Various embodiments of the present application set forth a computer-implemented method that includes receiving, by a trusted tunnel bridge and from a first application executing in a first network, a first encrypted data packet, where the first encrypted data packet includes an encrypted portion of data, and a destination device identifier (DDI). The method further includes determining, by the trusted tunnel bridge, a particular device in a second network and associated with the DDI included in the first encrypted data packet. The method further includes sending, by the trusted tunnel bridge directly to the particular device, the first encrypted data packet.
G06F 16/27 - Réplication, distribution ou synchronisation de données entre bases de données ou dans un système de bases de données distribuéesArchitectures de systèmes de bases de données distribuées à cet effet
G06F 16/951 - IndexationTechniques d’exploration du Web
H04L 9/30 - Clé publique, c.-à-d. l'algorithme de chiffrement étant impossible à inverser par ordinateur et les clés de chiffrement des utilisateurs n'exigeant pas le secret
A client device executes a display layout application that receives a size of each display item included in a set of display items. The set of display items is associated with a first frame included in a bounding box associated with a display screen. The display layout application determines a reference size based on the sizes of the set of display items. The display layout application determines a size of the first frame based on the reference size. The display layout application determines a position for a first display item included in the set of display items based on a position of the first frame within the bounding box. The display layout application generates a layout for display on the display screen, where the layout includes the first display item.
G06F 40/154 - Transformation en arborescence pour documents en configuration arborescente ou balisés, p. ex. langages XSLT, XSL-FO ou feuilles de style
G06F 9/451 - Dispositions d’exécution pour interfaces utilisateur
G06F 40/103 - Mise en forme, c.-à-d. modification de l’apparence des documents
G06F 40/106 - Affichage de la mise en page des documentsPrévisualisation
G06T 3/20 - Translation linéaire d’images complètes ou de parties d’image, p. ex. panoramique
G06T 3/40 - Changement d'échelle d’images complètes ou de parties d’image, p. ex. agrandissement ou rétrécissement
G06T 11/60 - Édition de figures et de texteCombinaison de figures ou de texte
Various implementations of the present application set forth a method comprising generating, based on first sensor data captured by a depth sensor on a mobile device, three-dimensional data representing a physical space that includes a real-world asset, generating, based on second sensor data captured by an image sensor on the mobile device, two-dimensional data representing the physical space, combining, based on a correlation the three-dimensional data and the two-dimensional data, the two-dimensional data and the three-dimensional data into an extended reality (XR) stream, where the XR stream includes a digital representation of the real-world asset, and transmitting, to a remote device, the XR stream for rendering at least a portion of the digital representation of the real-world asset in a remote XR environment.
G06T 19/00 - Transformation de modèles ou d'images tridimensionnels [3D] pour infographie
G06T 7/521 - Récupération de la profondeur ou de la forme à partir de la télémétrie laser, p. ex. par interférométrieRécupération de la profondeur ou de la forme à partir de la projection de lumière structurée
A system generates a user interface that enables a user to interact with an interactive chart associated with a statement of a data processing package. Via one or more user interactions with the user interface, the system may receive one or more chart parameters for the chart. Using a statement from the data processing package and the one or more chart parameters, the system may generate an additional statement and append the generated statement to the data processing package to form an enriched data processing package. The system may communicate the enriched data processing package to a search service for execution. The system may display the results in the chart.
G06F 3/04845 - Techniques d’interaction fondées sur les interfaces utilisateur graphiques [GUI] pour la commande de fonctions ou d’opérations spécifiques, p. ex. sélection ou transformation d’un objet, d’une image ou d’un élément de texte affiché, détermination d’une valeur de paramètre ou sélection d’une plage de valeurs pour la transformation d’images, p. ex. glissement, rotation, agrandissement ou changement de couleur
Systems and methods are described for processing ingested data, detecting anomalies in the ingested data, and providing explanations of a possible cause of the detected anomalies as the data is being ingested. For example, a token or field in the ingested data may have an anomalous value. Tokens or fields from another portion of the ingested data can be extracted and analyzed to determine whether there is any correlation between the values of the extracted tokens or fields and the anomalous token or field having an anomalous value. If a correlation is detected, this information can be surfaced to a user.
G06F 17/18 - Opérations mathématiques complexes pour l'évaluation de données statistiques
G06F 18/21 - Conception ou mise en place de systèmes ou de techniquesExtraction de caractéristiques dans l'espace des caractéristiquesSéparation aveugle de sources
G06F 18/214 - Génération de motifs d'entraînementProcédés de Bootstrapping, p. ex. ”bagging” ou ”boosting”
A multitenant deployment includes a computing cluster that executes multiple containerized instances of a software application. Each containerized instance is associated with one or more datastores that can be assigned to different tenants. A registry store maintains a mapping between tenants and datastores, thereby allowing a registry manager to properly route tenant requests to the correct datastores. A capacity manager tracks tenant usage of datastores in the registry store and then scales computing resources for each tenant in proportion to usage. The capacity manager also migrates tenant resources in response to catastrophic failures or upgrades. In this fashion, the multitenant deployment can adapt a single-tenant software application for multi-tenancy in a manner that is both transparent and secure for the tenant.
G06F 15/173 - Communication entre processeurs utilisant un réseau d'interconnexion, p. ex. matriciel, de réarrangement, pyramidal, en étoile ou ramifié
G06F 9/46 - Dispositions pour la multiprogrammation
G06F 16/21 - Conception, administration ou maintenance des bases de données
G06F 16/22 - IndexationStructures de données à cet effetStructures de stockage
G06F 9/455 - ÉmulationInterprétationSimulation de logiciel, p. ex. virtualisation ou émulation des moteurs d’exécution d’applications ou de systèmes d’exploitation
A system generates a user interface that enables a user to generate a chart from one or more statements of a data processing package. Via one or more user interactions with the user interface, the system may receive one or more chart parameters for a chart. Using a statement from the data processing package and the one or more chart parameters, the system may generate an additional statement and append the generated statement to the data processing package to form an enriched data processing package. The system may communicate the enriched data processing package to a search service for execution. The system may display the results in an interactive chart.
G06F 16/248 - Présentation des résultats de requêtes
G06F 3/0481 - Techniques d’interaction fondées sur les interfaces utilisateur graphiques [GUI] fondées sur des propriétés spécifiques de l’objet d’interaction affiché ou sur un environnement basé sur les métaphores, p. ex. interaction avec des éléments du bureau telles les fenêtres ou les icônes, ou avec l’aide d’un curseur changeant de comportement ou d’aspect
G06F 3/04842 - Sélection des objets affichés ou des éléments de texte affichés
G06F 3/04847 - Techniques d’interaction pour la commande des valeurs des paramètres, p. ex. interaction avec des règles ou des cadrans
8.
VISUALIZATIONS OF QUERY RESULTS USING GENERATED FILES
Systems and methods are disclosed for generating one or more files to visualize query results. The systems and methods can include parsing one or more files that include one or more queries and computer-executable instructions for displaying results of the one or more queries. The one or more queries can identify a set of data to be processed and a manner of processing the set of data. The systems and methods can further include generating one or more files that include the results of the queries and computer-executable instructions for displaying one or more visualizations of the results.
G06F 16/27 - Réplication, distribution ou synchronisation de données entre bases de données ou dans un système de bases de données distribuéesArchitectures de systèmes de bases de données distribuées à cet effet
9.
Generating span related metric data streams by an analytic engine
A method of generating metrics data associated with a microservices-based application comprises ingesting a plurality of spans and mapping an ingested span of the plurality of spans to a span identity, wherein the span identity comprises a tuple of information identifying a type of span associated with the span identity, wherein the tuple of information comprises user-configured dimensions. The method further comprises grouping the ingested span by the span identity, wherein the ingested span is grouped with other spans from the plurality of spans comprising a same span identity. The method also comprises computing metrics associated with the span identity and using the metrics to generate a stream of metric data associated with the span identity.
Techniques are described for enabling a cloud-based IT and security operations application to execute playbooks containing custom code in a manner that mitigates types of risk related to the misuse of cloud-based resources and security of user data. Users use a client application to create and modify playbooks and, upon receiving input to save a playbook, the client application determines whether the playbook includes custom code. If the client application determines that the playbook includes custom code, the client application establishes a connection with a proxy application (also referred to as an “automation broker”) running in the user's own on-premises network and sends a representation of the playbook to the proxy application. The client application further sends to the IT and security operations application an identifier of the playbook and an indication that the playbook (or the custom code portions of the playbook) is stored within the user's on-premises network.
H04L 41/5054 - Déploiement automatique des services déclenchés par le gestionnaire de service, p. ex. la mise en œuvre du service par configuration automatique des composants réseau
H04L 41/0681 - Configuration des conditions de déclenchement
H04L 41/08 - Gestion de la configuration des réseaux ou des éléments de réseau
H04L 41/0816 - Réglages de configuration caractérisés par les conditions déclenchant un changement de paramètres la condition étant une adaptation, p. ex. en réponse aux événements dans le réseau
H04L 41/0894 - Gestion de la configuration du réseau basée sur des règles
H04L 41/22 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p. ex. des réseaux de commutation de paquets comprenant des interfaces utilisateur graphiques spécialement adaptées [GUI]
G06F 3/0482 - Interaction avec des listes d’éléments sélectionnables, p. ex. des menus
A computerized method is disclosed for automated handling of data ingestion anomalies. The method features operations of detecting a data ingestion anomaly and determining a cause for the data ingestion anomaly. The causal determination may be conducted by at least (i) determining features of an anomalous data ingestion volume, (ii) training a second data model, after a first data model being used to detect the data ingestion anomaly, with data sets consistent with the determined features, (iii) applying the second data model to predict whether a data ingestion sub-volume is anomalous, (iv) obtaining system state information during ingestion of the anomalous data ingestion sub-volume, and (v) determining the cause of the anomalous data ingestion volume based on the system state information.
Techniques promote monitoring of hypervisor systems by presenting dynamic representations of hypervisor architectures that include performance indicators. A reviewer can interact with the representation to progressively view select lower-level performance indicators. Higher level performance indicators can be determined based on lower level state assessments. A reviewer can also view historical performance metrics and indicators, which can aid in understanding which configuration changes or system usages may have led to sub-optimal performance.
G06F 9/455 - ÉmulationInterprétationSimulation de logiciel, p. ex. virtualisation ou émulation des moteurs d’exécution d’applications ou de systèmes d’exploitation
G06F 3/0482 - Interaction avec des listes d’éléments sélectionnables, p. ex. des menus
G06F 11/32 - Surveillance du fonctionnement avec indication visuelle du fonctionnement de la machine
G06T 11/20 - Traçage à partir d'éléments de base, p. ex. de lignes ou de cercles
13.
Anomaly Detection Through Clustering of Time-Series Data Subsequences and Determination of Adaptive Thresholding
Computerized methodologies are disclosed that are directed to detecting anomalies within a time-series data set. An aspect of the anomaly detection process includes determining one or more seasonality patterns that correspond to a specific time-series data set by evaluating a set of candidate seasonality patterns (e.g., hourly, daily, weekly, day-start off-sets, etc.). The evaluation of a candidate seasonality pattern may include dividing the time-series data set into a collection of subsequences based on the particular candidate seasonality pattern. Further, the collection of subsequences may be divided into clusters and a silhouette score may be computed to measure the clustering quality of the candidate seasonality pattern. In some instances, the candidate seasonality pattern having the highest silhouette score is selected and utilized in anomaly detection process. In other instances, a plurality of seasonality patterns may be combined forming a time policy, where the time policy is utilized in anomaly detection process.
Implementations of this disclosure provide a machine learning model training system that receives user input being a natural language description of a search query, and packages and transmits the natural language description as a prompt to a plurality of large learning models (LLMs). The model training system also receives response from the plurality of LLMs being translations of the natural language descriptions to an executable search query and displays the translations to a user via a graphical user interface. The model training system receives user feedback via the graphical user interface that corresponds to indications as to whether each translation is correct, syntactically and/or semantically, and, in some examples, an indication of which response was preferred. The model training system also generates training data from the user input, translations generated by the plurality of LLMs, and user feedback, and subsequently, initiates training of a LLM using the training data.
A query coordinator can receive a query and identify a first portion of the query to be processed by a first data processing system and a second portion of the query to be processed by a second data processing system. The query coordinator can obtain a modified query based on identifying the first portion and the second portion of the query. The query coordinator can define a query processing scheme according to the modified query and provide the query processing scheme to the second data processing system. Based on providing the query processing scheme, the query coordinator can obtain an output of the second data processing system. The query coordinator can identify a second query based on the output and provide the second query to a component of the first data processing system.
Computerized methodologies are disclosed that are directed to detecting anomalies within a time-series data set. A first aspect of the anomaly detection process includes analyzing the regularity of the data points of the time-series data set and determining whether a data aggregation process is to be performed based on the regularity of the data points, which results in a time-series data set having data points occurring at regular intervals. A seasonality pattern may be determined for the time-series data set, where a silhouette score is computed to measure the quality of the fit of the seasonality pattern to the time-series data. The silhouette score may be compared to a threshold and based on the comparison, the seasonality pattern or a set of heuristics may be utilized in an anomaly detection process. When the seasonality pattern is utilized, the seasonality pattern may be utilized to generate thresholds indicating anomalous behavior.
A data intake and query system can manage the search of data stored at an external location relative to the data intake and query system using one or more indexers. The data intake and query system can receive data stored at the external location. The data intake and query system can process the data and generate an index using the one or more indexers. The data intake and query system can discard the data and store the index and a location identifier of the external location in one or more buckets. In response to a query, the data intake and query system can identify that at least a subset of the data is responsive to the query using the index and can obtain the at least the subset of the data from the external location using the location identifier.
Computerized methodologies are disclosed that are directed to detecting anomalies within a time-series data set. An aspect of the anomaly detection process includes determining one or more seasonality patterns that correspond to a specific time-series data set by evaluating a set of candidate seasonality patterns (e.g., hourly, daily, weekly, day-start off-sets, etc.). The evaluation of a candidate seasonality pattern may include dividing the time-series data set into a collection of subsequences based on the particular candidate seasonality pattern. Further, the collection of subsequences may be divided into clusters and a silhouette score may be computed to measure the clustering quality of the candidate seasonality pattern. In some instances, the candidate seasonality pattern having the highest silhouette score is selected and utilized in anomaly detection process. In other instances, a plurality of seasonality patterns may be combined forming a time policy, where the time policy is utilized in anomaly detection process.
Techniques, which may be embodied herein as systems, computing devices, methods, algorithms, software, code, computer readable media, or the like, are described herein for comparing a set of metrics generated during a simulated user interaction with a website to metrics generated by observing real user interactions with the website. Simulated user interactions with a website can be used to diagnose a website's performance issues, but it can be difficult to determine whether the simulated interactions reflect the experience of real users. In addition, the simulated user interactions can be challenging to contextualize because the number of observed real user interactions may significantly outnumber the simulated interactions. A graphical user interface can help with the interpretation of these website interactions by using the real user interactions to properly contextualize the simulated results.
Implementations of this disclosure provide a machine learning model training system that receives user input being a natural language description of a search query, and packages and transmits the natural language description as a prompt to a plurality of large learning models (LLMs). The model training system also receives response from the plurality of LLMs being translations of the natural language descriptions to an executable search query and displays the translations to a user via a graphical user interface. The model training system receives user feedback via the graphical user interface that corresponds to indications as to whether each translation is correct, syntactically and/or semantically, and, in some examples, an indication of which response was preferred. The model training system also generates training data from the user input, translations generated by the plurality of LLMs, and user feedback, and subsequently, initiates training of a LLM using the training data.
A computer-implemented method of configuring an anomalous behavior detector includes updating a distribution used for modeling anomalous behavior in telemetry data with information associated with observed anomalous behavior to generate an updated distribution representative of the observed anomalous behavior where, prior to the updating, the distribution is representative of theoretical anomalous behavior. The method further includes computing a threshold for a detector operable to alert on anomalous activity using the updated distribution. The method also comprises computing a divergence between the live telemetry data monitored by the detector and the anomalous behavior modeled by the updated distribution. Responsive to a determination that the divergence is above a critical threshold, the method comprises enabling the detector to continue to monitor the live telemetry data in the application.
A computerized method is disclosed that includes operations of obtaining network traffic data between a source device and a destination device, applying a set of one or more security rules to a plurality of metrics of the network traffic data to obtain a subset of network traffic metrics, applying a first trained machine learning model to the subset of network traffic metrics to generate a feature vector through feature extraction of the subset of network traffic metrics, and evaluate the feature vector for a presence of beaconing and classify the subset of network traffic metrics, and responsive to the classifying of the subset of network traffic metrics, generating a flag for a system administrator. The plurality of metrics include at least one or more of packet size, packet transmission rate, or a ratio of (i) packet size for inbound packets and (ii) packet size for outbound packets.
H04L 41/16 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p. ex. des réseaux de commutation de paquets en utilisant l'apprentissage automatique ou l'intelligence artificielle
H04L 41/22 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p. ex. des réseaux de commutation de paquets comprenant des interfaces utilisateur graphiques spécialement adaptées [GUI]
23.
Appending time ranges to distinct statements of a data processing package
A system generates a user interface that enables a user to modify time ranges associated with search-related statements of a data processing package. Via one or more user interactions with the user interface, the system may receive a modified time range for the statement. The modified time range may be appended to the data processing package to form an enriched data processing package. The system may communicate the enriched data processing package to a search service for execution. The system may display the results in the user interface.
Described herein are techniques for integrating external sensors to an edge device, such as for ingesting data into a data intake and query system. The edge device has an internal message broker for communicating with internal (e.g., preconfigured, recognized) sensors, and an external message broker for communicating with external (e.g., customer-configured, otherwise unrecognized) sensors. The external message broker provides access to customer configuration of external sensors, but is logically quarantined from the internal message broker to prevent unwanted customer access to internal configurations. The internal and external message brokers interface only via a bridging service that transforms external sensor data into data based on customer-configurable transformations. The transformed data can be handled by the edge device and/or downstream components (e.g., a data intake and query system) in the same manner as internal sensor data.
H04L 67/12 - Protocoles spécialement adaptés aux environnements propriétaires ou de mise en réseau pour un usage spécial, p. ex. les réseaux médicaux, les réseaux de capteurs, les réseaux dans les véhicules ou les réseaux de mesure à distance
H04L 67/63 - Ordonnancement ou organisation du service des demandes d'application, p. ex. demandes de transmission de données d'application en utilisant l'analyse et l'optimisation des ressources réseau requises en acheminant une demande de service en fonction du contenu ou du contexte de la demande
25.
Machine-learning based prioritization of alert groupings
Systems and methods are disclosed that are directed to improving the prioritization, display, and viewing of system alerts through the use of machine learning techniques to group the alerts and further to prioritize the groupings. Additionally, a graphical user interface is generated that illustrates the prioritized listing of the plurality of groupings. Thus, a system administrator or other user receives an improved experience as the number of notifications provided to the system administrator are reduced due to the grouping of individual alerts into related groupings and further due to the prioritization of the groupings. Previously, or in current technology, system alerts may be automatically generated and provided immediately to a system administrator. In some instances, any advantage of detecting system errors or system monitoring provided by the alerts is negated by the vast number of alerts and provision of minimally important alerts in a manner that concealed more important alerts.
G06F 11/07 - Réaction à l'apparition d'un défaut, p. ex. tolérance de certains défauts
G06F 18/21 - Conception ou mise en place de systèmes ou de techniquesExtraction de caractéristiques dans l'espace des caractéristiquesSéparation aveugle de sources
G06F 18/214 - Génération de motifs d'entraînementProcédés de Bootstrapping, p. ex. ”bagging” ou ”boosting”
26.
Framework for managing dynamic configurations of data intake and query systems deployed in remote computing environments
Implementations of this disclosure provide for automated monitoring of configuration parameters of a primary data intake and query system instance operating within a distributed deployment environment. Further implementations provide for automatically generating instructions in response to a detected change in a configuration parameter of the primary data intake and query system instance and transmitting those instructions to one or more secondary data intake and query system instances. The instructions, upon execution by one or more processors, cause the configuration parameters of the one or more secondary data intake and query system instances to be updated in accordance with the detected change in the configuration parameter of the primary data intake and query system instance.
A computerized method is disclosed for grouping alerts through machine learning while implementing certain time constraints. The method includes receiving an alert to be assigned to any of a plurality of existing issues or to a newly created issue, the alert including a temporal field that includes a timestamp of an arrival time of the alert, wherein an issue is a grouping of one or more alerts, determining a subset of existing issues from the plurality of existing issues that each satisfy time constraints, wherein the time constraints correspond to (i) a time elapsed between a most recent alert of a first existing issue and a timestamp of the alert, or (ii) a maximum issue time length of the first existing issue, and deploying a trained machine learning model to assign the alert to either an existing issue of the subset of existing issues or a newly created issue.
A search assistant engine is described that integrates with a data intake and query system and provides an intuitive user interface to assist a user in searching and evaluating indexed event data. Additionally, the search assistant engine provides logic to intelligently provide data to the user through the user interface such as determining fields of events likely to be of interest based on determining a mutual information score for each field and determining groups of related fields based on determining a mutual information score for each field grouping. Some implementations utilize machine learning techniques in certain analyses such as when clustering events and determining an event templates for each cluster. Additionally, the search assistant engine may import terms or characters from user interaction into predetermined search query templates to generate tailored search query for the user.
A system is described that receives a query model of a query that includes one or more query commands. The query model includes a command model that corresponds to at least query command of the one or more query commands. The system uses the command model to generate an interactive action model summary and causes a user interface to display the query and the interactive action model summary in a query actions panel. A modification to the query in the user interface causes an update to the query actions panel and a modification to the action model summary causes an update to the at least one query command of the query.
Metric time series (MTS) data objects stored within in-memory storage are marked as inactive in response to determining that no MTS data has been received for the MTS objects within a first predetermined time period. In response to determining that an MTS object has been inactive for longer than a second predetermined time period, the MTS data object is migrated from in-memory storage to on-disk storage. Queries directed to MTS objects are first run against MTS object data stored within in-memory storage, and then against MTS object data stored within on-disk storage. In this way, an amount of in-memory storage needed to store MTS objects may be minimized, while optimizing search performance.
A system generates a user interface that enables a user to generate a data summarization statement for a data processing package. Via one or more user interactions with the user interface, the system may receive one or more parameters for the summarization statement. Using the parameters, the system may generate a summarization statement for execution by a data service, an action model display object, a statement action model display object, and/or a filter token object for display in the user interface.
G06F 3/048 - Techniques d’interaction fondées sur les interfaces utilisateur graphiques [GUI]
G06F 3/0481 - Techniques d’interaction fondées sur les interfaces utilisateur graphiques [GUI] fondées sur des propriétés spécifiques de l’objet d’interaction affiché ou sur un environnement basé sur les métaphores, p. ex. interaction avec des éléments du bureau telles les fenêtres ou les icônes, ou avec l’aide d’un curseur changeant de comportement ou d’aspect
G06F 16/248 - Présentation des résultats de requêtes
G06F 40/284 - Analyse lexicale, p. ex. segmentation en unités ou cooccurrence
33.
Metric processing for streaming machine learning applications
An interface and improved data intake and query system is described herein that allows users to define metrics and that aggregates metric values regardless of the level at which a metric is defined and/or the level at which metric values are available. The improved data intake and query system can initialize a sketch in response to a user providing one or more metric definitions. The initialized sketch includes one or more instances, where each instance produces an output and collects metric value(s), appends the metric value(s) to the output, and forwards the appended data to a process function downstream in a data processing pipeline. The process function separates the output and the metric value(s), sending the output further downstream in the data processing pipeline and sending the metric value(s) to a parallel process function that sits outside the data processing pipeline. The parallel process function can persist the metric value(s).
Implementations of this disclosure provide an anomaly detection system and methods of performing anomaly detection on a time-series dataset. The anomaly detection may include utilization of a forecasting machine learning algorithm to obtain a prediction of points of the dataset and comparing the predicted value of a point in the dataset with the actual value to determine an error value associated with that point. Additionally, the anomaly detection may include determination of a sensitivity threshold that impacts whether points within the dataset associated with certain error values are flagged as anomalies. The forecasting machine learning algorithm may implement a seasonality component determination process that accounts for seasonality or patterns in the dataset. A search query statement may be automatically generated through importing the sensitivity threshold into a predetermined search query statement that implements that forecasting machine learning algorithm.
A method of computing real-time metrics for automated workflows includes aggregating a set of ingested spans into a set of traces. The method further includes executing a set of rules to determine a set of workflows associated with the set of traces, wherein each workflow of the set of workflows is associated with a respective trace of the set of traces, and wherein each workflow is operable to group together activity associated with a client process within a respective trace. The method also includes assigning a name to each workflow based on the rules and computing real-time metrics for each of the workflows.
Techniques are described for enabling an application to automatically generate text narratives explaining risk scores assigned to risk objects. The application uses natural language generation (NLG) techniques to enable the automatic create text narratives providing context and explanation for risk scores. The described approaches use data from a variety of data sources (e.g., risk event indexes, correlation search data, attack framework data, etc.) to create compelling and useful explanations of the risk analysis associated with identified risk objects. These automatically generated text narratives can be readily presented in any number of different interfaces without the need for complex visualizations or user effort to derive the same information. The automatically created text narratives enable users to better understand the risk analysis for particular risk objects, obtain storylines detailing risk objects' activity patterns over time, and to better analyze, triage, and mitigate IT environment risks based on such information.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
A method for performing disaster recovery in a clustered environment comprises identifying, at a master device, a first indexer from a set of indexers to serve as a primary indexer for responding to queries pertaining to a subset of data. The method also comprises assigning, at the master device, a generation identifier indicating that the first indexer is the primary indexer for the subset of data. Responsive to an event prompting a change in a primary indexer designation for the subset of data, the method comprises identifying, at the master device, a second indexer from the set of indexers to serve as the primary indexer for responding to queries pertaining to the subset of data. Further, the method comprises assigning, at the master device, a new generation identifier indicating that the second indexer is the primary indexer for the subset of data.
G06F 16/27 - Réplication, distribution ou synchronisation de données entre bases de données ou dans un système de bases de données distribuéesArchitectures de systèmes de bases de données distribuées à cet effet
G06F 3/06 - Entrée numérique à partir de, ou sortie numérique vers des supports d'enregistrement
G06F 11/20 - Détection ou correction d'erreur dans une donnée par redondance dans le matériel en utilisant un masquage actif du défaut, p. ex. en déconnectant les éléments défaillants ou en insérant des éléments de rechange
G06F 11/32 - Surveillance du fonctionnement avec indication visuelle du fonctionnement de la machine
G06F 11/34 - Enregistrement ou évaluation statistique de l'activité du calculateur, p. ex. des interruptions ou des opérations d'entrée–sortie
G06F 16/22 - IndexationStructures de données à cet effetStructures de stockage
H04L 67/1097 - Protocoles dans lesquels une application est distribuée parmi les nœuds du réseau pour le stockage distribué de données dans des réseaux, p. ex. dispositions de transport pour le système de fichiers réseau [NFS], réseaux de stockage [SAN] ou stockage en réseau [NAS]
38.
WEB ANALYZER ENGINE FOR IDENTIFYING SECURITY-RELATED THREATS
Techniques are described for providing a threat analysis platform capable of automating actions performed to analyze security-related threats affecting IT environments. Users or applications can submit objects (e.g., URLs, files, etc.) for analysis by the threat analysis platform. Once submitted, the threat analysis platform routes the objects to dedicated engines that can perform static and dynamic analysis processes to determine a likelihood that an object is associated with malicious activity such as phishing attacks, malware, or other types of security threats. The automated actions performed by the threat analysis platform can include, for example, navigating to submitted URLs and recording activity related to accessing the corresponding resource, analyzing files and documents by extracting text and metadata, extracting and emulating execution of embedded macro source code, performing optical character recognition (OCR) and other types of image analysis, submitting objects to third-party security services for analysis, among many other possible actions.
A method for deployment of machine-learning based operators within a query is described. For this embodiment, a sequence of operators associated with a query is identified, which includes at least a first operator and at least a second operator. The second operator is configured to perform operations, in accordance with a machine learning (ML) component, on data received as input from execution of the first operator. Schemas associated with the machine learning component is retrieved along with schemas associated with other operators within the sequence. Compatibility between at least an output schema associated with the first operator and an input schema associated with the second operator associated with the ML component is determined. Thereafter, a portion of the sequence of operators including at least the second operator and another operator of the sequence of operators successive to the second operator may be stored within a data store for subsequent use.
A graphical user interface (GUI) for presentation of network security risk and threat information is disclosed. A listing is generated of incidents identified by use of event data obtained from a networked computing environment. A particular incident is determined to be associated with a risk object, wherein a risk object is a component of the networked computing environment. The listing is populated with a name associated with the risk object. Risk events associated with the incident are determined, wherein each risk event contributes to a risk score for the incident. The risk score indicates a potential security issue associated with the risk object. The listing is populated with the risk score and a summary of the events. An action is associated with the listing, for triggering display of additional information associated with the risk object. The listing can be displayed in a first display screen of the GUI.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 3/0482 - Interaction avec des listes d’éléments sélectionnables, p. ex. des menus
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
41.
System and method for identifying resource access faults based on webpage assessment
A method for identifying and indicating resource access faults associated with a webpage. The method includes receiving a machine-readable file that includes a plurality of instructions defining at least content and structure of a webpage. The method further comprises causing a browser to load the webpage based at least in part on the machine-readable file; determining resource utilization associated with the load of the webpage; identifying one or more resource access faults associated with the machine-readable file based at least in part on the determined resource utilization and a resource access instruction policy; for each of the one or more resource access faults, identifying an instruction of the plurality of instructions that corresponds to the particular resource access fault; and causing display of the one or more instructions.
An example method of utilizing shared search queries for defining multiple key performance indicators (KPIs) comprises: receiving input specifying one or more service definitions, each service definition of the one or more service definitions specifying an entity definition for an entity providing a service of one or more services executing in an information technology (IT) environment, wherein the IT environment is monitored by the service monitoring system, wherein the service monitoring system uses first machine data of a first entity specified by a first service definition of the one or more service definitions to monitor a first KPI for a first service of the one or more services, and wherein the service monitoring system uses second machine data of a second entity specified by a second service definition of the one or more service definitions to monitor a second KPI for a second service of the one or more services; determining that the first machine data and the second machine data include common machine data; defining, based on the first machine data and the second machine data including common machine data, a shared base search query for the first KPI and the second KPI; executing the shared based search query to generated shared base search query results for the first KPI and the second KPI; and generating, using results from executing the shared base search query, a first value for the first KPI and a second value for the second KPI.
Described are systems, methods, and techniques for collecting, analyzing, processing, and storing time series data and for evaluating and dynamically estimating a resolution of one or more streams of data points and updating an output resolution. Responsive to receiving a stream of data points, a data resolution can be derived and an output resolution can be set to a first value. When a change to the data resolution is detected, the output resolution can be changed, modifying a frequency at which output data points are generated and/or transmitted. In some instances, a detector can be implemented to trigger an alert responsive to ingested data points corresponding with triggering parameters. An output resolution for the detector can be dynamically modified based on dynamically detecting a change to the data resolution of the stream of data.
G06F 16/2458 - Types spéciaux de requêtes, p. ex. requêtes statistiques, requêtes floues ou requêtes distribuées
H04L 43/08 - Surveillance ou test en fonction de métriques spécifiques, p. ex. la qualité du service [QoS], la consommation d’énergie ou les paramètres environnementaux
44.
MANAGING SECURITY ACTIONS IN A COMPUTING ENVIRONMENT USING ENRICHMENT INFORMATION
Aspects described herein provide security actions based on a current state of a security threat. In one example, a computer-implemented method includes identifying a security threat within a computing environment comprising a plurality of computing assets. The method further includes obtaining state information for the security threat within the computing environment from computing assets of the plurality of computing assets in the computing environment. The method further includes determining a current state for the security threat within the computing environment based on the state information. The method further includes obtaining enrichment information for the security threat that relates kill-state information to an identity of the security threat. The method further includes determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.
G06F 16/28 - Bases de données caractérisées par leurs modèles, p. ex. des modèles relationnels ou objet
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
H04L 47/2425 - Trafic caractérisé par des attributs spécifiques, p. ex. la priorité ou QoS pour la prise en charge de spécifications de services, p. ex. SLA
45.
Display screen or portion thereof with a graphical user interface for a visualization of a system status
Disclosed herein is a method that supports queries deploying operators based on multiple programming languages at least through determining schema compatibility between neighboring operators within a query. Upon receipt of a query, a sequence of operators of the query is identified, where the sequence of operators includes at least two neighboring operators including a first operator and a second operator representing a machine learning model. By determining schema compatibility between at least the first and second operators, the method either alerts a user to schema incompatibility before attempting to execute the query or determine that the schemas are compatible such that the query may be executed without the occurrence of errors due to schema incompatibility between neighboring operators. Advantageously, the method enables the integration of a machine learning model into the query while still ensuring schema compatibility.
Techniques are described for providing a built-in “app” editor for an information technology (IT) and security operations application that enables users to create, modify, and test operation of apps under development within the editor. Some IT and security operations applications enable users to extend the applications by adding connectivity to third party technologies to run custom actions. For example, a user might create a custom app to enable an IT and security operations application to connect to an external service providing information about malicious Internet Protocol (IP) addresses, to connect to a relevant cloud provider service, or to interact with a firewall or other type of computing device used in a user's computing environment. Given the broad set of technologies that can be orchestrated by an IT and security operations application, apps broadly enable users to add custom functionality to interface with virtually any technology of interest.
A machine data validation system can track and validate the integrity of machine data generated by machines. The system can generate hashes for the items and batch hashes that can be validated using an immutable data store, such one or more blockchains in a tiered blockchain structure. The system can store machine data and additional associated data in a first lightweight blockchain, and store grouped sets of the data in a second robust blockchain. The system can implement the tiered blockchain structure to efficiently store and reference the hashes to validate the machine data at different times or upon request from an end-user.
G06F 21/64 - Protection de l’intégrité des données, p. ex. par sommes de contrôle, certificats ou signatures
H04L 9/00 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
51.
Managing event group definitions in service monitoring systems
Network connected devices are controlled via the transmission of action messages to prevent or correct conditions that impair the operation of the networked information technology (IT) assets. The service monitoring system (SMS) monitoring the IT environment groups together related notable events that are received during system operation. Automatic processes dynamically determine grouping operations that automatically correlate the events without requiring, for example, a set of declarative grouping rules. Event grouping may be performed on a by-service basis to facilitate the complex processing of predicting undesirable system conditions that may be prevented or reduced by transmission of the action messages to the appropriate assets. Event grouping operations may be directed with control information maintained via user interface.
H04L 43/045 - Traitement des données de surveillance capturées, p. ex. pour la génération de fichiers journaux pour la visualisation graphique des données de surveillance
G06F 11/00 - Détection d'erreursCorrection d'erreursContrôle de fonctionnement
G06F 16/2458 - Types spéciaux de requêtes, p. ex. requêtes statistiques, requêtes floues ou requêtes distribuées
G06F 16/951 - IndexationTechniques d’exploration du Web
H04L 41/147 - Analyse ou conception de réseau pour prédire le comportement du réseau
H04L 41/22 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p. ex. des réseaux de commutation de paquets comprenant des interfaces utilisateur graphiques spécialement adaptées [GUI]
H04L 41/50 - Gestion des services réseau, p. ex. en assurant une bonne réalisation du service conformément aux accords
H04L 41/5009 - Détermination des paramètres de rendement du niveau de service ou violations des contrats de niveau de service, p. ex. violations du temps de réponse convenu ou du temps moyen entre l’échec [MTBF]
H04L 69/329 - Protocoles de communication intra-couche entre entités paires ou définitions d'unité de données de protocole [PDU] dans la couche application [couche OSI 7]
Queries may be resolved against large quantities of collected data (such as traces) by dividing collected data into multiple time intervals and incrementally assigning multiple workers the query and the collected data over the multiple time intervals. For each time interval, these workers may conditionally update one or more summary data structures within the worker based on the query and the portion of collected data assigned to the worker. The summary data structures for each time interval may then be incrementally returned and merged with results from earlier time intervals to create a final merged query result.
Techniques are described for providing a threat analysis platform capable of automating actions performed to analyze security-related threats affecting IT environments. Users or applications can submit objects (e.g., URLs, files, etc.) for analysis by the threat analysis platform. Once submitted, the threat analysis platform routes the objects to dedicated engines that can perform static and dynamic analysis processes to determine a likelihood that an object is associated with malicious activity such as phishing attacks, malware, or other types of security threats. The automated actions performed by the threat analysis platform can include, for example, navigating to submitted URLs and recording activity related to accessing the corresponding resource, analyzing files and documents by extracting text and metadata, extracting and emulating execution of embedded macro source code, performing optical character recognition (OCR) and other types of image analysis, submitting objects to third-party security services for analysis, among many other possible actions.
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
G06F 21/53 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p. ex. "boîte à sable" ou machine virtuelle sécurisée
54.
Display screen or portion thereof with a graphical user interface for a visualization of data management
Various implementations or examples set forth a method for scanning a three-dimensional (3D) environment. The method includes generating a 3D representation of the 3D environment that includes one or more 3D meshes. The method also includes determining at least a portion of the 3D environment that falls within a current frame captured by the image sensor. The method further includes generating one or more additional 3D meshes representing the at least a portion of the 3D environment and combining the one or more additional 3D meshes with the one or more 3D meshes into an update to the 3D representation of the 3D environment.
A computerized method is disclosed that includes operations of detecting user input to a first webpage rendered within a web browser, the user input corresponds to closure of the first webpage, providing an indication of the user input corresponding to the closure of the first webpage to a web browser extension operating in accordance with the web browser, the indication includes an identifier, performing, by the web browser extension operating in accordance with the web browser, a search for the identifier within a URL of each webpage currently opened by the web browser in order to determine that a second webpage is associated with the first webpage based on inclusion of the identifier in a URL of the second webpage, and initiating, by the web browser extension, closure of the second webpage associated with the first webpage following the user input corresponding to closure of the first webpage.
G06F 3/0484 - Techniques d’interaction fondées sur les interfaces utilisateur graphiques [GUI] pour la commande de fonctions ou d’opérations spécifiques, p. ex. sélection ou transformation d’un objet, d’une image ou d’un élément de texte affiché, détermination d’une valeur de paramètre ou sélection d’une plage de valeurs
G06F 16/248 - Présentation des résultats de requêtes
G06F 16/951 - IndexationTechniques d’exploration du Web
G06F 16/9535 - Adaptation de la recherche basée sur les profils des utilisateurs et la personnalisation
G06F 16/954 - Navigation, p. ex. en utilisant la navigation par catégories
G06F 16/958 - Organisation ou gestion de contenu de sites Web, p. ex. publication, conservation de pages ou liens automatiques
H04L 67/02 - Protocoles basés sur la technologie du Web, p. ex. protocole de transfert hypertexte [HTTP]
H04L 67/1095 - Réplication ou mise en miroir des données, p. ex. l’ordonnancement ou le transport pour la synchronisation des données entre les nœuds du réseau
58.
Exploratory data analysis system for automated generation of search queries using machine learning techniques to identify certain log fields and correlation thereof
Implementations of this disclosure provide a search assistant engine that integrates with a data intake and query system and provides an intuitive user interface to assist a user in searching and evaluating indexed event data. Additionally, the search assistant engine provides logic to intelligently provide data to the user through the user interface such as determining fields of events likely to be of interest based on determining a mutual information score for each field and determining groups of related fields based on determining a mutual information score for each field grouping. Some implementations utilize machine learning techniques in certain analyses such as when clustering events and determining an event templates for each cluster. Additionally, the search assistant engine may import terms or characters from user interaction into predetermined search query templates to generate tailored search query for the user.
A device that includes an extended reality application is employed by a user to access an extended reality environment. A selection of a first subset of dashboard panels included in a plurality of dashboard panels is received via an input device associated with the extended reality environment. Each dashboard panel included in the plurality of dashboard panels includes a visual representation of data. The first subset of dashboard panels is displayed in a foreground area of a workspace of the XR environment. A second subset of dashboard panels included in the plurality of dashboard panels is displayed in a background area of the workspace of the XR environment.
G06F 3/04815 - Interaction s’effectuant dans un environnement basé sur des métaphores ou des objets avec un affichage tridimensionnel, p. ex. modification du point de vue de l’utilisateur par rapport à l’environnement ou l’objet
G06F 3/0482 - Interaction avec des listes d’éléments sélectionnables, p. ex. des menus
G06F 3/04842 - Sélection des objets affichés ou des éléments de texte affichés
G06F 9/451 - Dispositions d’exécution pour interfaces utilisateur
60.
Collaboration spaces in extended reality conference sessions
Extended reality (XR) software application programs establish remote collaboration sessions in which a host device and one or more remote devices can interact. When initiating a remote collaboration session, an XR application in a host device determines a collaboration area. The collaboration area corresponds to a portion of a real-world environment that is shared by the host device with the one or more remote devices. In some embodiments, the collaboration area can be determined automatically and/or based on user input. The XR application causes sensors associated with the host device to scan the collaboration area. Then, the XR application transmits, to the one or more remote devices, a three-dimensional representation of the collaboration area for rendering in one or more remote XR environments.
G06T 17/20 - Description filaire, p. ex. polygonalisation ou tessellation
G06V 10/44 - Extraction de caractéristiques locales par analyse des parties du motif, p. ex. par détection d’arêtes, de contours, de boucles, d’angles, de barres ou d’intersectionsAnalyse de connectivité, p. ex. de composantes connectées
H04L 65/1069 - Établissement ou terminaison d'une session
H04L 65/403 - Dispositions pour la communication multipartite, p. ex. pour les conférences
Techniques are described for providing a threat analysis platform capable of automating actions performed to analyze security-related threats affecting IT environments. Users or applications can submit objects (e.g., URLs, files, etc.) for analysis by the threat analysis platform. Once submitted, the threat analysis platform routes the objects to dedicated engines that can perform static and dynamic analysis processes to determine a likelihood that an object is associated with malicious activity such as phishing attacks, malware, or other types of security threats. The automated actions performed by the threat analysis platform can include, for example, navigating to submitted URLs and recording activity related to accessing the corresponding resource, analyzing files and documents by extracting text and metadata, extracting and emulating execution of embedded macro source code, performing optical character recognition (OCR) and other types of image analysis, submitting objects to third-party security services for analysis, among many other possible actions.
A data intake and query system receives raw machine via an internet protocol (IP) such as the hypertext transfer protocol (HTTP). The system has configurable global settings for the received raw machine data that determine properties such as the metadata that is associated with raw machine data. Each event is associated with a token, which is also configurable and provides settings such as metadata settings for the raw machine data. The raw machine data is stored as events based on the metadata. Electronic devices that generate raw machine data may transmit the raw machine data to the data intake and query system within HTTP messages. The HTTP messages may also include settings such as metadata for the raw machine data. The raw machine data is stored as events based on the global metadata settings, token metadata settings, and HTTP message metadata settings.
Various implementations set forth a computer-implemented method for scanning a three-dimensional (3D) environment. The method includes generating, in a first time interval, a first extended reality (XR) stream based on a first set of meshes representing a 3D environment, transmitting, to a remote device, the first XR stream for rendering a 3D representation of a first portion of the 3D environment in a remote XR environment, determining that the 3D environment has changed based on a second set of meshes representing the 3D environment and generated subsequent to the first time interval, generating a second XR stream based on the second set of meshes, and transmitting, to the remote device, the second XR stream for rendering a 3D representation of at least a portion of the changed 3D environment in the remote XR environment.
Systems and methods are described for processing ingested data, detecting anomalies in the ingested data, and providing explanations of a possible cause of the detected anomalies as the data is being ingested. For example, a token or field in the ingested data may have an anomalous value. Tokens or fields from another portion of the ingested data can be extracted and analyzed to determine whether there is any correlation between the values of the extracted tokens or fields and the anomalous token or field having an anomalous value. If a correlation is detected, this information can be surfaced to a user.
G06F 17/18 - Opérations mathématiques complexes pour l'évaluation de données statistiques
G06F 18/21 - Conception ou mise en place de systèmes ou de techniquesExtraction de caractéristiques dans l'espace des caractéristiquesSéparation aveugle de sources
G06F 18/214 - Génération de motifs d'entraînementProcédés de Bootstrapping, p. ex. ”bagging” ou ”boosting”
A method of persisting and querying Real User Monitoring (RUM) data comprises grouping together spans associated with a user-interaction with a webpage or application that are ingested during a given time duration. The method also comprises generating one or more data sets each associated with an analysis modality using the grouped spans, wherein each analysis modality extracts a different level of detail from the spans. Further, the method comprises selecting, based on a first user query, a first analysis modality for generating a response to the first user query and accessing a data set that is associated with the first analysis modality. The method also comprises generating the response to the first user query using the data set associated with the first analysis modality, wherein the first user query requests information pertaining to a performance of the application in response to the user-interaction.
A computing device can receive a query that identifies a set of data to be processed and determine that a portion of the set of data resides in an external data system. The query system can request data identifiers associated with data objects of the set of data from the external data system and communicate the data identifiers to a data queue. The computing device can instruct one or more search nodes to retrieve the identifiers from the data queue. The search nodes can use the data identifiers to retrieve data objects from the external data system and process the data objects according to instructions received from the computing device. The search nodes can provide results of the processing to the computing device.
A computerized method is disclosed for grouping alerts through machine learning. The method including receiving an alert to be assigned to any of a plurality of existing issues or to a newly created issue, wherein an issue is a grouping of alerts, determining a temporal distance between the alert and each of the existing issues, determining either of (i) a numerical distance between the alert and each of the existing issues for a particular numerical field, or (ii) a categorical distance between the alert and each of the existing issues for a particular categorical field, determining an overall distance between the alert and each of the existing issues, and assigning the alert to either (i) an existing issue having a shortest overall distance to the alert that satisfies one or more time constraints, or (ii) the newly created issue.
G06F 16/2458 - Types spéciaux de requêtes, p. ex. requêtes statistiques, requêtes floues ou requêtes distribuées
G06F 18/21 - Conception ou mise en place de systèmes ou de techniquesExtraction de caractéristiques dans l'espace des caractéristiquesSéparation aveugle de sources
69.
Submesh-based updates in an extended reality environment
Various implementations set forth a computer-implemented method for scanning a three-dimensional (3D) environment. The method includes generating, in a first time interval, a first extended reality (XR) stream based on a first set of meshes representing a 3D environment, transmitting, to a remote device, the first XR stream for rendering a 3D representation of a first portion of the 3D environment in a remote XR environment, determining that the 3D environment has changed based on a second set of meshes representing the 3D environment and generated subsequent to the first time interval, generating a second XR stream based on the second set of meshes, and transmitting, to the remote device, the second XR stream for rendering a 3D representation of at least a portion of the changed 3D environment in the remote XR environment.
A computerized method is disclosed that includes operations of obtaining historical network traffic and preparing a training set of data by: applying security rules to the historical network traffic data to obtain a first filtered subset of network transmissions representing a first set of beaconing candidates that is labeled to form a first set of labeled results, applying a clustering logic to the historical network traffic data to obtain a second filtered subset of network transmissions representing a second set of beaconing candidates that is labeled to form a second set of labeled results, applying a machine learning model to the historical network traffic data to label the historical network traffic forming a third set of labeled results, wherein the first, second and third sets of labeled results are augmented to form an augmented labeled training set, and training a machine learning model using the augmented labeled training set.
A computerized method is disclosed for grouping alerts and providing remediation recommendation. The method includes receiving the alert to be assigned to an existing open issue or a newly created issue, wherein an issue is a grouping of one or more alerts, assigning the alert to either a first existing open issue or the newly created issue by determining a weighted sum of the distance between the feature vectors of the alert and each existing open issue, determining a weighted sum of the distance between the feature vectors of the alert and each closed issue, and generating a user interface that illustrates an assignment of the alert and at least one of (i) a closed issue having a shortest distance to the alert or (ii) recommended remediation efforts associated with the closed issue having the shortest distance to the alert.
The present invention is related to a method for providing dynamic indexer discovery. The method comprises receiving, from an index manager, a status indication associated with a plurality of indexers, wherein each of the plurality of indexers indexes events of raw machine-generated data received from a plurality of data collectors. The method further comprises determining a weight associated with each of the plurality of indexers and selecting an indexer from the plurality of indexers. Subsequently, the method comprises allocating data to the indexer in accordance with a respective weight assigned to the indexer and transmitting the allocated data to the indexer.
Information retrieved from monitoring agents currently installed on instrumented entities within a system is analyzed to discover additional entities within the system that are connected to the instrumented entities. Each of these discovered entities is analyzed to determine whether a monitoring agent is able to be installed within the entity; if installation is possible, such installation is automatically performed (or a guided manual installation is implemented utilizing an interface). After a monitoring agent is installed within a discovered entity, information is retrieved from that monitoring agent and is used to discover additional entities within the system that are connected to that discovered entity. In this way, an iterative discovery of all entities within a system may be performed.
A computer system displays a graphical user interface (GUI) that includes data visualizations corresponding to data having timestamps within a time interval. A first type of input signal is mapped to a second type of input signal. The first type of input signal is associated with an input device communicatively coupled to the computer system. The second type of input signal is configured to operate a graphical user control of the GUI. Before mapping, the first type of input signal is configured to perform a function that is different from operation of the graphical user control. After receiving an input signal of the first type, an input signal of the second type is applied to the graphical user control based on the mapping. The time interval is adjusted, and the data visualizations are updated automatically to correspond to updated data having timestamps within the adjusted time interval.
A graphical user interface (GUI) includes multiple data visualizations and an adjustable graphical user control. The data underlying the data visualizations are timestamped, and the graphical user control enables a user to select a time interval. When a time interval is selected or modified via the graphical user control, the multiple data visualizations update automatically in real time to reflect data that correspond to the currently selected time interval.
G06F 16/26 - Exploration de données visuellesNavigation dans des données structurées
G06F 3/0487 - Techniques d’interaction fondées sur les interfaces utilisateur graphiques [GUI] utilisant des caractéristiques spécifiques fournies par le périphérique d’entrée, p. ex. des fonctions commandées par la rotation d’une souris à deux capteurs, ou par la nature du périphérique d’entrée, p. ex. des gestes en fonction de la pression exercée enregistrée par une tablette numérique
G06F 16/2458 - Types spéciaux de requêtes, p. ex. requêtes statistiques, requêtes floues ou requêtes distribuées
76.
Unhandled data protection for programmatic input/output routing to datasets with user-defined partitions
Systems and methods are described for implementing programmatic input/output (I/O) routing to datasets with user-defined partitions while providing unhandled data protection. As disclosed herein, a user may define a dataset as including one or more partitions, each partition including criteria for storing data objects written to the partitioned dataset in the individual partitions. Data objects written to the dataset can then be evaluated according to the criteria, and routed to an appropriate partition. To provide unhandled data protection, a dataset definition can include a default partition to which data objects are routed when the data object fails to satisfy the criteria of any of the set of user-defined partitions identified in the specification. Processing I/O operations according to a user-defined partitioning schema can enable data objects to be arranged according to any partitioning schema without tethering the partitioning to a particular underlying storage system.
Systems, methods, and software described herein provide for validating security actions before they are implemented in a computing network. In one example, a computing network may include a plurality of computing assets that provide a variety of different operations. During the operations of the network, administration systems may generate and provide security actions to prevent or mitigate the effect of a security threat on the network. However, prior to implementing the security actions within the network, computing assets may exchange security parameters with the administration systems to verify that the security actions are authentic.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
A data intake and query system can generate local data enrichment objects and receive federated data enrichment objects from another data intake and query system. In response to receiving a query, the data intake and query system can determine whether the query is subquery of a federated query. If the query is a subquery, the data intake and query system can use the federated data enrichment objects to execute the query.
A computerized method is disclosed for retraining machine learning models based on user feedback. The method includes receiving user feedback indicating a change is to be made to an assignment of one or more alerts, wherein the one or more alerts were assigned by a machine learning model implementing a distance metric, wherein an issue is a grouping of at least one alert, constructing a convex optimization procedure to minimize an adjustment of weights of the distance metric, retraining the machine learning model by adjusting the weights of the distance metric in accordance with the convex optimization procedure, and evaluating one or more subsequently received alert using the retrained machine learning model. Changes to be made to the assignment include any of merging of two issues, splitting of two issues based on time or an alert field, or reassignment of an alert from a first issue to a second issue.
Systems and methods are described for display of metric data and log data in a graphical user interface. Metric data can be ingested from a first data source via a first ingestion path and log data can be ingested from a second data source via a second ingestion path. The first data source and the second data source may be distinct, disparate data sources and the first ingestion path and the second ingestion path may be distinct, disparate ingestion paths. The metric data can be displayed in a first area of the graphical user interface and the log data can be displayed in a second area of the graphical user interface. Input can be received identifying a selection of a portion of the metric data for display and the log data can be filtered based on the selection to identify a portion of the log data for display.
A client device that includes a camera and an extended reality client application program is employed by a user in a physical space, such as an industrial or campus environment. The user aims the camera within the mobile device at a real-world asset, such as a computer system, classroom, or vehicle. The client device acquires a digital image via the camera and detects textual and/or pictorial content included in the acquired image that corresponds to one or more anchors. The client device queries a data intake and query system for asset content associated with the detected anchors. Upon receiving the asset content from the data intake and query system, the client device generates visualizations of the asset content and presents the visualizations via a display device.
G06V 20/20 - ScènesÉléments spécifiques à la scène dans les scènes de réalité augmentée
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p. ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
Techniques are described for providing a threat analysis platform capable of automating actions performed to analyze security-related threats affecting IT environments. Users or applications can submit objects (e.g., URLs, files, etc.) for analysis by the threat analysis platform. Once submitted, the threat analysis platform routes the objects to dedicated engines that can perform static and dynamic analysis processes to determine a likelihood that an object is associated with malicious activity such as phishing attacks, malware, or other types of security threats. The automated actions performed by the threat analysis platform can include, for example, navigating to submitted URLs and recording activity related to accessing the corresponding resource, analyzing files and documents by extracting text and metadata, extracting and emulating execution of embedded macro source code, performing optical character recognition (OCR) and other types of image analysis, submitting objects to third-party security services for analysis, among many other possible actions.
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
A computerized method is disclosed that includes operations of training a machine learning model using a labeled training set of data, wherein the machine learning model is configured to classify domain name server (DNS) records, obtaining DNS record data including at least a first DNS Txt record, applying the trained machine learning model to the first DNS Txt record to classify the first DNS Txt record and responsive to the classification of the first DNS Txt record, generating a flag for a system administrator. The trained machine learning model may classify the first DNS Txt record using logistic regression. In some instances, applying the trained machine learning model to the first DNS Txt record includes performing a tokenizing operation on the first DNS Txt record to generate a tokenized first DNS Txt record.
Medication security and healthcare privacy analytics systems are described that enable users to search for and process stored healthcare environment data. The medication security and healthcare privacy analytics systems receive and correlate data from a plurality of data sources, including medication dispensing systems, healthcare employee records, and patient records. The medication security and healthcare privacy analytics systems generate a plurality of feature vectors from processed healthcare environment data. The visualizations are created using datasets generated by clustering algorithms and can indicate those feature vectors from the plurality of feature vectors whose data indicate anomalous interactions with various systems (e.g., indicative of unexpected or non-customary events).
G16H 40/00 - TIC spécialement adaptées à la gestion ou à l’administration de ressources ou d’établissements de santéTIC spécialement adaptées à la gestion ou au fonctionnement d’équipement ou de dispositifs médicaux
G06F 3/0482 - Interaction avec des listes d’éléments sélectionnables, p. ex. des menus
G06F 3/04842 - Sélection des objets affichés ou des éléments de texte affichés
G16H 20/13 - TIC spécialement adaptées aux thérapies ou aux plans d’amélioration de la santé, p. ex. pour manier les prescriptions, orienter la thérapie ou surveiller l’observance par les patients concernant des médicaments ou des médications, p. ex. pour s’assurer de l’administration correcte aux patients delivrés par des distributeurs
85.
System and method for data ingestion, anomaly detection and notification
A computerized method is disclosed for automated handling of data ingestion anomalies. The method features training a data model based on a first volume of data associated with a first time period. Thereafter, using the data model, a predictive analysis is conducted on a second volume of data associated with a second time period subsequent to the first time period to produce a predicted data ingestion volume. After, a correlative analysis between the predicted data ingestion volume and an actual data ingestion volume during the second time period is conducted to produce a prediction error. A notification is generated based on the prediction error.
Techniques are described for automatically identifying and configuring IT and security application connectors relevant to users' IT environment by obtaining and analyzing data reflecting activity within an IT environment. The identification of types of assets within an IT environment may be based on analyzing a “source type” field included in events associated with the IT environment, where the source type field included in each event provides an indication of a type of device or service to which the event relates. The values stored in the source type field of events associated with a user's IT environment might indicate, for example, the presence of various types of computing devices, software applications, network devices, and so forth. Based on the identification of types of assets present in an IT environment, an IT and security operations application automatically configures corresponding connectors for those types of assets.
Various embodiments of the present application set forth a computer-implemented method that includes receiving a device identifier associated with a sensor device, wherein the device identifier is receivable from a location proximal to the sensor device, assigning the device identifier to a first application executing in a first network, wherein data from the sensor device is transmitted to the first application, and transmitting, to a server, an indication of the assignment of the device identifier to the first application, wherein the server stores the assignment in conjunction with a security configuration associated with the sensor device.
H04L 12/28 - Réseaux de données à commutation caractérisés par la configuration des liaisons, p. ex. réseaux locaux [LAN Local Area Networks] ou réseaux étendus [WAN Wide Area Networks]
G01M 99/00 - Matière non prévue dans les autres groupes de la présente sous-classe
G06F 16/9035 - Filtrage basé sur des données supplémentaires, p. ex. sur des profils d'utilisateurs ou de groupes
H04L 67/12 - Protocoles spécialement adaptés aux environnements propriétaires ou de mise en réseau pour un usage spécial, p. ex. les réseaux médicaux, les réseaux de capteurs, les réseaux dans les véhicules ou les réseaux de mesure à distance
88.
Intelligent search-time determination and usage of fields extracted at index-time
A computer-implemented method of determining indexed fields at query time comprises mapping data from a first source type to indexed fields in batch form using a wildcard specifier. The method also comprises receiving a query to execute on a data set comprising data from the first source type and data from a second source type. Further, the method comprises transforming the query to execute on the data from the first source type separately from the data from the second source type. Additionally, the method comprises executing the query to operate on the data from the first source type using information associated with the indexed fields and to separately operate on the data from the second source type.
Data intake and query system (DIQS) instances supporting applications including lower-tier, focused, work group oriented applications may be tailored to meet the specific needs of the users. Rather than offer pre-configured options, the DIQS-based application offers the user the ability to customize data collection before deploying the collectors for specified host entities within an IT environment. Once the user selects the metrics and/or log sources for data collection at a custom interface, the lower-tier DIQS generates custom script operable to establish collection of the source data having the selected metrics and events associated with selected log sources from the specified host entities. The user can display and analyze the collected data.
A performance monitoring system (PMS 102) displays a list of example URLs that matched a URL grouping rule used to group URLs. For a rule configured for a customer of the PMS, the example matched URLs are selected by the PMS from a candidate set of URLs identified from data associated with that customer. The PMS receives information identifying a Uniform Resource Locator (URL) grouping rule displayed in a graphical user interface (GUI). The PMS identified a list of candidate URLs occurring in the stored data. The PMS then identifies, from the list of candidate URLs, a set of matched URLs, the set of matched URLs including one or more URLs from the list of candidate URLs that matched the URL grouping rule. The PMS then causes at least one URL from the set of matched URLs to be displayed on the GUI.
G06F 15/173 - Communication entre processeurs utilisant un réseau d'interconnexion, p. ex. matriciel, de réarrangement, pyramidal, en étoile ou ramifié
G06F 11/34 - Enregistrement ou évaluation statistique de l'activité du calculateur, p. ex. des interruptions ou des opérations d'entrée–sortie
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p. ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
G06F 16/958 - Organisation ou gestion de contenu de sites Web, p. ex. publication, conservation de pages ou liens automatiques
91.
Generating suggested courses of actions for incidents based on previous incident handling
The technology presented herein improves incident handling in an IT environment. In a particular example, a method provides identifying a first incident in the IT environment. From incident handling information that indicates how a plurality of previous incidents were handled by one or more users, the method provides identifying first information of the incident handling information corresponding to one or more first previous incidents of the plurality of previous incidents that are similar to the first incident. The method further provides determining a suggested course of action from the first information and presenting the suggested course of action to a user of the information technology environment.
H04L 41/0631 - Gestion des fautes, des événements, des alarmes ou des notifications en utilisant l’analyse des causes profondesGestion des fautes, des événements, des alarmes ou des notifications en utilisant l’analyse de la corrélation entre les notifications, les alarmes ou les événements en fonction de critères de décision, p. ex. la hiérarchie ou l’analyse temporelle ou arborescente
92.
Dynamically changing input data streams processed by data stream language programs
An instrumentation analysis system processes data streams by executing instructions specified using a data stream language program. The data stream language allows users to specify a search condition using a find block for identifying the set of data streams processed by the data stream language program. The set of identified data streams may change dynamically. The data stream language allows users to group data streams into sets of data streams based on distinct values of one or more metadata attributes associated with the input data streams. The data stream language allows users to specify a threshold block for determining whether data values of input data streams are outside boundaries specified using low/high thresholds. The elements of the set of data streams input to the threshold block can dynamically change. The low/high threshold values can be specified as data streams and can dynamically change.
A data intake and query system processes and stores events, which are associated with token identifiers for tokens corresponding to data sources for the messages that the events are generated from. Thus, the data intake and query system can receive a request to provide analyses and visualizations regarding stored events associated with a particular component associated with a plurality of events, such as a data source for the messages from which the plurality of events are generated from. These requests and the resulting visualizations can be customized based on selected tokens and selected components.
Described herein are improvements for generating courses of action for an information technology (IT) environment. In one example, a method includes identifying a first course of action for responding to an incident type in an information technology environment and generating a simulated incident associated with the incident type. The method further includes initiating performance of the first course of action based on the generation of the simulated incident. The method also includes, upon reaching a particular step of the first course of action that prevents the performance of the first course of action from proceeding, providing a first simulated result that allows the performance of the first course of action to proceed.
H04L 41/0631 - Gestion des fautes, des événements, des alarmes ou des notifications en utilisant l’analyse des causes profondesGestion des fautes, des événements, des alarmes ou des notifications en utilisant l’analyse de la corrélation entre les notifications, les alarmes ou les événements en fonction de critères de décision, p. ex. la hiérarchie ou l’analyse temporelle ou arborescente
H04L 41/0654 - Gestion des fautes, des événements, des alarmes ou des notifications en utilisant la reprise sur incident de réseau
H04L 41/22 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p. ex. des réseaux de commutation de paquets comprenant des interfaces utilisateur graphiques spécialement adaptées [GUI]
95.
Content pack management in service monitoring system
An example method of content pack management by a service monitoring system includes: receiving a plurality of object identifiers, each object identifier referencing a corresponding object installed in an instance of a service monitoring system; performing a partial backup of the instance of a service monitoring system, wherein the partial backup comprises a plurality of objects referenced by the plurality of object identifiers; converting the partial backup into a plurality of object definitions in a predefined format; and packaging the plurality of object definitions into a content pack.
H04L 43/045 - Traitement des données de surveillance capturées, p. ex. pour la génération de fichiers journaux pour la visualisation graphique des données de surveillance
H04L 43/00 - Dispositions pour la surveillance ou le test de réseaux de commutation de données
H04L 43/08 - Surveillance ou test en fonction de métriques spécifiques, p. ex. la qualité du service [QoS], la consommation d’énergie ou les paramètres environnementaux
96.
Reassigning a processing node from downloading to searching a data group
A data intake and query system can manage the search of large amounts of data using one or more processing nodes. When a new processing node is added or becomes available, the node coordinator can reassign duties from one or more processing nodes to the new processing node. The node coordinator can initially assign the new processing node one or more groups of data for backup purposes. At a later time, the node coordinator can reassign the new processing node to the one or more groups of data for searching purposes.
Various embodiments set forth a computer-implemented method of displaying content of a visualization environment, comprising receiving, by a display controller coupled to a display device included in a plurality of display devices, a configuration that includes a display mode and identifies a dashboard to be displayed, determining a position of the display device relative to positions of other display devices, retrieving a set of values associated with the dashboard, where the set of values is provided by a remote data source based on a query executed on raw machine data associated with the dashboard, determining, based on the position, at least a portion of the dashboard to display in the display device, and causing, by the display controller, the display device to display at least a portion of the set of values within at least the portion of the dashboard.
G09G 3/30 - Dispositions ou circuits de commande présentant un intérêt uniquement pour l'affichage utilisant des moyens de visualisation autres que les tubes à rayons cathodiques pour la présentation d'un ensemble de plusieurs caractères, p. ex. d'une page, en composant l'ensemble par combinaison d'éléments individuels disposés en matrice utilisant des sources lumineuses commandées utilisant des panneaux électroluminescents
G06F 3/14 - Sortie numérique vers un dispositif de visualisation
G06F 16/9038 - Présentation des résultats des requêtes
G09G 3/36 - Dispositions ou circuits de commande présentant un intérêt uniquement pour l'affichage utilisant des moyens de visualisation autres que les tubes à rayons cathodiques pour la présentation d'un ensemble de plusieurs caractères, p. ex. d'une page, en composant l'ensemble par combinaison d'éléments individuels disposés en matrice en commandant la lumière provenant d'une source indépendante utilisant des cristaux liquides
An example method of entity lifecycle management in a service monitoring system includes: receiving, by a software application of a service monitoring system, a policy definition specifying an entity lifecycle management policy, wherein the entity lifecycle management policy defines management rules for a plurality of entities in a network environment, wherein each entity of the plurality of entities is represented by one of: a device, an application, a service, or a user account; identifying, by applying the entity lifecycle management policy, one or more candidate entities for retirement; identifying, as retired entities, at least a subset of the one or more candidate entities; and excluding the retired entities from a plurality of active entities, thus preventing the retired entities from interacting with other components of the service monitoring system; and determining a value of a key performance indicator (KPI) reflecting an aspect of performance of the service, wherein the KPI is defined by a search query that derives the value of the KPI from machine data associated with one or more entities of the plurality of active entities.
H04L 41/0893 - Affectation de groupes logiques aux éléments de réseau
G06F 11/34 - Enregistrement ou évaluation statistique de l'activité du calculateur, p. ex. des interruptions ou des opérations d'entrée–sortie
H04L 41/0604 - Gestion des fautes, des événements, des alarmes ou des notifications en utilisant du filtrage, p. ex. la réduction de l’information en utilisant la priorité, les types d’éléments, la position ou le temps
H04L 41/0894 - Gestion de la configuration du réseau basée sur des règles
H04L 41/22 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p. ex. des réseaux de commutation de paquets comprenant des interfaces utilisateur graphiques spécialement adaptées [GUI]
H04L 41/5009 - Détermination des paramètres de rendement du niveau de service ou violations des contrats de niveau de service, p. ex. violations du temps de réponse convenu ou du temps moyen entre l’échec [MTBF]
H04L 43/065 - Génération de rapports liés aux appareils du réseau
H04L 43/0805 - Surveillance ou test en fonction de métriques spécifiques, p. ex. la qualité du service [QoS], la consommation d’énergie ou les paramètres environnementaux en vérifiant la disponibilité
99.
Generating machine learning-based outlier detection models using timestamped event data
Techniques are described for providing a machine learning (ML) data analytics application including guided ML workflows that facilitate the end-to-end training and use of various types of ML models, where such guided workflows may also be referred to as ML “experiments.” One such model is an outlier detection model to assist in the monitoring of computer network traffic and computer performance. For example, the ML data analytics application may generate an outlier detection model using user-identified data from a data source and parameter information. The generates outlier detection model can include distribution functions of distribution types selected from a plurality of distribution types by a distribution fitting algorithm.
Systems and methods are described for unified processing of indexed and streaming data. A system enables users to query indexed data or specify processing pipelines to be applied to streaming data. In some instances, a user may specify a query intended to be run against indexed data, but may specify criteria that includes not-yet-indexed data (e.g., a future time frame). The system may convert the query into a data processing pipeline applied to not-yet-indexed data, thus increasing the efficiency of the system. Similarly, in some instances, a user may specify a data processing pipeline to be applied to a data stream, but specify criteria including data items outside the data stream. For example, a user may wish to apply the pipeline retroactively, to data items that have already exited the data stream. The system can convert the pipeline into a query against indexed data to satisfy the users processing requirements.
G06F 16/30 - Recherche d’informationsStructures de bases de données à cet effetStructures de systèmes de fichiers à cet effet de données textuelles non structurées
G05B 13/00 - Systèmes de commande adaptatifs, c.-à-d. systèmes se réglant eux-mêmes automatiquement pour obtenir un rendement optimal suivant un critère prédéterminé
G06F 16/14 - Détails de la recherche de fichiers basée sur les métadonnées des fichiers
G06F 16/178 - Techniques de synchronisation des fichiers dans les systèmes de fichiers
