Field
Embodiments of the present invention generally relate to the field of network security techniques. In particular, various embodiments relate to work flow processing for a security information and event management (SIEM) system.
Description of the Related Art
A large computer network may comprise hundreds of client computers, servers and other network devices located at different sites. Multiple security devices, including, but not limited to, firewalls, antivirus devices, Intrusion Prevention System (IPS) devices and Unified Threat Management (UTM) devices, may be deployed to regulate network access and protect the network from attacks. These security devices may conduct various tasks, such as scanning the network for vulnerabilities, regulating network access and blocking attacks. A SIEM device may be deployed to collect the results of the tasks performed by the security devices. The SIEM device may send an alarm message to an administrator when a high-risk event is identified. The SIEM device may also generate a report showing the status of the network, such as the number, targets and sources of attacks captured within a given period. However, the tasks conducted by the security devices of the network are independent of one another, and the results of one task cannot be passed as input to another task. Furthermore, tasks conducted by different security devices may require different parameters, and even the same task may require different parameters when it is conducted by security devices from different manufacturers. Thus, there is a need for improved SIEM devices that can schedule multiple tasks across various security devices so as to achieve comprehensive network management automatically.