The present invention relates generally to network security, and more particularly to automatic transformation of security event detection rules.
SIEM (Security Information and Event Management) events are processed by event processors (EPs) distributed across a network. Each of the event processors (EPs) is directly connected to one or more event sources (ESs), which raise events to that event processor (EP). Each of the event processors (EPs) carries a set of rules. When events from locally connected event sources (ESs) are processed, the set of rules is applied. When a security violation is detected, the event processor (EP) raises a security alert.
In distributed SIEM (Security Information and Event Management), when an event processor (EP) applies the rules, it may need to be aware of events raised at remote event processors (EPs). In this case, the EPs have to communicate with each other to share event information. If all event information is shared among the EPs, it often leads to poor performance due to substantial network traffic and redundant event processing on the EPs. This is the most challenging part of distributed SIEM (Security Information and Event Management).
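A constructed Python model of the architecture described above, added here as an example and not code from the patent: three EPs each carry correlation rules, and the traffic cost of forwarding every event to every other EP is compared with forwarding only the event kinds that some remote EP's rules reference. The "rule-driven" policy, the rule names and the sample event stream are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ep: str    # EP to which the originating event source (ES) is connected
    kind: str  # event type, e.g. "auth_fail"


@dataclass(frozen=True)
class Rule:
    name: str
    needs: frozenset  # event kinds that must all have been observed to fire

    def matches(self, events):
        return self.needs <= {e.kind for e in events}


def run(eps, events, policy):
    """Return (alerts_per_ep, messages_sent).

    eps maps an EP name to the list of rules it carries.
    policy "all": every local event is copied to every other EP.
    policy "rule-driven": an event is copied to an EP only if that EP's rules
    reference its kind (assumed filtering strategy, not the patent's method).
    """
    wanted = {ep: frozenset().union(*(r.needs for r in rules))
              for ep, rules in eps.items()}
    inbox = defaultdict(list)
    messages = 0
    for ev in events:
        inbox[ev.ep].append(ev)  # local events are always processed locally
        for other in eps:
            if other == ev.ep:
                continue
            if policy == "all" or ev.kind in wanted[other]:
                inbox[other].append(ev)  # one network message per copy
                messages += 1
    alerts = {ep: sorted(r.name for r in rules if r.matches(inbox[ep]))
              for ep, rules in eps.items()}
    return alerts, messages


# Constructed sample topology and event stream (not from the page).
EPS = {
    "ep-a": [Rule("brute_force_then_login", frozenset({"auth_fail", "auth_ok"}))],
    "ep-b": [Rule("scan_then_exploit", frozenset({"port_scan", "new_proc"}))],
    "ep-c": [],
}
EVENTS = [
    Event("ep-a", "auth_fail"), Event("ep-b", "auth_ok"),
    Event("ep-b", "port_scan"), Event("ep-c", "new_proc"),
    Event("ep-c", "dns_query"), Event("ep-a", "dns_query"),
]
```

Both policies raise the same two alerts, but full sharing sends 12 copies across the network while the rule-driven policy sends 2.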