Pattern creation in enterprise threat detection

US 10,530,794 B2
Filed: 06/30/2017
Issued: 01/07/2020
Est. Priority Date: 06/30/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving search results from an initiated free text search of log data from one or more logs, the free text performed using search terms entered into a free text search graphical user interface;

selecting a set of at least one search result from the search results containing an event desired to be identified in a completed enterprise threat detection (ETD) pattern;

rendering a forensic lab application to complete an ETD pattern;

adding an event filter for an event type based on normalized log data to a path;

setting a relative ETD pattern time range; and

completing an ETD pattern based on the added event filter.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Search results are received from an initiated free text search of log data from one or more logs, where the free text is performed using search terms entered into a free text search graphical user interface. A set of at least one search result is selected from the search results containing an event desired to be identified in a completed enterprise threat detection (ETD) pattern. A forensic lab application is rendered to complete an ETD pattern. An event filter is added for an event type based on normalized log data to a path. A relative ETD pattern time range is set and an ETD pattern is completed based on the added event filter.

183 Citations

21 Claims

1. A computer-implemented method, comprising:
- receiving search results from an initiated free text search of log data from one or more logs, the free text performed using search terms entered into a free text search graphical user interface;
  
  selecting a set of at least one search result from the search results containing an event desired to be identified in a completed enterprise threat detection (ETD) pattern;
  
  rendering a forensic lab application to complete an ETD pattern;
  
  adding an event filter for an event type based on normalized log data to a path;
  
  setting a relative ETD pattern time range; and
  
  completing an ETD pattern based on the added event filter.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, further comprising:
    - analyzing the search results of the free text search to determine that the search result corresponds to a user expectation;
      
      refining the search terms; and
      
      reinitiating the free text search using the refined search terms.
  - 3. The computer-implemented method of claim 1, wherein the event filter based on normalized log data is added to the path by selecting a bubble corresponding to the event type in a bubblegram view rendered in the forensic lab application.
  - 4. The computer-implemented method of claim 1, further comprising analyzing a search result based on the added event filter to determine whether there has been a change in the search result value.
  - 5. The computer-implemented method of claim 4, further comprising removing previously-added filters from the path upon determining that there has been a change in the search result value.
  - 6. The computer-implemented method of claim 4, further comprising:
    - removing one raw-data-based filter from the path upon determining that there has not been a change in the search result value; and
      
      analyzing the search result based on the added event filter to determine whether there has been a change in the search result value.
  - 7. The computer-implemented method of claim 6, further comprising:
    - determining if another raw-data-based filter exists upon determining that there has not been a change in the search result value;
      
      orundoing the removal of the one raw-data-based filter from the path upon determining that there has been a change in the search result value.

8. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations comprising:
- receiving search results from an initiated free text search of log data from one or more logs, the free text performed using search terms entered into a free text search graphical user interface;
  
  selecting a set of at least one search result from the search results containing an event desired to be identified in a completed enterprise threat detection (ETD) pattern;
  
  rendering a forensic lab application to complete an ETD pattern;
  
  adding an event filter for an event type based on normalized log data to a path;
  
  setting a relative ETD pattern time range; and
  
  completing an ETD pattern based on the added event filter.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory, computer-readable medium of claim 8, further comprising one or more instructions to:
    - analyze the search results of the free text search to determine that the search result corresponds to a user expectation;
      
      refine the search terms; and
      
      reinitiate the free text search using the refined search terms.
  - 10. The non-transitory, computer-readable medium of claim 8, wherein the event filter based on normalized log data is added to the path by selecting a bubble corresponding to the event type in a bubblegram view rendered in the forensic lab application.
  - 11. The non-transitory, computer-readable medium of claim 8, further comprising one or more instructions to analyze a search result based on the added event filter to determine whether there has been a change in the search result value.
  - 12. The non-transitory, computer-readable medium of claim 11, further comprising one or more instructions to remove previously-added filters from the path upon determining that there has been a change in the search result value.
  - 13. The non-transitory, computer-readable medium of claim 11, further comprising one or more instructions to:
    - remove one raw-data-based filter from the path upon determining that there has not been a change in the search result value; and
      
      analyze the search result based on the added event filter to determine whether there has been a change in the search result value.
  - 14. The non-transitory, computer-readable medium of claim 13, further comprising one or more instructions to:
    - determine if another raw-data-based filter exists upon determining that there has not been a change in the search result value;
      
      orundo the removal of the one raw-data-based filter from the path upon determining that there has been a change in the search result value.

15. A computer-implemented system, comprising:
- a computer memory; and
  
  a hardware processor interoperably coupled with the computer memory and configured to perform operations comprising;
  
  receiving search results from an initiated free text search of log data from one or more logs, the free text performed using search terms entered into a free text search graphical user interface;
  
  selecting a set of at least one search result from the search results containing an event desired to be identified in a completed enterprise threat detection (ETD) pattern;
  
  rendering a forensic lab application to complete an ETD pattern;
  
  adding an event filter for an event type based on normalized log data to a path;
  
  setting a relative ETD pattern time range; and
  
  completing an ETD pattern based on the added event filter.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer-implemented system of claim 15, further configured to:
    - analyze the search results of the free text search to determine that the search result corresponds to a user expectation;
      
      refine the search terms; and
      
      reinitiate the free text search using the refined search terms.
  - 17. The computer-implemented system of claim 15, wherein the event filter based on normalized log data is added to the path by selecting a bubble corresponding to the event type in a bubblegram view rendered in the forensic lab application.
  - 18. The computer-implemented system of claim 15, further configured to analyze a search result based on the added event filter to determine whether there has been a change in the search result value.
  - 19. The computer-implemented system of claim 18, further configured to remove previously-added filters from the path upon determining that there has been a change in the search result value.
  - 20. The computer-implemented system of claim 18, further configured to:
    - remove one raw-data-based filter from the path upon determining that there has not been a change in the search result value; and
      
      analyze the search result based on the added event filter to determine whether there has been a change in the search result value.
  - 21. The computer-implemented system of claim 20, further configured to:
    - determine if another raw-data-based filter exists upon determining that there has not been a change in the search result value;
      
      orundo the removal of the one raw-data-based filter from the path upon determining that there has been a change in the search result value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Pritzkau, Eugen, Bohn, Joscha Philipp, Kartmann, Daniel, Peng, Wei-Guo, Dinkova, Hristina, Luo, Lin, Kunz, Thomas, Rodeck, Marco, Seifert, Hartwig, Mehta, Harish, Zhang, Nan, Merkel, Rita, Chrosziel, Florian
Primary Examiner(s)
McNally, Michael S

Application Number

US15/639,907
Publication Number

US 20190007435A1
Time in Patent Office

921 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 16/3344   using natural language anal...

G06F 21/55   Detecting local intrusion o...

G06F 3/0482   Interaction with lists of s...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Pattern creation in enterprise threat detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

183 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Pattern creation in enterprise threat detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

183 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others