CPC H04L 63/1416 (2013.01) [G06F 21/53 (2013.01); G06F 21/554 (2013.01); H04L 63/145 (2013.01); H04L 63/1458 (2013.01); H04L 63/1475 (2013.01); G06F 16/248 (2019.01); G06F 16/26 (2019.01); G06F 2221/2151 (2013.01); H04L 2463/121 (2013.01); H04L 2463/141 (2013.01)]

15 Claims

1. A computer-implemented method comprising:
receiving input defining a custom response action to be executed by a network security application in response to a detection of a potential security incident in an information technology (IT) environment, wherein the input specifies a command to be sent to a device or service related to the network security application in response to the detection of the potential security incident in the IT environment, and wherein the input defining the custom response action further comprises a script file that includes code for performing the custom response action;
generating a package containing executable logic for the custom response action;
sending the package to an application programming interface (API) or other component;
receiving a determination that the package conforms to one or more standards for executing actions within the network security application;
based on receiving the determination that the package conforms to one or more standards for executing actions within the network security application, applying the package to an instance of the network security application;
receiving input defining an adaptive response, wherein the input identifies:
a correlation search used to identify notable events from event data stored by a data intake and query system, wherein the data intake and query system includes event data from a plurality of input data sources in the IT environment, and
the custom response action to be executed by the network security application in response to the detection of the potential security incident in the IT environment;
executing, by the data intake and query system, the correlation search against the event data stored by the data intake and query system;
identifying a notable event based on executing the correlation search against the event data stored by the data intake and query system; and
executing the custom response action based on identifying the notable event, wherein executing the custom response action comprises running the script file.
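The claim above describes a workflow: a custom response action (a command plus a script file) is packaged, checked against the application's standards, applied, bound to a correlation search as an adaptive response, and then executed whenever that search yields a notable event. The following is an added, constructed illustration of that workflow in Python; it is not the patentee's implementation and names nothing from any real product. The validation rules (`REQUIRED_FIELDS`, `ALLOWED_COMMANDS`), the `brute_force_search` correlation search, the `SecurityApp` class, the sample events and the in-process callable that stands in for the script file are all assumptions made for the example.

```python
"""Toy adaptive-response pipeline (constructed example, not a product's code).

Steps mirrored: package a custom action -> validate it against standards ->
apply it -> define an adaptive response (correlation search + action) ->
run the search over event data -> execute the action on each notable event.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Assumed "standards" a package must satisfy before it may be applied.
REQUIRED_FIELDS = {"name", "command", "target", "script"}
ALLOWED_COMMANDS = {"block_ip", "quarantine_host", "notify"}


@dataclass
class CustomAction:
    """A packaged custom response action: a command aimed at a device or
    service, plus the logic that performs it (a callable stands in for the
    script file of the claim)."""
    name: str
    command: str
    target: str
    script: Callable[[dict], str]


def validate_package(pkg: dict) -> List[str]:
    """Return the standards violations found; an empty list means the package conforms."""
    problems = [f"missing field: {f}" for f in sorted(REQUIRED_FIELDS - set(pkg))]
    if pkg.get("command") not in ALLOWED_COMMANDS:
        problems.append(f"command not permitted: {pkg.get('command')!r}")
    if not callable(pkg.get("script")):
        problems.append("script must be callable")
    return problems


def brute_force_search(events: List[dict], threshold: int = 3) -> List[dict]:
    """Correlation search: one notable event per source IP that produced
    at least `threshold` failed logins in the event data."""
    failures = Counter(e["src_ip"] for e in events if e.get("action") == "login_failure")
    return [{"rule": "brute_force", "src_ip": ip, "count": n}
            for ip, n in sorted(failures.items()) if n >= threshold]


class SecurityApp:
    """Minimal stand-in for the network security application instance."""

    def __init__(self) -> None:
        self.actions: Dict[str, CustomAction] = {}
        self.adaptive_responses: List[Tuple[Callable[[List[dict]], List[dict]], str]] = []
        self.audit: List[str] = []  # record of every action execution

    def apply_package(self, pkg: dict) -> None:
        """Apply a package only after it passes validation (the 'determination' step)."""
        problems = validate_package(pkg)
        if problems:
            raise ValueError("; ".join(problems))
        self.actions[pkg["name"]] = CustomAction(
            pkg["name"], pkg["command"], pkg["target"], pkg["script"])

    def define_adaptive_response(self, search: Callable[[List[dict]], List[dict]],
                                 action_name: str) -> None:
        """Bind a correlation search to an already-applied custom action."""
        if action_name not in self.actions:
            raise KeyError(f"no applied action named {action_name!r}")
        self.adaptive_responses.append((search, action_name))

    def run(self, events: List[dict]) -> List[str]:
        """Execute every adaptive response against the event data."""
        results = []
        for search, action_name in self.adaptive_responses:
            action = self.actions[action_name]
            for notable in search(events):
                outcome = action.script(notable)  # 'running the script file'
                entry = f"{action.command}@{action.target}: {outcome}"
                self.audit.append(entry)
                results.append(entry)
        return results


def block_ip_script(notable: dict) -> str:
    """Stand-in for the script file; a real one would call the firewall's API."""
    return f"blocked {notable['src_ip']} after {notable['count']} failures"


# Constructed event data (documentation-range addresses, not real telemetry).
EVENTS = [
    {"src_ip": "203.0.113.5", "action": "login_failure"},
    {"src_ip": "203.0.113.5", "action": "login_failure"},
    {"src_ip": "198.51.100.7", "action": "login_failure"},
    {"src_ip": "203.0.113.5", "action": "login_failure"},
    {"src_ip": "198.51.100.7", "action": "login_success"},
    {"src_ip": "203.0.113.5", "action": "login_failure"},
    {"src_ip": "198.51.100.7", "action": "login_failure"},
]


def demo() -> List[str]:
    app = SecurityApp()
    app.apply_package({"name": "block_attacker", "command": "block_ip",
                       "target": "edge-firewall", "script": block_ip_script})
    app.define_adaptive_response(brute_force_search, "block_attacker")
    return app.run(EVENTS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Only 203.0.113.5 reaches the threshold of three failures, so a single notable event is raised and the action runs once; the audit list gives the reviewable trail that such a pipeline should keep. Validation happens before the action is ever registered, so a package with an unknown command or a non-executable script never becomes reachable from a search.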