USER ACTIVITY MONITORING

US 20160306965A1
Filed: 04/20/2015
Published: 10/20/2016
Est. Priority Date: 04/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying, from a set of entities to be monitored, a subset of the set of entities for additional monitoring;

performing the additional monitoring byaccessing a scoring rule that defines a search query and a risk modifier, the risk modifier indicative of an amount by which to adjust a risk score of a particular entity when a triggering condition is satisfied;

after said accessing the scoring rule, executing the search query against a plurality of events associated with the activity of the subset of set of entities, wherein the search query produces a search result pertaining to activity of the particular entity, wherein each event of the plurality of events is associated with a timestamp and includes machine data;

determining whether the search result meets the triggering condition; and

responsive to determining that the search result meets the triggering condition, updating the risk score for the particular entity based on the risk modifier in the scoring rule, the risk score indicating a security threat associated with activity of the particular entity; and

causing at least one of;

display of an indication of the updated risk score, transmission of an indication of the updated risk score, or remedial action based on the updated risk score.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for associating an entity with a risk score that may indicate a security threat associated with the entity'"'"'s activity. An exemplary method may involve monitoring the activity of a subset of the set of entities (e.g., entities included in a watch list) by executing a search query against events indicating the activity of the subset of entities. The events may be associated with timestamps and may include machine data. Executing the search query may produce search results that pertain to activity of a particular entity from the subset. The search results may be evaluated based on a triggering condition corresponding to the statistical baseline. When the triggering condition is met, a risk score for the particular entity may be updated. The updated risk score may be displayed to a user via a graphical user interface (GUI).

118 Citations

32 Claims

1. A method comprising:
- identifying, from a set of entities to be monitored, a subset of the set of entities for additional monitoring;
  
  performing the additional monitoring byaccessing a scoring rule that defines a search query and a risk modifier, the risk modifier indicative of an amount by which to adjust a risk score of a particular entity when a triggering condition is satisfied;
  
  after said accessing the scoring rule, executing the search query against a plurality of events associated with the activity of the subset of set of entities, wherein the search query produces a search result pertaining to activity of the particular entity, wherein each event of the plurality of events is associated with a timestamp and includes machine data;
  
  determining whether the search result meets the triggering condition; and
  
  responsive to determining that the search result meets the triggering condition, updating the risk score for the particular entity based on the risk modifier in the scoring rule, the risk score indicating a security threat associated with activity of the particular entity; and
  
  causing at least one of;
  
  display of an indication of the updated risk score, transmission of an indication of the updated risk score, or remedial action based on the updated risk score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising causing display of a graphical user interface (GUI) for displaying the risk score associated with the particular entity of the subset of the set of entities.
  - 3. The method of claim 1, further comprising causing display of a graphical interface (GUI) enabling a user to select and modify the subset of the set of entities for additional monitoring.
  - 4. The method of claim 1, wherein the plurality of events comprise email events, and the activity of the particular entity is associated with emailing documents to an email address external to an organization.
  - 5. The method of claim 1, wherein the plurality of events comprise web proxy events, and the activity of the particular entity is associated with transferring data to a domain external to an organization.
  - 6. The method of claim 1, wherein the plurality of events comprise domain name system (DNS) events, and the activity of the particular entity is associated with accessing a quantity of web sites external to an organization, wherein the quantity exceeds a threshold derived from a statistical baseline.
  - 7. The method of claim 1, wherein the plurality of events comprise login events and the activity of the particular entity is associated with a set of credentials being shared by multiple entities of an organization.
  - 8. The method of claim 1, wherein the plurality of events comprise remote login events, and the activity of the particular entity is associated with multiple remote logins from multiple geographic locations within a duration of time, wherein the duration of time is less than the time needed for the particular entity to travel from between the multiple geographic locations.
  - 9. The method of claim 1, wherein the plurality of events are derived from one or more of web access logs, email logs, DNS logs or authentication logs.
  - 10. The method of claim 1,wherein the scoring rule further defines the triggering condition.
  - 11. The method of claim 1, wherein the triggering condition is satisfied only when criteria of the triggering condition are satisfied a minimum number of times by the plurality of events.
  - 12. The method of claim 1, further comprising:
    - adding an entity to the subset of the set of entities in response to determining that the risk score of the entity exceeds a risk score threshold value.
  - 13. The method of claim 1, further comprising determining a statistical baseline of activity of the set of entities, the statistical baseline being based on an average amount of the activity of the set of entities, wherein the triggering condition corresponds to the statistical baseline.
  - 14. The method of claim 1, further comprising determining a statistical baseline, wherein determining the statistical baseline comprises:
    - accessing the plurality of events indicating the activity of the set of entities; and
      
      determining a variance for the activity of the set of entities based on the plurality of events, wherein the triggering condition is satisfied when the search result indicates that the activity of the particular entity exceeds the statistical baseline by a predetermined portion of the variance.
  - 15. The method of claim 1, wherein executing the search query comprises:
    - applying a late-binding schema to the plurality of events, the late-binding schema associated with one or more extraction rules defining one or more fields in the plurality of events.

16. A computer system, comprising:
- a memory; and
  
  one or more processing devices, coupled to the memory, to;
  
  identify, from a set of entities to be monitored, a subset of the set of entities for additional monitoring;
  
  perform the additional monitoring by;
  
  accessing a scoring rule that defines a search query and a risk modifier, the risk modifier indicative of an amount by which to adjust a risk score of a particular entity when a triggering condition is satisfied;
  
  after said accessing the scoring rule, executing the search query against a plurality of events associated with the activity of the subset of the set of entities, wherein the search query produces a search result pertaining to activity of the particular entity, wherein each event of the plurality of events is associated with a timestamp and includes machine data;
  
  determining whether the search result meets the triggering condition; and
  
  responsive to determining that the search result meets the triggering condition, updating the risk score for the particular entity based on the risk modifier in the scoring rule, the risk score indicating a security threat associated with activity of the particular entity; and
  
  causing at least one of;
  
  display of an indication of the updated risk score, transmission of an indication of the updated risk score, or remedial action based on the updated risk score.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 32)
- - 17. The system of claim 16, wherein the processing device causes display of a graphical user interface (GUI) for displaying the risk score associated with the particular entity of the subset of the set of entities.
  - 18. The system of claim 16, wherein the processing device causes display of a graphical interface (GUI) enabling a user to select and modify the subset of the set of entities for additional monitoring.
  - 19. The system of claim 16, wherein the plurality of events comprise email events, and the activity of the particular entity is associated with emailing documents to an email address external to an organization.
  - 20. The system of claim 16, wherein the plurality of events comprise web proxy events, and the activity of the particular entity is associated with transferring data to a domain external to an organization.
  - 21. The system of claim 16, wherein the plurality of events comprise domain name system (DNS) events, and the activity of the particular entity is associated with accessing a quantity of web sites external to an organization, wherein the quantity exceeds a threshold derived from a statistical baseline.
  - 22. The system of claim 16, wherein the plurality of events comprise login events and the activity of the particular entity is associated with a set of credentials being shared by multiple entities of an organization.
  - 23. The system of claim 16, wherein the plurality of events comprise remote login events, and the activity of the particular entity is associated with multiple remote logins from multiple geographic locations within a duration of time, wherein the duration of time is less than the time needed for the particular entity to travel from between the multiple geographic locations.
  - 24. The system of claim 16, wherein the plurality of events are derived from one or more of web access logs, email logs, DNS logs or authentication logs.
  - 32. The computer system of claim 16, wherein the scoring rule further defines the triggering condition.

25. A non-transitory computer-readable storage medium comprising executable instructions that, when executed by a computer system, cause the computer system to perform operations comprising:
- identifying, from a set of entities to be monitored, a subset of the set of entities for additional monitoring;
  
  performing the additional monitoring byaccessing a scoring rule that defines a search query and a risk modifier, the risk modifier indicative of an amount by which to adjust a risk score of a particular entity when a triggering condition is satisfied;
  
  after said accessing the scoring rule, executing the search query against a plurality of events associated with the activity of the subset of the set of entities, wherein the search query produces a search result pertaining to activity of the particular entity, wherein each event of the plurality of events is associated with a timestamp and includes machine data;
  
  determining whether the search result meets the triggering condition; and
  
  responsive to determining that the search result meets the triggering condition;
  
  updating the risk score for the particular entity based on the risk modifier in the scoring rule; and
  
  providing a graphical user interface (GUI) for displaying an indication of the risk score associated with the particular entity of the subset of entities, the risk score indicating a security threat associated with activity of the particular entity.
- View Dependent Claims (26, 27, 28, 29, 30, 31)
- - 26. The computer-readable non-transitory storage medium of claim 25, further comprising causing display of a graphical user interface (GUI) for displaying the risk score associated with the particular entity of the subset of the set of entities.
  - 27. The computer-readable non-transitory storage medium of claim 25, further comprising causing display of a graphical interface (GUI) enabling a user to select and modify the subset of the set of entities for additional monitoring.
  - 28. The computer-readable non-transitory storage medium of claim 25, wherein the plurality of events comprise email events, and the activity of the particular entity is associated with emailing documents to an email address external to an organization.
  - 29. The computer-readable non-transitory storage medium of claim 25, wherein the plurality of events comprise web proxy events, and the activity of the particular entity is associated with transferring data to a domain external to an organization.
  - 30. The computer-readable non-transitory storage medium of claim 25, wherein the plurality of events comprise domain name system (DNS) events, and the activity of the particular entity is associated with accessing a quantity of web sites external to an organization, wherein the quantity exceeds a threshold derived from a statistical baseline.
  - 31. The computer-readable non-transitory storage medium of claim 25, wherein the scoring rule further defines the triggering condition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Iyer, Ravi, Badhani, Devendra, Chauhan, Vijay

Granted Patent

US 9,836,598 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06Q 10/00   Administration; Management

G06Q 10/0635   Risk analysis of enterprise...

G06Q 10/105   Human resources

USER ACTIVITY MONITORING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

118 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

USER ACTIVITY MONITORING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links