USING NETWORK LOCATIONS OBTAINED FROM MULTIPLE THREAT LISTS TO EVALUATE NETWORK DATA OR MACHINE DATA
Abstract
Systems and methods are provided for identifying network addresses and/or IDs of a deduplicated list among network data, machine data, and/or events derived from network data and/or machine data, and for identifying notable events by searching for the presence of network addresses and/or network IDs that are deduplicated across lists received from multiple external sources. One method includes receiving a plurality of lists of network locations, wherein each list is received from over a network, wherein each of the network locations includes a domain name or an IP address, and wherein at least two of the plurality of lists each include a same network location; aggregating the plurality of lists of network locations into a deduplicated list of unique network locations; and searching network data or machine data for a network location included in the deduplicated list of unique network locations.
Claims (66)

1-30. (canceled)
31. A computer-implemented method, comprising:
accessing a set of events, wherein each event in the set comprises a portion of raw data representing activity data from at least one host in a plurality of hosts distributed across an enterprise's network; applying an aggregated threat location list to analyze, using a processor, values extracted from the raw data at analysis time, wherein preparing the aggregated threat location list includes merging and deduplicating a plurality of threat location lists received from separate third-party sources; and searching the activity data from the hosts to identify and report on one or more suspicious activity patterns involving activity tied to one or more threat locations listed in the aggregated threat location list. (Dependent claims: 32, 33, 34, 35, 36, 37, 38, 39, 40, 61, 62)
41. A computer-implemented system, comprising:
processing resources and memory coupled to the processing resources, the memory holding instructions that, when executed by the processing resources, cause the system to: access a set of events, wherein each event in the set comprises a portion of raw data representing activity data from at least one host in a plurality of hosts distributed across an enterprise's network; apply an aggregated threat location list to analyze, using a processor, values extracted from the raw data at analysis time, wherein preparing the aggregated threat location list includes merging and deduplicating a plurality of threat location lists received from separate third-party sources; and search the activity data from the hosts to identify and report on one or more suspicious activity patterns involving activity tied to one or more threat locations listed in the aggregated threat location list. (Dependent claims: 42, 43, 44, 45, 46, 47, 48, 49, 50, 63, 64)
51. A computer readable non-transitory storage medium, comprising:
instructions that, when executed by processing resources, cause the processing resources to: access a set of events, wherein each event in the set comprises a portion of raw data representing activity data from at least one host in a plurality of hosts distributed across an enterprise's network; apply an aggregated threat location list to analyze, using a processor, values extracted from the raw data at analysis time, wherein preparing the aggregated threat location list includes merging and deduplicating a plurality of threat location lists received from separate third-party sources; and search the activity data from the hosts to identify and report on one or more suspicious activity patterns involving activity tied to one or more threat locations listed in the aggregated threat location list. (Dependent claims: 52, 53, 54, 55, 56, 57, 58, 59, 60, 65, 66)
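The method described in the abstract and in independent claims 31, 41 and 51 (merge and deduplicate threat location lists from several sources, then search raw event data for the resulting locations) can be illustrated with a short Python program. This is an added example written for this page, not code from the patent or its assignee. The feed names, list entries and event lines are all constructed; the host= field layout, the normalization rules (IPs canonicalized with the ipaddress module, domains lowercased with any trailing dot removed) and the per-match record of which feeds listed the location are assumptions chosen for the example.

```python
"""Aggregate threat location lists from several feeds, deduplicate them,
and search raw events for any listed location (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample threat lists from three hypothetical feeds (not real feeds).
# Overlaps and inconsistent formatting are deliberate to exercise deduplication.
FEEDS = {
    "feed_a": ["evil.example", "203.0.113.7", "Bad-Host.example."],
    "feed_b": ["203.0.113.7", "bad-host.example", "198.51.100.22"],
    "feed_c": ["EVIL.EXAMPLE", "2001:db8::1", "not a location"],
}

# Constructed sample events: one raw line per event, each carrying a host= field.
EVENTS = [
    "2024-01-01T00:00:01 host=web01 src=10.0.0.5 dst=203.0.113.7 dport=443 action=allowed",
    "2024-01-01T00:00:02 host=dns01 query=EVIL.example. type=A client=10.0.0.9",
    "2024-01-01T00:00:03 host=web02 src=10.0.0.6 dst=192.0.2.10 dport=80 action=allowed",
    "2024-01-01T00:00:04 host=vpn01 dst=2001:db8::1 action=allowed",
]

# Whole-string hostname check used when normalizing a list entry.
HOSTNAME = re.compile(r"(?=.{1,253}$)[a-z0-9-]+(?:\.[a-z0-9-]+)+")
# Hostname-like substrings inside free text (case-insensitive).
HOSTNAME_IN_TEXT = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
# Separators used to split an event into tokens for IPv4/IPv6 detection.
TOKEN_SPLIT = re.compile(r"[\s,;=\"'()\[\]]+")


def normalize_location(raw):
    """Canonicalize one entry: IPs via ipaddress, domains lowercased, no trailing dot.
    Returns None for entries that are neither an IP address nor a domain name."""
    s = raw.strip()
    try:
        return str(ipaddress.ip_address(s))
    except ValueError:
        pass
    host = s.lower().rstrip(".")
    return host if HOSTNAME.fullmatch(host) else None


def aggregate_threat_lists(feeds):
    """Merge all feeds into one deduplicated mapping {location: set(feed names)}.
    Keeping the feed names lets a report say how many sources agree on a location."""
    aggregated = defaultdict(set)
    for feed_name, entries in feeds.items():
        for raw in entries:
            loc = normalize_location(raw)
            if loc is not None:
                aggregated[loc].add(feed_name)
    return dict(aggregated)


def extract_locations(raw_event):
    """Pull every IP address and domain name out of a raw event line."""
    found = set()
    for tok in TOKEN_SPLIT.split(raw_event):
        try:
            found.add(str(ipaddress.ip_address(tok)))
        except ValueError:
            pass
    for candidate in HOSTNAME_IN_TEXT.findall(raw_event):
        loc = normalize_location(candidate)
        if loc is not None:
            found.add(loc)
    return found


def search_events(events, aggregated):
    """Return one notable record per (event, listed location) match."""
    notable = []
    for raw in events:
        m = re.search(r"\bhost=(\S+)", raw)
        host = m.group(1) if m else "unknown"
        for loc in sorted(extract_locations(raw)):
            if loc in aggregated:
                notable.append({
                    "host": host,
                    "location": loc,
                    "feeds": sorted(aggregated[loc]),
                    "event": raw,
                })
    return notable


if __name__ == "__main__":
    agg = aggregate_threat_lists(FEEDS)
    print(f"{len(agg)} unique threat locations after deduplication")
    for hit in search_events(EVENTS, agg):
        print(f"{hit['host']}: {hit['location']} listed by {', '.join(hit['feeds'])}")
```

On the constructed input, the three feeds' nine entries collapse to five unique locations, and three of the four events are flagged; the record for each match carries the feeds that listed the location, which is the basis for prioritising locations corroborated by more than one source.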
Specification