DocumentCode :
242759
Title :
Runtime Updatable and Dynamic Event Processing Using Embedded ECMAScript Engines
Author :
Azodi, Amir ; Jaeger, David ; Feng Cheng ; Meinel, Christoph
Author_Institution :
Hasso Plattner Inst. (HPI), Univ. of Potsdam, Potsdam, Germany
fYear :
2014
fDate :
28-30 Oct. 2014
Firstpage :
1
Lastpage :
4
Abstract :
Understanding events produced by IT systems is a vital part of effectively managing and maintaining medium- and large-sized computer networks. As a result, Security Information and Management (SIEM) systems have become an indispensable part of modern networks. One of the main challenges facing SIEM systems is the ability to parse and extract relevant information from the processed events in near real-time. The more diverse the processed events are, the more complicated it becomes to extract the necessary information. Deep event correlation tasks perform very differently over structured data than they do over unstructured data. As an example, a text search for an IP address can take a very long time, but can return instantly if the IP address is extracted and stored in an appropriate field of its own. Dealing with dozens of different formats using the same event parsing module quickly becomes infeasible. As a result, the parsing of events has largely been outsourced to regular expressions. Although very effective at extracting information from events, they lack sophisticated logic operations. This paper presents a novel method of event processing using an embedded ECMAScript engine to effectively outsource the logic operations needed for deeper event processing.
Keywords :
IP networks; computer network management; computer network security; embedded systems; grammars; information retrieval; text analysis; IP address; IT systems; SIEM systems; computer network maintenance; computer network management; deep event correlation tasks; dynamic event processing; embedded ECMAScript engines; logic operations; regular expressions; relevant information extraction; relevant information parsing; runtime updatable event processing; security information-and-management systems; text search; Data mining; Electronic publishing; Encyclopedias; Engines; Internet; Standards;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
IT Convergence and Security (ICITCS), 2014 International Conference on
Conference_Location :
Beijing
Type :
conf
DOI :
10.1109/ICITCS.2014.7021808
Filename :
7021808