Title: Generation of alerts in an event management system based upon risk
Abstract: Embodiments relate to the generation of alerts in an event management system based upon risk. When an event device associated with the event management system presents a logon page to a client device, the event device includes a beacon as part of the page to monitor and collect web device profile characteristics of the client device. In response to a logon attempt by the client device, an event management device receives a notification of the logon attempt together with a risk assessment derived from the web device profile characteristics of the client device. Based upon a correlation of the notification and the corresponding risk assessment, the event management device can generate an alert, such as a SIEM alert, and can include in the alert an indication of priority (relatively low or high) and/or a confidence factor indicating whether the alert can be suppressed.
Publication number: US9282114(B1); Publication date: 2016.03.08
Application number: US201113172999; Filing date: 2011.06.30
Applicant: EMC Corporation; Inventors: Dotan Yedidya; Friedman Lawrence N.; Nair Manoj; Zolfonoon Riaz
Classification: G06F21/55; H04L9/00; H04L29/06; Main classification: G06F21/55
Agency: BainwoodHuang; Agent: BainwoodHuang
Main claim: 1. A method for generating alerts by an event management device, comprising: receiving, by the event management device, a request for access from a client device; transmitting, by the event management device and in response to receiving the request, an authentication webpage to the client device, the authentication webpage including a beacon configured to execute on the client device when the webpage is displayed on the client device to retrieve a client device profile characteristic; receiving, by the event management device, logon event information from an event device in response to a logon event associated between the event device and the client device, the logon event information including authentication input from the authentication webpage; receiving, by the event management device, a risk assessment from a risk assessment device, the risk assessment based upon a web device profile characteristic associated with the logon event, the web device profile characteristic having been gathered by the beacon executing on the client device in the authentication webpage transmitted to the client device; correlating, by the event management device, the logon event information and the risk assessment; and in response to detecting the logon event as corresponding to an authentication attack, generating, by the event management device, an alert having an associated priority level based upon the risk assessment; wherein receiving the risk assessment from the risk assessment device comprises receiving, by the event management device, the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying click stream information associated with a web page accessed by the client device, and wherein the method further comprises: receiving, by the event management device, in response to the request for access to an enterprise network access device from a client device, a first client geographical location based upon the web device profile characteristic associated with the logon event gathered by the beacon executing on the client device; subsequently receiving, by the event management device, in response to a request for access to a website in the enterprise network, at least a second client geographical location based upon a second set of web device profile characteristics gathered by a second beacon executing on the device from which the request was received; and in response to detecting a difference between the first and second geographical locations, generating, by the risk assessment device, a risk assessment based upon the difference.
Address: Hopkinton MA US
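The flow in the abstract and claim 1 (beacon-gathered profile characteristics scored by a risk assessment device, then correlated with the logon event to produce a prioritised, suppressible alert), as an added Python illustration that is not the patent's own code; the data classes, the 60/20 scoring weights, the direct-access click stream heuristic and the attack threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class WebDeviceProfile:          # characteristics gathered by the page beacon (assumed fields)
    geo_location: str
    click_stream: List[str]      # pages visited before reaching the current page

@dataclass
class LogonEvent:                # reported by the event device to the event management device
    session_id: str
    username: str
    failed_attempts: int

@dataclass
class RiskAssessment:            # produced by the risk assessment device
    session_id: str
    score: int                   # 0..100
    reasons: List[str] = field(default_factory=list)

@dataclass
class Alert:                     # e.g. a SIEM alert
    session_id: str
    priority: str                # "low" or "high"
    confidence: float
    suppressible: bool

def assess_risk(session_id: str, first: WebDeviceProfile, second: WebDeviceProfile) -> RiskAssessment:
    """Risk assessment device: score two beacon readings (logon page, later enterprise page)."""
    score, reasons = 0, []
    if first.geo_location != second.geo_location:   # claim 1: location difference raises risk
        score += 60
        reasons.append("geolocation changed between logon and later request")
    if len(second.click_stream) <= 1:               # assumed heuristic: no navigation path, scripted client
        score += 20
        reasons.append("click stream shows direct page access")
    return RiskAssessment(session_id, min(score, 100), reasons)

def correlate(event: LogonEvent, assessment: RiskAssessment, attack_threshold: int = 3) -> Optional[Alert]:
    """Event management device: correlate the logon event with its risk assessment."""
    if event.session_id != assessment.session_id:
        return None                                  # nothing to correlate
    if event.failed_attempts < attack_threshold and assessment.score < 50:
        return None                                  # not treated as an authentication attack
    priority = "high" if assessment.score >= 50 else "low"
    confidence = min(1.0, (assessment.score + 10 * event.failed_attempts) / 100)
    return Alert(event.session_id, priority, round(confidence, 2), suppressible=confidence < 0.5)
```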