Event specific entity relationship discovery in data intake stage of a distributed data processing system
First Claim
1. A method comprising:
- accessing machine data representing an event, the event resulting from an activity that occurred on a computer network;
identifying, in the event, a first entity that participated in the activity and a relationship between the first entity and a second entity, the relationship being indicative of the activity; and
annotating, by using a graph data structure, raw machine data of the event to include the identified relationship between the first and second entities in the event, wherein annotation in the event enables an event processing engine to detect an anomaly in the computer network.
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is "big data" driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
30 Claims
1. A method comprising:
- accessing machine data representing an event, the event resulting from an activity that occurred on a computer network;
- identifying, in the event, a first entity that participated in the activity and a relationship between the first entity and a second entity, the relationship being indicative of the activity; and
- annotating, by using a graph data structure, raw machine data of the event to include the identified relationship between the first and second entities in the event, wherein annotation in the event enables an event processing engine to detect an anomaly in the computer network.
Dependent claims: 2 through 28.
29. A computer system for detection of an anomaly in a distributed computer environment, the system comprising:
- a communication device; and
- a processor configured to: access machine data representing an event, the event resulting from an activity that occurred on a computer network; identify, in the event, a first entity that participated in the activity and a relationship between the first entity and a second entity, the relationship being indicative of the activity; and annotate, by using a graph data structure, raw machine data of the event to include the identified relationship between the first and second entities in the event, wherein annotation in the event enables an event processing engine to detect an anomaly in the computer network.
30. A non-transitory machine-readable storage medium for use in a processing system for detection of an anomaly in a distributed computer environment, the non-transitory machine-readable storage medium storing instructions, execution of which in the processing system causes the processing system to perform operations comprising:
- accessing machine data representing an event, the event resulting from an activity that occurred on a computer network;
- identifying, in the event, a first entity that participated in the activity and a relationship between the first entity and a second entity, the relationship being indicative of the activity; and
- annotating, by using a graph data structure, raw machine data of the event to include the identified relationship between the first and second entities in the event, wherein annotation in the event enables an event processing engine to detect an anomaly in the computer network.
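The three claimed steps (access machine data, identify entities and their relationship, annotate the raw event with a graph) worked through on constructed SSH authentication log lines, as an added illustration that is not code from the patent or its assignee; the log format, the `logged_in_from` relationship label and the new-source detector are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample machine data (assumed sshd log format, not from the patent).
RAW_EVENTS = [
    "Jan 10 09:01:02 host-a sshd[101]: Accepted password for alice from 10.0.0.5 port 50022 ssh2",
    "Jan 10 09:05:10 host-a sshd[102]: Accepted password for alice from 10.0.0.5 port 50023 ssh2",
    "Jan 10 21:30:44 host-b sshd[203]: Accepted password for alice from 198.51.100.7 port 41000 ssh2",
]

LOGIN_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+")


def annotate_event(raw):
    """Intake stage: identify the entities that took part in the activity and the
    relationship between them, and attach that as a small graph to the raw event."""
    m = LOGIN_RE.search(raw)
    if not m:                      # unrecognised activity: keep raw data, no graph
        return {"raw": raw, "graph": None}
    host = raw.split()[3]          # syslog host field (assumed position)
    user, src = m.group("user"), m.group("src")
    return {
        "raw": raw,
        "graph": {
            "nodes": [("user", user), ("ip", src), ("host", host)],
            # (source type, source id, relationship, target type, target id)
            "edges": [("user", user, "logged_in_from", "ip", src),
                      ("user", user, "logged_in_to", "host", host)],
        },
    }


class LoginGraphDetector:
    """Event processing engine: consumes annotated events and flags a user whose
    login edge points at a source address not previously seen for that user."""

    def __init__(self):
        self.seen = defaultdict(set)   # user -> set of source IPs already observed

    def process(self, annotated):
        g = annotated["graph"]
        if g is None:
            return None
        anomalies = []
        for _, user, rel, _, src in g["edges"]:
            if rel == "logged_in_from" and src not in self.seen[user]:
                if self.seen[user]:    # known user, brand-new source: anomalous
                    anomalies.append((user, src))
                self.seen[user].add(src)
        return anomalies


def run(raw_events):
    det = LoginGraphDetector()
    return [det.process(annotate_event(r)) for r in raw_events]
```

Running `run(RAW_EVENTS)` flags only the third event, where alice's login edge arrives from a source the engine has never associated with her.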