Identity resolution in data intake of a distributed data processing system
First Claim
1. A computer-implemented method comprising:
- identifying a plurality of entities involved in a plurality of events on a computer network, the plurality of entities including a particular user represented by a user identifier and a machine represented by a machine identifier;
- determining that the machine identifier is to be associated with the particular user, based on a statistical analysis of events, of the plurality of events, that satisfy a criterion; and
- in response to a determination that the machine identifier is to be associated with the particular user, annotating raw, unstructured machine data of a particular event to include an indication that the particular event is associated with the particular user.
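The three steps of claim 1 as an added sketch, not code from the patent or from any product. The criterion (only successful logins count), the statistic (one user's share of a machine's qualifying events, with minimum count and share thresholds), the `resolved_user` field and the key=value log format are all assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events (not from the patent); the log format is an assumption.
RAW_EVENTS = [
    "2024-05-01T09:00:01Z action=login status=success user=alice src=10.0.0.5",
    "2024-05-01T13:02:11Z action=login status=success user=alice src=10.0.0.5",
    "2024-05-02T08:58:40Z action=login status=success user=alice src=10.0.0.5",
    "2024-05-02T09:01:07Z action=login status=failure user=bob src=10.0.0.5",
    "2024-05-02T09:20:00Z action=http_get url=/payroll src=10.0.0.5",
    "2024-05-01T10:00:00Z action=login status=success user=alice src=10.0.0.9",
    "2024-05-01T11:00:00Z action=login status=success user=alice src=10.0.0.9",
    "2024-05-01T12:00:00Z action=login status=success user=bob src=10.0.0.9",
    "2024-05-01T14:00:00Z action=login status=success user=bob src=10.0.0.9",
    "2024-05-01T14:05:00Z action=dns_query name=example.test src=10.0.0.9",
]
FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    return dict(FIELD.findall(line))

def satisfies_criterion(ev):
    # Assumed criterion: a successful login naming both a user and a machine.
    return (ev.get("action") == "login" and ev.get("status") == "success"
            and "user" in ev and "src" in ev)

def resolve(lines, min_events=3, min_share=0.8):
    """Map machine id -> user id when one user dominates the qualifying events."""
    counts = defaultdict(Counter)
    for ev in map(parse, lines):
        if satisfies_criterion(ev):
            counts[ev["src"]][ev["user"]] += 1
    mapping = {}
    for machine, users in counts.items():
        user, n = users.most_common(1)[0]
        total = sum(users.values())
        # A shared machine fails the share test and stays unresolved.
        if total >= min_events and n / total >= min_share:
            mapping[machine] = user
    return mapping

def annotate(lines, mapping):
    """Append the resolved user to raw events that carry no user field."""
    out = []
    for line in lines:
        ev = parse(line)
        user = mapping.get(ev.get("src"))
        if user and "user" not in ev:
            line = f"{line} resolved_user={user}"
        out.append(line)
    return out
```

The shared host 10.0.0.9 is deliberately left unresolved: attributing its events to either user would put a wrong identity into every downstream behavioral baseline.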
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
30 Claims
27. A computer system comprising:
- a communication device; and
- a processor configured to:
  - identify a plurality of entities involved in a plurality of events on a computer network, the plurality of entities including a particular user represented by a user identifier and a machine represented by a machine identifier;
  - determine that the machine identifier is to be associated with the particular user, based on a statistical analysis of events, of the plurality of events, that satisfy a criterion; and
  - in response to a determination that the machine identifier is to be associated with the particular user, annotate raw, unstructured machine data of a particular event to include an indication that the particular event is associated with the particular user.
29. A non-transitory machine-readable storage medium for use in a processing system, the non-transitory machine-readable storage medium storing instructions, an execution of which in the processing system causes the processing system to perform operations comprising:
- identifying a plurality of entities involved in a plurality of events on a computer network, the plurality of entities including a particular user represented by a user identifier and a machine represented by a machine identifier;
- determining that the machine identifier is to be associated with the particular user, based on a statistical analysis of events, of the plurality of events, that satisfy a criterion; and
- in response to a determination that the machine identifier is to be associated with the particular user, annotating raw, unstructured machine data of a particular event to include an indication that the particular event is associated with the particular user.
Specification