System and user context in enterprise threat detection
First Claim
1. A computer-implemented method, comprising:
- executing, by a computer, a transfer of master data in a backend computing system, wherein the master data includes user data and system data, and wherein the transfer of master data comprises:
  - receiving, by a computer, user data associated with a particular user id in the backend computing system;
  - transferring, by a computer, the received user data to an event stream processor (ESP), wherein a user context associated with the particular user id is created or updated;
  - receiving, by a computer, system data associated with a particular log providing computing system in the backend computing system;
  - transferring, by a computer, the received system data to the ESP, wherein a system context associated with the particular log providing system is created or updated; and
  - executing, by a computer, a transfer of log data associated with logs of computing systems connected to the backend computing system;
- enriching one or more log entries of the transferred log data based on the user context and the system context; and
- rendering a semantic graphical user interface for interaction with the transferred log data, wherein the semantic graphical user interface is configured to render distributions of selectable semantic attribute type values with respect to events in the transferred log data and selected semantic filter values;
- wherein alert indications of malicious computing activities are identified in the semantic graphical user interface according to analysis with respect to one or more alert patterns defined using semantic events, and wherein one or more alerts are generated and transmitted based on the analysis.
Abstract
A transfer of master data is executed in a backend computing system. The master data includes user data and system data. The transfer of master data includes receiving user data associated with a particular user identifier in the backend computing system, transferring the received user data to an event stream processor, receiving system data associated with a particular log providing computing system in the backend computing system, transferring the received user data to the event stream processor, and executing a transfer of log data associated with logs of computing systems connected to the backend computing system.
51 Citations
20 Claims
8. A non-transitory, computer-readable medium storing computer-readable instructions, the instructions executable by a computer and configured to:
- execute a transfer of master data in a backend computing system, wherein the master data includes user data and system data, and wherein the transfer of master data comprises:
  - receive user data associated with a particular user id in the backend computing system;
  - transfer the received user data to an event stream processor (ESP), wherein a user context associated with the particular user id is created or updated;
  - receive system data associated with a particular log providing computing system in the backend computing system;
  - transfer the received system data to the ESP, wherein a system context associated with the particular log providing system is created or updated; and
  - execute a transfer of log data associated with logs of computing systems connected to the backend computing system;
- enrich one or more log entries of the transferred log data based on the user context and the system context; and
- render a semantic graphical user interface for interaction with the transferred log data, wherein the semantic graphical user interface is configured to render distributions of selectable semantic attribute type values with respect to events in the transferred log data and selected semantic filter values;
- wherein alert indications of malicious computing activities are identified in the semantic graphical user interface according to analysis with respect to one or more alert patterns defined using semantic events, and wherein one or more alerts are generated and transmitted based on the analysis.

Dependent claims: 9, 10, 11, 12, 13, 14.

15. A system, comprising:
- a memory;
- at least one hardware processor interoperably coupled with the memory and configured to:
  - execute a transfer of master data in a backend computing system, wherein the master data includes user data and system data, and wherein the transfer of master data comprises:
    - receive user data associated with a particular user id in the backend computing system;
    - transfer the received user data to an event stream processor (ESP), wherein a user context associated with the particular user id is created or updated;
    - receive system data associated with a particular log providing computing system in the backend computing system;
    - transfer the received system data to the ESP, wherein a system context associated with the particular log providing system is created or updated; and
    - execute a transfer of log data associated with logs of computing systems connected to the backend computing system;
  - enrich one or more log entries of the transferred log data based on the user context and the system context; and
  - render a semantic graphical user interface for interaction with the transferred log data, wherein the semantic graphical user interface is configured to render distributions of selectable semantic attribute type values with respect to events in the transferred log data and selected semantic filter values;
- wherein alert indications of malicious computing activities are identified in the semantic graphical user interface according to analysis with respect to one or more alert patterns defined using semantic events, and wherein one or more alerts are generated and transmitted based on the analysis.

Dependent claims: 16, 17, 18, 19, 20.
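As an added illustration of the pipeline that claims 1, 8 and 15 describe (this is example code written for this page, not code from the patent or its assignee), the following Python keeps a user context and a system context in a minimal event stream processor, enriches raw log entries from those contexts, computes a semantic-attribute distribution for a selected filter value, and evaluates one alert pattern over the enriched semantic events. The master data, log lines, field names and the alert pattern are all constructed assumptions.

```python
from collections import Counter

# Constructed master data and log entries; field names are assumptions, not the patent's.
USER_MASTER = {"u100": {"role": "developer", "status": "active"},
               "u200": {"role": "basis_admin", "status": "locked"}}
SYSTEM_MASTER = {"PRD": {"type": "ERP", "criticality": "production"},
                 "DEV": {"type": "ERP", "criticality": "development"}}
LOG_DATA = [  # raw entries as shipped by the log-providing systems (u999 has no master data)
    {"system_id": "PRD", "user_id": "u200", "event": "logon", "outcome": "success"},
    {"system_id": "DEV", "user_id": "u100", "event": "logon", "outcome": "success"},
    {"system_id": "PRD", "user_id": "u100", "event": "config_change", "outcome": "success"},
    {"system_id": "PRD", "user_id": "u999", "event": "logon", "outcome": "failure"},
]

class EventStreamProcessor:
    def __init__(self):
        self.user_ctx, self.system_ctx = {}, {}
    def transfer_user_data(self, user_id, data):      # create or update the user context
        self.user_ctx.setdefault(user_id, {}).update(data)
    def transfer_system_data(self, system_id, data):  # create or update the system context
        self.system_ctx.setdefault(system_id, {}).update(data)
    def enrich(self, entry):
        # Attach semantic attributes from both contexts; ids without master data get "unknown"
        u = self.user_ctx.get(entry["user_id"], {})
        s = self.system_ctx.get(entry["system_id"], {})
        return {**entry,
                "user_role": u.get("role", "unknown"),
                "user_status": u.get("status", "unknown"),
                "system_criticality": s.get("criticality", "unknown")}

def distribution(events, attribute, **filters):
    # Counts of one semantic attribute over the events matching the selected filter values
    sel = [e for e in events if all(e.get(k) == v for k, v in filters.items())]
    return Counter(e[attribute] for e in sel)

def alert_locked_user_on_production(events):
    # Alert pattern on semantic events: successful logon to a production system by a locked user
    return [e for e in events if e["event"] == "logon" and e["outcome"] == "success"
            and e["system_criticality"] == "production" and e["user_status"] == "locked"]

def run_pipeline():
    # Master-data transfer first, then log-data transfer with enrichment and pattern evaluation
    esp = EventStreamProcessor()
    for uid, data in USER_MASTER.items():
        esp.transfer_user_data(uid, data)
    for sid, data in SYSTEM_MASTER.items():
        esp.transfer_system_data(sid, data)
    events = [esp.enrich(e) for e in LOG_DATA]
    return events, alert_locked_user_on_production(events)
```

Note that enrichment is only as good as the master data: the entry for u999 carries "unknown" attributes, which a real deployment should surface as its own distribution bucket rather than silently drop.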