CN110990233B - Method and system for displaying SOAR by utilizing Gantt chart - Google Patents


Info

Publication number
CN110990233B
CN110990233B
Authority
CN
China
Prior art keywords
processing
response
soar
target
alarm event
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911197727.2A
Other languages
Chinese (zh)
Other versions
CN110990233A (en)
Inventor
孟凤娟
范渊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN201911197727.2A
Publication of CN110990233A
Application granted
Publication of CN110990233B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/32 Monitoring with visual or acoustical indication of the functioning of the machine
    • G06F11/324 Display of status information
    • G06F11/327 Alarm or error message display
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/30 Computing systems specially adapted for manufacturing

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Alarm Systems (AREA)

Abstract

The invention provides a method and a system for displaying SOAR by utilizing a Gantt chart, which relate to the technical field of network security and comprise the following steps: acquiring the processing rules of an alarm event processing system and the response components in the alarm event processing system, and determining an identification sequence number for each processing rule and each response component; acquiring target alarm information, and determining the trigger time node of each processing rule based on the target alarm information; acquiring the response time node of each response component; and constructing a Gantt chart from the trigger time nodes, the response time nodes and the identification sequence numbers, wherein the Gantt chart represents the security orchestration and automated response process of the alarm event processing system. This solves the technical problem that, in the prior art, the execution sequence and execution time of each rule and each response component in the SOAR (security orchestration and automated response) process of the alarm event processing system cannot be intuitively reflected.

Description

Method and system for displaying SOAR by utilizing Gantt chart
Technical Field
The invention relates to the technical field of network security, in particular to a method and a system for displaying SOAR by utilizing Gantt charts.
Background
SOAR (Security Orchestration, Automation and Response) has been popular for some time in the field of network security and is a direction of development for enterprise security. SOAR improves the efficiency of incident response, improves team efficiency through integrated case management and task automation, and takes over much of the routine work of security analysts.
SOAR orchestrates the work content and the workflow of each rule and each response component, but it has no intuitive time axis to represent the execution sequence, the execution time, and whether each step has or has not been executed.
An effective solution to the above-mentioned problems has not been proposed yet.
Disclosure of Invention
In view of the above, the present invention aims to provide a method and a system for displaying SOAR by using a Gantt chart, so as to alleviate the technical problem of the prior art that the execution sequence and the execution time of each rule and each response component in the SOAR (security orchestration and automated response) process of an alarm event processing system cannot be intuitively reflected.
In a first aspect, an embodiment of the present invention provides a method for displaying SOAR by using a Gantt chart, including: acquiring a processing rule of an alarm event processing system and a response component in the alarm event processing system, and determining an identification sequence number of the processing rule and an identification sequence number of the response component; acquiring target alarm information and determining a trigger time node of the processing rule based on the target alarm information, wherein the target alarm information is used for representing a processing result of the alarm event processing system on a target alarm event, and the target alarm event is any alarm event among the alarm events processed by the alarm event processing system; acquiring a response time node of the response component; and constructing a Gantt chart by using the trigger time node, the response time node and the identification sequence number.
Further, determining the identification sequence number of the processing rule and the identification sequence number of the response component includes: based on the processing rules and the response component, an SOAR script is constructed, wherein the SOAR script is used for representing a flow of the alarm event processing system for processing alarm events; and determining the identification sequence number of the processing rule and the identification sequence number of the response component according to the SOAR script.
Further, constructing an SOAR script based on the processing rules and the response component comprises: adding the processing rule and the response component to a preset canvas to obtain a target canvas; and, in accordance with the processing flow of the alarm event processing system, connecting the processing rule and the response component in the target canvas to obtain the SOAR script.
Further, determining the identification sequence number of the processing rule and the identification sequence number of the response component according to the SOAR script includes: acquiring a target sequence based on the SOAR script, the target sequence being the sequence in which the processing rule and the response component were added to the preset canvas; and respectively configuring corresponding identification serial numbers for the processing rules and the response components according to the target sequence.
Further, the target alarm information carries a trigger time node of a final processing rule and an identification serial number of an initial processing rule, wherein the initial processing rule is a preset number of processing rules triggered by the target alarm event before the final processing rule is triggered, and the final processing rule is a last processing rule triggered by the target alarm event;
determining a trigger time node of the processing rule based on the target alarm information, including: an acquisition step of acquiring initial alarm information based on the identification information of a preset number of processing rules triggered before the final processing rule, wherein the initial alarm information is alarm information corresponding to the initial processing rule; a first determining step, determining trigger time nodes of the preset number of processing rules according to the initial alarm information; a second determining step of determining a preset number of processing rules before the final processing rule as the final processing rule and determining the initial alarm information as the target alarm information; and repeating the obtaining step and the first determining step until the trigger time nodes of all the processing rules are determined.
Further, constructing a Gantt chart by using the response time node, the trigger time node, and the identification sequence number includes: constructing a coordinate system, wherein the abscissa of the coordinate system is the time node and the ordinate of the coordinate system is the identification serial number; and adding the processing rule and the response component to the coordinate system by using the response time node, the trigger time node and the identification sequence number to obtain the Gantt chart.
In a second aspect, an embodiment of the present invention further provides a system for displaying SOAR by using a Gantt chart, including a first acquisition unit, a second acquisition unit, a third acquisition unit and a construction unit, wherein the first acquisition unit is used for acquiring processing rules of an alarm event processing system and response components in the alarm event processing system, and determining identification serial numbers of the processing rules and the response components; the second acquisition unit is used for acquiring target alarm information and determining a trigger time node of the processing rule based on the target alarm information, wherein the target alarm information is used for representing a processing result of the alarm event processing system on a target alarm event, and the target alarm event is any alarm event among the alarm events processed by the alarm event processing system; the third acquisition unit is used for acquiring a response time node of the response component; and the construction unit is used for constructing a Gantt chart by utilizing the trigger time node, the response time node and the identification sequence number.
Further, the first acquisition unit is further configured to: based on the processing rules and the response component, an SOAR script is constructed, wherein the SOAR script is used for representing a flow of the alarm event processing system for processing alarm events; and determining the identification sequence number of the processing rule and the identification sequence number of the response component according to the SOAR script.
In a third aspect, embodiments of the present invention also provide a computer readable medium having non-volatile program code executable by a processor, the program code causing the processor to perform the method of the first aspect for displaying SOAR using a Gantt chart.
In a fourth aspect, the present invention further provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the method for displaying SOAR using a Gantt chart described in the first aspect when it executes the computer program.
In the embodiment of the invention, firstly, a processing rule of an alarm event processing system and a response component in the alarm event processing system are obtained, and an identification sequence number of the processing rule and an identification sequence number of the response component are determined; then, acquiring target alarm information, and determining a trigger time node of a processing rule based on the target alarm information, wherein the target alarm information is used for representing a processing result of an alarm event processing system on a target alarm event, and the target alarm event is any alarm event in alarm events processed by the alarm event processing system; then, acquiring a response time node of the response component; and finally, constructing a Gantt chart of the SOAR script by using the trigger time node, the response time node and the identification sequence number.
In the embodiment of the invention, the Gantt chart is constructed by acquiring the processing rules of the alarm event processing system and the response components in the alarm event processing system, determining the identification sequence numbers of the processing rules and the identification sequence numbers of the response components, and acquiring the time nodes of the processing rules and the response time nodes of the response components determined according to the target alarm information.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the above objects, features and advantages of the present invention more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for displaying SOAR using Gantt chart according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for determining an identification number of a processing rule and an identification number of a response component according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a system for displaying SOAR using Gantt charts according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a server according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Embodiment one:
in accordance with an embodiment of the present invention, there is provided an embodiment of a method for displaying SOAR using a Gantt chart. It should be noted that the steps shown in the flowchart of the figure may be performed in a computer system, for example as a set of computer executable instructions, and, although a logical order is shown in the flowchart, in some cases the steps shown or described may be performed in an order other than that shown.
FIG. 1 is a method for displaying SOAR using Gantt chart according to an embodiment of the present invention, as shown in FIG. 1, the method comprising the steps of:
step S102, acquiring a processing rule of an alarm event processing system and a response component in the alarm event processing system, and determining an identification serial number of the processing rule and an identification serial number of the response component;
step S104, obtaining target alarm information, and determining a trigger time node of the processing rule based on the target alarm information, wherein the target alarm information is used for representing a processing result of the alarm event processing system on a target alarm event, and the target alarm event is any alarm event in alarm events processed by the alarm event processing system.
Specifically, the target alarm information may be obtained from a Kafka platform connected to the alarm event processing system. Kafka is an open source stream processing platform written in Scala and Java. It is a high-throughput distributed publish-subscribe messaging system that can handle all the action stream data of a consumer-facing web site. Such actions (web browsing, searching and other user actions) are a key factor in many social functions on modern networks. These action stream data are typically handled through log processing and log aggregation because of the throughput requirements. The purpose of Kafka is to unify online and offline message processing through the Hadoop parallel loading mechanism, and also to provide real-time messages through its clusters.
Step S106, obtaining the response time node of the response component.
Specifically, the response time node of a response component is the time node at which the component's interface was invoked to process the alarm event.
Step S108, constructing a Gantt chart by utilizing the trigger time node, the response time node and the identification sequence number, wherein the Gantt chart is used for representing the security orchestration and automated response process of the alarm event processing system.
In the embodiment of the invention, the Gantt chart is constructed by acquiring the processing rules of the alarm event processing system and the response components in the alarm event processing system, determining the identification sequence numbers of the processing rules and the identification sequence numbers of the response components, and acquiring the time nodes of the processing rules and the response time nodes of the response components determined according to the target alarm information.
In the embodiment of the present invention, as shown in fig. 2, the determining the identification serial number of the processing rule and the identification serial number of the response component further includes the following steps:
step S11, based on the processing rules and the response components, an SOAR script is constructed, wherein the SOAR script is used for representing the flow of the alarm event processing system for processing the alarm event;
and step S12, determining the identification sequence number of the processing rule and the identification sequence number of the response component according to the SOAR script.
In the embodiment of the invention, in order to determine the identification serial number of the processing rule and the identification serial number of the response component, firstly, a flow block diagram for representing the processing flow of the alarm event processing system for processing the alarm event is constructed based on the processing rule and the response component, and the flow block diagram is used as an SOAR script.
Then, the identification sequence number of the processing rule and the identification sequence number of the response component are determined according to the SOAR script.
Specifically, in order to construct the SOAR script, the processing rules and the response components are added to a preset canvas in the form of blocks, and then the blocks representing the processing rules and the response components are connected by line segments according to the processing flow of the alarm event processing system for the alarm event, so that the SOAR script is obtained.
In order to determine the identification sequence number of the processing rule and the identification sequence number of the response component, the sequence in which the processing rules and the response components were added to the preset canvas is determined according to the SOAR script, and then corresponding identification sequence numbers are respectively configured for the processing rules and the response components according to that sequence.
In the embodiment of the invention, the trigger time node of the processing rule is determined based on the target alarm information, and the method further comprises the following steps:
an acquisition step of acquiring initial alarm information based on the identification information of a preset number of processing rules triggered before the final processing rule, wherein the initial alarm information is alarm information corresponding to the initial processing rule;
step S21, a first determining step, namely determining the triggering time nodes of the preset number of processing rules according to the initial alarm information;
step S22, a second determining step, wherein a preset number of processing rules before the final processing rule are determined as the final processing rule, and the initial alarm information is determined as the target alarm information;
step S23, repeating the obtaining step and the first determining step until the trigger time nodes of all the processing rules are determined.
It should be noted that, the target alarm information carries a trigger time node of a final processing rule and an identification serial number of an initial processing rule, where the initial processing rule is a preset number of processing rules triggered by a target alarm event before the final processing rule is triggered, and the final processing rule is a last processing rule triggered by the target alarm event.
The preset number may be set by the user according to the actual situation, and is not specifically limited in the embodiment of the present application, and preferably, the preset number is 1 or 2.
In the embodiment of the present invention, first, the alarm information (i.e., the initial alarm information) corresponding to the initial processing rule needs to be obtained according to the identification information of the preset number of processing rules triggered before the final processing rule.
Then, according to the initial alarm information, determining the trigger time nodes of the preset number of processing rules, wherein the initial alarm information is similar to the target alarm information, and the initial alarm information carries the trigger time nodes of the processing rules corresponding to the initial alarm information, so that the trigger time nodes of the preset number of processing rules can be determined through the initial alarm information.
And then, determining a preset number of processing rules before the final processing rule as the final processing rule, determining initial alarm information as the target alarm information, and executing the acquisition step and the first determination step again until the trigger time nodes of all the processing rules are determined.
By this reverse tracing method, the trigger time nodes of all the processing rules can be determined.
For example, suppose the alarm event processing system includes 5 processing rules, rule 1 to rule 5, and when the target alarm event is acquired the 5 processing rules are triggered sequentially in the order rule 1 to rule 5, so that the final processing rule is rule 5. If the preset number is 2, the identification serial numbers of the initial processing rules carried by the target alarm information are those of rule 4 and rule 3; the initial alarm information corresponding to rule 4 carries the trigger time node of rule 4, and similarly the initial alarm information corresponding to rule 3 carries the trigger time node of rule 3.
In the embodiment of the present invention, step S108 further includes the following steps:
s31, constructing a coordinate system, wherein the abscissa of the coordinate system is a time node, and the ordinate of the coordinate system is an identification serial number;
and S32, adding the processing rule and the response component to the coordinate system by using the response time node, the trigger time node and the identification sequence number to obtain the Gantt chart.
In the embodiment of the invention, since a Gantt chart displays the items of a project as bars (here corresponding to the blocks of the processing rules and the response components) and shows how their progress and other time-related progress relate to one another as time advances, the Gantt chart can be displayed in the form of a coordinate system.
First, a coordinate system is constructed with time nodes as the abscissa of the coordinate system and identification numbers as the ordinate of the coordinate system.
Then, according to the trigger time node and the corresponding identification serial number of each processing rule, the processing rule is added to the coordinate system, and according to the response time node and the corresponding identification serial number of each response component, the response component is added to the coordinate system. The result is a Gantt chart that reflects the execution sequence and execution time of each rule and each response component in the security orchestration and automated response process of the alarm event processing system, so that security analysts can intuitively determine the execution sequence and execution time of each rule and each response component through the Gantt chart, which relieves the working pressure on the security analysts.
It should be noted that, in the Gantt chart, whether a response component has completed processing the target alarm event may be indicated by adding identification information to the response component; for example, a response component that has completed processing the target alarm event is displayed in green, and a response component that has not completed processing the target alarm event is displayed in gray.
In addition, the Gantt chart can also display the processing progress of the alarm event, where the processing progress is represented by the ratio of the number of response components that have completed processing the target alarm event to the total number of response components.
By adding the identification information to the response components, the security analyst intuitively sees the flow of the alarm event processing system as the alarm event is processed, and by displaying the processing progress of the alarm event in the Gantt chart, the analyst intuitively sees the working progress of the alarm event processing system.
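The reverse tracing of trigger time nodes (the acquisition, first determining and second determining steps) and the construction of the Gantt chart in the coordinate system are shown together below in an added Python example that is not code from the patent or from the assignee. All record layouts, time values, component names and the rule that a bar lasts until the next time node are assumptions made for illustration; the alarm records follow the patent's worked example of five rules with a preset number of 2.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AlarmInfo:
    """Alarm information record (assumed layout): trigger time node of the rule
    that produced it plus the identification numbers of the preset number of
    rules triggered before it (the initial processing rules)."""
    rule_id: int
    trigger_time: int                  # constructed unit: seconds after the alarm arrived
    previous_rule_ids: Tuple[int, ...]


@dataclass(frozen=True)
class ResponseRecord:
    """Response time node and completion state of one response component."""
    component_id: int
    response_time: Optional[int]       # None: the component has not responded yet
    completed: bool


@dataclass(frozen=True)
class GanttRow:
    seq_no: int            # ordinate: identification sequence number
    label: str
    start: int             # abscissa: trigger time node or response time node
    end: Optional[int]     # assumption: a bar lasts until the next time node
    color: str             # "green" = completed, "gray" = not completed


# Constructed data matching the patent's example: rules 1..5 fire in order and
# the preset number is 2, so each record names the two rules triggered before it.
ALARM_STORE: Dict[int, AlarmInfo] = {
    1: AlarmInfo(1, 0, ()),
    2: AlarmInfo(2, 3, (1,)),
    3: AlarmInfo(3, 7, (2, 1)),
    4: AlarmInfo(4, 12, (3, 2)),
    5: AlarmInfo(5, 20, (4, 3)),
}
RESPONSES: Dict[int, ResponseRecord] = {
    1: ResponseRecord(1, 9, True),     # e.g. indicator enrichment (constructed)
    2: ResponseRecord(2, 15, True),    # e.g. ticket creation (constructed)
    3: ResponseRecord(3, 22, False),   # e.g. waiting for analyst approval (constructed)
}
# SOAR script: order in which rule and component blocks were added to the canvas.
SCRIPT: List[Tuple[str, int]] = [
    ("rule", 1), ("rule", 2), ("component", 1), ("rule", 3),
    ("rule", 4), ("component", 2), ("rule", 5), ("component", 3),
]


def assign_sequence_numbers(script: List[Tuple[str, int]]) -> Dict[Tuple[str, int], int]:
    """Identification sequence numbers follow the order of addition to the canvas."""
    return {node: idx for idx, node in enumerate(script, start=1)}


def trace_trigger_times(target: AlarmInfo, store: Dict[int, AlarmInfo]) -> Dict[int, int]:
    """Reverse-trace every rule's trigger time node from the target alarm information,
    repeating the acquisition / first determining / second determining steps."""
    times = {target.rule_id: target.trigger_time}
    pending = [target]                              # records treated as the 'final rule'
    while pending:
        final = pending.pop()
        for rid in final.previous_rule_ids:         # acquisition step
            if rid in times:
                continue                            # already traced via another path
            initial = store[rid]                    # initial alarm information
            times[rid] = initial.trigger_time       # first determining step
            pending.append(initial)                 # second determining step
    return times


def build_gantt(script, trigger_times, responses) -> List[GanttRow]:
    """Place each rule and each responded component in the coordinate system
    (time on the abscissa, identification sequence number on the ordinate)."""
    seq = assign_sequence_numbers(script)
    points = []
    for kind, ident in script:
        if kind == "rule":
            start, color = trigger_times[ident], "green"
        else:
            rec = responses[ident]
            if rec.response_time is None:
                continue                            # not on the timeline yet
            start = rec.response_time
            color = "green" if rec.completed else "gray"
        points.append((seq[(kind, ident)], f"{kind} {ident}", start, color))
    points.sort(key=lambda p: p[2])                 # chronological order
    rows = []
    for i, (seq_no, label, start, color) in enumerate(points):
        end = points[i + 1][2] if i + 1 < len(points) else None
        rows.append(GanttRow(seq_no, label, start, end, color))
    return sorted(rows, key=lambda r: r.seq_no)


def processing_progress(responses: Dict[int, ResponseRecord]) -> float:
    """Share of response components that completed processing the target alarm."""
    return sum(1 for r in responses.values() if r.completed) / len(responses) if responses else 0.0


if __name__ == "__main__":
    times = trace_trigger_times(ALARM_STORE[5], ALARM_STORE)
    for row in build_gantt(SCRIPT, times, RESPONSES):
        print(f"{row.seq_no:>2} {row.label:<12} {row.color:<5} {row.start}-{row.end}")
    print(f"progress: {processing_progress(RESPONSES):.0%}")
```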
Embodiment two:
the invention also provides an embodiment of a system for displaying the SOAR by using the Gantt chart, which is used for executing the method for displaying the SOAR by using the Gantt chart provided by the embodiment of the invention, and the following is a specific description of the system for displaying the SOAR by using the Gantt chart provided by the embodiment of the invention.
As shown in FIG. 3, the system for displaying SOAR by using a Gantt chart includes: a first acquisition unit 10, a second acquisition unit 20, a third acquisition unit 30 and a construction unit 40.
The first acquiring unit 10 is configured to acquire a processing rule of an alarm event processing system and a response component in the alarm event processing system, and determine an identification sequence number of the processing rule and an identification sequence number of the response component;
the second obtaining unit 20 is configured to obtain target alarm information, and determine a trigger time node of the processing rule based on the target alarm information, where the target alarm information is used to characterize a processing result of the alarm event processing system on a target alarm event, and the target alarm event is any alarm event in alarm events processed by the alarm event processing system;
the third obtaining unit 30 is configured to obtain a response time node of the response component;
the construction unit 40 is configured to construct a Gantt chart using the trigger time node, the response time node and the identification sequence number, where the Gantt chart is used to characterize the security orchestration and automated response process of the alarm event processing system.
In the embodiment of the invention, the Gantt chart is constructed by acquiring the processing rules of the alarm event processing system and the response components in the alarm event processing system, determining the identification sequence numbers of the processing rules and the identification sequence numbers of the response components, and acquiring the time nodes of the processing rules and the response time nodes of the response components determined according to the target alarm information.
Preferably, the first acquisition unit is further configured to: based on the processing rules and the response component, an SOAR script is constructed, wherein the SOAR script is used for representing a flow of the alarm event processing system for processing alarm events; and determining the identification sequence number of the processing rule and the identification sequence number of the response component according to the SOAR script.
Preferably, the first acquisition unit is further configured to: add the processing rule and the response component to a preset canvas to obtain a target canvas; and, in accordance with the processing flow of the alarm event processing system, connect the processing rule and the response component in the target canvas to obtain the SOAR script.
Preferably, the first acquisition unit is further configured to: acquiring a target sequence based on the SOAR script; the target sequence is the sequence of adding the processing rule and the response component to a preset canvas; and respectively configuring corresponding identification serial numbers for the processing rules and the response components according to the target sequence.
Preferably, the target alarm information carries a trigger time node of a final processing rule and an identification serial number of an initial processing rule, where the initial processing rule is a preset number of processing rules triggered by the target alarm event before the final processing rule is triggered, the final processing rule is a last processing rule triggered by the target alarm event, and the second obtaining unit is further configured to: acquiring initial alarm information based on the identification information of a preset number of processing rules triggered before the final processing rule, wherein the initial alarm information is alarm information corresponding to the initial processing rule; determining trigger time nodes of the preset number of processing rules according to the initial alarm information; determining a preset number of processing rules before the final processing rule as the final processing rule, and determining the initial alarm information as the target alarm information; and repeating the obtaining step and the first determining step until the trigger time nodes of all the processing rules are determined.
Preferably, the construction unit is further configured to: constructing a coordinate system, wherein the abscissa of the coordinate system is a time node, and the ordinate of the coordinate system is an identification serial number; and adding the processing rule and the response component to the coordinate system by using the response time node, the trigger time node and the identification sequence number to obtain the Gantt chart.
An embodiment of the present invention provides a computer readable medium having non-volatile program code executable by a processor, where the program code causes the processor to execute the method for displaying an SOAR using a Gantt chart in the first embodiment.
Embodiment III:
An electronic device provided in an embodiment of the present invention includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the method for displaying the SOAR using the Gantt chart in the first embodiment when executing the computer program.
Referring to fig. 4, an embodiment of the present invention further provides a server 100, including: a processor 60, a memory 61, a bus 62 and a communication interface 63, the processor 60, the communication interface 63 and the memory 61 being connected by the bus 62; the processor 60 is arranged to execute executable modules, such as computer programs, stored in the memory 61.
The memory 61 may include a high-speed random access memory (RAM), and may further include a non-volatile memory, such as at least one magnetic disk memory. The communication connection between the system network element and at least one other network element is achieved via at least one communication interface 63 (which may be wired or wireless), and may use the internet, a wide area network, a local area network, a metropolitan area network, etc.
Bus 62 may be an ISA bus, a PCI bus, an EISA bus, or the like. The buses may be classified as address buses, data buses, control buses, etc. For ease of illustration, only one bi-directional arrow is shown in FIG. 4, but this does not mean that there is only one bus or only one type of bus.
The memory 61 is configured to store a program, and the processor 60 executes the program after receiving an execution instruction, and the method executed by the apparatus for flow defining disclosed in any of the foregoing embodiments of the present invention may be applied to the processor 60 or implemented by the processor 60.
The processor 60 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuitry in hardware or by instructions in software in the processor 60. The processor 60 may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; but may also be a digital signal processor (Digital Signal Processor, DSP for short), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC for short), a field programmable gate array (Field-Programmable Gate Array, FPGA for short), or another programmable logic device, discrete gate or transistor logic device, or discrete hardware component. The methods, steps, and logic blocks disclosed in the embodiments of the present invention may be implemented or performed by it. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly in the execution of a hardware decoding processor, or in the execution of a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, or electrically erasable programmable memory, registers, etc., as well known in the art. The storage medium is located in the memory 61, and the processor 60 reads the information in the memory 61 and, in combination with its hardware, performs the steps of the method described above.
In addition, in the description of embodiments of the present invention, unless explicitly stated and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention will be understood in specific cases by those of ordinary skill in the art.
In the description of the present invention, it should be noted that the directions or positional relationships indicated by the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, are merely for convenience of describing the present invention and simplifying the description, and do not indicate or imply that the devices or elements referred to must have a specific orientation, be configured and operated in a specific orientation, and thus should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
Finally, it should be noted that: the above examples are only specific embodiments of the present invention, and are not intended to limit the scope of the present invention, but it should be understood by those skilled in the art that the present invention is not limited thereto, and that the present invention is described in detail with reference to the foregoing examples: any person skilled in the art may modify or easily conceive of the technical solution described in the foregoing embodiments, or perform equivalent substitution of some of the technical features, while remaining within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method for displaying an SOAR using a Gantt chart, comprising:
acquiring a processing rule of an alarm event processing system and a response component in the alarm event processing system, and determining an identification sequence number of the processing rule and an identification sequence number of the response component;
acquiring target alarm information and determining a trigger time node of the processing rule based on the target alarm information, wherein the target alarm information is used for representing a processing result of the alarm event processing system on a target alarm event, and the target alarm event is any alarm event in alarm events processed by the alarm event processing system;
acquiring a response time node of the response component;
and constructing a Gantt chart by utilizing the trigger time node, the response time node and the identification sequence number, wherein the Gantt chart is used for representing the security orchestration and automated response process of the alarm event processing system.
2. The method of claim 1, wherein determining the identification sequence number of the processing rule and the identification sequence number of the responding component comprises:
based on the processing rules and the response component, an SOAR script is constructed, wherein the SOAR script is used for representing a flow of the alarm event processing system for processing alarm events;
and determining the identification sequence number of the processing rule and the identification sequence number of the response component according to the SOAR script.
3. The method of claim 2, wherein constructing an SOAR script based on the processing rules and the response component comprises:
adding the processing rule and the response component to a preset canvas to obtain a target canvas;
and combining the processing flow of the alarm event processing system, and connecting the processing rule and the response component in the target canvas to obtain the SOAR script.
4. The method of claim 3, wherein determining the identification number of the processing rule and the identification number of the response component from the SOAR script comprises:
acquiring a target sequence based on the SOAR script; the target sequence is the sequence of adding the processing rule and the response component to a preset canvas;
and respectively configuring corresponding identification serial numbers for the processing rules and the response components according to the target sequence.
5. The method of claim 1, wherein the target alarm information carries a trigger time node of a final processing rule, and an identification sequence number of an initial processing rule, wherein the initial processing rule is a preset number of processing rules triggered by the target alarm event before the final processing rule is triggered, and the final processing rule is the last processing rule triggered by the target alarm event;
determining a trigger time node of the processing rule based on the target alarm information, including:
an acquiring step of acquiring initial alarm information based on the identification information of the preset number of processing rules triggered before the final processing rule, wherein the initial alarm information is alarm information corresponding to the initial processing rule;
a first determining step, determining trigger time nodes of the preset number of processing rules according to the initial alarm information;
a second determining step of determining the preset number of processing rules before the final processing rule as the final processing rule and determining the initial alarm information as the target alarm information;
and repeating the acquiring step and the first determining step until the trigger time nodes of all the processing rules are determined.
6. The method of claim 1, wherein constructing a Gantt chart using the response time node, the trigger time node, and the identification sequence number comprises:
constructing a coordinate system, wherein the abscissa of the coordinate system is a time node, and the ordinate of the coordinate system is an identification serial number;
and adding the processing rule and the response component to the coordinate system by using the response time node, the trigger time node and the identification sequence number to obtain the Gantt chart.
7. A system for displaying SOAR using a Gantt chart, comprising: a first acquisition unit, a second acquisition unit, a third acquisition unit and a construction unit, wherein,
the first acquisition unit is used for acquiring processing rules of the alarm event processing system and response components in the alarm event processing system, and determining identification serial numbers of the processing rules and the response components;
the second acquisition unit is used for acquiring target alarm information and determining a trigger time node of the processing rule based on the target alarm information, wherein the target alarm information is used for representing a processing result of the alarm event processing system on a target alarm event, and the target alarm event is any alarm event in alarm events processed by the alarm event processing system;
the third acquisition unit is used for acquiring a response time node of the response component;
the construction unit is used for constructing a Gantt chart by utilizing the trigger time node, the response time node and the identification sequence number, wherein the Gantt chart is used for representing the security orchestration and automated response process of the alarm event processing system.
8. The system of claim 7, wherein the first acquisition unit is further configured to:
based on the processing rules and the response component, an SOAR script is constructed, wherein the SOAR script is used for representing a flow of the alarm event processing system for processing alarm events;
and determining the identification sequence number of the processing rule and the identification sequence number of the response component according to the SOAR script.
9. A computer readable medium having non-volatile program code executable by a processor, the program code causing the processor to perform the method of displaying SOAR using a Gantt chart of any of the preceding claims 1 to 6.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of displaying SOAR using a Gantt chart as claimed in any one of claims 1 to 6 when the computer program is executed by the processor.
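The procedure described in the "Preferably" paragraphs above and in claims 1 to 6 (serial numbers taken from the order in which rules and response components were added to the canvas, trigger times recovered by walking backwards from the final rule's alarm information, and a chart with the time node on the abscissa and the serial number on the ordinate), written out as an added Python example. This is not code from the patent or from the applicant: the record layouts (`Node`, `AlarmInfo`), the sample playbook, its rule and component names and all timestamps are constructed, and the bar-length rule (each bar runs from a node's own time node to the next node's time node) is an assumption, since the patent only fixes each node's position in the coordinate system.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Node:
    """A processing rule or a response component placed on the playbook canvas."""
    name: str
    kind: str  # "rule" or "component"


@dataclass(frozen=True)
class AlarmInfo:
    """Alarm information for one processing rule (constructed record layout, not the
    patent's). previous_rules are claim 5's "initial processing rules": the preset
    number of rules that fired before this one; empty for the first rule in the flow."""
    rule: str
    trigger_time: int
    previous_rules: Tuple[str, ...]


# Constructed sample playbook. List order is the order in which the nodes were added
# to the canvas (claim 3), which fixes their identification serial numbers (claim 4).
CANVAS: List[Node] = [
    Node("rule_ssh_bruteforce", "rule"),
    Node("comp_block_source_ip", "component"),
    Node("rule_confirm_blocked", "rule"),
    Node("comp_notify_analyst", "component"),
]

# Constructed alarm information keyed by rule name. Only the final rule's record is
# known up front; earlier rules are reached through previous_rules (claim 5).
ALARM_DB: Dict[str, AlarmInfo] = {
    "rule_confirm_blocked": AlarmInfo("rule_confirm_blocked", 130, ("rule_ssh_bruteforce",)),
    "rule_ssh_bruteforce": AlarmInfo("rule_ssh_bruteforce", 100, ()),
}

# Constructed response time nodes of the response components (claim 1, third step).
RESPONSE_TIMES: Dict[str, int] = {"comp_block_source_ip": 112, "comp_notify_analyst": 145}


def assign_serial_numbers(canvas_order: List[Node]) -> Dict[str, int]:
    """Claim 4: the serial number is the position at which a rule or component was
    added to the canvas, counted from 1."""
    return {node.name: index for index, node in enumerate(canvas_order, start=1)}


def recover_trigger_times(alarm_db: Dict[str, AlarmInfo], final_rule: str) -> Dict[str, int]:
    """Claim 5: starting from the final rule, repeat the acquiring step (fetch the alarm
    information of the preceding rules) and the first determining step (record their
    trigger times) until every rule reachable from the final rule has a trigger time."""
    trigger_times: Dict[str, int] = {}
    pending = [final_rule]
    while pending:
        rule = pending.pop()
        if rule in trigger_times:  # already determined; also terminates a cyclic chain
            continue
        if rule not in alarm_db:
            # A predecessor list names a rule with no alarm record: the chain is broken,
            # so refuse to draw a chart that would silently omit a processing step.
            raise ValueError(f"no alarm information for processing rule {rule!r}")
        info = alarm_db[rule]
        trigger_times[rule] = info.trigger_time
        # Second determining step: the preceding rules become the new "final" rules.
        pending.extend(info.previous_rules)
    return trigger_times


def build_gantt(canvas_order, serials, trigger_times, response_times):
    """Claim 6: abscissa is the time node, ordinate is the serial number; every node is
    one bar. Assumption not in the patent: a bar runs from the node's own time node to
    the time node of the next node in canvas order, so bar length is hand-off latency.
    Returns (serial, name, start, end) tuples sorted by serial number."""
    time_of = {}
    for node in canvas_order:
        source = trigger_times if node.kind == "rule" else response_times
        time_of[node.name] = source[node.name]
    bars = []
    for i, node in enumerate(canvas_order):
        start = time_of[node.name]
        end = time_of[canvas_order[i + 1].name] if i + 1 < len(canvas_order) else start
        # A successor stamped earlier than its predecessor (clock skew, replayed alarm)
        # is collapsed to a point rather than drawn as a negative-length bar.
        bars.append((serials[node.name], node.name, start, max(start, end)))
    return sorted(bars)


def render_ascii(bars, width: int = 40) -> str:
    """Plain-text rendering: one row per serial number, time running left to right."""
    t0 = min(b[2] for b in bars)
    span = max(max(b[3] for b in bars) - t0, 1)
    rows = []
    for serial, name, start, end in bars:
        col_s = (start - t0) * (width - 1) // span
        col_e = (end - t0) * (width - 1) // span
        cells = ["#" if col_s <= c <= col_e else " " for c in range(width)]
        rows.append(f"{serial:>2} {name:<22} |{''.join(cells)}| {start}-{end}")
    return "\n".join(rows)


if __name__ == "__main__":
    serials = assign_serial_numbers(CANVAS)
    triggers = recover_trigger_times(ALARM_DB, "rule_confirm_blocked")
    print(render_ascii(build_gantt(CANVAS, serials, triggers, RESPONSE_TIMES)))
```

Running the block prints one row per serial number; the gap between a rule's bar and the following component's bar is the time the orchestration spent between detection and response, which is the quantity an analyst reviewing a playbook run wants to see. The `ValueError` in `recover_trigger_times` is deliberate: an alarm chain that references a rule with no record means the audit trail is incomplete, and a chart drawn from it would hide a step rather than show it.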

Publications (2)

Publication Number Publication Date
CN110990233A CN110990233A (en) 2020-04-10
CN110990233B true CN110990233B (en) 2023-05-30


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant