Real-time push API for log events in enterprise threat detection

US 10,630,705 B2
Filed: 09/23/2016
Issued: 04/21/2020
Est. Priority Date: 09/23/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving a log entry at a streaming component of an enterprise threat detection (ETD) system from a real-time push application programming interface (API) associated with a backend computing system, wherein a kernel log writing component of the backend computing system calls the real-time push API associated with the backend computing system to transmit the log entry to the streaming component of the ETD system when the log entry is written into the kernel log writing component of the backend computing system;

parsing the log entry using a runtime parser associated with the streaming component into mapped data in an ETD format compatible with the ETD system;

transferring the mapped data to an ETD streaming project for enrichment;

enriching the mapped data as enriched data; and

writing, using the streaming component, the enriched data into a database associated with the ETD system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A log entry is received at a streaming component of an enterprise threat detection (ETD) system from a real-time push application programming interface (API) associated with a backend computing system. The received log entry is parsed using a runtime parser associated with the streaming component into mapped data in an ETD format compatible with the ETD system. The mapped data is transferred to an ETD streaming project and enriched. The streaming component writes the enriched data into a database associated with the ETD system.

200 Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving a log entry at a streaming component of an enterprise threat detection (ETD) system from a real-time push application programming interface (API) associated with a backend computing system, wherein a kernel log writing component of the backend computing system calls the real-time push API associated with the backend computing system to transmit the log entry to the streaming component of the ETD system when the log entry is written into the kernel log writing component of the backend computing system;
  
  parsing the log entry using a runtime parser associated with the streaming component into mapped data in an ETD format compatible with the ETD system;
  
  transferring the mapped data to an ETD streaming project for enrichment;
  
  enriching the mapped data as enriched data; and
  
  writing, using the streaming component, the enriched data into a database associated with the ETD system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, comprising receiving the log entry generated by an application on the backend computing system at the kernel log writing component.
  - 3. The computer-implemented method of claim 2, comprising the log writing component instructing the real-time push API to send the log entry to the streaming component.
  - 4. The computer-implemented method of claim 1, comprising:
    - splitting the received log entry into elements; and
      
      mapping the elements into the ETD format.
  - 5. The computer-implemented method of claim 1, wherein parsing the received log entry includes the runtime parser using mapping information for mapping a format of the received log entry to the ETD format.
  - 6. The computer-implemented method of claim 1, wherein enriching the mapped data includes at least one of normalizing the mapped data, pseudonymizing users, or incorporating at least one of user information, subnet information, or a MAC address.
  - 7. The computer-implemented method of claim 1, comprising writing the enriched data from the ETD streaming project to the streaming component.

8. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations comprising:
- receiving a log entry at a streaming component of an enterprise threat detection (ETD) system from a real-time push application programming interface (API) associated with a backend computing system, wherein a kernel log writing component of the backend computing system calls the real-time push API associated with the backend computing system to transmit the log entry to the streaming component of the ETD system when the log entry is written into the kernel log writing component of the backend computing system;
  
  parsing the log entry using a runtime parser associated with the streaming component into mapped data in an ETD format compatible with the ETD system;
  
  transferring the mapped data to an ETD streaming project for enrichment;
  
  enriching the mapped data as enriched data; and
  
  writing, using the streaming component, the enriched data into a database associated with the ETD system.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to receive the log entry generated by an application on the backend computing system at the kernel log writing component.
  - 10. The non-transitory, computer-readable medium of claim 9, comprising one or more instructions for the log writing component to instruct the real-time push API to send the log entry to the streaming component.
  - 11. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to:
    - split the received log entry into elements; and
      
      map the elements into the ETD format.
  - 12. The non-transitory, computer-readable medium of claim 8, wherein parsing the received log entry includes the runtime parser using mapping information for mapping a format of the received log entry to the ETD format.
  - 13. The non-transitory, computer-readable medium of claim 8, wherein enriching the mapped data includes at least one of normalizing the mapped data, pseudonymizing users, or incorporating at least one of user information, subnet information, or a MAC address.
  - 14. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to write the enriched data from the ETD streaming project to the streaming component.

15. A computer-implemented system, comprising:
- a computer memory; and
  
  a hardware processor interoperably coupled with the computer memory and configured to perform operations comprising;
  
  receiving a log entry at a streaming component of an enterprise threat detection (ETD) system from a real-time push application programming interface (API) associated with a backend computing system, wherein a kernel log writing component of the backend computing system calls the real-time push API associated with the backend computing system to transmit the log entry to the streaming component of the ETD system when the log entry is written into the kernel log writing component of the backend computing system;
  
  parsing the log entry using a runtime parser associated with the streaming component into mapped data in an ETD format compatible with the ETD system;
  
  transferring the mapped data to an ETD streaming project for enrichment;
  
  enriching the mapped data as enriched data; and
  
  writing, using the streaming component, the enriched data into a database associated with the ETD system.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-implemented system of claim 15, further configured to:
    - receive the log entry generated by an application on the backend computing system at the kernel log writing component; and
      
      to permit the log writing component to instruct the real-time push API to send the log entry to the streaming component.
  - 17. The computer-implemented system of claim 15, further configured to:
    - split the received log entry into elements; and
      
      map the elements into the ETD format.
  - 18. The computer-implemented system of claim 15, wherein parsing the received log entry includes the runtime parser using mapping information for mapping a format of the received log entry to the ETD format.
  - 19. The computer-implemented system of claim 15, wherein enriching the mapped data includes at least one of normalizing the mapped data, pseudonymizing users, or incorporating at least one of user information, subnet information, or a MAC address.
  - 20. The computer-implemented system of claim 15, further configured to write the enriched data from the ETD streaming project to the streaming component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Chrosziel, Florian, Kunz, Thomas, Nos, Kathrin, Rodeck, Marco
Primary Examiner(s)
Steinle, Andrew J

Application Number

US15/274,693
Publication Number

US 20180091536A1
Time in Patent Office

1,306 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Real-time push API for log events in enterprise threat detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

200 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Real-time push API for log events in enterprise threat detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

200 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others