Query engine for remote endpoint information retrieval

US 10,599,662 B2
Filed: 06/26/2015
Issued: 03/24/2020
Est. Priority Date: 06/26/2015
Status: Active Grant

First Claim

Patent Images

1. At least one machine readable storage medium comprising instructions that, when executed by at least one processor, cause the at least one processor to:

receive a master query by a query engine in an endpoint in a network environment from a query service via a network of the environment;

execute a set of one or more subqueries defined in the master query, wherein an execution of a first subquery of the set of one or more subqueries is to include;

causing a first function to execute on the endpoint to collect data associated with the endpoint and produce a first output based on the collected data;

applying one or more conditions to the first output to determine a first result; and

determining a result of the master query based, at least in part, on the first result; and

responsive to the result of the master query indicating the endpoint is compromised, cause a script to be executed by the endpoint to perform a remedial action on the endpoint, wherein the remedial action performed includes one or more of;

removing a file, deleting a file, terminating a process, rebooting, and shutting down.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are disclosed herein for remote retrieval of information from endpoints and comprise receiving a master query at an endpoint in a network environment and executing a set of one or more subqueries defined in the master query. Embodiments also comprise an execution of a first subquery that includes executing a function to produce a first output, applying one or more conditions to the first output to determine a second output, and determining a result of the master query based, at least in part, on the second output. In specific embodiments, the master query is received from another node over a network connection. In more specific embodiments, the function is executed on the endpoint to collect real-time information based on one or more parameters. In further embodiments, the function is one of a plug-in or a script.

72 Citations

View as Search Results

24 Claims

1. At least one machine readable storage medium comprising instructions that, when executed by at least one processor, cause the at least one processor to:
- receive a master query by a query engine in an endpoint in a network environment from a query service via a network of the environment;
  
  execute a set of one or more subqueries defined in the master query, wherein an execution of a first subquery of the set of one or more subqueries is to include;
  
  causing a first function to execute on the endpoint to collect data associated with the endpoint and produce a first output based on the collected data;
  
  applying one or more conditions to the first output to determine a first result; and
  
  determining a result of the master query based, at least in part, on the first result; and
  
  responsive to the result of the master query indicating the endpoint is compromised, cause a script to be executed by the endpoint to perform a remedial action on the endpoint, wherein the remedial action performed includes one or more of;
  
  removing a file, deleting a file, terminating a process, rebooting, and shutting down.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The at least one machine readable storage medium according to claim 1, wherein the master query is received from another node over a network connection.
  - 3. The at least one machine readable storage medium according to claim 1, wherein the data includes real-time information that is collected based on one or more parameters.
  - 4. The at least one machine readable storage medium according to claim 1, wherein the first function is one of a plug-in or a script.
  - 5. The at least one machine readable storage medium according to claim 1, wherein the applying the one or more conditions to the first output includes filtering the first output to determine the first result.
  - 6. The at least one machine readable storage medium according to claim 1, wherein the instructions, when executed by the at least one processor, cause the at least one processor to:
    - determine a type of action indicated in the master query; and
      
      generate the set of one or more subqueries to be executed based, at least in part, on the type of action.
  - 7. The at least one machine readable storage medium according to claim 6, wherein the type of action is one of a search, a trigger, or a response.
  - 8. The at least one machine readable storage medium according to claim 1, wherein an execution of a second subquery of the set of one or more subqueries is to include:
    - causing a second function to execute on the endpoint to produce a second output; and
      
      applying one or more other conditions to the second output to determine a second result, wherein the result of the master query is determined, at least in part, by evaluating the first and second results according to a logical operator.
  - 9. The at least one machine readable storage medium according to claim 8, wherein the first function and the second function are to perform different operations on the endpoint.
  - 10. The at least one machine readable storage medium according to claim 1, wherein the applying the one or more conditions to the first output is to include:
    - applying a first condition to the first output to determine a first condition result;
      
      applying a second condition to the first output to determine a second condition result; and
      
      determining a condition chain result based, at least in part, on the first condition result, the second condition result and a condition operator.
  - 11. The at least one machine readable storage medium according to claim 1, wherein the first result includes at least one string of information in the data returned from the first function.
  - 12. The at least one machine readable storage medium according to claim 11, wherein the first result is filtered to exclude at least some information from the string of information.
  - 13. The at least one machine readable storage medium according to claim 1, wherein the result of the master query is communicated to a query service in another node.
  - 14. The at least one machine readable storage medium according to claim 1, wherein the master query comprises:
    - a plurality of query chains including a first query chain, the first query chain including the set of one or more subqueries; and
      
      a query chain operator, wherein the master query result is determined using the query chain operator to evaluate query chain results of the plurality query chains.

15. An apparatus, the apparatus being an endpoint in a network environment and comprising:
- at least one processor;
  
  a query engine operable to run on the at least one processor to;
  
  receive a master query from a query service via a network of the network environment;
  
  execute a set of one or more subqueries defined in the master query, wherein an execution of a first subquery of the set of one or more subqueries is to include;
  
  causing a first function to execute to collect data associated with the apparatus and produce a first output based on the collected data;
  
  applying one or more conditions to the first output to determine a first result; and
  
  determining a result of the master query based, at least in part, on the first result; and
  
  responsive to the result of the master query indicating the endpoint is compromised, cause a script to be executed by the endpoint to perform a remedial action on the endpoint, wherein the remedial action performed includes one or more of;
  
  removing a file, deleting a file, terminating a process, rebooting, and shutting down.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The apparatus of claim 15, wherein the data includes real-time information that is collected based on one or more parameters.
  - 17. The apparatus of claim 15, wherein the applying the one or more conditions to the first output includes filtering the first output to determine the first result.
  - 18. The apparatus of claim 15, wherein the query engine operable to run on the at least one processor to:
    - execute a second function on the endpoint if the master query result indicates the endpoint is compromised.
  - 19. The apparatus of claim 15, wherein an execution of a second subquery of the set of one or more subqueries is to include:
    - causing a second function to execute to produce a second output;
      
      applying one or more other conditions to the second output to determine a second result, wherein the result of the master query is determined, at least in part, by evaluating the first and second results according to a query operator.
  - 20. The apparatus of claim 19, wherein the first function and the second function are to perform different operations on the endpoint.
  - 21. The apparatus of claim 15, wherein the applying the one or more conditions to the first output is to include:
    - applying a first condition to the first output to determine a first condition result;
      
      applying a second condition to the first output to determine a second condition result; and
      
      determining the condition chain result based on the first condition result, the second condition result and a logical operator.

22. A method, the method comprising:
- receiving a master query by a query engine of an endpoint in a network environment from a query service via a network of the environment;
  
  executing a set of one or more subqueries defined in the master query, wherein an execution of a first subquery of the set of one or more subqueries is to include;
  
  causing a first function to execute on the endpoint to collect data associated with the endpoint and produce a first output based on the collected data;
  
  applying one or more conditions to the first output to determine a first result; and
  
  determining a result of the master query based, at least in part, on the first result; and
  
  responsive to the result of the master query indicating the endpoint is compromised, causing a script to be executed by the endpoint to perform a remedial action on the endpoint, wherein the remedial action performed includes one or more of;
  
  removing a file, deleting a file, terminating a process, rebooting, and shutting down.
- View Dependent Claims (23, 24)
- - 23. The method of claim 22, wherein the data includes real-time information that is collected based on one or more parameters.
  - 24. The method of claim 22, wherein the applying the one or more conditions to the first output includes filtering the first output to determine the first result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, LLC
Inventors
Costantino, Leandro Ignacio, Sanchez, Cristian A., Olle, Juan M., Pamio, Diego Naza
Primary Examiner(s)
Choudhury, Azizul

Application Number

US14/751,560
Publication Number

US 20160381121A1
Time in Patent Office

1,733 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/245 Query processing

G06F 16/2471 Distributed queries

Query engine for remote endpoint information retrieval

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

72 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Query engine for remote endpoint information retrieval

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links