Computer network and security devices and software are able to generate records of certain system operations. Such records are commonly referred to as system “events”. System events are recorded by many types of systems operating on a computer network, including switches, routers, firewalls, intrusion detection systems, servers, desktop computers, and the like. System events are typically generated when a system abnormality is encountered, but events can also be used to record normal system operations.
Contemporary applications, including security event managers (SEMs) and network event managers (NEMs), provide for event management and consolidation. An example of such a system is disclosed in U.S. patent application Ser. No. 10/455,940, filed Jun. 6, 2003, the content of which is incorporated herein by reference. In many such applications, events are stored in an event repository file. The management tool may prioritize certain events, for example by categorizing an event as a security event that requires a high level of attention. Correlation operations can be performed on the stored events in an effort to extract forensic information from them. For example, a certain pattern of events occurring within a specified time period may indicate an attempted system security breach. Event management applications define correlation parameters as rules, typically expressed as scripts, for example structured query language (SQL) scripts and regular expressions, that the system processes against the event repository.
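The following is an added illustration of the two rule forms named above, a regular expression and an SQL script, applied to an event repository; it is not code from the referenced application and is not part of the original text. The event lines, host names, addresses and the brute-force threshold are constructed for the example. The regular expression normalizes raw authentication events into repository rows, and the SQL rule correlates them: three or more failed logins from one source address followed, within a time window, by a successful login from the same source are reported as a suspected breach attempt.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample events (not taken from any real system): syslog-style
# authentication records from two hosts, plus one non-security event.
SAMPLE_EVENTS = """\
2003-06-06T10:00:01 host-a sshd[2201]: Failed password for root from 203.0.113.7 port 5001 ssh2
2003-06-06T10:00:09 host-a sshd[2203]: Failed password for root from 203.0.113.7 port 5002 ssh2
2003-06-06T10:00:18 host-a sshd[2205]: Failed password for admin from 203.0.113.7 port 5003 ssh2
2003-06-06T10:00:25 host-a sshd[2207]: Accepted password for admin from 203.0.113.7 port 5004 ssh2
2003-06-06T10:01:40 host-b sshd[3101]: Failed password for alice from 198.51.100.20 port 6001 ssh2
2003-06-06T10:02:00 host-b sshd[3102]: Accepted password for alice from 198.51.100.20 port 6002 ssh2
2003-06-06T10:05:00 host-b kernel: eth0: link up
"""

# Regular-expression rule: recognizes authentication events and extracts the
# fields the correlation rule needs. Lines that do not match are not
# authentication events and are left out of this repository table.
AUTH_EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

SCHEMA = """
CREATE TABLE events (
    ts       INTEGER NOT NULL,   -- event time as epoch seconds (UTC)
    host     TEXT    NOT NULL,
    src_ip   TEXT    NOT NULL,
    username TEXT    NOT NULL,
    outcome  TEXT    NOT NULL    -- 'fail' or 'success'
);
"""

# SQL correlation rule: for each successful login, count the failed logins
# from the same source address in the :window seconds before it; report the
# source when that count reaches :threshold.
BRUTE_FORCE_RULE = """
SELECT f.src_ip,
       COUNT(*)   AS failures,
       s.ts       AS success_ts,
       s.username AS username
FROM events f
JOIN events s
  ON s.src_ip = f.src_ip
 AND s.outcome = 'success'
 AND s.ts > f.ts
 AND s.ts - f.ts <= :window
WHERE f.outcome = 'fail'
GROUP BY f.src_ip, s.ts, s.username
HAVING COUNT(*) >= :threshold
ORDER BY s.ts;
"""


def parse_events(raw: str) -> list:
    """Apply the regex rule to raw lines and return normalized repository rows."""
    rows = []
    for line in raw.splitlines():
        m = AUTH_EVENT_RE.match(line)
        if not m:
            continue
        when = datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc)
        outcome = "fail" if m["outcome"] == "Failed" else "success"
        rows.append((int(when.timestamp()), m["host"], m["src"], m["user"], outcome))
    return rows


def load_repository(raw: str) -> sqlite3.Connection:
    """Build an in-memory event repository from raw event lines."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", parse_events(raw))
    conn.commit()
    return conn


def run_rule(conn: sqlite3.Connection, threshold: int, window: int) -> list:
    """Execute the SQL correlation rule and return matches as dictionaries."""
    cur = conn.execute(BRUTE_FORCE_RULE, {"threshold": threshold, "window": window})
    names = [col[0] for col in cur.description]
    return [dict(zip(names, row)) for row in cur.fetchall()]


def correlate(raw: str = SAMPLE_EVENTS, threshold: int = 3, window: int = 120) -> list:
    """Load the repository, run the rule, and return the correlated findings."""
    conn = load_repository(raw)
    try:
        return run_rule(conn, threshold, window)
    finally:
        conn.close()


if __name__ == "__main__":
    for hit in correlate():
        print(f"suspected brute force: {hit['src_ip']} "
              f"({hit['failures']} failures before login as {hit['username']})")
```

With the constructed input, the rule reports 203.0.113.7 (three failures followed by a successful login as admin within the window) and ignores 198.51.100.20, whose single failure does not reach the threshold. The threshold and window are the kind of correlation parameters that, as the text notes, a trained professional must choose and tune by hand; raising the threshold to four makes the same input produce no finding.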
Event rule creation is typically a manual process performed by a trained professional. When a new rule, or group of rules, is to be added to the event management application, human interaction is necessary. This is a costly and time-consuming process that does not always produce accurate results. In addition, because manual interaction is required, there is significant delay in event identification, classification and reaction. Rule-builder applications improve the process of formulating rules and generating scripts. However, such applications remain limited because the rules they produce still require a high degree of human review to be effective.