CPC H04L 9/0643 (2013.01); 20 Claims

1. A method for deduplication of security case alerts based on an identification of a plurality of Key: Value pairs for behavioral observation data and asset identifiers, the method comprising:

receiving, by a processor, a dataset comprising behavioral observation data from one or more data sources;

executing, by the processor, a query comprising security detection saved searches, wherein the query searches the dataset of behavioral observation data for data entries that match the security detection saved searches;

generating, by the processor, search results from the dataset, wherein the search results comprise dataset entries matching the security detection saved searches, wherein each matching entry of the search results is generated as a row with a plurality of fields, and wherein the plurality of fields include at least an asset identifier;

determining, by the processor, one or more dynamic fields for each of the security detection saved searches based on the search results for each of the security detection saved searches respectively;

excluding, by the processor, the one or more dynamic fields from the query;

concatenating, by the processor, a search string that includes all non-excluded fields to create a concatenated search string;

generating, by the processor, a hash value for the concatenated search string;

generating, by the processor, a first Key: Value pair with the hash value that summarizes an asset behavior and the asset identifier;

determining, by the processor, a throttling interval for the first Key: Value pair, wherein the throttling interval indicates an amount of time between security case alerts for the first Key: Value pair;

emitting, by the processor, a first security case alert for the first Key: Value pair and initiating a counter for the first Key: Value pair, wherein the first security case alert is the first security case alert emitted in the throttling interval;

detecting, by the processor, a second query result matching the first Key: Value pair;

determining, by the processor, that the counter is less than the throttling interval;

suppressing, by the processor, a subsequent security case alert for the second query result matching the first Key: Value pair during the throttling interval; and

updating, by the processor, a throttling log associated with each of the plurality of Key: Value pairs, wherein the throttling log includes a total number of matching Key: Value pairs in the throttling interval.
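The claim above describes a pipeline: identify the dynamic fields of each saved search's results, drop them, hash the remaining fields, pair the hash with the asset identifier, and then throttle alerts per pair while keeping a per-pair match count. The following is an added worked example of that pipeline, written for this page; it is not code from the patent or its assignee. The search results, field names (`asset_id`, `user`, `src_ip`, `event_time`, `fail_count`) and the saved-search name are constructed. Two choices the claim leaves open are assumptions here: a field counts as dynamic when its value differs between rows that share the same asset identifier, and the asset identifier is left out of the hash because it is carried separately in the Key: Value pair.

```python
import hashlib
from collections import defaultdict

# Constructed sample search results (not real data): saved search name -> matching rows.
# Each row is one matching entry with a plurality of fields, including an asset identifier.
SEARCH_RESULTS = {
    "brute_force_login": [
        {"asset_id": "host-01", "user": "alice", "src_ip": "10.0.0.5", "event_time": 1000, "fail_count": 7},
        {"asset_id": "host-01", "user": "alice", "src_ip": "10.0.0.5", "event_time": 1030, "fail_count": 9},
        {"asset_id": "host-02", "user": "bob",   "src_ip": "10.0.0.9", "event_time": 1045, "fail_count": 6},
    ],
}


def dynamic_fields(rows, key_field="asset_id"):
    """Assumption: a field is dynamic if its value changes between rows that share the
    same asset identifier (timestamps, running counts). Such fields would make every row
    hash differently and defeat deduplication, so they are excluded from the key."""
    by_asset = defaultdict(list)
    for row in rows:
        by_asset[row[key_field]].append(row)
    dynamic = set()
    for asset_rows in by_asset.values():
        for field in asset_rows[0]:
            if len({r.get(field) for r in asset_rows}) > 1:
                dynamic.add(field)
    return dynamic


def behavior_hash(row, excluded, key_field="asset_id"):
    """Concatenate the non-excluded fields in a stable order and hash the string.
    The asset identifier is kept out of the hash (assumption) because the pair is (hash, asset)."""
    parts = [f"{f}={row[f]}" for f in sorted(row) if f not in excluded and f != key_field]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


class AlertThrottler:
    """Emit the first alert for a (hash, asset) pair in an interval and suppress the rest,
    while the throttling log counts every match seen in the current interval."""

    def __init__(self, interval_seconds):
        self.interval = interval_seconds
        self.interval_start = {}                 # key -> time the counter for this key began
        self.throttling_log = defaultdict(int)   # key -> matches in the current interval

    def process(self, key, now):
        started = self.interval_start.get(key)
        if started is None or now - started >= self.interval:
            self.interval_start[key] = now       # (re)start the counter for a new interval
            self.throttling_log[key] = 1
            return True                          # first alert in the interval: emit
        self.throttling_log[key] += 1            # counter still inside the interval
        return False                             # subsequent match: suppress


def process_results(search_results, throttler, clock=lambda row: row["event_time"]):
    """Run the whole pipeline over every saved search.
    Returns a list of (search_name, key, emitted) decisions in row order."""
    decisions = []
    for search_name, rows in search_results.items():
        excluded = dynamic_fields(rows)
        for row in rows:
            key = (behavior_hash(row, excluded), row["asset_id"])
            decisions.append((search_name, key, throttler.process(key, clock(row))))
    return decisions


if __name__ == "__main__":
    throttler = AlertThrottler(interval_seconds=3600)
    for search, key, emitted in process_results(SEARCH_RESULTS, throttler):
        print(search, key[1], key[0][:12], "ALERT" if emitted else "suppressed")
    print(dict(throttler.throttling_log))
```

With the constructed rows, `event_time` and `fail_count` vary for `host-01` and are excluded, so both `host-01` rows hash identically: the first produces an alert, the second is suppressed and the log for that pair reads 2, while `host-02` gets its own alert. Once `now - interval_start` reaches the interval, the next match for the same pair is emitted again and the counter restarts.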