JP2024030371A - Processing device, processing program, and processing method - Google Patents

Abstract

To enable an operator to perform an initial response even when performing operation monitoring work of a monitoring target server remotely, such as working at one's home.SOLUTION: An incident information analysis section 30 detects an incident from a monitoring target apparatus group 20, and the incident information analysis section 30 instructs to determine whether the incident is new or existing and determine an abnormal level from a content of the incident. A measure executing section 38 controls an operation confirmation database 40 and a log acquisition database 42 to automatically execute operation confirmation and log acquisition when the incident occurs. A mail distribution module 44 generates mail to an incident responder (SM) terminal 24 and an incident responder (a person in charge of operation) terminal 26 to automatically transmit information. Thus, an operator can simultaneously acquire the necessary information and quickly determine a method of an initial response when the incident occurs.SELECTED DRAWING: Figure 2

Description

The present invention relates to a processing device, a processing program, and a processing method for managing incidents detected within a computer network.

Conventionally, in operational monitoring work, it is important to quickly respond to the initial response to an incident detected within a computer network.

Patent Document 1 discloses that in an initial response support device for operation monitoring work, a checklist generation unit acquires a checklist template corresponding to terminal identification information, and performs operations for an incident based on the acquired checklist template. It states that the quality of initial response can be improved by creating a checklist that includes each item for initial response.

Incidents are defined as ``situations that may result in or cause interruptions, hindrances, losses, emergencies, or crises,'' or ``situations that disrupt services provided through system operation or degrade service quality.'' An incident can be defined as an incident that causes damage, but in short, any incident that occurs unexpectedly and will cause widespread damage if not dealt with promptly is an incident.

By the way, operation monitoring services monitor the operation of customer systems, etc., respond immediately when an abnormality occurs, restore the customer's services so as not to affect them, and are conducted 24 hours a day, 365 days a year. are doing.

More specifically, when the monitoring server detects an incident from a device to be monitored (server, network device, etc.), the operator first takes an initial response.

Initial response involves investigating the incident detection details and log information from the server where the incident occurred, and determining whether or not a response is necessary for the incident. If it is determined that an investigation is necessary, log in to the target device, check the status, obtain logs, etc., and investigate the details of the incident.

Once the suspected incident location has been identified, the operations staff will first notify the relevant parties by phone or email. After that, in cooperation with related parties, determine and implement the most appropriate and prompt response to the incident.

JP 2016-076133 Publication

However, there are cases where an operations person works from home or performs operations and monitoring tasks for a server to be monitored remotely. Operational management when performing remote tasks such as working from home is difficult to access because the monitored servers are set to a high security level.

When an incident that requires investigation occurs while an operator is working remotely, such as by working from home, a problem arises in which the initial response is to log in to the target device, check its status, obtain logs, etc. in a timely manner.

It is an object of the present invention to provide a processing device, a processing program, and a processing method that enable initial response even when an operator is working from home or performing operational monitoring tasks for a server to be monitored remotely.

The processing device according to the present invention includes a first processing unit that monitors a monitoring device that is a monitoring target and determines whether an incident has occurred in the monitoring device; When it is determined that the incident has occurred, first information including information indicating that the incident has occurred is transmitted to a terminal device operated by a response processor for responding to the incident. and a second processing unit that transmits second information including communication procedure information that allows access to a response processing device used to respond to the incident.

A processing program according to the present invention causes a computer to monitor a monitoring device that is a monitoring target and determines whether or not an incident has occurred in the monitoring device; When the monitoring device determines that the incident has occurred, a message containing information indicating that the incident has occurred is transmitted to a terminal device operated by a response processor for responding to the incident. The second processing unit is configured to operate as a second processing unit that transmits second information including communication procedure information that can access the first information and the processing device used to respond to the incident.

A processing method according to the present invention is a processing method in a processing device, and includes a first processing step in which the monitoring device determines whether an incident has occurred in the monitoring device; When the monitoring device determines that the incident has occurred, information indicating that the incident has occurred is sent to a terminal device operated by a response processor for responding to the incident. A second processing step of transmitting first information and second information including communication procedure information that allows access to a response processing device used to respond to the incident. There is.

As described above, according to the present invention, an advantage is achieved in that an operator can perform initial response even when he or she is working from home or performing operational monitoring duties for a server to be monitored remotely.

1 is a schematic diagram of an incident initial response system as a processing device according to the present embodiment. FIG. 2 is a control block diagram showing the functions of an incident management and initial response device. It is a control flowchart explaining the operation|movement for incident management and initial response based on this Embodiment.

FIG. 1 is a schematic diagram of an incident initial response system 10 as a processing device according to the present embodiment.

The incident initial response system 10 includes an incident management/initial response device 12 and a monitoring monitor 14 . The monitoring monitor 14 displays the console screen of the incident management/initial response device 12.

The incident management/initial response device 12 is connected to a monitored device group 20 consisting of a plurality of monitoring devices 18(1) to 18(n) via a first network 16 such as the Internet. Note that n is a positive integer and corresponds to the number of monitoring devices 18.

The monitoring devices 18(1) to 18(n) can target devices within the company and devices of multiple other companies.

Further, the incident management/initial response device 12 is connected to an incident responder terminal (SM) 24 and an incident responder terminal (in charge of operations) 26 via a second network 22 such as an intra-system LAN.

The incident responder terminal (SM) 24 and the incident responder terminal (in charge of operations) 26 are located at a location remote from the incident management/initial response device 12, for example, when the operator is working remotely such as working from home. However, communication is possible via the second network 22, for example, it is possible to receive e-mails when an incident occurs.

FIG. 2 is a control block diagram showing the functions of the incident management/initial response device 12. As shown in FIG. Note that each block shown in FIG. 2 is a classification of the incident management/initial response device 12 by function, and does not limit the hardware configuration. For example, it is equipped with a microcomputer consisting of a CPU "Central Processing Unit", RAM "Random Access Memory", ROM "Read Only Memory", input/output ports, and buses such as data buses and control buses that interconnect these. However, a program for managing incidents and executing impulses may be run.

The incident management/initial response device 12 includes an incident information detection unit 28 that receives incidents occurring from the monitored equipment group 20. When the incident information detection unit 28 detects incident information from any of the monitoring devices 18(1) to 18(n) of the monitored device group 20, it sends the incident information to the incident information analysis unit 30. The incident information analysis unit 30 analyzes the received incident information.

The incident information analysis unit 30 also has a function of storing operation confirmation results and logs from the monitored equipment group 20.

The incident information analysis section 30 is connected to a past incident storage section 32. The past incident storage unit 32 stores incident information that occurred in the past, and also has a function of storing the results of analysis by the incident information analysis unit 30. The past incident storage unit 32 also has a function of searching for stored incident information that occurred in the past.

The incident information analysis unit 30 is connected to an abnormality level database 36 via an abnormality determination unit 34. The abnormal level database 36 stores warning level data 36A, caution level data 36B, and information level data 36C as abnormal levels of incidents. The abnormality determination unit 34 has a function of determining the abnormality level of an incident based on the analysis result of the incident information analysis unit 30.

The incident information analysis section 30 is connected to the countermeasure execution section 38. The countermeasure execution unit 38 is connected to an operation confirmation database 40 and a log acquisition database 42.

(Details of operation confirmation database 40)

The operation confirmation database 40 stores target cases 1, 2 to M (M is a positive integer).

Further, the operation confirmation database 40 includes a processing unit for each of the target cases 1, 2 to M, and is adapted to execute operation confirmation processing based on an operation confirmation execution command. For example, target case 1 includes processing unit 1-1, processing unit 1-2, ... processing unit 1-N (N is a positive integer), and target case 2 includes processing unit 2-1, processing unit 1-N, and Section 2-2...Processing section 2-N (N is a positive integer) is provided, and the processing section M processes processing section M-1, processing section M-2... processing section MN. We are prepared.

As an example of the target case 1, an operation check related to the suspension of the operation of the monitoring devices 18(1) to 18(L) shown in FIG. 1 is executed.

An example of the processing unit 1-1 of the target case 1 is life-or-death monitoring using SNMP "Simple Network Management Protocol" and ICMP "Internet Control Message Protocol" (PING).

As an example of the target case 2, an operation check related to a sudden increase in the amount of communication in the monitoring devices 18(1) to 18(L) shown in FIG. 1 is executed.

An example of the processing unit 2-1 of the target case 2 is life-or-death monitoring using SNMP or ICMP (PING).

As an example of the processing unit 2-2 of the target case 2, the CPU, GPU "Graphics Processing Unit", memory, HDD "Hard This includes checking the usage rates of ``Disk Drive'' and SSD ``Solid State Drive,'' and checking the amount of data sent and received over Ethernet (registered trademark).

As an example of the target case M, an operation check regarding a communication failure between the monitoring devices 18(1) to 18(L) shown in FIG. 1 is executed.

An example of the processing unit M-1 of the target matter M is life-and-death monitoring using SNMP or ICMP (PING).

An example of the processing unit M-2 of the target matter M is checking the network topology including monitoring equipment.

Note that target cases and processing units can be added at any time as necessary.

(Details of log acquisition database 42)
The log acquisition database 42 stores target cases 1, 2 to M (M is a positive integer).

Further, the log acquisition database 42 includes a processing unit for each of the target cases 1, 2 to M, and log acquisition processing is executed based on the respective log acquisition execution commands. For example, target case 1 includes processing unit 1-1, processing unit 1-2, ... processing unit 1-N (N is a positive integer), and target case 2 includes processing unit 2-1, processing unit 1-N, and Section 2-2...Processing section 2-N (N is a positive integer) is provided, and the processing section M processes processing section M-1, processing section M-2... processing section MN. We are prepared.

As an example of the target case 1, log acquisition related to the operation stoppage of the monitoring devices 18(1) to 18(L) shown in FIG. 1 is executed.

An example of the processing unit 1-1 of the target case 1 is log acquisition related to life-or-death monitoring using SNMP or ICMP (PING).

As an example of the target case 2, log acquisition related to a sudden increase in the amount of communication in the monitoring devices 18(1) to 18(L) shown in FIG. 1 is executed.

An example of the processing unit 2-1 of the target case 2 is log acquisition related to life-or-death monitoring using SNMP or ICMP (PING).

An example of the processing unit 2-2 of target case 2 is checking the usage rates of the CPU, GPU, memory, and HDD as individual resources (performance) in the monitoring devices 18(1) to 18(L). This is log acquisition related to checking the amount of data sent and received in Ethernet (registered trademark).

As an example of the target case M, log acquisition related to operation confirmation related to a communication failure between the monitoring devices 18(1) to 18(L) shown in FIG. 1 is executed.

An example of the processing unit M-1 of the target matter M is log acquisition related to life-or-death monitoring using SNMP or ICMP (PING).

An example of the processing unit M-2 of the target matter M is log acquisition related to confirmation of network topology including monitoring equipment.

Note that target cases and processing units can be added at any time as necessary.

The countermeasure execution unit 38 has a function of referring to target commands to be executed from the operation confirmation database 40 and the log acquisition database 42 and executing them.

Incident information analysis section 30 is connected to email distribution module 44 . Mail distribution module 44 is connected to mail database 46 .

The mail database 46 has a mail format to be sent to the incident handler terminal (SM) 24 and the incident handler terminal (operation manager) 26.

(Details of mail database 46)
The mail database 46 stores target cases 1, 2 to M (M is a positive integer).

Further, the mail database 46 includes a processing unit for each of the target cases 1, 2 to M, and mail distribution is executed based on the respective mail formats. For example, target case 1 includes processing unit 1-1, processing unit 1-2, ... processing unit 1-N (N is a positive integer), and target case 2 includes processing unit 2-1, processing unit 1-N, and Section 2-2...Processing section 2-N (N is a positive integer) is provided, and the processing section M processes processing section M-1, processing section M-2... processing section MN. We are prepared.

The email distribution module 44 has a function of selecting a target email format from the email database 46, automatically creating an email, and sending the email to the incident responder terminal (SM) 24 and the incident responder terminal (operation staff) 26. .

Below, the action (operation) of this embodiment will be explained according to the flowchart of FIG. 3.

In normal times, the incident management/initial response device 12 monitors the group of devices 20 to be monitored.

When an incident occurs in any of the monitoring devices in the monitored device group 20, the incident detection unit 28 detects the incident (affirmative determination in step 100), and the process moves to step 102. Note that if a negative determination is made in step 100, this routine ends.

In step 102, the incident information analysis unit 30 analyzes the incident detected in step 100, and the process proceeds to step 104.

In step 104, the incident information analysis unit 30 sends the analysis result of the detected incident to the past incident storage unit 32 and performs a search.

In the next step 106, the incident information analysis unit 30 determines the target case regarding the detected incident, and then proceeds to step 108. Determine whether there is a detected incident among the incidents (existing or new).

In step 108, if the incident information analysis unit 30 determines that the incident is an existing incident that occurred in the past, the process moves to step 110, and the incident information analysis unit 30 checks the detected incident from the past incident storage unit 32. The target case related to the above is read out, and the process moves to step 128. A description of steps after step 128 will be given later.

On the other hand, if the incident information analysis unit 30 determines in step 108 that the detected incident is a new incident (there is no incident that has occurred in the past), the process proceeds to step 112.

In step 112, the incident information analysis unit 30 automatically selects the processing of the operation confirmation execution command and the processing of the log acquisition execution command based on the incident analysis result, and proceeds to step 116.

That is, in step 112, based on the analysis result by the incident information analysis unit 30 and the target cases 1 to n determined in step 106, the countermeasure execution unit 38 executes the operation confirmation execution command held in the operation confirmation database 40. and the process of the log acquisition execution command held in the log acquisition database 42 are automatically selected. In step 116, the countermeasure execution unit 38 executes the process selected in step 112.

In the next step 118, the countermeasure execution unit 38 executes the processing of the operation confirmation execution command and the processing of the log acquisition execution command on the monitoring equipment of the monitored equipment group in which the incident has occurred.

In step 118, the countermeasure execution unit 38 acquires the processing results of the operation confirmation execution command and the log acquisition execution command, stores them in the incident information analysis unit 30, and proceeds to step 120.

In step 120, the incident information analysis unit 30 sends the results of the analysis by the incident information analysis unit 30 and the operation confirmation results to the abnormality determination unit 34. Next, the process proceeds to step 122, where the abnormality determination unit 34 determines whether the incident Based on the results of the analysis by the information analysis unit 30 and the results of the operation confirmation, one of the abnormality levels (three levels: warning level, caution level, and information level) stored in the abnormality level database 36 is determined. In the next step 124, the abnormality determination unit 34 sends the abnormality level determined in step 122 to the incident information analysis unit 30, and the process proceeds to step 128.

In step 128, which is transferred from step 124 or step 110, the countermeasure execution unit 38 receives the existing incident information or new incident information from the incident information analysis unit 30, and receives the target log in the log acquisition database 42. The acquisition execution command is determined and the process moves to step 130. In step 130, the countermeasure execution unit 38 executes the determined log acquisition execution command on the monitoring devices 18(1) to 18(L) inside the monitored device group 20, and The logs obtained in steps 18(L) to 18(L) are sent to the incident information analysis unit 30.

Here, in step 128 and step 130, in the case of an existing incident, a specified log acquisition execution command is executed for the incident registered in the target case in the log acquisition database.

On the other hand, in steps 128 and 130, in the case of a new incident, a log acquisition execution command registered for new incidents is executed.

In the next step 132, the incident information analysis unit 30 sends information about the target matter related to the incident detected by the incident information analysis unit 30, the execution results of the operation confirmation execution command, and the execution results of the log acquisition execution command by email. It is sent to the distribution module 44.

In the next step 134, the e-mail distribution module 44 refers to the e-mail format within the e-mail database 46 based on the information on the target case sent out by the incident information analysis unit 30 in step 132 and the two execution results, and sends the e-mail. The process then proceeds to step 136.

Here, in the created email, for example, the incident occurrence, information on the target case, operation confirmation results, log information, and the connection URL of the management console to the incident management/initial response device 12 are described in the email body.

Also, here, the information on the target matter, the operation confirmation result, and the log information are based on the information sent by the incident information analysis unit 30 in step 132, and the information on the target matter, the execution result of the operation confirmation execution command, This information is based on the execution results of the log acquisition execution command.

In step 136, the email distribution module 44 sends the created email (including the incident occurrence, information on the target case, operation confirmation results, log information, and the connection URL of the management console to the incident management/initial response device 12) to the incident responder. It is transmitted to the terminal (SM) 24 and the incident responder terminal (operation person) 26.

After receiving the email, the incident responder (SM) and the incident responder (operation manager) determine a permanent measure for the incident.

Here, if additional investigation is necessary (affirmative determination at step 138), the process moves to step 140.

In step 140, the following processing is performed.

Since the URL for connecting the management console to the incident management/initial response device 12 is written in the email body, the incident responder terminal (SM) 24 (or the incident responder terminal (operation person) 26) is used by the person in charge of the incident. The connection URL of the management console to the incident management/initial response device 12 is input by the person in charge of the incident (SM) (or the person in charge of the incident (in charge of operations)). When the connection URL of the management console is input, the incident responder terminal (SM) 24 (or the incident responder terminal (operation staff) 26) accesses the management console (not shown) of the incident management/initial response device 12. do.

In addition, the incident responder terminal (SM) 24 (or incident responder terminal (operations person) 26) is pressed (input) by the incident person (SM) (or incident person in charge (operations person)) of the countermeasure number. be done. The incident responder terminal (SM) 24 (or the incident responder terminal (operation person) 26) transmits the countermeasure number to the management console.

When the countermeasure execution unit 38 receives a countermeasure number from the incident responder terminal (SM) 24 (or the incident responder terminal (operation staff) 26) via the management console, the countermeasure execution unit 38 executes an additional investigation based on the received countermeasure number. do.

Here, in step 140, if there is an access control unit (not shown) in the incident management/initial response device 12, the following process is executed.

When the access control unit receives the connection URL from the incident responder terminal (SM) 24 (or the incident responder terminal (operation staff) 26), the access control unit uses the received connection URL and the information written in the email body created in step 136. Compare with the connection URL of the management console.

If the comparison results of the two URLs match, the access control unit allows access to the management console from the incident responder terminal (SM) 24 or the incident responder terminal (operator) 26. When the countermeasure execution unit 38 receives a countermeasure number from the incident handler terminal (SM) 24 (or incident responder terminal (operation staff) 26) via the management console in the access control unit, the countermeasure execution unit 38 executes the countermeasure number based on the received countermeasure number. Perform additional investigation.

The access control unit prohibits access to the management console from the incident responder terminal (SM) 24 or the incident responder terminal (operation person) 26 if the comparison result of the two URLs does not match.

When the access control unit completes the process when the two URLs match (or do not match), step 140 ends.

Here, in step 140, if the connection URL of the management console written in the email body in step 136 is changed every time step 136 is executed, the following process is executed.

The access control unit receives the connection URL from the next incident responder terminal (SM) 24 (or incident responder terminal (operation person) 26), and sends the received connection URL and the email body created in step 136. When comparing the management console connection URL written in the email body created in step 136, the management console connection URL written in the email body created in step 136 is the last one (the most recent time information from the time information when step 140 is executed). This is the connection URL of the management console created in step 136 executed in .

When the process of step 140 is completed, this routine ends. Note that if the determination in step 138 is negative, this routine ends.

The management console requests the countermeasure execution unit 38 to obtain additional logs for the target case, and the obtained logs are sent to the incident responder terminal (SM) 24 and the incident responder terminal (operation staff) 26 via the email distribution module 44. be done.

As explained above, according to the incident initial response system 10 of the present embodiment, when the incident information analysis section 30 detects an incident from the monitored equipment group 20, the incident information analysis section 30, based on instructions from the incident information analysis section 30, The countermeasure execution unit 38 determines whether the incident is new or existing, and determines the abnormality level based on the content of the incident.The countermeasure execution unit 38 also controls the operation confirmation database 40 and the log acquisition database 42 to automatically prevent the incident from occurring. By executing operation confirmation and log acquisition, and creating an email from the email delivery module 44 to the incident responder terminal (SM) 24 and the incident responder terminal (operation staff) 26, the information is automatically sent. , when an incident occurs, the necessary information can be obtained at the same time, and the initial response method can be quickly determined.

Although the incident initial response system 10 shown in the overall configuration of FIG. 1 uses the Internet as the first network 16 and the internal LAN as the second network 22, the same applies even when an external network such as a cloud service is used. have an effect. Further, the first network 16 and the second network 22 may be common.

In addition, in this embodiment, the e-mail distribution module 44 is illustrated as a component of the incident management/initial response device 12, and it is assumed that e-mail is to be distributed. Information sites such as web portal sites are also applicable.

Further, in this embodiment, a configuration in which there is one incident management/initial response device 12 is described, but a configuration in which there are a plurality of incident management/initial response devices 12 (for example, two units) may be used. Here, when the incident management/initial response device 12 is composed of two units, each incident management/initial response device 12 divides the operations for incident management/initial response in FIG. 3 as follows.

One incident management/initial response device 12 shares the processing of steps 100 to 136 in FIG.

The other incident management/initial response device 12 shares the processing of step 140 in FIG.

10 Incident initial response system 12 Incident management and initial response device (processing device)
14 Surveillance monitor 16 First network 18 Monitoring equipment (1) to (n)
20 Monitored equipment group 22 Second network 24 Incident responder terminal “SM” (terminal device)
26 Incident responder terminal “Operations” (terminal device)
28 Incident information detection unit (first processing unit)
30 Incident Information Analysis Department (Second Processing Department)
32 Past incident storage unit 34 Abnormality determination unit (second processing unit)
36 Abnormality level database 36A Warning level data 36B Caution level data 36C Information level data 38 Countermeasure execution unit (second processing unit)
40 Operation confirmation database 42 Log acquisition database 44 Email distribution module 46 Email database

Claims (6)

a first processing unit that monitors a monitoring device that is a monitoring target and determines whether an incident has occurred in the monitoring device;
When the first processing unit determines that the incident has occurred in the monitoring device, the incident is transmitted to a terminal device operated by a response processor for handling the incident. a second processing unit that transmits first information including information indicating that the incident occurred, and second information including communication procedure information that allows access to a response processing device used to respond to the incident; ,
A processing device comprising: The processing device includes:
an incident analysis department that analyzes the incident;
a countermeasure execution unit that executes countermeasures against the incident;
The processing device according to claim 1, further comprising: an abnormality determination unit that determines the abnormality level of the incident. The processing device includes an access control unit,
The process according to claim 1, wherein the access control unit sets communication restrictions in communication between the terminal device and the compatible processing device other than access based on second information transmitted by the second processing unit. Device. The processing device according to claim 1, wherein the compatible processing device is the processing device. computer,
a first processing unit that monitors a monitoring device that is a monitoring target and determines whether an incident has occurred in the monitoring device;
When the first processing unit determines that the incident has occurred in the monitoring device, the incident is transmitted to a terminal device operated by a response processor for handling the incident. operates as a second processing unit that transmits first information including information indicating that the incident occurred, and second information including communication procedure information that allows access to a processing device used to respond to the incident. processing program. A processing method in a processing device, comprising:
a first processing step of monitoring a monitoring device that is a monitoring target and determining whether an incident has occurred in the monitoring device;
In the first processing step, when the monitoring device determines that the incident has occurred, the occurrence of the incident is sent to a terminal device operated by a response processor for responding to the incident. a second processing step of transmitting first information including information indicating that the incident has occurred, and second information including communication procedure information that allows access to a response processing device used to respond to the incident; ,
A processing method characterized by comprising: