Location enrichment in enterprise threat detection
First Claim
1. A computer-implemented method, comprising:
- receiving subnet information and location information from a database into a smart data streaming engine (SDS) subnet-location cache, wherein a particular subnet of the subnet information is associated with a particular location of the location information by a globally unique location ID value, and wherein the information is stored in the subnet-location cache in the form of a dictionary table and a vector for fast data enrichment;
receiving log event data in the SDS;
normalizing the log event data in the SDS as normalized log event data;
enriching the normalized log event data with the subnet information and the location information as enriched log event data;
writing the enriched log event data into a log event persistence in the database; and
using a subnet ID value retrieved from an enriched log event of the enriched log event data by an enterprise threat detection (ETD) system to determine a location associated with the enriched log event using the location ID value associated with the subnet ID value.
1 Assignment
0 Petitions
Accused Products
Abstract
Subnet information and location information is received from a database by a smart data streaming engine (SDS). A particular subnet of the subnet information is associated with a particular location of the location information by a globally unique location ID value. Log event data received in the SDS is normalized as normalized log event data. The normalized log event data is enriched with subnet and location information as enriched log event data and written into a log event persistence in the database. A subnet ID value retrieved from an enriched log event of the enriched log event data is used by an enterprise threat detection (ETD) system to determine a location associated with the enriched log event using a location ID value associated with the subnet ID.
-
Citations
20 Claims
-
1. A computer-implemented method, comprising:
-
receiving subnet information and location information from a database into a smart data streaming engine (SDS) subnet-location cache, wherein a particular subnet of the subnet information is associated with a particular location of the location information by a globally unique location ID value, and wherein the information is stored in the subnet-location cache in the form of a dictionary table and a vector for fast data enrichment; receiving log event data in the SDS; normalizing the log event data in the SDS as normalized log event data; enriching the normalized log event data with the subnet information and the location information as enriched log event data; writing the enriched log event data into a log event persistence in the database; and using a subnet ID value retrieved from an enriched log event of the enriched log event data by an enterprise threat detection (ETD) system to determine a location associated with the enriched log event using the location ID value associated with the subnet ID value. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations comprising:
-
receiving subnet information and location information from a database into a smart data streaming engine (SDS) subnet-location cache, wherein a particular subnet of the subnet information is associated with a particular location of the location information by a globally unique location ID value, and wherein the information is stored in the subnet-location cache in the form of a dictionary table and a vector for fast data enrichment; receiving log event data in the SDS; normalizing the log event data in the SDS as normalized log event data; enriching the normalized log event data with the subnet information and the location information as enriched log event data; writing the enriched log event data into a log event persistence in the database; and using a subnet ID value retrieved from an enriched log event of the enriched log event data by an enterprise threat detection (ETD) system to determine a location associated with the enriched log event using the location ID value associated with the subnet ID value. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A computer-implemented system, comprising:
-
a computer memory; and a hardware processor interoperably coupled with the computer memory and configured to perform operations comprising; receiving subnet information and location information from a database into a smart data streaming engine (SDS) subnet-location cache, wherein a particular subnet of the subnet information is associated with a particular location of the location information by a globally unique location ID value, and wherein the information is stored in the subnet-location cache in the form of a dictionary table and a vector for fast data enrichment; receiving log event data in the SDS; normalizing the log event data in the SDS as normalized log event data; enriching the normalized log event data with the subnet information and the location information as enriched log event data; writing the enriched log event data into a log event persistence in the database; and using a subnet ID value retrieved from an enriched log event of the enriched log event data by an enterprise threat detection (ETD) system to determine a location associated with the enriched log event using the location ID value associated with the subnet ID value. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification