled (including but not limited to operations of creating, editing, viewing, copying, deleting, and searching). The target script program can be written through the Python script, so that the threshold of programming is lowered.
S503, the event processing device determines a target script program corresponding to the event processing strategy from at least one script program which is written in advance.
Alternatively, the script program may be an executable file written in a scripting (descriptive) language.
Optionally, the event processing device may manage the at least one script program written in advance through its own capability center unit.
Optionally, the capability center unit includes, but is not limited to: the device comprises a device management module, a standard capability module and a processing strategy module. The device management module is used for managing the new addition or deletion of the script program. The standard capability module is used for judging the corresponding relation between the script program and the component equipment. The processing policy module is used for supporting that the event processing policy can be called by other event processing policies as a sub-event processing policy.
Optionally, the target script program includes, but is not limited to: an execution program written as a Python script and an execution program written as a Groovy script.
Alternatively, when the event processing device executes an event processing policy matched to the event to be processed, multiple components may need to cooperate to complete it. In that case, conventional event processing would require modifying the underlying program logic in order to cope with the wide variety of events to be processed.
The event processing device can search the software program corresponding to the function according to the function to be called in the event processing strategy. Then, the event processing device may determine, from among the script programs written in advance, a script program corresponding to a software program to be used in the event processing policy. Therefore, the event processing device can flexibly call the software program to be used in the event processing strategy by calling the target script program corresponding to the event processing strategy, and does not need to modify the underlying program logic, thereby improving the efficiency of event processing.
Alternatively, the component (which may also be referred to as a component device) may be a hardware device storing a software program that needs to be used in the event processing policy described above. The event processing device controls the operation of the software program by sending control instructions to the components.
Specifically, the event processing device may determine, according to the event processing policy, component devices that need to be used by the event processing policy and an operation flow that needs to be executed by the component devices. The event processing device may then retrieve the corresponding target script program from the pre-written script program according to the component device that the event processing policy needs to use and the operations that the component device needs to perform.
Illustratively, in connection with fig. 2, assume that the event processing device 101 determines that the event processing policy is the one corresponding to alert, limit, and lockout. The event processing device 101 may determine, according to the event processing policy, the component device 106 that the event processing device 101 invokes in the event processing policy and the operation flow that the component device 106 needs to execute.
The component devices 106 include, but are not limited to: the device where the DingTalk program is located, the device where the mailbox program is located, and the device where the firewall program is located.
The operation flow that the component device 106 needs to perform includes, but is not limited to: the event processing device 101 sends an alert message to the terminal device corresponding to the user of privileged account A through the device where the DingTalk program is located and the device where the mailbox program is located, and the event processing device 101 blocks privileged account A through the device where the firewall program is located.
Then, the event processing apparatus 101 may retrieve the corresponding target script program from the script programs written in advance according to the component apparatus to be used and the operation to be performed by the component apparatus required for the event processing policy described above.
Optionally, the method of pre-writing at least one script program further includes: a standard APP function database may first be formed from APP functions (which may also be referred to as APP standard capabilities). And then searching the corresponding APP function in the standard APP function database according to the event processing strategy. Meanwhile, the APP function can be allowed to be called by a third party APP through an interface, and the security of operation is ensured by controlling the authority of a standard APP function database. Then, the platform scenario (also called as a processing strategy) is interfaced, and a third party is supported to call an APP function in the platform scenario through an application program interface (application program interface, API) interface, so that the sharing of the capability of the scenario is realized.
S504, the event processing device calls a component corresponding to the target script program to process the event to be processed.
Optionally, an implementation manner that the event processing device invokes a component corresponding to the target script program to process the event to be processed is: when the event processing device determines the target script program corresponding to the event processing policy, the event processing device may call the component corresponding to the target script program by sending a control instruction to the component corresponding to the target script program. The event processing device processes the event to be processed by calling the component corresponding to the target script program.
Illustratively, in connection with fig. 2, after the event processing device 101 determines the target script program corresponding to the event processing policy, the event processing device 101 invokes the messaging function of the DingTalk software through the target script program, sends a message alert to the terminal device corresponding to the user of privileged account A, restricts the download rights of privileged account A, and blocks access to the important files. In this way the event processing device can rapidly handle the abnormal behavior of the device where the privileged account is located, so that the loss does not grow further.
Optionally, another implementation manner in which the event processing device invokes the component corresponding to the target script program to process the event to be processed is: each type of component device corresponds to an application (APP), and registering a component device under its APP allows the event processing device to manage and invoke it through the APP. Multiple storage devices, each equipped with standardized interfaces, can then be added under each APP. Third parties and the policy storage device query, analyze, handle and respond to the storage devices through the standardized interfaces. The addition permission and registration permission of devices in the APP are then controlled, which ensures the security of the component devices.
Optionally, another implementation manner that the event processing device invokes the component corresponding to the target script program to process the event to be processed is: the event processing device acquires an event to be processed as a task trigger. And then creating tasks corresponding to the events to be processed through a pre-arranged event processing strategy. And then configuring trigger factors corresponding to the event processing strategy according to the tasks corresponding to the events to be processed. When the task corresponding to the event to be processed is triggered, the event processing equipment automatically generates a case, and the case can support a responsible person corresponding to the event to be processed to check and cooperate with the responsible person to process the event to be processed.
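The following is an added example of S503 and S504 as runnable logic, written for this page and not taken from the patent. It selects the pre-written target script steps for each action keyword of a policy (alert, limit, lockout) and sends control instructions to the component devices, refusing any instruction to a component that is not registered under an APP or to an operation the component did not register, which is the permission control the text describes. The component names, the registry contents, the script library and the control-instruction format are assumptions; the transport to the components is a recording stand-in.

```python
"""S503/S504 as runnable logic: target script selection and component
invocation through a registry. Added example, not code from the patent;
component names, registry, script library and instruction format are
assumed."""


class ComponentError(Exception):
    """Raised when a control instruction would reach an unregistered
    component or an operation the component did not register."""


# Constructed registry: only components registered under an APP, and only
# the operations they registered, may receive control instructions.
COMPONENT_REGISTRY = {
    "dingtalk": {"app": "messaging", "operations": {"send_message"}},
    "mailbox": {"app": "messaging", "operations": {"send_mail"}},
    "firewall": {"app": "network",
                 "operations": {"limit_account", "block_device"}},
}

# Constructed script library: policy action keyword -> the (component,
# operation) pairs the target script drives, in execution order.
SCRIPT_LIBRARY = {
    "alert": [("dingtalk", "send_message"), ("mailbox", "send_mail")],
    "limit": [("firewall", "limit_account")],
    "lockout": [("firewall", "block_device")],
}


def select_scripts(policy_actions):
    """S503: target script steps for every action keyword in the policy.
    An action with no pre-written script is an error, not a silent skip."""
    steps = []
    for action in policy_actions:
        if action not in SCRIPT_LIBRARY:
            raise KeyError(f"no pre-written script for action {action!r}")
        steps.extend(SCRIPT_LIBRARY[action])
    return steps


def build_instruction(component, operation, target):
    """Build one control instruction, refusing anything outside the
    registry so a script cannot drive a component it was not granted."""
    reg = COMPONENT_REGISTRY.get(component)
    if reg is None:
        raise ComponentError(f"component {component!r} is not registered")
    if operation not in reg["operations"]:
        raise ComponentError(
            f"operation {operation!r} not registered for {component!r}")
    return {"app": reg["app"], "component": component,
            "operation": operation, "target": target}


def process_event(event, policy_actions, send):
    """S504: run the target script steps in order; `send` is the transport
    to the component devices (a recording stand-in is used below)."""
    results = []
    for component, operation in select_scripts(policy_actions):
        instruction = build_instruction(component, operation, event["target"])
        results.append(send(instruction))
    return results


def fake_send(instruction):
    """Stand-in transport: records what would reach the component."""
    return "{app}/{component}.{operation}({target})".format(**instruction)


if __name__ == "__main__":
    event = {"target": "privileged account A"}
    for line in process_event(event, ["alert", "limit", "lockout"], fake_send):
        print(line)
```

Because the registry is checked when each instruction is built rather than when the script library is loaded, a script edited after registration still cannot reach an operation the component never granted.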
In some embodiments, as shown in fig. 6 in connection with fig. 5, in S501, a method for determining a to-be-processed event by an event processing device specifically includes: S601-S603.
S601, the event processing equipment acquires attribute information of each alarm information in a plurality of alarm information.
Optionally, the attribute information of the alarm information includes, but is not limited to: source device information of the abnormal behavior, time when the abnormal behavior occurs, type of the abnormal behavior.
Specifically, the event processing device may extract keywords in the plurality of alert information according to the plurality of alert information. Then, the event processing device may send the above-mentioned keywords to a device where the data dictionary is located (may also be referred to as a data storage device), and then the event processing device may determine attribute information of the alarm information corresponding to the above-mentioned keywords through the data dictionary.
Optionally, the event processing device may perform unified management on keywords, attribute information, and event categories in the event processing process through the system management unit.
For example, referring to fig. 2, the event processing device 101 may extract keywords in a plurality of alert information according to the plurality of alert information, including but not limited to: privileged account, download, internal file, time of download instruction issue. Next, the event processing apparatus 101 may transmit the above-described keywords to the data storage apparatus 103, and then the event processing apparatus 101 may determine, through the data dictionary, that the attribute information of the alert information corresponding to the above-described keywords is: the source equipment of the abnormal behavior is equipment where the privileged account is located, and the time when the abnormal behavior occurs is the time when the downloading instruction is sent out.
S602, the event processing device determines the alarm information with the attribute information similarity larger than the preset similarity as one type of alarm information.
Alternatively, the similarity of the attribute information may be a similarity of a plurality of attribute information determined based on a cluster analysis method. By determining the alarm information with the attribute information similarity larger than the preset similarity as one type of alarm information, the event processing device can classify a large amount of alarm information into a plurality of types of alarm information, so that the workload of data processing is reduced.
Specifically, the event processing apparatus may cluster the acquired attribute information, thereby acquiring all clusters of the attribute information. The event processing apparatus may then determine the general distribution of the attribute information corresponding to the sample data in the samples of each cluster as a coarse classification set of the attribute information. And then, extracting the characteristics of the rough classification set to obtain fine classifications of the clusters corresponding to the attribute information.
In this case, the event processing apparatus may calculate the similarity of the fine classifications of the plurality of attribute information corresponding clusters through a cluster analysis method, and determine the fine classifications of the attribute information corresponding clusters greater than a preset similarity as attribute information of the same category. The event processing device may then determine alert information having attribute information of the same category as alert information of one category.
Illustratively, in connection with fig. 2, assume that the alarm information concerns: ransomware mail, a virus program, and an abnormal login. The event processing apparatus 101 calculates, by the cluster analysis method, the similarity of the fine classifications of the clusters corresponding to the attribute information. The initiating devices of the ransomware mail and the virus program are both unknown devices, and the initiating paths of both are through the public internet. The event processing apparatus 101 determines that the alarm information for the ransomware mail and for the virus program both belong to the class of hacking attacks and that their similarity is greater than the preset similarity. Accordingly, the event processing apparatus 101 determines that the alarm information for the ransomware mail and for the virus program is alarm information of the same category.
S603, the event processing device determines an event corresponding to the alarm information of one category as a to-be-processed event.
Optionally, the event processing device may determine the events corresponding to one category of alarm information as a single event to be processed and deduplicate them. Deduplicating the mass of events reduces the number of events to be processed to 1% to 10% of the total number of events, which improves event processing efficiency.
For example, in conjunction with fig. 2, assuming that the event processing device 101 acquires alarm information of multiple categories, the event processing device 101 may determine an event corresponding to the alarm information of the same category (for example, the privilege account a downloads an internal file and the privilege account B downloads an internal file) as a pending event.
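The following is an added example of S601 to S603 as runnable logic, written for this page and not taken from the patent. It derives attribute information from each alarm, computes pairwise attribute similarity, unions the alarms whose similarity exceeds the preset similarity, and collapses each resulting cluster into one event to be processed carrying the attributes its members share. The alarms, the attack-category mapping and the use of Jaccard similarity are assumptions; the text names cluster analysis but no particular metric or threshold.

```python
"""S601 to S603 as runnable logic: attribute similarity, clustering above a
preset similarity, one pending event per cluster. Added example, not code
from the patent; alarms, category mapping and metric are assumed."""

# Constructed attack category lookup (the text's "class of hacking").
CATEGORY = {
    "ransomware mail": "external intrusion",
    "virus program": "external intrusion",
    "internal file download": "insider data exfiltration",
}

# Constructed alarm information with its attribute information.
ALARMS = [
    {"id": 1, "source": "unknown device", "path": "public internet",
     "type": "ransomware mail"},
    {"id": 2, "source": "unknown device", "path": "public internet",
     "type": "virus program"},
    {"id": 3, "source": "privileged account A device", "path": "internal",
     "type": "internal file download"},
    {"id": 4, "source": "privileged account B device", "path": "internal",
     "type": "internal file download"},
]


def attribute_set(alarm):
    """S601: attribute information as a set of 'name=value' items, with
    the attack category derived from the behaviour type."""
    items = {f"{k}={v}" for k, v in alarm.items() if k != "id"}
    items.add(f"category={CATEGORY.get(alarm['type'], 'unknown')}")
    return items


def jaccard(a, b):
    """Similarity of two attribute sets, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_alarms(alarms, threshold=0.5):
    """S602: union-find over alarm pairs whose similarity exceeds the
    preset similarity; returns sorted lists of alarm ids, one per cluster."""
    sets = [attribute_set(a) for a in alarms]
    parent = list(range(len(alarms)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(alarms)):
        for j in range(i + 1, len(alarms)):
            if jaccard(sets[i], sets[j]) > threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i, alarm in enumerate(alarms):
        groups.setdefault(find(i), []).append(alarm["id"])
    return sorted(groups.values())


def pending_events(alarms, threshold=0.5):
    """S603: one event to be processed per cluster, carrying the attributes
    all member alarms share; duplicate alarms are thereby collapsed."""
    by_id = {a["id"]: a for a in alarms}
    events = []
    for ids in cluster_alarms(alarms, threshold):
        shared = set.intersection(*(attribute_set(by_id[i]) for i in ids))
        events.append({"alarm_ids": ids, "shared": sorted(shared)})
    return events


if __name__ == "__main__":
    for event in pending_events(ALARMS):
        print(event)
```

With the constructed alarms, the ransomware mail and the virus program share source, path and category and land in one cluster, and the two privileged-account downloads share path, type and category and land in another, so four alarms become two events to be processed. Raising the threshold toward 1.0 makes the grouping stricter until every alarm is its own event, which is the knob that controls how aggressively the 1% to 10% reduction is pursued.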
In some embodiments, as shown in fig. 7 in connection with fig. 6, in S502, a method for determining, by an event processing device, an event processing policy that matches an event to be processed specifically includes: S701-S702.
S701, the event processing device reads a pre-stored data dictionary and determines a target event handling identifier corresponding to target attribute information.
The data dictionary stores the correspondence between the event handling identifications and the attribute information. The target attribute information is the attribute information of the alarm information of the corresponding category of the event to be processed.
Alternatively, the data dictionary may be a catalog of record databases and application metadata that are accessible to the user device.
Alternatively, the event handling identification may be an identification for distinguishing between different event handling policies, including but not limited to: event type, event level. The event processing device may determine an event processing policy corresponding to the event handling identification by determining the event handling identification.
Specifically, the event processing apparatus determines the keyword of the target attribute information from the target attribute information. Then, the event processing apparatus may retrieve the target event handling identification corresponding to the target attribute information from the keyword of the target attribute information by reading the data dictionary stored in advance.
Illustratively, in connection with fig. 2, the event processing device 101 determines the keywords of the target attribute information from the target attribute information, the keywords including, but not limited to: privileged account, download internal files, download time. Next, the event processing device 101 may retrieve, in the data storage device 103, the target event handling identifier corresponding to the target attribute information according to those keywords: block account.
Optionally, the event processing device reads a pre-stored data dictionary, and another implementation manner of determining the target event handling identifier corresponding to the target attribute information is that: the user, the device, the tag and the field are uniformly managed by the system management function (including but not limited to event type, data dictionary, tag management, role management and user management).
From the above, event type management may include: the labels of the event types are configured and managed uniformly, and the labels corresponding to the newly added event types can be added, deleted, modified and checked. Other devices can be supported to reference the event processing strategy corresponding to the event tag through the event tag.
The data dictionary management may include: and uniformly configuring and managing all field information (also called as keywords) in the event processing process, including but not limited to a data dictionary corresponding to a data source, a data dictionary corresponding to a standardized field format description of data, a data dictionary corresponding to basic information of a target storage device, an attack path and a data dictionary corresponding to alarm information. The field information can be customized, and the customized field information can be added, deleted, modified and checked. Other devices of the system may also be supported to reference field information. Standardized logging may also be supported in the event log format to be processed.
Tag management may include: the labels that can be used in the event handling process are managed in a unified way, including but not limited to: standard capabilities, scenario management, device management, component management, and scenario capabilities. The sub-labels of the custom labels and the label groups can be added, deleted, modified and checked. Other devices can be supported to refer to the corresponding functions of the tag.
Role management may include: and uniformly checking the user accounts involved in the event processing process, and determining the role classification corresponding to each user account.
User management may include: uniformly configuring and managing the user accounts in the event processing process, and supporting account assignment, password reset, account deletion and account disabling for the responsible persons corresponding to the user accounts.
S702, when the plurality of pre-stored event processing policies include an event processing policy corresponding to the target event handling identifier, the event processing device determines the event processing policy corresponding to the target event handling identifier as an event processing policy matching the event to be processed.
Optionally, when the plurality of pre-stored event processing policies include an event processing policy corresponding to the target event handling identifier, the event processing device may retrieve the event processing policy corresponding to the target attribute information from the policy storage device. Thus, the event processing device may determine an event processing policy corresponding to the target event handling identification as an event processing policy matching the event to be processed.
Specifically, when the event processing policy corresponding to the target event handling identifier is stored in the policy storage device in advance, the event processing device may send the target event handling identifier to the policy storage device. The policy storage device receives the target event handling identifier and determines, from the plurality of pre-stored event processing policies, the event processing policy corresponding to it. The event processing device may then determine that event processing policy as the event processing policy matching the event to be processed.
For example, when the event processing policy corresponding to the target event handling identifier is stored in the policy storage device 104 in advance, the event processing device 101 may send the target event handling identifier "block account" to the policy storage device 104. The policy storage device 104 receives the target event handling identifier "block account" and determines that, among the plurality of pre-stored event processing policies, the corresponding event processing policy is: the event processing device 101 blocks privileged account A in the event to be processed through the component device where the firewall software resides. The event processing device 101 may then determine that event processing policy as the event processing policy matching the event to be processed.
In some embodiments, as shown in fig. 8 in connection with fig. 7, in S502, a method for determining, by an event processing device, an event processing policy that matches an event to be processed specifically includes: S801-S802.
S801, when the plurality of event processing policies stored in advance do not include the event processing policy corresponding to the target event handling identifier, the event processing device sends the event to be processed to the event management device.
Optionally, when the plurality of pre-stored event processing policies do not include the event processing policy corresponding to the target event handling identifier, it is indicated that the event processing device cannot match the event processing policy corresponding to the event to be processed, and therefore, the event processing device needs to send the event to be processed to the event management device, so as to obtain the event processing policy corresponding to the event to be processed.
Optionally, the event management device includes, but is not limited to: a device corresponding to the security operation department, a device corresponding to the business department, a primary management device, and a secondary management device.
Specifically, when the event processing policies stored in advance in the policy storage device do not include the event processing policy corresponding to the target event handling identifier, the event processing device may send the event to be processed to the device corresponding to the security operation department. The device corresponding to the security operation department then generates an event processing policy for the event to be processed according to the event to be processed, and sends that event processing policy to the device corresponding to the business department. The device corresponding to the business department then receives the event processing policy corresponding to the event to be processed and judges whether the event processing policy affects normal business.
For example, when the event processing policy corresponding to the target event handling identifier is not included in the plurality of event processing policies stored in advance in the policy storage device, the event processing device 101 may send the event to be processed, "internal file downloaded by a privileged account", to the device 105-1 corresponding to the security operation department. The device 105-1 corresponding to the security operation department then generates an event processing policy for the event to be processed, "block the privileged account", and sends it to the device 105-2 corresponding to the business department. The device 105-2 corresponding to the business department then receives the event processing policy corresponding to the event to be processed and determines whether blocking the privileged account affects normal business, i.e. whether blocking the privileged account would be a mis-block.
S802, the event processing device receives the event processing policy, matching the event to be processed, that is sent by the event management device.
Specifically, when the device corresponding to the business department receives the event processing policy corresponding to the event to be processed and judges that the event processing policy does not affect normal business, the device corresponding to the business department sends the event processing policy matching the event to be processed to the event processing device.
For example, when the device 105-2 corresponding to the business department receives the event processing policy corresponding to the event to be processed (i.e. block the privileged account) and determines that the event processing policy does not affect normal business, the device 105-2 corresponding to the business department sends the event processing policy matching the event to be processed to the event processing device 101.
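The policy lookup of S701-S702 and the fallback to the event management device of S801-S802, as an added example that is not part of the patent. It models the data dictionary as a mapping from attribute keywords to event handling identifiers, the policy storage device as a mapping from handling identifiers to policies, and the security operation department and business department as two caller-supplied callbacks; all of these, the sample policies and the assumption that a confirmed new policy is stored for reuse are assumptions made here, not details from the page.

```python
"""Added example (not the patent's own code): policy matching with a data
dictionary, a policy storage device and the event management device fallback
of S701-S802. Names, sample data and the storage-for-reuse step are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    handling_id: str   # target event handling identifier, e.g. "block the account"
    action: str        # what the component must do
    component: str     # component that executes the action


@dataclass
class PendingEvent:
    description: str
    attributes: dict   # attribute information of the alarm category (constructed)


# Constructed data dictionary: attribute keyword -> event handling identifier (S701).
DATA_DICTIONARY = {
    "privileged account": "block the account",
    "virus": "isolate the host",
}

# Constructed contents of the policy storage device: handling identifier -> policy.
POLICY_STORAGE = {
    "block the account": Policy("block the account",
                                "block the privileged account in the event",
                                "component device on which the firewall software resides"),
}


def lookup_handling_id(attributes: dict, dictionary: dict = DATA_DICTIONARY) -> Optional[str]:
    """S701: return the handling identifier whose keyword appears in the attribute values."""
    text = " ".join(str(v).lower() for v in attributes.values())
    for keyword, handling_id in dictionary.items():
        if keyword in text:
            return handling_id
    return None


def match_policy(event: PendingEvent,
                 generate_policy: Callable[[PendingEvent], Policy],
                 confirm_policy: Callable[[Policy], bool],
                 policy_storage: dict = POLICY_STORAGE,
                 dictionary: dict = DATA_DICTIONARY) -> Tuple[Optional[Policy], str]:
    """Return (policy, source); source is 'policy_storage', 'event_management' or 'rejected'.

    S702: a pre-stored policy for the handling identifier is used directly.
    S801/S802: otherwise the event goes to the event management device; the
    security operation department generates a policy and the business department
    confirms that it does not affect normal business (otherwise it is a mis-block).
    Assumption: a confirmed policy is stored so the next matching event hits S702.
    """
    handling_id = lookup_handling_id(event.attributes, dictionary)
    if handling_id is not None and handling_id in policy_storage:
        return policy_storage[handling_id], "policy_storage"
    candidate = generate_policy(event)
    if confirm_policy(candidate):
        policy_storage[candidate.handling_id] = candidate
        return candidate, "event_management"
    return None, "rejected"


# Constructed stand-ins for the two departments so the example runs stand-alone.
def security_ops_generate(event: PendingEvent) -> Policy:
    """Stand-in for device 105-1: derive a policy from the event's account attribute."""
    return Policy("disable the account",
                  "disable " + event.attributes.get("account", "unknown account"),
                  "identity management component")


def business_confirm(policy: Policy) -> bool:
    """Stand-in for device 105-2: a policy touching a service account would break business."""
    return "service account" not in policy.action


if __name__ == "__main__":
    e1 = PendingEvent("internal file downloaded by privileged account",
                      {"account": "privileged account A", "action": "downloaded internal file"})
    print(match_policy(e1, security_ops_generate, business_confirm))
    e2 = PendingEvent("unusual login", {"account": "ordinary account B", "action": "login at 03:00"})
    print(match_policy(e2, security_ops_generate, business_confirm))
```

The point worth noticing for a defender is the second branch: a policy that the policy storage device does not already hold is never applied on the event processing device's own authority; it is only applied after the business-side check has ruled out a mis-block, and only then does it become reusable.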
In some embodiments, in conjunction with fig. 8, as shown in fig. 9, the event processing method further includes: S901-S902.
S901, the event processing device determines the event type and the event level of the event to be processed according to the target event handling identification.
Optionally, event types include, but are not limited to: harmful program events, network attack events, information corruption events, information content security events.
Alternatively, the event level may be an identification representing the importance level of the event to be processed.
Specifically, the event processing device may retrieve the target event handling identifier corresponding to the target attribute information according to the keyword of the target attribute information by reading the data dictionary stored in the data storage device in advance, and then the event processing device may determine the event type and the event level of the event to be processed according to the target event handling identifier corresponding to the target attribute information.
By way of example, the event processing device 101 may retrieve the target event handling identifier "disable privilege account" corresponding to the target attribute information according to the keyword of the target attribute information (i.e. privileged account) by reading the data dictionary stored in advance in the data storage device 103. The event processing device 101 may then determine, according to the target event handling identifier corresponding to the target attribute information, that the event type of the event to be processed is "information content security event" and that the event level is "secondary".
S902, when the event type of the event to be processed is a preset event type, the event processing device sends a processing request of an event processing strategy to the event management device corresponding to the event level.
The processing request is used for requesting to confirm whether to process the event to be processed according to the event processing strategy.
Optionally, when the event level of the event to be processed is high, the event processing device must first obtain confirmation from the event management device; only then may the event processing device process the event to be processed according to the event processing policy.
Optionally, the preset event types include, but are not limited to: hacking and privileged account abnormal behavior.
Specifically, when the event level is high, the event processing device needs to send a processing request for the event processing policy of the event to be processed to the event management device corresponding to that event level (such as the primary management device or the secondary management device), so as to determine whether the event processing device may process the event to be processed according to the event processing policy.
Illustratively, when the event level is level two, the event processing device needs to send a processing request for the event processing policy of the event to be processed to the event management device corresponding to that event level (such as the secondary management device 105-4), so as to determine whether the event processing device may process the event to be processed according to the event processing policy.
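The type and level lookup of S901 and the approval gate of S902, together with the secondary-to-primary escalation described later for fig. 11 (S1104-S1108), as an added example that is not part of the patent. It assumes a classification table from handling identifier to (event type, level), that level 1 is the highest, that a request goes to the secondary management device first and is reported on to the primary management device only for level 1, and that each management device is a callback answering whether the policy may be applied; all of these are assumptions made here.

```python
"""Added example (not the patent's own code): event type / event level lookup
(S901) and the confirmation gate before automatic processing (S902, S1104-S1108).
The classification table, level semantics and routing rule are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed classification: handling identifier -> (event type, event level).
# Level 1 is assumed to be the highest level.
EVENT_CLASSIFICATION: Dict[str, Tuple[str, int]] = {
    "disable privilege account": ("privileged account abnormal behavior", 2),
    "block attack source": ("hacking", 1),
    "isolate the host": ("harmful program event", 3),
}

# Preset event types (from the page) that always need confirmation before processing.
PRESET_EVENT_TYPES = {"hacking", "privileged account abnormal behavior"}


@dataclass(frozen=True)
class ProcessingRequest:
    """S902: request asking a management device to confirm processing by the policy."""
    handling_id: str
    event_type: str
    level: int


def classify(handling_id: str, table: Dict[str, Tuple[str, int]] = EVENT_CLASSIFICATION) -> Tuple[str, int]:
    """S901: event type and event level from the target event handling identifier."""
    if handling_id not in table:
        raise KeyError(f"no classification for handling identifier {handling_id!r}")
    return table[handling_id]


def decide(handling_id: str,
           secondary_confirms: Callable[[ProcessingRequest], bool],
           primary_confirms: Callable[[ProcessingRequest], bool],
           table: Dict[str, Tuple[str, int]] = EVENT_CLASSIFICATION) -> Tuple[str, str]:
    """Return (decision, decided_by); decision is 'process' or 'hold'.

    Events whose type is not a preset type are processed without a request.
    Otherwise the request goes to the secondary management device (S1104); a
    level-1 event is reported on to the primary management device (S1105/S1106),
    which decides (S1107) and returns its confirmation (S1108).
    """
    event_type, level = classify(handling_id, table)
    if event_type not in PRESET_EVENT_TYPES:
        return "process", "event_processing_device"
    request = ProcessingRequest(handling_id, event_type, level)
    if level <= 1:
        confirmed, decided_by = primary_confirms(request), "primary_management_device"
    else:
        confirmed, decided_by = secondary_confirms(request), "secondary_management_device"
    return ("process" if confirmed else "hold"), decided_by


# Constructed stand-ins for the management devices so the example runs stand-alone.
def secondary_management_device(request: ProcessingRequest) -> bool:
    """Stand-in for device 105-4: confirms requests it is allowed to decide itself."""
    return request.level >= 2


def primary_management_device(request: ProcessingRequest) -> bool:
    """Stand-in for the primary management device: confirms level-1 requests."""
    return request.level == 1


if __name__ == "__main__":
    for hid in EVENT_CLASSIFICATION:
        print(hid, "->", decide(hid, secondary_management_device, primary_management_device))
```

The gate is deliberately fail-closed: a request that no management device confirms yields "hold", so a preset-type event is never processed on the event processing device's own authority.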
The foregoing description of the solution provided by the embodiments of the present application has been mainly presented in terms of a method. To achieve the above functions, it includes corresponding hardware structures and/or software modules that perform the respective functions. Those of skill in the art will readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The embodiment of the application can divide the functional modules of the event processing device according to the method example, for example, each functional module can be divided corresponding to each function, or two or more functions can be integrated in one processing module. The integrated modules may be implemented in hardware or in software functional modules. Optionally, the division of the modules in the embodiment of the present application is schematic, which is merely a logic function division, and other division manners may be implemented in practice.
In some embodiments, fig. 10 illustrates a specific implementation of processing an event to be processed according to an embodiment of the present application. As shown in fig. 10, the implementation includes S1001-S1006.
S1001, the event processing device generates an event to be processed according to the alarm information.
For the event processing device generating the event to be processed according to the alarm information, refer to the description of S501 in connection with fig. 5, which is not repeated here.
S1002, the event processing device coordinates application management.
Alternatively, coordinating application management may be: the event processing device determines a target script program.
For the event processing device coordinating application management, refer to the description of S503 in connection with fig. 5, which is not repeated here.
S1003, the event processing device orchestrates a handling plan.
Alternatively, orchestrating a handling plan may be: the event processing device composes a plurality of event processing policies or target script programs into a new event processing policy by means of visual orchestration.
For the event processing device orchestrating a handling plan, refer to the description of S503 in connection with fig. 5, which is not repeated here.
S1004, the event processing device manages the handling plan.
Alternatively, managing the handling plan may be: the event processing device creates, queries and deletes event processing policies.
For the event processing device generating the processing policy repository, refer to the description of S503 in connection with fig. 5, which is not repeated here.
S1005, the event processing device manages the processing result.
Alternatively, managing the processing result may be: the event processing device records the processing result of the event to be processed and displays it in a visual display.
For the event processing device managing the processing result, refer to the description of S504 in connection with fig. 5, which is not repeated here.
S1006, the event processing device automatically processes the event to be processed.
Alternatively, automatically processing the event to be processed may be: the event processing device invokes the target script program corresponding to the preset event processing policy and automatically processes the event to be processed.
For the event processing device automatically processing the event to be processed, refer to the description of S504 in connection with fig. 5, which is not repeated here.
In some embodiments, fig. 11 is a general flowchart of an event processing method according to an embodiment of the present application. As shown in fig. 11, the event processing method provided by the embodiment of the present application includes: S1101-S1116.
S1101, the alarm generating device determines an event to be processed according to the alarm information.
For the alarm generating device generating the event to be processed according to the alarm information, refer to the description of S501 in connection with fig. 5, which is not repeated here.
S1102, the alarm generating device sends to the event processing device the event to be processed for which the processing policy library contains an event processing policy.
For this step, refer to the description of S802 in connection with fig. 8, which is not repeated here.
S1103, the event processing device determines the event level and the event type of the event to be processed.
For this step, refer to the description of S901 in connection with fig. 9, which is not repeated here.
S1104, the event processing device sends a processing request for the event processing policy to the secondary management device.
For this step, refer to the description of S902 in connection with fig. 9, which is not repeated here.
S1105, the secondary management device determines, according to the event level, whether to report to the primary management device.
For this step, refer to the description of S902 in connection with fig. 9, which is not repeated here.
S1106, the secondary management device sends the event to be processed and the event processing policy of the event to be processed to the primary management device.
For this step, refer to the description of S902 in connection with fig. 9, which is not repeated here.
S1107, the primary management device determines whether to process the event to be processed according to the event processing policy.
For this step, refer to the description of S902 in connection with fig. 9, which is not repeated here.
S1108, the primary management device sends to the event processing device an instruction confirming that the event to be processed is to be processed according to the event processing policy.
For this step, refer to the description of S902 in connection with fig. 9, which is not repeated here.
S1109, the event processing device processes the event to be processed according to the event processing policy of the event to be processed.
For this step, refer to the description of S504 in connection with fig. 5, which is not repeated here.
S1110, the alarm generating device sends to the device corresponding to the security operation department the event to be processed for which the processing policy library contains no event processing policy.
For this step, refer to the description of S801 in connection with fig. 8, which is not repeated here.
S1111, the device corresponding to the security operation department generates a new event processing policy according to the event to be processed.
For this step, refer to the description of S902 in connection with fig. 9, which is not repeated here.
S1112, the device corresponding to the security operation department sends a request to generate the new event processing policy to the device corresponding to the business department.
For this step, refer to the description of S902 in connection with fig. 9, which is not repeated here.
S1113, the device corresponding to the business department confirms whether to process the event to be processed according to the newly generated event processing policy.
For this step, refer to the description of S902 in connection with fig. 9, which is not repeated here.
S1114, the device corresponding to the business department sends the updated event processing policy of the event to be processed to the event processing device.
For this step, refer to the description of S504 in connection with fig. 5, which is not repeated here.
S1115, the event processing device retests the event to be processed.
For this step, refer to the description of S504 in connection with fig. 5, which is not repeated here.
S1116, when the event to be processed cannot be generated, the alarm generating device outputs an event judgment logic optimization request to the event processing device.
For this step, refer to the description of S501 in connection with fig. 5, which is not repeated here.
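The alarm-to-event step S1101 (the attribute-similarity grouping of claim 2) and the retest and optimization-request steps S1115-S1116, as an added example that is not part of the patent. The similarity measure (Jaccard similarity over attribute/value pairs), the preset similarity of 0.5, the greedy grouping, the rule that an event can only be generated from a category of at least two alarms, and the reading that an optimization request is raised for alarms from which no event can be generated are all assumptions made here; the sample alarms are constructed.

```python
"""Added example (not the patent's own code): generating events to be processed
from alarm information by attribute similarity (S1101, claim 2) and the retest /
optimization-request step (S1115, S1116). Similarity measure, threshold and the
minimum category size are assumptions; the alarms are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PRESET_SIMILARITY = 0.5        # assumed preset similarity threshold
MIN_ALARMS_PER_CATEGORY = 2    # assumed: one alarm alone cannot form an event


@dataclass
class Alarm:
    alarm_id: str
    attributes: Dict[str, str]   # attribute information of the alarm


@dataclass
class Event:
    alarm_ids: List[str]
    attributes: Dict[str, str]   # attribute information shared by the whole category


# Constructed alarm information: two alarms about the same privileged account, one unrelated.
SAMPLE_ALARMS = [
    Alarm("a1", {"account": "privileged account A", "action": "download",
                 "resource": "internal file", "time": "09:01"}),
    Alarm("a2", {"account": "privileged account A", "action": "download",
                 "resource": "internal file", "time": "09:02"}),
    Alarm("a3", {"host": "H", "action": "virus detected", "time": "09:05"}),
]


def similarity(a: Dict[str, str], b: Dict[str, str]) -> float:
    """Jaccard similarity of the two alarms' (attribute, value) pairs (assumed measure)."""
    pa, pb = set(a.items()), set(b.items())
    union = pa | pb
    return len(pa & pb) / len(union) if union else 0.0


def cluster_alarms(alarms: List[Alarm], threshold: float = PRESET_SIMILARITY) -> List[List[Alarm]]:
    """Greedy single pass: an alarm joins the first category whose first member is
    more similar than the preset similarity, otherwise it opens a new category."""
    categories: List[List[Alarm]] = []
    for alarm in alarms:
        for category in categories:
            if similarity(alarm.attributes, category[0].attributes) > threshold:
                category.append(alarm)
                break
        else:
            categories.append([alarm])
    return categories


def generate_events(alarms: List[Alarm]) -> Tuple[List[Event], List[Alarm]]:
    """S1101 / claim 2: one event per category; alarms that form no category are returned."""
    events: List[Event] = []
    leftover: List[Alarm] = []
    for category in cluster_alarms(alarms):
        if len(category) >= MIN_ALARMS_PER_CATEGORY:
            shared = dict(set.intersection(*(set(a.attributes.items()) for a in category)))
            events.append(Event([a.alarm_id for a in category], shared))
        else:
            leftover.extend(category)
    return events, leftover


def retest(alarms_after_processing: List[Alarm]) -> Dict[str, object]:
    """S1115 / S1116: rerun event generation on the alarm information seen after
    processing; when alarms remain from which no event can be generated, return an
    optimization request for the event judgment logic describing them."""
    events, leftover = generate_events(alarms_after_processing)
    request: Optional[Dict[str, object]] = None
    if leftover:
        request = {"alarm_ids": [a.alarm_id for a in leftover],
                   "reason": "event to be processed could not be generated"}
    return {"events": events, "optimization_request": request}


if __name__ == "__main__":
    print(generate_events(SAMPLE_ALARMS))
    print(retest(SAMPLE_ALARMS))
```

Comparing against the first member of each category keeps the pass linear in the number of alarms; the cost is order dependence, so in a real alarm generating device the category representative should be chosen more carefully than this example does.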
Fig. 12 is a schematic structural diagram of an event processing device according to an embodiment of the present application. The event processing device may be used to perform the method of event processing shown in fig. 5-9. The event processing apparatus shown in fig. 12 includes: a determination unit 1201, a processing unit 1202, and a transmission unit 1203.
A determining unit 1201 configured to determine an event to be processed; a determining unit 1201, configured to determine an event processing policy that matches the event to be processed; a determining unit 1201, configured to determine a target script program corresponding to the event processing policy from at least one script program written in advance; and the processing unit 1202 is used for calling a component corresponding to the target script program to process the event to be processed.
Optionally, the determining unit 1201 is specifically configured to: acquiring attribute information of each alarm information in a plurality of alarm information; determining the alarm information with the attribute information similarity larger than the preset similarity as one type of alarm information; and determining an event corresponding to the alarm information of one category as an event to be processed.
Optionally, the determining unit 1201 is specifically configured to: reading a pre-stored data dictionary, and determining a target event handling identifier corresponding to target attribute information; the data dictionary stores the corresponding relation between a plurality of event handling identifications and a plurality of attribute information; the target attribute information is the attribute information of the alarm information of the corresponding category of the event to be processed; when the prestored plurality of event processing strategies comprise event processing strategies corresponding to the target event handling identification, determining the event processing strategies corresponding to the target event handling identification as event processing strategies matched with the to-be-processed event.
Optionally, the determining unit 1201 is specifically configured to: when the prestored event processing strategies do not comprise the event processing strategies corresponding to the target event handling identification, sending an event to be processed to event management equipment; and receiving an event processing strategy matched with the event to be processed, which is sent by the event management equipment.
Optionally, the determining unit 1201 is further configured to determine an event type and an event level of the event to be processed according to the target event handling identifier; the sending unit 1203 is configured to send, when an event type of an event to be processed is a preset event type, a processing request of an event processing policy to an event management device corresponding to an event level; the processing request is used to request a confirmation of whether to process the pending event according to the event processing policy.
The embodiment of the application also provides a computer readable storage medium, which includes computer executable instructions that when executed on a computer cause the computer to perform the event processing method provided in the above embodiment.
The embodiment of the application also provides a computer program which can be directly loaded into a memory and contains software codes, and the computer program can realize the event processing method provided by the embodiment after being loaded and executed by a computer.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present application may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer-readable storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
From the foregoing description of the embodiments, it will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of functional modules is illustrated, and in practical application, the above-described functional allocation may be implemented by different functional modules according to needs, i.e. the internal structure of the apparatus is divided into different functional modules to implement all or part of the functions described above.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and, for example, the division of modules or units is merely a logical function division, and other manners of division may be implemented in practice. For example, multiple units or components may be combined or may be integrated into another device, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form. The units described as separate parts may or may not be physically separate, and the parts shown as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units. The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application may be essentially or a part contributing to the prior art or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a device (may be a single-chip microcomputer, a chip or the like) or a processor (processor) to perform all or part of the steps of the methods of the embodiments of the present application. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk, etc.
The present application is not limited to the above embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present application are intended to be included in the scope of the present application. Therefore, the protection scope of the application is subject to the protection scope of the claims.
Claims (10)
1. An event processing method, comprising:
determining an event to be processed;
determining an event processing strategy matched with the event to be processed;
determining a target script program corresponding to the event processing strategy from at least one script program written in advance;
and calling a component corresponding to the target script program to process the event to be processed.
2. The event processing method according to claim 1, wherein the determining the event to be processed includes:
acquiring attribute information of each alarm information in a plurality of alarm information;
determining the alarm information with the similarity of the attribute information being greater than the preset similarity as alarm information of a category;
and determining the event corresponding to the alarm information of the category as one event to be processed.
3. The event processing method according to claim 1, wherein said determining an event processing policy matching said event to be processed comprises:
reading a pre-stored data dictionary, and determining a target event handling identifier corresponding to target attribute information; the data dictionary stores the corresponding relation between a plurality of event handling identifications and a plurality of attribute information; the target attribute information is the attribute information of the alarm information of the corresponding category of the event to be processed;
When the prestored event processing strategies comprise event processing strategies corresponding to the target event handling identification, determining the event processing strategy corresponding to the target event handling identification as the event processing strategy matched with the to-be-processed event.
4. The event processing method of claim 3, wherein said determining an event processing policy that matches said event to be processed comprises:
when the prestored event processing strategies do not comprise the event processing strategies corresponding to the target event handling identification, sending the event to be processed to event management equipment;
and receiving an event processing strategy which is matched with the event to be processed and is sent by the event management equipment.
5. The event processing method according to claim 3, further comprising:
determining the event type and the event level of the event to be processed according to the target event handling identification;
when the event type of the event to be processed is a preset event type, sending a processing request of the event processing strategy to event management equipment corresponding to the event level; the processing request is used for requesting to confirm whether to process the event to be processed according to the event processing strategy.
6. An event processing apparatus, comprising: a determination unit and a processing unit;
the determining unit is used for determining an event to be processed;
the determining unit is further used for determining an event processing strategy matched with the event to be processed;
the determining unit is further used for determining a target script program corresponding to the event processing strategy from at least one script program which is written in advance;
and the processing unit is used for calling a component corresponding to the target script program to process the event to be processed.
7. The event processing device according to claim 6, wherein the determining unit is specifically configured to:
acquiring attribute information of each alarm information in a plurality of alarm information;
determining the alarm information with the similarity of the attribute information being greater than the preset similarity as alarm information of a category;
and determining the event corresponding to the alarm information of the category as one event to be processed.
8. The event processing device according to claim 6, wherein the determining unit is specifically configured to:
reading a pre-stored data dictionary, and determining a target event handling identifier corresponding to target attribute information; the data dictionary stores the corresponding relation between a plurality of event handling identifications and a plurality of attribute information; the target attribute information is the attribute information of the alarm information of the corresponding category of the event to be processed;
When the prestored event processing strategies comprise event processing strategies corresponding to the target event handling identification, determining the event processing strategy corresponding to the target event handling identification as the event processing strategy matched with the to-be-processed event.
9. An event processing apparatus comprising a memory and a processor; the memory is used for storing computer execution instructions, and the processor is connected with the memory through a bus; the processor executing the computer-executable instructions stored in the memory when the event processing apparatus is running, to cause the event processing apparatus to perform the event processing method of any of claims 1-5.
10. A computer readable storage medium comprising computer executable instructions which, when run on a computer, cause the computer to perform the event processing method as claimed in any of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310878021.2A CN116932077A (en) | 2023-07-17 | 2023-07-17 | Event processing method, device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116932077A true CN116932077A (en) | 2023-10-24 |
Family
ID=88387310
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |