Event mini-graphs in data intake stage of machine data processing platform
First Claim
1. A method for processing data at data intake for detection of an anomaly in a distributed computer environment, the method comprising:
receiving event data representing an event on a computer network, the event data being indicative of a plurality of entities and an action involved in the event;
identifying the entities and a relationship between the entities, based on the action in the event data;
creating, for the event, a record of the relationship between the entities by using a data structure representing a relationship graph, the relationship graph including at least two nodes and an edge between the two nodes, each node representing one of the entities, the edge representing the relationship between the entities; and
creating an updated event data by appending the event data representing the event with the record of the relationship;
wherein the record of the relationship is specific to the event;
sending the updated event data to an event processing engine for further processing;
generating a composite relationship graph that is combined from a plurality of the relationship graph corresponding to a plurality of the updated event data; and
using the event processing engine to perform analytics on the plurality of the updated event data and the composite relationship graph;
wherein the anomaly detection is performed based on applying a machine learning model to perform analytics on at least a portion of the composite relationship graph.
1 Assignment
0 Petitions
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is "big data" driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
70 Citations
29 Claims
1. (Independent claim; the text is reproduced in full under First Claim above.) Dependent claims 2 through 26 and 29 depend from claim 1.
27. A computer system for detection of an anomaly in a distributed computer environment, the system comprising:
a communication device; and a processor configured to: receive, via the communication device, event data representing an event on a computer network, the event data being indicative of a plurality of entities and an action involved in the event; identify the entities and a relationship between the entities, based on the action in the event data; create, for the event, a record of the relationship between the entities by using a data structure representing a relationship graph, the relationship graph including at least two nodes and an edge between the two nodes, each node representing one of the entities, the edge representing the relationship between the entities; create an updated event data by appending the event data representing the event with the record of the relationship, wherein the record of the relationship is specific to the event; send the updated event data to an event processing engine for further processing; generate a composite relationship graph that is combined from a plurality of the relationship graph corresponding to a plurality of the updated event data; and use the event processing engine to perform analytics on the plurality of the updated event data and the composite relationship graph, wherein the anomaly detection is performed based on applying a machine learning model to perform analytics on at least a portion of the composite relationship graph.
28. A non-transitory machine-readable storage medium for use in a processing system for detection of an anomaly in a distributed computer environment, the non-transitory machine-readable storage medium storing instructions, an execution of which in the processing system causes the processing system to perform operations comprising:
receiving event data representing an event on a computer network, the event data being indicative of a plurality of entities and an action involved in the event; identifying the entities and a relationship between the entities, based on the action in the event data; creating, for the event, a record of the relationship between the entities by using a data structure representing a relationship graph, the relationship graph including at least two nodes and an edge between the two nodes, each node representing one of the entities, the edge representing the relationship between the entities; and creating an updated event data by appending the event data representing the event with the record of the relationship, wherein the record of the relationship is specific to the event; sending the updated event data to an event processing engine for further processing; generating a composite relationship graph that is combined from a plurality of the relationship graph corresponding to a plurality of the updated event data; and using the event processing engine to perform analytics on the plurality of the updated event data and the composite relationship graph, wherein the anomaly detection is performed based on applying a machine learning model to perform analytics on at least a portion of the composite relationship graph.
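The intake flow recited in claims 1, 27 and 28 (parse an event, identify its entities and the relationship the action implies, attach a per-event mini-graph to the event record, fold the mini-graphs into a composite graph, then run analytics over the composite) as an added Python illustration. This is not the patent's or the assignee's code: the log line format, the `session_from` relation, the field names and the per-entity novelty score are assumptions made here, and the novelty score stands in for the unspecified machine learning model.

```python
"""Added illustration of event mini-graphs at data intake; not the patent's code.
Assumed log format (constructed): ts user action target src_ip."""
import json
import re
from collections import Counter

# Constructed sample events, not from the patent. The last-but-one line is the
# one a defender would want surfaced: a known user reaching a new host from a
# source address never seen for that user.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice login host-db01 10.0.1.5
2024-05-01T08:05:00Z bob login host-web01 10.0.1.9
2024-05-02T08:01:10Z alice login host-db01 10.0.1.5
2024-05-02T08:07:43Z bob login host-web01 10.0.1.9
2024-05-03T08:02:30Z alice login host-web01 10.0.1.5
2024-05-03T09:12:00Z carol login host-web01 10.0.1.12
2024-05-04T03:41:17Z alice login host-dc01 203.0.113.7
2024-05-04T08:00:59Z alice login host-db01 10.0.1.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>\S+)\s+(?P<target>\S+)\s+(?P<src>\S+)$"
)


def parse_event(line):
    """Receive one raw event line; return its fields, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def mini_graph(ev):
    """Identify the entities and the relationships implied by the action, as a
    graph specific to this one event: nodes are entities, edges are relationships."""
    nodes = [
        {"id": ev["user"], "type": "user"},
        {"id": ev["target"], "type": "host"},
        {"id": ev["src"], "type": "ip"},
    ]
    edges = [
        {"src": ev["user"], "dst": ev["target"], "rel": ev["action"]},
        {"src": ev["src"], "dst": ev["user"], "rel": "session_from"},  # assumed relation name
    ]
    return {"nodes": nodes, "edges": edges}


def enrich(line):
    """Append the event's own relationship record to it: the 'updated event data'."""
    ev = parse_event(line)
    if ev is None:
        return None
    return {**ev, "relationship": mini_graph(ev)}


def build_composite(updated_events):
    """Combine every per-event mini-graph into one composite graph. An edge's
    weight is the number of events that produced that same relationship."""
    comp = {"nodes": {}, "edges": Counter()}
    for ue in updated_events:
        for n in ue["relationship"]["nodes"]:
            comp["nodes"][n["id"]] = n["type"]
        for e in ue["relationship"]["edges"]:
            comp["edges"][(e["src"], e["rel"], e["dst"])] += 1
    return comp


def edge_novelty(comp, edge, anchor):
    """Stand-in for the analytics model (an assumption, not the patent's method):
    1 - weight(edge) / total weight of same-relation edges touching `anchor`.
    0.0 means this is all the anchor entity ever does; near 1.0 means a rare
    relationship for an otherwise busy entity."""
    w = comp["edges"][(edge["src"], edge["rel"], edge["dst"])]
    total = sum(c for (s, r, d), c in comp["edges"].items()
                if r == edge["rel"] and anchor in (s, d))
    return 1.0 - w / total


def score_event(comp, ue):
    """Analytics over a portion of the composite graph: sum the novelty of the
    event's edges, anchored on its user entity."""
    return sum(edge_novelty(comp, e, ue["user"]) for e in ue["relationship"]["edges"])


def rank_anomalies(log_text):
    """Whole intake pipeline over a blob of log lines: enrich each event, build the
    composite graph, score every updated event, most anomalous first."""
    updated = [ue for ue in (enrich(l) for l in log_text.splitlines()) if ue]
    comp = build_composite(updated)
    scored = [(round(score_event(comp, ue), 4), ue) for ue in updated]
    scored.sort(key=lambda t: t[0], reverse=True)
    return scored


if __name__ == "__main__":
    for score, ue in rank_anomalies(SAMPLE_LOG):
        print(f"{score:.2f} {ue['ts']} {json.dumps(ue['relationship']['edges'])}")
```

On the constructed input the alice-to-host-dc01 login from 203.0.113.7 ranks first (both of its edges are singletons for an entity with four other logins), while bob's and carol's events score 0.0. That last point is the caveat a practitioner should carry over to any real deployment: an entity with no history (carol) looks perfectly consistent under a per-entity baseline, so first-seen accounts and hosts need a separate rule rather than a novelty score, and the composite graph should be built over a baseline window of past events rather than only over the batch being scored.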
Specification