Risk monitoring system

US 10,643,214 B2
Filed: 04/28/2017
Issued: 05/05/2020
Est. Priority Date: 04/28/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

displaying a representation of one or more risk objects and one or more logical operators via a user interface (UI), wherein each risk object of the one or more risk objects has a corresponding stored risk definition, the stored risk definition associating the risk object with raw machine data pertaining to the risk object, the raw machine data reflecting activity in an information technology (IT) environment;

receiving, via the UI, selections of a first risk object and a second risk object included in the one or more risk objects, the first risk object having a corresponding stored first risk definition and the second risk object having a corresponding stored second risk definition;

receiving, via the UI, a selection of a first logical operator included in the one or more logical operators, wherein the first logical operator defines a relationship between the first risk object and the second risk object;

in response to receiving the selections of the first risk object, the second risk object, and the first logical operator via the UI, including the first risk object, the second risk object, and the first logical operator in an object group that specifies a search of the raw machine data;

performing the search of the raw machine data according to the object group by receiving the first risk definition that corresponds to the first risk object and the second risk definition that corresponds to the second risk object, wherein a risk is identified based on the search of the raw machine data; and

performing an action based on identifying the risk.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of the present invention set forth techniques for monitoring risk in a computing system. The technique includes creating one or more risk objects, where each risk object of the one or more risk objects has a corresponding stored risk definition, the stored risk definition associating the risk object with raw machine data pertaining to the risk object, the raw machine data reflecting activity in an information technology (IT) environment. The technique further includes receiving a selection of a first risk object included in the one or more risk objects and receiving a first risk definition that corresponds to the first risk object. The technique further includes performing a search of the raw machine data according to the first risk definition, wherein a risk is identified based on the search of the raw machine data and performing an action based on identifying the risk.

Citations

27 Claims

1. A computer-implemented method, comprising:
- displaying a representation of one or more risk objects and one or more logical operators via a user interface (UI), wherein each risk object of the one or more risk objects has a corresponding stored risk definition, the stored risk definition associating the risk object with raw machine data pertaining to the risk object, the raw machine data reflecting activity in an information technology (IT) environment;
  
  receiving, via the UI, selections of a first risk object and a second risk object included in the one or more risk objects, the first risk object having a corresponding stored first risk definition and the second risk object having a corresponding stored second risk definition;
  
  receiving, via the UI, a selection of a first logical operator included in the one or more logical operators, wherein the first logical operator defines a relationship between the first risk object and the second risk object;
  
  in response to receiving the selections of the first risk object, the second risk object, and the first logical operator via the UI, including the first risk object, the second risk object, and the first logical operator in an object group that specifies a search of the raw machine data;
  
  performing the search of the raw machine data according to the object group by receiving the first risk definition that corresponds to the first risk object and the second risk definition that corresponds to the second risk object, wherein a risk is identified based on the search of the raw machine data; and
  
  performing an action based on identifying the risk.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computer-implemented method of claim 1,wherein the risk is identified based on at least the first risk object, the second risk object, and the first logical operator.
  - 3. The computer-implemented method of claim 1,wherein the first logical operator causes the risk to be identified when both the first risk object and a second risk object included in the one or more risk objects evaluate as true.
  - 4. The computer-implemented method of claim 1,wherein the first logical operator causes the risk to be identified when at least one of the first risk object and a second risk object included in the one or more risk objects evaluates as true.
  - 5. The computer-implemented method of claim 1, wherein the raw machine data is included in one or more events, each event being associated with a different timestamp and including raw machine data reflective of activity in the IT environment.
  - 6. The computer-implemented method of claim 1, wherein the first risk definition comprises at least one of a search query command, a search algorithm, and a machine-learning algorithm.
  - 7. The computer-implemented method of claim 1, wherein the action comprises at least one of generating an alert based on the risk, causing a script to be executed, and restricting access to at least one of a service or resource.
  - 8. The computer-implemented method of claim 1, further comprising:
    - receiving first criteria for identifying raw machine data that is relevant to the risk;
      
      creating the first risk definition based on the first criteria; and
      
      storing the first risk definition in a memory.
  - 9. The computer-implemented method of claim 1, further comprising:
    - receiving first criteria for identifying raw machine data that is relevant to the risk;
      
      creating the first risk definition based on the first criteria;
      
      storing the first risk definition in a memory; and
      
      associating the first risk definition with the first risk object.
  - 10. The computer-implemented method of claim 1, wherein the raw machine data is stored in a field-searchable data store.
  - 11. The computer-implemented method of claim 1, wherein each stored risk definition is implemented to extract raw machine data that reflects activity in the IT environment via a late-binding schema.
  - 12. The computer-implemented method of claim 1, wherein each stored risk definition identifies raw machine data that reflects activity in the IT environment related to at least one of fraud, data security, operational performance, and business analytics.
  - 13. The computer-implemented method of claim 1, wherein the first risk object is associated with a first risk score, and the risk is identified based on the first risk score.
  - 14. The computer-implemented method of claim 1, wherein the first risk object is associated with a first risk score, the first risk score is generated based on the raw machine data that is identified based on a first risk definition that corresponds to the first risk object, and the risk is identified based on the first risk score.
  - 15. The computer-implemented method of claim 1, wherein the first risk object is associated with a first risk score, the second risk object is associated with a second risk score, a result is generated by combining, based on the first logical operator, the first risk score and the second risk score, and the risk is identified based on comparing the result to a threshold value.
  - 16. The computer-implemented method of claim 1, further comprising receiving a selection of a plurality of risk objects included in the one or more risk objects, wherein the result is generated based on determining that a threshold number of risk objects included in the plurality of risk objects evaluated as true.

17. A non-transitory computer-readable storage medium including instructions that, when executed by a processor, cause the processor to perform the steps of:
- displaying a representation of one or more risk objects and one or more logical operators via a user interface (UI), wherein each risk object of the one or more risk objects has a corresponding stored risk definition, the stored risk definition associating the risk object with raw machine data pertaining to the risk object, the raw machine data reflecting activity in an information technology (IT) environment;
  
  receiving, via the UI, selections of a first risk object and a second risk object included in the one or more risk objects, the first risk object having a corresponding stored first risk definition and the second risk object having a corresponding stored second risk definition;
  
  receiving, via the UI, a selection of a first logical operator included in the one or more logical operators, wherein the first logical operator defines a relationship between the first risk object and the second risk object;
  
  in response to receiving the selections of the first risk object, the second risk object, and the first logical operator via the UI, including the first risk object, the second risk object, and the first logical operator in an object group that specifies a search of the raw machine data;
  
  performing the search of the raw machine data according to the object group by receiving the first risk definition that corresponds to the first risk object and the second risk definition that corresponds to the second risk object, wherein a risk is identified based on the search of the raw machine data; and
  
  performing an action based on identifying the risk.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The non-transitory computer-readable storage medium of claim 17,wherein the risk is identified based on at least the first risk object, the second risk object, and the first logical operator.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the raw machine data is included in one or more events, each event being associated with a different timestamp and including raw machine data reflective of activity in the IT environment.
  - 20. The non-transitory computer-readable storage medium of claim 17, wherein the first risk definition comprises at least one of a search query command, a search algorithm, and a machine-learning algorithm.
  - 21. The non-transitory computer-readable storage medium of claim 17, further comprising:
    - receiving first criteria for identifying raw machine data that is relevant to the risk;
      
      creating the first risk definition based on the first criteria;
      
      storing the first risk definition in a memory; and
      
      associating the first risk definition with the first risk object.
  - 22. The non-transitory computer-readable storage medium of claim 17, wherein the first risk object is associated with a first risk score, the second risk object is associated with a second risk score, a result is generated by combining, based on the first logical operator, the first risk score and the second risk score, and the risk is identified based on comparing the result to a threshold value.

23. A computing device, comprising:
- a memory that includes instructions; and
  
  a processor that is coupled to the memory and, when executing the instructions, is configured to;
  
  displaying a representation of one or more risk objects and one or more logical operators via a user interface (UI), wherein each risk object of the one or more risk objects has a corresponding stored risk definition, the stored risk definition associating the risk object with raw machine data pertaining to the risk object, the raw machine data reflecting activity in an information technology (IT) environment;
  
  receive, via the UI, selections of a first risk object and a second risk object included in the one or more risk objects, the first risk object having a corresponding stored first risk definition and the second risk object having a corresponding stored second risk definition;
  
  receive, via the UI, a selection of a first logical operator included in the one or more logical operators, wherein the first logical operator defines a relationship between the first risk object and the second risk object;
  
  in response to receiving the selections of the first risk object, the second risk object, and the first logical operator via the UI, include the first risk object, the second risk object, and the first logical operator in an object group that specifies a search of the raw machine data;
  
  perform the search of the raw machine data according to the object group by receiving the first risk definition that corresponds to the first risk object and the second risk definition that corresponds to the second risk object, wherein a risk is identified based on the search of the raw machine data; and
  
  perform an action based on identifying the risk.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The computing device of claim 23, wherein the processor, when executing the instructions,wherein the risk is identified based on at least the first risk object, the second risk object, and the first logical operator.
  - 25. The computing device of claim 23, wherein the raw machine data is included in one or more events, each event being associated with a different timestamp and including raw machine data reflective of activity in the IT environment.
  - 26. The computing device of claim 23, wherein the first risk definition comprises at least one of a search query command, a search algorithm, and a machine-learning algorithm.
  - 27. The computing device of claim 23, wherein the processor, when executing the instructions, is further configured to:
    - receive first criteria for identifying raw machine data that is relevant to the risk;
      
      create the first risk definition based on the first criteria;
      
      store the first risk definition in a memory; and
      
      associate the first risk definition with the first risk object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Esman, Gleb
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Choy, Ka Shan

Application Number

US15/582,564
Publication Number

US 20180316695A1
Time in Patent Office

1,103 Days
Field of Search
US Class Current
CPC Class Codes

G06Q 20/4016   involving fraud or risk lev...

G06Q 20/405   Establishing or using trans...

H04L 63/1433   Vulnerability analysis

Risk monitoring system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Risk monitoring system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links