RISK MONITORING SYSTEM

US 20180316695A1
Filed: 04/28/2017
Published: 11/01/2018
Est. Priority Date: 04/28/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

creating one or more risk objects, wherein each risk object of the one or more risk objects has a corresponding stored risk definition, the stored risk definition associating the risk object with raw machine data pertaining to the risk object, the raw machine data reflecting activity in an information technology (IT) environment;

receiving a selection of a first risk object included in the one or more risk objects;

receiving a first risk definition that corresponds to the first risk object;

performing a search of the raw machine data according to the first risk definition, wherein a risk is identified based on the search of the raw machine data; and

performing an action based on identifying the risk.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of the present invention set forth techniques for monitoring risk in a computing system. The technique includes creating one or more risk objects, where each risk object of the one or more risk objects has a corresponding stored risk definition, the stored risk definition associating the risk object with raw machine data pertaining to the risk object, the raw machine data reflecting activity in an information technology (IT) environment. The technique further includes receiving a selection of a first risk object included in the one or more risk objects and receiving a first risk definition that corresponds to the first risk object. The technique further includes performing a search of the raw machine data according to the first risk definition, wherein a risk is identified based on the search of the raw machine data and performing an action based on identifying the risk.

Citations

30 Claims

1. A computer-implemented method, comprising:
- creating one or more risk objects, wherein each risk object of the one or more risk objects has a corresponding stored risk definition, the stored risk definition associating the risk object with raw machine data pertaining to the risk object, the raw machine data reflecting activity in an information technology (IT) environment;
  
  receiving a selection of a first risk object included in the one or more risk objects;
  
  receiving a first risk definition that corresponds to the first risk object;
  
  performing a search of the raw machine data according to the first risk definition, wherein a risk is identified based on the search of the raw machine data; and
  
  performing an action based on identifying the risk.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The computer-implemented method of claim 1, further comprising causing display of a representation of the one or more risk objects, wherein the selection of the first risk object is received based on the representation.
  - 3. The computer-implemented method of claim 1, further comprising:
    - causing display of a representation of one or more logical operators; and
      
      receiving a selection of a first logical operator included in the one or more logical operators, wherein the first logical operator defines a relationship between the first risk object and a second risk object included in the one or more risk objects,wherein the risk is identified based on at least the first risk object, the second risk object, and the first logical operator.
  - 4. The computer-implemented method of claim 1, further comprising:
    - causing display of a representation of one or more logical operators; and
      
      receiving a selection of a first logical operator included in the one or more logical operators, wherein the first logical operator causes the risk to be identified when both the first risk object and a second risk object included in the one or more risk objects evaluate as true.
  - 5. The computer-implemented method of claim 1, further comprising:
    - causing display of a representation of one or more logical operators; and
      
      receiving a selection of a first logical operator included in the one or more logical operators, wherein the first logical operator causes the risk to be identified when at least one of the first risk object and a second risk object included in the one or more risk objects evaluates as true.
  - 6. The computer-implemented method of claim 1, wherein the raw machine data is included in one or more events, each event being associated with a different timestamp and including raw machine data reflective of activity in the IT environment.
  - 7. The computer-implemented method of claim 1, wherein the first risk definition comprises at least one of a search query command, a search algorithm, and a machine-learning algorithm.
  - 8. The computer-implemented method of claim 1, wherein the action comprises at least one of generating an alert based on the risk, causing a script to be executed, and restricting access to at least one of a service or resource.
  - 9. The computer-implemented method of claim 1, further comprising:
    - receiving first criteria for identifying raw machine data that is relevant to the risk;
      
      creating the first risk definition based on the first criteria; and
      
      storing the first risk definition in a memory.
  - 10. The computer-implemented method of claim 1, further comprising:
    - receiving first criteria for identifying raw machine data that is relevant to the risk;
      
      creating the first risk definition based on the first criteria;
      
      storing the first risk definition in a memory; and
      
      associating the first risk definition with the first risk object.
  - 11. The computer-implemented method of claim 1, wherein the raw machine data is stored in a field-searchable data store.
  - 12. The computer-implemented method of claim 1, wherein each stored risk definition is implemented to extract raw machine data that reflects activity in the IT environment via a late-binding schema.
  - 13. The computer-implemented method of claim 1, wherein each stored risk definition identifies raw machine data that reflects activity in the IT environment related to at least one of fraud, data security, operational performance, and business analytics.
  - 14. The computer-implemented method of claim 1, wherein the first risk object is associated with a first risk score, and the risk is identified based on the first risk score.
  - 15. The computer-implemented method of claim 1, wherein the first risk object is associated with a first risk score, the first risk score is generated based on the raw machine data that is identified based on a first risk definition that corresponds to the first risk object, and the risk is identified based on the first risk score.
  - 16. The computer-implemented method of claim 1, further comprising receiving a selection of a second risk object included in the one or more risk objects, wherein the first risk object is associated with a first risk score, the second risk object is associated with a second risk score, a result is generated by combining, based on the first logical operator, the first risk score and the second risk score, and the risk is identified based on comparing the result to a threshold value.
  - 17. The computer-implemented method of claim 1, further comprising receiving a selection of a plurality of risk objects included in the one or more risk objects, wherein the result is generated based on determining that a threshold number of risk events included in the plurality of risk events evaluated as true.

18. A non-transitory computer-readable storage medium including instructions that, when executed by a processor, cause the processor to perform the steps of:
- creating one or more risk objects, wherein each risk object of the one or more risk objects has a corresponding stored risk definition, the stored risk definition associating the risk object with raw machine data pertaining to the risk object, the raw machine data reflecting activity in an information technology (IT) environment;
  
  receiving a selection of a first risk object included in the one or more risk objects;
  
  receiving a first risk definition that corresponds to the first risk object;
  
  performing a search of the raw machine data according to the first risk definition, wherein a risk is identified based on the search of the raw machine data; and
  
  performing an action based on identifying the risk.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The non-transitory computer-readable storage medium of claim 18, further comprising causing display of a representation of the one or more risk objects, wherein the selection of the first risk object is received based on the representation.
  - 20. The non-transitory computer-readable storage medium of claim 18, further comprising:
    - causing display of a representation of one or more logical operators; and
      
      receiving a selection of a first logical operator included in the one or more logical operators, wherein the first logical operator defines a relationship between the first risk object and a second risk object included in the one or more risk objects,wherein the risk is identified based on at least the first risk object, the second risk object, and the first logical operator.
  - 21. The non-transitory computer-readable storage medium of claim 18, wherein the raw machine data is included in one or more events, each event being associated with a different timestamp and including raw machine data reflective of activity in the IT environment.
  - 22. The non-transitory computer-readable storage medium of claim 18, wherein the first risk definition comprises at least one of a search query command, a search algorithm, and a machine-learning algorithm.
  - 23. The non-transitory computer-readable storage medium of claim 18, further comprising:
    - receiving first criteria for identifying raw machine data that is relevant to the risk;
      
      creating the first risk definition based on the first criteria;
      
      storing the first risk definition in a memory; and
      
      associating the first risk definition with the first risk object.
  - 24. The non-transitory computer-readable storage medium of claim 18, further comprising receiving a selection of a second risk object included in the one or more risk objects, wherein the first risk object is associated with a first risk score, the second risk object is associated with a second risk score, a result is generated by combining, based on the first logical operator, the first risk score and the second risk score, and the risk is identified based on comparing the result to a threshold value.

25. A computing device, comprising:
- a memory that includes instructions; and
  
  a processor that is coupled to the memory and, when executing the instructions, is configured to;
  
  create one or more risk objects, wherein each risk object of the one or more risk objects has a corresponding stored risk definition, the stored risk definition associating the risk object with raw machine data pertaining to the risk object, the raw machine data reflecting activity in an information technology (IT) environment;
  
  receive a selection of a first risk object included in the one or more risk objects;
  
  receive a first risk definition that corresponds to the first risk object;
  
  perform a search of the raw machine data according to the first risk definition, wherein a risk is identified based on the search of the raw machine data; and
  
  perform an action based on identifying the risk.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The computing device of claim 25, wherein the processor, when executing the instructions, is further configured to cause display of a representation of the one or more risk objects, wherein the selection of the first risk object is received based on the representation.
  - 27. The computing device of claim 25, wherein the processor, when executing the instructions, is further configured to:
    - cause display of a representation of one or more logical operators; and
      
      receive a selection of a first logical operator included in the one or more logical operators, wherein the first logical operator defines a relationship between the first risk object and a second risk object included in the one or more risk objects,wherein the risk is identified based on at least the first risk object, the second risk object, and the first logical operator.
  - 28. The computing device of claim 25, wherein the raw machine data is included in one or more events, each event being associated with a different timestamp and including raw machine data reflective of activity in the IT environment.
  - 29. The computing device of claim 25, wherein the first risk definition comprises at least one of a search query command, a search algorithm, and a machine-learning algorithm.
  - 30. The computing device of claim 25, wherein the processor, when executing the instructions, is further configured to:
    - receive first criteria for identifying raw machine data that is relevant to the risk;
      
      create the first risk definition based on the first criteria;
      
      store the first risk definition in a memory; and
      
      associate the first risk definition with the first risk object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
ESMAN, Gleb

Granted Patent

US 10,643,214 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06Q 20/4016   involving fraud or risk lev...

G06Q 20/405   Establishing or using trans...

H04L 63/1433   Vulnerability analysis

RISK MONITORING SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

RISK MONITORING SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links