Chain of events representing an issue based on an enriched representation
Abstract
In some examples, a system constructs, based on event data representing a plurality of events in a system, a representation of the plurality of events, the representation including information relating the events, and computes issue indications corresponding to potential issues in the system. The system adds information based on the issue indications to the representation to form an enriched representation, and searches the enriched representation to find a chain of events representing an issue in the system.
18 Claims

1. A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to:
electronically collect event data, wherein the collected event data is in a form of at least one of electronic network event data, electronic host event data, and electronic application event data from at least one of a plurality of entities in a computing environment;
construct, based on the collected event data representing a plurality of events in the computing environment, a representation of the plurality of events, the representation including links relating the plurality of events, wherein the representation includes a graphical representation of the plurality of events and the links include temporal links including sequential directional edges relating the plurality of events;
compute issue indications corresponding to potential issues in the computing environment;
add information based on the issue indications to the representation to form an enriched representation;
search the enriched representation to find a chain of events representing an issue in the computing environment, wherein each event of the plurality of events represents an activity of the at least one of the plurality of entities; and
electronically perform a countermeasure to resolve the issue represented by the chain of events in the computer environment, and wherein the issue indications comprise threat scores derived based on anomaly scores based on features of the collected event data, each threat score of the threat scores representing a likelihood of a threat in the computing environment.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A system, comprising:
a processor; and
a non-transitory storage medium comprising instructions executable on the processor to:
electronically collect event data, wherein the collected event data is in a form of at least one of electronic network event data, electronic host event data, and electronic application event data from at least one of a plurality of entities in a computing environment;
construct, based on the collected event data representing a plurality of events in the computing environment, a representation of the plurality of events, the representation including links relating the plurality of events, wherein the representation includes a graphical representation of the plurality of events and the links include temporal links including sequential directional edges relating the plurality of events;
compute scores corresponding to potential issues in the computing environment;
add information based on the scores to the representation to form an enriched representation;
search the enriched representation to find a chain of events representing an issue in the computing environment, wherein each event of the plurality of events represents an activity of the at least one of the plurality of entities; and
electronically perform a countermeasure to resolve the issue represented by the chain of events in the computer environment,
wherein the search of the enriched representation to find the chain of events representing the issue comprises:
identify a node, in the enriched representation, that represents an event associated with a score that exceeds a threshold; and
identify a path from the identified node to other nodes in the enriched representation, the other nodes in the enriched representation representing events having a specified relationship with the event represented by the identified node, wherein the chain of events includes the events represented by the nodes connected by the identified path.
Dependent claims: 12, 13, 14, 15

16. A method performed by a system comprising a hardware processor, comprising:
electronically collecting event data, wherein the collected event data is in a form of at least one of electronic network event data, electronic host event data, and electronic application event data from at least one of a plurality of entities in a computing environment;
constructing, based on the collected event data representing a plurality of events in the computing environment, a graph including nodes representing events of the plurality of events and temporal links including sequential directional edges relating the plurality of events;
computing issue indications corresponding to potential issues in the computing environment;
adding information based on the issue indications to the graph to form an enriched graph;
searching the enriched graph to find a chain of events representing an issue in the computing environment; and
electronically performing a countermeasure to resolve the issue represented by the chain of events in the computing environment,
wherein each event of the plurality of events represents an activity of the at least one of the plurality of entities,
wherein the searching of the enriched graph to find the chain of events representing the issue comprises:
identify a node, in the enriched graph, that represents an event associated with a score that exceeds a threshold; and
identify a path from the identified node to other nodes in the enriched graph, the other nodes representing events having a specified relationship with the event represented by the identified node, wherein the chain of events includes the events represented by the nodes connected by the identified path.
Dependent claims: 17, 18
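The abstract and claims 1, 11 and 16 describe one pipeline: collect network, host and application events, link them with sequential directional edges, derive anomaly scores from event features and map them to threat scores, write those scores into the graph, seed a search on any node whose score exceeds a threshold, follow the path to related nodes to assemble the chain of events, and act on the chain. The Python below is an added example of that pipeline, not the patent's own code or any assignee's implementation. Everything it fixes is an assumption: the sample events, the two features, the median/MAD anomaly scoring, the `a / (1 + a)` threat mapping, the time-window reading of "specified relationship", and the isolate countermeasure.

```python
"""Added example, not the patent's own code: a small model of the claimed
pipeline. Events are linked by sequential edges per entity, scored for anomaly
from their features, mapped to threat scores, the graph is enriched with those
scores, searched for chains around any node above a threshold, and each chain
is handed to a countermeasure. Events, features, scoring, window and the
countermeasure are all constructed assumptions for illustration."""
from collections import defaultdict
from statistics import median

# Constructed sample events: host-a shows a burst of failed logins followed by a
# large outbound transfer; host-b shows only routine activity.
EVENTS = [
    {"id": "e1", "ts": 90, "entity": "host-a", "source": "host", "bytes_out": 980, "failed_logins": 0},
    {"id": "e2", "ts": 105, "entity": "host-a", "source": "host", "bytes_out": 1010, "failed_logins": 12},
    {"id": "e3", "ts": 108, "entity": "host-a", "source": "application", "bytes_out": 1000, "failed_logins": 0},
    {"id": "e4", "ts": 112, "entity": "host-a", "source": "network", "bytes_out": 48000, "failed_logins": 0},
    {"id": "e5", "ts": 200, "entity": "host-a", "source": "host", "bytes_out": 1030, "failed_logins": 1},
    {"id": "e6", "ts": 101, "entity": "host-b", "source": "network", "bytes_out": 990, "failed_logins": 0},
    {"id": "e7", "ts": 130, "entity": "host-b", "source": "host", "bytes_out": 1050, "failed_logins": 0},
    {"id": "e8", "ts": 140, "entity": "host-b", "source": "application", "bytes_out": 970, "failed_logins": 1},
]
FEATURES = ("bytes_out", "failed_logins")


def build_graph(events):
    """Nodes keyed by event id; a directed edge from each event to the next event
    of the same entity in time order (the claims' sequential directional edges)."""
    nodes = {e["id"]: dict(e) for e in events}
    succ, pred, by_entity = {}, {}, defaultdict(list)
    for e in events:
        by_entity[e["entity"]].append(e["id"])
    for ids in by_entity.values():
        ids.sort(key=lambda i: nodes[i]["ts"])
        for a, b in zip(ids, ids[1:]):
            succ[a], pred[b] = b, a
    return {"nodes": nodes, "succ": succ, "pred": pred}


def anomaly_scores(events, features=FEATURES):
    """Assumed scoring: robust z-score per feature against the whole population
    (median / MAD); an event's anomaly score is its largest per-feature deviation."""
    scores = {}
    for f in features:
        vals = [e[f] for e in events]
        med = median(vals)
        mad = median(abs(v - med) for v in vals)
        scale = mad if mad > 0 else 1.0  # near-constant feature: count any deviation at unit scale
        for e in events:
            scores[e["id"]] = max(scores.get(e["id"], 0.0), abs(e[f] - med) / scale)
    return scores


def threat_score(anomaly):
    """Assumed mapping of an unbounded anomaly score onto (0, 1) as a likelihood."""
    return anomaly / (1.0 + anomaly)


def enrich(graph, events):
    """Attach anomaly and threat scores to every node (the enriched representation)."""
    for eid, a in anomaly_scores(events).items():
        graph["nodes"][eid].update(anomaly=a, threat=threat_score(a))
    return graph


def find_chains(graph, threshold=0.9, window=10):
    """Seed on nodes whose threat score exceeds the threshold, then walk the
    sequential edges backward and forward while the neighbour lies within `window`
    time units of the seed (assumed 'specified relationship'). Chains sharing a
    node are merged, so one incident yields one chain."""
    nodes, succ, pred = graph["nodes"], graph["succ"], graph["pred"]
    chains = []
    for seed, n in nodes.items():
        if n["threat"] <= threshold:
            continue
        chain = [seed]
        for links, grow in ((pred, lambda c, x: c.insert(0, x)), (succ, list.append)):
            cur = seed
            while cur in links and abs(nodes[links[cur]]["ts"] - n["ts"]) <= window:
                cur = links[cur]
                grow(chain, cur)
        chains.append(chain)
    merged = []
    for chain in chains:
        for m in merged:
            if set(m) & set(chain):
                m[:] = sorted(set(m) | set(chain), key=lambda i: nodes[i]["ts"])
                break
        else:
            merged.append(chain)
    return merged


def countermeasure(graph, chain):
    """Constructed response: isolate the affected entity and record which event
    sources fed the chain. A real deployment would call its EDR or NAC API here."""
    entity = graph["nodes"][chain[0]]["entity"]
    sources = sorted({graph["nodes"][i]["source"] for i in chain})
    return {"action": "isolate", "entity": entity, "events": list(chain), "sources": sources}


def run(events=EVENTS):
    graph = enrich(build_graph(events), events)
    return [countermeasure(graph, c) for c in find_chains(graph)]


if __name__ == "__main__":
    for response in run():
        print(response)
```

On the sample data both the failed-login burst (e2) and the large transfer (e4) clear the 0.9 threshold on their own, but the search returns a single chain e2, e3, e4 because the two seeds' walks overlap and are merged; e1 and e5 fall outside the 10-unit window and host-b never exceeds the threshold. The MAD floor matters in practice: a feature that is zero for almost every event has a MAD of zero, and without the floor every non-zero value would divide by zero rather than score as anomalous.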