USER ACTIVITY MONITORING
First Claim
1. A method comprising:
identifying, from a set of entities to be monitored, a subset of the set of entities for additional monitoring;
performing the additional monitoring by accessing a scoring rule that defines a search query and a risk modifier, the risk modifier indicative of an amount by which to adjust a risk score of a particular entity when a triggering condition is satisfied;
after said accessing the scoring rule, executing the search query against a plurality of events associated with the activity of the subset of set of entities, wherein the search query produces a search result pertaining to activity of the particular entity, wherein each event of the plurality of events is associated with a timestamp and includes machine data;
determining whether the search result meets the triggering condition; and
responsive to determining that the search result meets the triggering condition, updating the risk score for the particular entity based on the risk modifier in the scoring rule, the risk score indicating a security threat associated with activity of the particular entity; and
causing at least one of:
display of an indication of the updated risk score, transmission of an indication of the updated risk score, or remedial action based on the updated risk score.
1 Assignment
0 Petitions
Abstract
Systems and methods are disclosed for associating an entity with a risk score that may indicate a security threat associated with the entity's activity. An exemplary method may involve monitoring the activity of a subset of the set of entities (e.g., entities included in a watch list) by executing a search query against events indicating the activity of the subset of entities. The events may be associated with timestamps and may include machine data. Executing the search query may produce search results that pertain to activity of a particular entity from the subset. The search results may be evaluated based on a triggering condition corresponding to the statistical baseline. When the triggering condition is met, a risk score for the particular entity may be updated. The updated risk score may be displayed to a user via a graphical user interface (GUI).
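The claim and abstract above describe a scoring loop: a scoring rule pairs a search query with a triggering condition and a risk modifier; the query runs only over events of a watched subset of entities; each event carries a timestamp and machine data; when the result meets the condition, the entity's risk score moves by the modifier, and the score can drive display or a remedial action. The following is an added illustration of that loop and is not code from the patent or its assignee. It assumes a syslog-like line format, two rules whose thresholds are chosen arbitrarily here (the abstract's statistical baseline is left as something a deployment would derive), and a handful of constructed log lines for users `alice`, `bob` and `carol`, none of which come from a real system.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set

@dataclass(frozen=True)
class Event:
    """One monitored event: timestamp, the entity it concerns, the emitting program, and its machine data."""
    timestamp: datetime
    entity: str
    source: str
    raw: str

@dataclass(frozen=True)
class ScoringRule:
    """Scoring rule in the claim's sense: a search query, a triggering condition and a risk modifier."""
    name: str
    query: Callable[[Event], bool]   # the search query: does this event match?
    trigger: Callable[[int], bool]   # triggering condition on the search result (match count)
    risk_modifier: int               # amount by which to adjust the entity's risk score

# Constructed sample log lines (hypothetical hosts, users and addresses).
SAMPLE_LOG = """\
2024-01-10T09:00:01Z bastion sshd[4101]: Failed password for alice from 10.0.0.5 port 50022 ssh2
2024-01-10T09:00:03Z bastion sshd[4101]: Failed password for alice from 10.0.0.5 port 50022 ssh2
2024-01-10T09:00:05Z bastion sshd[4102]: Failed password for alice from 10.0.0.5 port 50023 ssh2
2024-01-10T09:00:08Z bastion sshd[4102]: Failed password for alice from 10.0.0.5 port 50023 ssh2
2024-01-10T09:05:40Z bastion sudo[4200]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
2024-01-09T09:10:00Z bastion sshd[3001]: Failed password for bob from 10.0.0.9 port 40010 ssh2
2024-01-10T09:20:01Z bastion sshd[4300]: Failed password for bob from 10.0.0.9 port 40011 ssh2
2024-01-10T09:20:04Z bastion sshd[4300]: Failed password for bob from 10.0.0.9 port 40011 ssh2
2024-01-10T09:20:07Z bastion sshd[4301]: Failed password for bob from 10.0.0.9 port 40012 ssh2
2024-01-10T09:21:00Z bastion sshd[4302]: Accepted password for bob from 10.0.0.9 port 40013 ssh2
2024-01-10T09:30:00Z bastion sudo[4400]: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
2024-01-10T09:40:00Z bastion sshd[4500]: Failed password for carol from 10.0.0.7 port 40100 ssh2
2024-01-10T09:40:02Z bastion sshd[4500]: Failed password for carol from 10.0.0.7 port 40100 ssh2
2024-01-10T09:40:04Z bastion sshd[4501]: Failed password for carol from 10.0.0.7 port 40101 ssh2
2024-01-10T09:40:06Z bastion sshd[4501]: Failed password for carol from 10.0.0.7 port 40101 ssh2
this line is not machine data in the expected shape
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")

def extract_entity(prog: str, msg: str) -> Optional[str]:
    """Pull the user an event is about out of program-specific message formats."""
    if prog == "sshd":
        m = re.search(r" for (?:invalid user )?(\S+) from ", msg)
    elif prog == "sudo":
        m = re.match(r"(\S+) : ", msg)
    else:
        m = None
    return m.group(1) if m else None

def parse_events(text: str) -> List[Event]:
    """Turn raw machine data into timestamped events; lines that do not fit are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        entity = extract_entity(m["prog"], m["msg"]) if m else None
        if entity is None:
            continue  # a real pipeline would count these rather than silently drop them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, entity, m["prog"], line))
    return events

def run_rule(rule: ScoringRule, events: List[Event], watchlist: Set[str],
             now: datetime, window: timedelta) -> Dict[str, int]:
    """Execute the rule's query over the watched subset's recent events and return the
    entities whose search result meets the triggering condition, with their match counts."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev.entity not in watchlist or ev.timestamp < now - window:
            continue  # only the watch-listed subset, only inside the time window
        if rule.query(ev):
            counts[ev.entity] = counts.get(ev.entity, 0) + 1
    return {e: n for e, n in counts.items() if rule.trigger(n)}

def score_entities(log_text: str, watchlist: Set[str], rules: List[ScoringRule],
                   now: datetime, window: timedelta) -> Dict[str, int]:
    """Apply every rule and accumulate each watched entity's risk score, starting from 0."""
    events = parse_events(log_text)
    scores = {e: 0 for e in sorted(watchlist)}
    for rule in rules:
        for entity in run_rule(rule, events, watchlist, now, window):
            scores[entity] += rule.risk_modifier   # adjust by the rule's risk modifier
    return scores

def needs_remediation(scores: Dict[str, int], threshold: int) -> List[str]:
    """Entities whose updated score warrants display, notification or remedial action."""
    return sorted(e for e, s in scores.items() if s >= threshold)

RULES = [
    ScoringRule("repeated ssh authentication failures",
                query=lambda ev: ev.source == "sshd" and "Failed password" in ev.raw,
                trigger=lambda n: n >= 4,   # assumed threshold; a baseline would set this
                risk_modifier=20),
    ScoringRule("privilege escalation to root via sudo",
                query=lambda ev: ev.source == "sudo" and "USER=root" in ev.raw,
                trigger=lambda n: n >= 1,
                risk_modifier=30),
]
WATCHLIST = {"alice", "bob"}                                  # carol is not watched
NOW = datetime(2024, 1, 10, 10, 0, tzinfo=timezone.utc)
WINDOW = timedelta(hours=1)

if __name__ == "__main__":
    scores = score_entities(SAMPLE_LOG, WATCHLIST, RULES, NOW, WINDOW)
    print(scores)                          # {'alice': 50, 'bob': 30}
    print(needs_remediation(scores, 50))   # ['alice']
```

With a one-hour window, `bob`'s day-old failure falls outside the query and he stays under the ssh-failure threshold, while `carol`'s failures never contribute because she is not in the watched subset; widening the window to two days is enough to trigger the first rule for `bob` as well. The trigger is a callable on the match count so that a deployment can substitute a condition derived from a per-entity statistical baseline without changing the scoring loop.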
118 Citations
32 Claims
1. A method comprising:
(the method recited above under First Claim)
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)

16. A computer system, comprising:
a memory; and one or more processing devices, coupled to the memory, to: identify, from a set of entities to be monitored, a subset of the set of entities for additional monitoring; perform the additional monitoring by: accessing a scoring rule that defines a search query and a risk modifier, the risk modifier indicative of an amount by which to adjust a risk score of a particular entity when a triggering condition is satisfied; after said accessing the scoring rule, executing the search query against a plurality of events associated with the activity of the subset of the set of entities, wherein the search query produces a search result pertaining to activity of the particular entity, wherein each event of the plurality of events is associated with a timestamp and includes machine data; determining whether the search result meets the triggering condition; and responsive to determining that the search result meets the triggering condition, updating the risk score for the particular entity based on the risk modifier in the scoring rule, the risk score indicating a security threat associated with activity of the particular entity; and causing at least one of:
display of an indication of the updated risk score, transmission of an indication of the updated risk score, or remedial action based on the updated risk score.
View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 32)

25. A non-transitory computer-readable storage medium comprising executable instructions that, when executed by a computer system, cause the computer system to perform operations comprising:
identifying, from a set of entities to be monitored, a subset of the set of entities for additional monitoring; performing the additional monitoring by accessing a scoring rule that defines a search query and a risk modifier, the risk modifier indicative of an amount by which to adjust a risk score of a particular entity when a triggering condition is satisfied; after said accessing the scoring rule, executing the search query against a plurality of events associated with the activity of the subset of the set of entities, wherein the search query produces a search result pertaining to activity of the particular entity, wherein each event of the plurality of events is associated with a timestamp and includes machine data; determining whether the search result meets the triggering condition; and responsive to determining that the search result meets the triggering condition, updating the risk score for the particular entity based on the risk modifier in the scoring rule; and providing a graphical user interface (GUI) for displaying an indication of the risk score associated with the particular entity of the subset of entities, the risk score indicating a security threat associated with activity of the particular entity.
View Dependent Claims (26, 27, 28, 29, 30, 31)