Anomaly detection based on information technology environment topology
First Claim

1. A computer implemented method comprising:
- accessing a set of events associated with activity by a plurality of entities in an information technology (IT) environment, wherein each event in the set of events includes a portion of raw machine data that reflects activity in the IT environment and that is produced by a component of the IT environment, wherein each event is associated with a timestamp extracted from the raw machine data;
- determining a topology of the IT environment by processing at least some of the accessed set of events;
- generating an entity relationship graph based on the topology of the IT environment, wherein the entity relationship graph includes:
  - a plurality of nodes representative of the plurality of entities in the IT environment; and
  - edges connecting the plurality of nodes, the edges representing relationships and activity between entities represented by the plurality of nodes;
  - wherein each edge includes a directionality that indicates a normal flow of communication between the entities represented by the nodes connected to the edge; and
- monitoring the entity relationship graph to detect an anomaly.
Abstract
Techniques are described for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity. In an embodiment, a plurality of events reflecting activity by a plurality of entities in an IT environment are processed to resolve the identities of the entities, discover how the entities fit within a topology of the IT environment, and determine what the entities are. This information is then used to generate an entity relationship graph that includes nodes representing the entities in the IT environment and edges connecting the nodes representing interaction relationships between the entities. In some embodiments, baselines are established by monitoring the activity between entities. This baseline information can be represented in the entity relationship graph in the form of directionality applied to the edges. The entity relationship graph can then be monitored to detect anomalous activity.
30 Claims

1. A computer implemented method comprising: (independent claim, reproduced in full above under First Claim; dependent claims 2 to 28 are listed under it and are not reproduced on this page)

29. A computer system comprising:
- a processor; and
- a storage device having instructions stored thereon, which when executed by the processor cause the computer system to:
  - access a set of events associated with activity by a plurality of entities in an information technology (IT) environment, wherein each event in the set of events includes a portion of raw machine data that reflects activity in the IT environment and that is produced by a component of the IT environment, wherein each event is associated with a timestamp extracted from the raw machine data;
  - determine a topology of the IT environment by processing at least some of the accessed set of events;
  - generate an entity relationship graph based on the topology of the IT environment, wherein the entity relationship graph includes:
    - a plurality of nodes representative of the plurality of entities in the IT environment; and
    - edges connecting the plurality of nodes, the edges representing relationships and activity between entities represented by the plurality of nodes;
    - wherein each edge includes a directionality that indicates a normal flow of communication between the entities represented by the nodes connected to the edge; and
  - monitor the entity relationship graph to detect an anomaly.

30. A non-transitory computer-readable medium containing instructions, execution of which in a computer system causes the computer system to:
- access a set of events associated with activity by a plurality of entities in an information technology (IT) environment, wherein each event in the set of events includes a portion of raw machine data that reflects activity in the IT environment and that is produced by a component of the IT environment, wherein each event is associated with a timestamp extracted from the raw machine data;
- determine a topology of the IT environment by processing at least some of the accessed set of events;
- generate an entity relationship graph based on the topology of the IT environment, wherein the entity relationship graph includes:
  - a plurality of nodes representative of the plurality of entities in the IT environment; and
  - edges connecting the plurality of nodes, the edges representing relationships and activity between entities represented by the plurality of nodes;
  - wherein each edge includes a directionality that indicates a normal flow of communication between the entities represented by the nodes connected to the edge; and
- monitor the entity relationship graph to detect an anomaly.
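The abstract and the independent claims describe the same pipeline: derive the topology from timestamped events, build a directed entity relationship graph whose edge directionality records the baseline flow of communication, then monitor new events against that graph. The following is an added illustration written for this page, not code from the patent or its assignee; the event fields (`ts`, `src`, `dst`, `action`), the host names and the three anomaly labels are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events standing in for raw machine data (e.g. flow or
# firewall logs), each with a timestamp and a source/destination entity.
BASELINE_EVENTS = [
    {"ts": 1000, "src": "web-01", "dst": "db-01", "action": "connect"},
    {"ts": 1005, "src": "web-02", "dst": "db-01", "action": "connect"},
    {"ts": 1010, "src": "web-01", "dst": "db-01", "action": "connect"},
    {"ts": 1020, "src": "admin-ws", "dst": "web-01", "action": "ssh"},
]

# Constructed events from a later monitoring window.
MONITORED_EVENTS = [
    {"ts": 2000, "src": "web-01", "dst": "db-01", "action": "connect"},   # baseline flow
    {"ts": 2001, "src": "db-01", "dst": "web-01", "action": "connect"},   # reversed flow
    {"ts": 2002, "src": "web-02", "dst": "admin-ws", "action": "ssh"},    # never seen pair
    {"ts": 2003, "src": "web-01", "dst": "10.9.9.9", "action": "connect"},  # unknown entity
]


def build_entity_graph(events):
    """Derive the topology from baseline events: nodes are every entity seen,
    and each directed edge src->dst records the normal flow of communication.
    The edge weight counts how often that flow was observed."""
    graph = defaultdict(lambda: defaultdict(int))
    nodes = set()
    for ev in events:
        nodes.update((ev["src"], ev["dst"]))
        graph[ev["src"]][ev["dst"]] += 1
    return nodes, graph


def detect_anomalies(nodes, graph, events):
    """Monitor new events against the graph. Returns (ts, label, src, dst)
    for communication that involves an entity outside the known topology,
    runs against an established edge's directionality, or links two known
    entities with no baseline relationship."""
    findings = []
    for ev in events:
        src, dst = ev["src"], ev["dst"]
        if src not in nodes or dst not in nodes:
            findings.append((ev["ts"], "unknown_entity", src, dst))
        elif graph.get(src, {}).get(dst):
            continue  # matches the baseline directionality; not anomalous
        elif graph.get(dst, {}).get(src):
            findings.append((ev["ts"], "reversed_direction", src, dst))
        else:
            findings.append((ev["ts"], "new_relationship", src, dst))
    return findings


if __name__ == "__main__":
    known, g = build_entity_graph(BASELINE_EVENTS)
    for finding in detect_anomalies(known, g, MONITORED_EVENTS):
        print(finding)
```

In a real deployment the baseline would be built over a long window and edge weights thresholded, so that a single low-volume flow does not define "normal".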