US2023169170A1PendingUtilityA1

Techniques for fixing configuration and for fixing code using contextually enriched alerts

57
Assignee: DAZZ INCPriority: Oct 21, 2021Filed: Feb 1, 2023Published: Jun 1, 2023
Est. expiryOct 21, 2041(~15.3 yrs left)· nominal 20-yr term from priority
G06F 21/552G06F 21/577G06F 21/563G06F 2221/033
57
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Systems and methods for automating alert remediation. A method includes extracting entity-identifying values from cybersecurity event data included in alerts generated for a software infrastructure. Queries are generated based on the entity-identifying values. An entity graph is queried. The entity graph has nodes representing respective entities. The entities include software components of the software infrastructure and event logic components of cybersecurity event logic deployed with respect to the software infrastructure. Paths are identified in the entity graph based on the query results. Each identified path is between one of the software components and one of the event logic components. One or more root cause entities are identified based on the identified paths. A fix action plan is generated for the alerts based on the root cause entities.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method for automating alert remediation, comprising:
 extracting a plurality of entity-identifying values from cybersecurity event data included in a plurality of alerts generated for a software infrastructure;   generating at least one query based on the plurality of entity-identifying values;   querying an entity graph using the at least one query, wherein the entity graph has a plurality of nodes representing respective entities of the plurality of entities, wherein the plurality of entities includes a plurality of software components of the software infrastructure and a plurality of event logic components of cybersecurity event logic deployed with respect to the software infrastructure;   identifying at least one path in the entity graph based on the results of the at least one query, wherein each identified path is between one of the plurality of software components and one of the plurality of event logic components;   identifying at least one root cause entity based on the identified at least one path; and   generating a fix action plan for the plurality of alerts based on the identified at least one root cause entity.   
     
     
         2 . The method of  claim 1 , wherein the at least one query is generated based further on a plurality of semantic concepts, further comprising:
 creating a semantic concepts dictionary, wherein the semantic concepts dictionary defines a plurality of semantic concepts describing potential characteristics for the plurality of software components, wherein the plurality of semantic concepts is extracted from the cybersecurity event data using the semantic concepts dictionary.   
     
     
         3 . The method of  claim 1 , wherein generating the fix action plan further comprises:
 applying a plurality of fix determination rules based on the identified at least one root cause entity, wherein the plurality of fix determination rules define a plurality of predetermined fixes for a plurality of types of root causes.   
     
     
         4 . The method of  claim 3 , wherein the plurality of predetermined fixes are defined further with respect to locations within the software infrastructure, wherein applying the plurality of fix determination rules further comprises:
 identifying a location of each of the at least one root cause entity within the software infrastructure based on the entity graph.   
     
     
         5 . The method of  claim 1 , wherein the fix action plan includes a plurality of computer-readable instructions, further comprising:
 executing the plurality of computer-readable instructions in order to implement at least a portion of the fix action plan, wherein the plurality of computer-readable instructions, when executed by a processing circuitry, configure the processing circuitry to perform at least one mitigation action defined in the fix action plan.   
     
     
         6 . The method of  claim 1 , wherein the fix action plan defines at least one mitigation action, further comprising:
 integrating with a plurality of native development lifecycle tools deployed with respect to the software infrastructure, wherein the at least one mitigation action utilizes at least one tool of the plurality of native development lifecycle tools.   
     
     
         7 . The method of  claim 6 , wherein each of the at least one root cause entity has a respective location within the software infrastructure represented in the entity graph, wherein the at least one tool used for the at least one mitigation action is deployed with respect to the location of each of the at least one root cause entity. 
     
     
         8 . The method of  claim 1 , wherein the entity graph further includes a plurality of owner nodes representing a plurality of respective owners of the plurality of software components, further comprising:
 generating at least one notification based on the fix action plan; and   sending each of the generated at least one notification to a respective owner of the plurality of owners.   
     
     
         9 . The method of  claim 1 , further comprising:
 analyzing the plurality of alerts in order to identify a plurality of matches between alerts of the plurality of alerts, wherein the plurality of matches is identified with respect to issues indicated in the plurality of alerts;   identifying a plurality of correlations between respective software components of the plurality of software components linked to the plurality of alerts based on the entity graph; and   deduplicating the plurality of alerts based on the plurality of matches and the plurality of correlations.   
     
     
         10 . The method of  claim 1 , further comprising:
 prioritizing the plurality of alerts by applying at least one alert prioritization rule, wherein the at least one alert prioritization rule defines how to prioritize alerts with respect to a mapping of the entity graph.   
     
     
         11 . The method of  claim 1 , further comprising:
 identifying a first plurality of properties in a plurality of original definitions of a plurality of computing infrastructure resources, wherein each original definition is a definition of a respective software component of the plurality of software components;   mapping the first plurality of properties to a second plurality of properties of a plurality of universal definition templates in order to determine a matching universal definition template for each original definition, wherein each of the plurality of universal definitions corresponds to a respective type of computing infrastructure resource and is defined in a unified format; and   transforming the plurality of original definitions into a plurality of universal definitions using the plurality of universal definition templates.   
     
     
         12 . A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising:
 extracting a plurality of entity-identifying values from cybersecurity event data included in a plurality of alerts generated for a software infrastructure;   generating at least one query based on the plurality of entity-identifying values;   querying an entity graph using the at least one query, wherein the entity graph has a plurality of nodes representing respective entities of the plurality of entities, wherein the plurality of entities includes a plurality of software components of the software infrastructure and a plurality of event logic components of cybersecurity event logic deployed with respect to the software infrastructure;   identifying at least one path in the entity graph based on the results of the at least one query, wherein each identified path is between one of the plurality of software components and one of the plurality of event logic components;   identifying at least one root cause entity based on the identified at least one path; and   generating a fix action plan for the plurality of alerts based on the identified at least one root cause entity.   
     
     
         13 . A system for automating alert remediation, comprising:
 a processing circuitry; and   a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to:   
       extracting a plurality of entity-identifying values from cybersecurity event data included in a plurality of alerts generated for a software infrastructure;
 generate at least one query based on the plurality of entity-identifying values; 
 query an entity graph using the at least one query, wherein the entity graph has a plurality of nodes representing respective entities of the plurality of entities, wherein the plurality of entities includes a plurality of software components of the software infrastructure and a plurality of event logic components of cybersecurity event logic deployed with respect to the software infrastructure; 
 identify at least one path in the entity graph based on the results of the at least one query, wherein each identified path is between one of the plurality of software components and one of the plurality of event logic components; 
 identify at least one root cause entity based on the identified at least one path; and 
 generate a fix action plan for the plurality of alerts based on the identified at least one root cause entity. 
 
     
     
         14 . The system of  claim 13 , wherein the at least one query is generated based further on a plurality of semantic concepts, wherein the system is further configured to:
 create a semantic concepts dictionary, wherein the semantic concepts dictionary defines a plurality of semantic concepts describing potential characteristics for the plurality of software components, wherein the plurality of semantic concepts is extracted from the cybersecurity event data using the semantic concepts dictionary.   
     
     
         15 . The system of  claim 13 , wherein the system is further configured to:
 apply a plurality of fix determination rules based on the identified at least one root cause entity, wherein the plurality of fix determination rules define a plurality of predetermined fixes for a plurality of types of root causes.   
     
     
         16 . The system of  claim 15 , wherein the plurality of predetermined fixes are defined further with respect to locations within the software infrastructure, wherein the system is further configured to:
 Identify a location of each of the at least one root cause entity within the software infrastructure based on the entity graph.   
     
     
         17 . The system of  claim 13 , wherein the fix action plan includes a plurality of computer-readable instructions, wherein the system is further configured to:
 execute the plurality of computer-readable instructions in order to implement at least a portion of the fix action plan, wherein the plurality of computer-readable instructions, when executed by a processing circuitry, configure the processing circuitry to perform at least one mitigation action defined in the fix action plan.   
     
     
         18 . The system of  claim 13 , wherein the fix action plan defines at least one mitigation action, wherein the system is further configured to:
 integrate with a plurality of native development lifecycle tools deployed with respect to the software infrastructure, wherein the at least one mitigation action utilizes at least one tool of the plurality of native development lifecycle tools.   
     
     
         19 . The system of  claim 18 , wherein each of the at least one root cause entity has a respective location within the software infrastructure represented in the entity graph, wherein the at least one tool used for the at least one mitigation action is deployed with respect to the location of each of the at least one root cause entity. 
     
     
         20 . The system of  claim 13 , wherein the entity graph further includes a plurality of owner nodes representing a plurality of respective owners of the plurality of software components, wherein the system is further configured to:
 generate at least one notification based on the fix action plan; and   send each of the generated at least one notification to a respective owner of the plurality of owners.   
     
     
         21 . The system of  claim 13 , wherein the system is further configured to:
 analyze the plurality of alerts in order to identify a plurality of matches between alerts of the plurality of alerts, wherein the plurality of matches is identified with respect to issues indicated in the plurality of alerts;   identify a plurality of correlations between respective software components of the plurality of software components linked to the plurality of alerts based on the entity graph; and   deduplicate the plurality of alerts based on the plurality of matches and the plurality of correlations.   
     
     
         22 . The system of  claim 13 , wherein the system is further configured to:
 prioritize the plurality of alerts by applying at least one alert prioritization rule, wherein the at least one alert prioritization rule defines how to prioritize alerts with respect to a mapping of the entity graph.   
     
     
         23 . The system of  claim 13 , wherein the system is further configured to:
 identify a first plurality of properties in a plurality of original definitions of a plurality of computing infrastructure resources, wherein each original definition is a definition of a respective software component of the plurality of software components;   map the first plurality of properties to a second plurality of properties of a plurality of universal definition templates in order to determine a matching universal definition template for each original definition, wherein each of the plurality of universal definitions corresponds to a respective type of computing infrastructure resource and is defined in a unified format; and   transform the plurality of original definitions into a plurality of universal definitions using the plurality of universal definition templates.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.