Retention and accessibility of data characterizing events on an endpoint computer
First Claim
1. A system for retaining data regarding potential software-based attacks on a computer, the system comprising:
computer hardware configured to perform operations comprising:
harvesting, by an endpoint computer system, data relating to a plurality of events occurring within an operating environment of the endpoint computer system, the harvesting comprising receiving and/or inferring the data using one or more sensors executing on the endpoint computer system;
adding the data to a local data store maintained on the endpoint computer system; and
generating a query response in response to a query, the generating comprising identifying and retrieving responsive data from the local data store, the responsive data being related to an artifact on the endpoint computer system and/or to an event of the plurality of events;
wherein:
the data is initially harvested according to a first set of data collection criteria;
a software-based threat detection module executing on the endpoint computer system determines that a heightened level of alert is necessary; and
in response to the heightened level of alert, the data is harvested according to a second set of data collection criteria that are broader than the first set of data collection criteria which captures more data than what was harvested according to the first set of data collection criteria;
wherein the generating the query response comprises mitigating an amount of the data returned as part of the responsive data, the mitigating comprising interpreting the query at the endpoint computer system and focusing on specific data of the responsive data that are most likely to be relevant to a subject of the query.
1 Assignment
0 Petitions
Abstract
An endpoint computer system can harvest data relating to a plurality of events occurring within an operating environment of the endpoint computer system and can add the harvested data to a local data store maintained on the endpoint computer system. A query response can be generated, for example by identifying and retrieving responsive data from the local data store. The responsive data are related to an artifact on the endpoint computer system and/or to an event of the plurality of events. In some examples, the local data store can be an audit log and/or can include one or more tamper resistant features. Systems, methods, and computer program products are described.
15 Citations
27 Claims
1. (Independent claim; text as set out under First Claim above.) Claims 2 through 25 are dependent claims of claim 1.
26. A non-transitory computer readable medium storing instructions that, when executed by one or more programmable processors, cause the one or more programmable processors to perform operations for retaining data regarding potential software-based attacks on a computer comprising:
harvesting, by an endpoint computer system, data relating to a plurality of events occurring within an operating environment of the endpoint computer system, the harvesting comprising receiving and/or inferring the data using one or more sensors executing on the endpoint computer system;
adding the data to a local data store maintained on the endpoint computer system; and
generating a query response in response to a query, the generating comprising identifying and retrieving responsive data from the local data store, the responsive data being related to an artifact on the endpoint computer system and/or to an event of the plurality of events;
wherein:
the data is initially harvested according to a first set of data collection criteria;
it is determined on the endpoint computer system that a heightened level of alert is necessary; and
in response to the heightened level of alert, the data is harvested according to a second set of data collection criteria that are broader than the first set of data collection criteria which captures more data than what was harvested according to the first set of data collection criteria;
wherein the generating the query response comprises mitigating an amount of the data returned as part of the responsive data, the mitigating comprising interpreting the query at the endpoint computer system and focusing on specific data of the responsive data that are most likely to be relevant to a subject of the query.

27. A computer-implemented method for retaining data regarding potential software-based attacks on a computer, the method comprising:
harvesting, by an endpoint computer system, data relating to a plurality of events occurring within an operating environment of the endpoint computer system, the harvesting comprising receiving and/or inferring the data using one or more sensors executing on the endpoint computer system;
adding the data to a local data store maintained on the endpoint computer system; and
generating a query response in response to a query, the generating comprising identifying and retrieving responsive data from the local data store, the responsive data being related to an artifact on the endpoint computer system and/or to an event of the plurality of events;
wherein:
the data is initially harvested according to a first set of data collection criteria;
it is determined on the endpoint computer system that a heightened level of alert is necessary; and
in response to the heightened level of alert, the data is harvested according to a second set of data collection criteria that are broader than the first set of data collection criteria which captures more data than what was harvested according to the first set of data collection criteria;
wherein the generating the query response comprises mitigating an amount of the data returned as part of the responsive data, the mitigating comprising interpreting the query at the endpoint computer system and focusing on specific data of the responsive data that are most likely to be relevant to a subject of the query.
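The mechanism the independent claims and the abstract describe (a sensor that harvests under a first set of criteria, switches to broader criteria when a local detection module raises the alert level, appends to a tamper-resistant local store, and narrows query responses on the endpoint), as an added Python example. This is not code from the patent or its assignee. The event types, the field lists in each tier, the focus fields per query subject, the detection rule (a PowerShell encoded-command heuristic standing in for the threat detection module) and the sample event stream are all constructed for illustration; the hash chain is one way to realise the abstract's "tamper resistant features", not necessarily the one the specification uses.

```python
"""Added example (not the patent's own code): two-tier harvesting, a hash-chained
local store, and endpoint-side query narrowing. All names and data are constructed."""
import hashlib
import json

# First (baseline) and second (heightened) sets of data collection criteria:
# which event types are kept and which fields of each. Illustrative choices.
BASELINE_CRITERIA = {"process_start": ("ts", "pid", "ppid", "image"),
                     "net_connect": ("ts", "pid", "dst")}
HEIGHTENED_CRITERIA = {"process_start": ("ts", "pid", "ppid", "image", "cmdline", "user"),
                       "net_connect": ("ts", "pid", "dst", "bytes"),
                       "file_write": ("ts", "pid", "path", "sha256"),
                       "registry_set": ("ts", "pid", "key", "value")}
# Fields most likely relevant to each query subject; used to narrow responses.
FOCUS_FIELDS = {"process": ("ts", "type", "pid", "ppid", "image", "cmdline"),
                "file": ("ts", "type", "pid", "path", "sha256"),
                "network": ("ts", "type", "pid", "dst", "bytes")}


def detector_flags(event):
    """Stand-in for the threat detection module: an illustrative heuristic
    (PowerShell launched with an encoded command), not a production signature."""
    return (event.get("type") == "process_start"
            and "powershell" in event.get("image", "").lower()
            and "-enc" in event.get("cmdline", "").lower())


class LocalStore:
    """Append-only log; each record commits to the previous record's hash, so an
    in-place edit or a deletion inside the chain is detected by verify()."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records, self.head = [], self.GENESIS

    @staticmethod
    def _digest(prev, body):
        return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

    def append(self, body):
        h = self._digest(self.head, body)
        self.records.append({"prev": self.head, "body": body, "hash": h})
        self.head = h
        return h

    def verify(self):
        prev = self.GENESIS
        for rec in self.records:
            if rec["prev"] != prev or self._digest(prev, rec["body"]) != rec["hash"]:
                return False
            prev = rec["hash"]
        return prev == self.head


class Sensor:
    def __init__(self, store):
        self.store, self.criteria, self.heightened = store, BASELINE_CRITERIA, False

    def harvest(self, events):
        for ev in events:
            # Detection sees the raw event before the criteria drop fields, so
            # escalation can be triggered by data that tier 1 would not have stored.
            if not self.heightened and detector_flags(ev):
                self.heightened, self.criteria = True, HEIGHTENED_CRITERIA
            fields = self.criteria.get(ev["type"])
            if fields is None:
                continue  # event type not collected under the current criteria
            body = {"type": ev["type"]}
            body.update({k: ev[k] for k in fields if k in ev})
            self.store.append(body)

    def query(self, subject, artifact, limit=5):
        """Interpret the query locally: collect records naming the artifact plus
        records from the same processes, project to the subject's focus fields,
        and cap the count. Returns (narrowed_records, total_matches)."""
        bodies = [r["body"] for r in self.store.records]
        mentions = lambda b: any(artifact in str(v) for v in b.values())
        pids = {b["pid"] for b in bodies if "pid" in b and mentions(b)}
        hits = [b for b in bodies if mentions(b) or b.get("pid") in pids]
        keep = FOCUS_FIELDS[subject]
        return [{k: h[k] for k in keep if k in h} for h in hits][-limit:], len(hits)


# Constructed sample event stream (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_start", "ts": 1, "pid": 100, "ppid": 1, "user": "alice",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "file_write", "ts": 2, "pid": 100, "path": r"C:\Users\alice\notes.txt",
     "sha256": "constructed-hash-1"},                      # dropped under tier 1
    {"type": "process_start", "ts": 3, "pid": 200, "ppid": 100, "user": "alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc SQBFAFgA"},           # triggers escalation
    {"type": "net_connect", "ts": 4, "pid": 200, "dst": "203.0.113.5:443", "bytes": 8192},
    {"type": "file_write", "ts": 5, "pid": 200, "sha256": "constructed-hash-2",
     "path": r"C:\Users\alice\AppData\Local\Temp\x.dll"},
    {"type": "registry_set", "ts": 6, "pid": 200, "value": "x.dll",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x"},
]


def run_demo():
    sensor = Sensor(LocalStore())
    sensor.harvest(SAMPLE_EVENTS)
    return sensor


if __name__ == "__main__":
    s = run_demo()
    print("heightened:", s.heightened, "records:", len(s.store.records), "chain ok:", s.store.verify())
    for narrowed, total in (s.query("process", "powershell.exe"), s.query("file", "x.dll", limit=2)):
        print(total, "matches ->", narrowed)
```

Two design points worth noting. The detector runs on the raw event before the tier-1 filter discards fields, otherwise the escalation trigger (here the command line) would never be seen under baseline collection. And the store is append-only with a chained digest rather than a writable table, so a query over it can be trusted only after verify() passes; in a real deployment the chain head would be anchored off-host (or in hardware) so an attacker who owns the endpoint cannot simply rebuild the chain.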
Specification