Event specific relationship graph generation and application in a machine data processing platform
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat and to take action promptly.
29 Claims
1. A method comprising:
- receiving, by a computer system, raw machine data produced by an information technology environment, the raw machine data indicative of activity of one or more components of the information technology environment;
- wherein the received raw machine data include a plurality of data units, wherein the raw machine data in each data unit of the plurality of data units includes data indicative of an activity, entities that participated in the activity, and a timestamp for the activity;
- for each data unit of the plurality of data units, by the computer system, identifying a relationship between the entities indicated in the data unit, the relationship indicative of the activity indicated in the data unit, and annotating, by using a data structure corresponding to a graph, the raw machine data in the data unit to incorporate data indicative of the relationship into the raw machine data in the data unit; and
- providing, to an anomaly detection module, each of the plurality of data units including annotated raw machine data, for detection of a security-oriented anomaly in the information technology environment, wherein the anomaly detection module is in a real-time path or a batch path, and wherein information regarding identified security-oriented anomalies is shared between the real-time path and the batch path.

Dependent claims: 2 through 27.
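The method of claim 1, worked through on constructed log lines as an added example (this is not code from the patent or its assignee; the line format, the user/host entity pair, the "new relationship" rule of the real-time path and the fan-out threshold of the batch path are all assumptions). Each raw line becomes a data unit, the user->host relationship is derived and written both into a graph (adjacency sets) and back into the data unit, and the two detection paths exchange findings through one shared store.

```python
import re
from collections import defaultdict
# Constructed sample raw machine data (not from the patent); each line is one data unit.
BASELINE = [  # earlier activity used to learn which relationships are normal
    "2024-03-01T08:00:00Z user=alice host=ws-12 action=login",
    "2024-03-01T08:05:10Z user=alice host=srv-db action=login",
    "2024-03-01T08:06:00Z user=bob host=ws-07 action=login",
]
STREAM = [  # later activity fed to the real-time path one data unit at a time
    "2024-03-01T09:07:30Z user=bob host=ws-12 action=login",
    "2024-03-01T09:08:00Z user=bob host=srv-db action=login",
    "2024-03-01T09:08:45Z user=bob host=srv-app action=login",
]
LINE_RE = re.compile(r"^(\S+) user=(\S+) host=(\S+) action=(\S+)$")
FAN_OUT_THRESHOLD = 3  # assumed batch rule: distinct hosts reached by one user

def parse_unit(line):
    """Split one raw line into timestamp, activity and participating entities."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    ts, user, host, action = m.groups()
    return {"timestamp": ts, "activity": action, "entities": (user, host), "raw": line}
def annotate(unit, graph):
    """Derive the user->host relationship, add it to the graph and embed it in the unit."""
    src, dst = unit["entities"]
    unit["relationship"] = {"src": src, "dst": dst, "label": unit["activity"],
                            "new_edge": dst not in graph[src]}
    graph[src].add(dst)  # adjacency set: the graph data structure of the claim
    return unit
def realtime_path(unit, shared):
    """Per-event detector: a relationship the graph has never seen is an anomaly."""
    rel = unit["relationship"]
    if rel["new_edge"]:
        shared.append(("new_relationship", rel["src"], rel["dst"], unit["timestamp"]))
def batch_path(graph, shared):
    """Windowed detector: a user fanning out to many hosts; real-time findings are evidence."""
    for user, hosts in graph.items():
        if len(hosts) >= FAN_OUT_THRESHOLD:
            evidence = [a for a in shared if a[0] == "new_relationship" and a[1] == user]
            shared.append(("fan_out", user, len(hosts), len(evidence)))
def run_pipeline(baseline, stream):
    graph, shared = defaultdict(set), []  # shared: anomalies visible to both paths
    for line in baseline:  # learn the known relationships without alerting
        annotate(parse_unit(line), graph)
    for line in stream:  # real-time path, one annotated data unit at a time
        realtime_path(annotate(parse_unit(line), graph), shared)
    batch_path(graph, shared)  # batch path over the accumulated graph
    return shared
```

On the constructed data the real-time path raises three new-relationship anomalies for bob, and the batch path then flags bob's fan-out to four hosts, citing those three real-time findings as evidence.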
28. A computer system for detection of an anomaly in a distributed computer environment, the system comprising:
- a communication device; and
- a processor configured to:
- receive, by the computer system, raw machine data produced by an information technology environment, the raw machine data indicative of activity of one or more components of the information technology environment;
- wherein the received raw machine data include a plurality of data units, wherein the raw machine data in each data unit of the plurality of data units includes data indicative of an activity, entities that participated in the activity, and a timestamp for the activity;
- for each data unit of the plurality of data units, by the computer system, identify a relationship between the entities indicated in the data unit, the relationship indicative of the activity indicated in the data unit, and annotate, by using a data structure corresponding to a graph, the raw machine data in the data unit to incorporate data indicative of the relationship into the raw machine data in the data unit; and
- provide, to an anomaly detection module, each of the plurality of data units including annotated raw machine data, for detection of a security-oriented anomaly in the information technology environment, wherein the anomaly detection module is in a real-time path or a batch path, and wherein information regarding identified security-oriented anomalies is shared between the real-time path and the batch path.
29. A non-transitory machine-readable storage medium for use in a processing system for detection of an anomaly in a distributed computer environment, the non-transitory machine-readable storage medium storing instructions, an execution of which in the processing system causes the processing system to perform operations comprising:
- receiving raw machine data produced by an information technology environment, the raw machine data indicative of activity of one or more components of the information technology environment;
- wherein the received raw machine data include a plurality of data units, wherein the raw machine data in each data unit of the plurality of data units includes data indicative of an activity, entities that participated in the activity, and a timestamp for the activity;
- for each data unit of the plurality of data units, identifying a relationship between the entities indicated in the data unit, the relationship indicative of the activity indicated in the data unit, and annotating, by using a data structure corresponding to a graph, the raw machine data in the data unit to incorporate data indicative of the relationship into the raw machine data in the data unit; and
- providing, to an anomaly detection module, each of the plurality of data units including annotated raw machine data, for detection of a security-oriented anomaly in the information technology environment, wherein the anomaly detection module is in a real-time path or a batch path, and wherein information regarding identified security-oriented anomalies is shared between the real-time path and the batch path.