公开(公告)号：US12039046B1

公开(公告)日：2024-07-16

申请号：US18311799

申请日：2023-05-03

Applicant: Splunk Inc.

Inventor： Sourabh Satish ,  Trenton John Beals ,  Glenn Gallien ,  Govind Salinas

IPC: G06F21/55 ,  G06F9/451 ,  G06F11/07 ,  G06F11/34 ,  H04L9/40 ,  H04L41/0631

CPC classification number: G06F21/554 ,  G06F9/453 ,  G06F11/0793 ,  G06F11/3438 ,  H04L41/0631 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/1441

Abstract: The technology presented herein improves incident handling in an IT environment. In a particular example, a method provides identifying a first incident in the IT environment. From incident handling information that indicates how a plurality of previous incidents were handled by one or more users, the method provides identifying first information of the incident handling information corresponding to one or more first previous incidents of the plurality of previous incidents that are similar to the first incident. The method further provides determining a suggested course of action from the first information and presenting the suggested course of action to a user of the information technology environment.

公开(公告)号：US11995571B1

公开(公告)日：2024-05-28

申请号：US17961533

申请日：2022-10-06

Applicant: Splunk Inc.

Inventor： Atif Mahadik ,  Govind Salinas ,  Sourabh Satish

IPC: G06Q10/0631 ,  G06F8/34 ,  G06N5/02 ,  G06N5/04

CPC classification number: G06N5/04 ,  G06N5/02 ,  G06Q10/06316 ,  G06F8/34

Abstract: Described herein are improvements for generating courses of action for an information technology (IT) environment. In one example, a method includes determining that a decision step occurs between a one step and two or more other steps of a first course of action associated with an incident type in the information technology environment. The method further includes determining possible outputs of the one step that, when used as input to the decision step, cause the first course of action to proceed from the decision step to respective steps of the two or more other steps. The method also includes incorporating logic into the decision step to direct the course of action to respective steps of the two or more other steps based on one or more of the possible outputs.

公开(公告)号：US11895126B1

公开(公告)日：2024-02-06

申请号：US16657964

申请日：2019-10-18

Applicant: Splunk Inc.

Inventor： Sourabh Satish ,  Robert John Truesdell

IPC: H04L29/06 ,  H04L9/40 ,  G06F9/451

CPC classification number: H04L63/1416 ,  G06F9/451 ,  H04L63/0281 ,  H04L63/1441

Abstract: An information technology (IT) and security operations application is described that enables cross-tenant analyses of data to derive insights that can be used to provide actionable information across the application including, for example, action recommendations, threat confidence scores, and other incident data enrichments. The generation and presentation of such information to users of an IT and security operations application can enable analyst teams to more efficiently and accurately respond to various types of incidents in IT environments, thereby improving the overall operation and security of the IT environments. Furthermore, because of the shared use of an IT and security operations application concurrently by any number of separate tenants, such cross-tenant analyses can be performed in near real-time and on an ongoing basis to deliver relevant insights.

公开(公告)号：US20240031397A1

公开(公告)日：2024-01-25

申请号：US18231715

申请日：2023-08-08

Applicant: Splunk Inc.

Inventor： Sourabh Satish ,  Oliver Friedrichs ,  Atif Mahadik ,  Govind Salinas

IPC: H04L9/40 ,  G06F21/55 ,  G06F16/28

CPC classification number: H04L63/1441 ,  H04L63/20 ,  H04L63/1416 ,  G06F21/554 ,  G06F16/285 ,  H04L63/1433 ,  H04L63/0236 ,  H04L63/1425 ,  H04L47/2425

Abstract: Systems, methods, and software described herein provide enhancements for implementing security actions in a computing environment. In one example, a method of operating an advisement system to provide actions in a computing environment includes identifying a security incident in the computing environment, identifying a criticality rating for the asset, and obtaining enrichment information for the security incident from one or more internal or external sources. The method also provides identifying a severity rating for the security incident based on the enrichment information, and determining one or more security actions based on the enrichment information. The method further includes identifying effects of the one or more security actions on operations of the computing environment based on the criticality rating and the severity rating, and identifying a subset of the one or more security actions to respond to the security incident based on the effects.

公开(公告)号：US11805144B1

公开(公告)日：2023-10-31

申请号：US18061364

申请日：2022-12-02

Applicant: Splunk Inc.

Inventor： Allison Lindsey Drake ,  James Irwin Ebeling ,  Marios Iliofotou ,  Lucas Keith Murphey ,  Mihir Randhir Parikh ,  Amarendra Pendala ,  Krishna Prasanna Sankaran ,  Sourabh Satish

IPC: G06F3/0482 ,  H04L9/40 ,  G06T11/20 ,  G06F16/26 ,  G06F16/2457 ,  G06T11/00 ,  G06F16/248

CPC classification number: H04L63/1425 ,  G06F16/248 ,  G06F16/24578 ,  G06F16/26 ,  G06T11/001 ,  G06T11/206 ,  H04L63/1433 ,  G06F3/0482 ,  G06T2200/24

Abstract: Security related anomalies in the data related to network entities are identified, and a risk score is assigned to each entity based on the anomalies. Visualization data is generated for a color-coded interactive visualization. Generating the visualization data includes assigning each entity to a separate polygon to be displayed concurrently on a display screen; selecting a size of each polygon to indicate one of: a number of security related anomalies associated with the entity, or a risk level assigned to the entity, where the risk level is based on the risk score of the entity, and selecting a color of each polygon to indicate the other one of: the number of security related anomalies associated with the entity, or the risk level assigned to the entity; and causing, the color-coded interactive visualization to be displayed on a display device based on the visualization data.

公开(公告)号：US11677780B2

公开(公告)日：2023-06-13

申请号：US17104537

申请日：2020-11-25

Applicant: Splunk Inc.

Inventor： Sourabh Satish ,  Oliver Friedrichs ,  Atif Mahadik ,  Govind Salinas

IPC: H04L9/40 ,  G06F21/55 ,  G06F16/28 ,  H04L47/2425

CPC classification number: H04L63/1441 ,  G06F16/285 ,  G06F21/554 ,  H04L63/0236 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/20 ,  H04L47/2425

Abstract: Systems, methods, and software described herein provide for responding to security threats in a computing environment based on the classification of computing assets in the environment. In one example, a method of operating an advisement computing system includes identifying a security threat for an asset in the computing environment, and identifying a classification for the asset in relation to other assets within the computing environment. The method further provides determining a rule set for the security threat based on the classification for the asset and initiating a response to the security threat based on the rule set.

公开(公告)号：US11658998B2

公开(公告)日：2023-05-23

申请号：US17306703

申请日：2021-05-03

Applicant: Splunk Inc.

Inventor： Sourabh Satish ,  Oliver Friedrichs ,  Atif Mahadik ,  Govind Salinas

IPC: H04L9/40 ,  G06F21/55 ,  G06F16/28 ,  H04L47/2425

CPC classification number: H04L63/1441 ,  G06F16/285 ,  G06F21/554 ,  H04L63/0236 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/20 ,  H04L47/2425

Abstract: Systems, methods, and software described herein enhances how security actions are implemented within a computing environment. In one example, a method of implementing security actions for a computing environment comprising a plurality of computing assets includes identifying a security action in a command language for the computing environment. The method further provides identifying one or more computing assets related to the security action, and obtaining hardware and software characteristics for the one or more computing assets. The method also includes translating the security action in the command language to one or more action procedures based on the hardware and software characteristics, and initiating implementation of the one or more action procedures in the one or more computing assets.

公开(公告)号：US11652849B2

公开(公告)日：2023-05-16

申请号：US17125675

申请日：2020-12-17

Applicant: Splunk Inc.

Inventor： Sourabh Satish ,  Oliver Friedrichs ,  Atif Mahadik ,  Govind Salinas ,  Ryan Russell

IPC: H04L9/40 ,  G06F21/00 ,  G06F21/57

CPC classification number: H04L63/20 ,  G06F21/00 ,  G06F21/577

Abstract: Systems, methods, and software described herein provide for identifying recommended feature sets for new security applications. In one example, a method of providing recommended feature sets for a new security application includes identifying a request for the new security application, and determining a classification for the new security application. The method further provides identifying related applications to the new security application based on the classification, and identifying a feature set for the new security application based on features provided in the related applications.

公开(公告)号：US11593477B1

公开(公告)日：2023-02-28

申请号：US16779465

申请日：2020-01-31

Applicant: Splunk Inc.

Inventor： Vadan Thimmegowda ,  Sourabh Satish ,  Tejas Wanjari

IPC: G06F21/55 ,  G06F21/57 ,  G06F16/245 ,  G06F9/48 ,  G06F16/25 ,  G06F21/71

Abstract: Techniques are described that enable an IT and security operations application to prioritize the processing of selected events for a defined period of time. Data is obtained reflecting activity within an IT environment, wherein the data includes a plurality of events each representing an occurrence of activity within the IT environment. A severity level is assigned to each event of the plurality of events, where the events are processed by the IT and security operations application in an order that is based at least in part on the severity level assigned to each event. Input is received identifying at least one event of the plurality of events for expedited processing to obtain a set of expedited events, and the identified events are processed by the IT and security operations application before processing events that are not in the set of expedited events.

公开(公告)号：US11416561B1

公开(公告)日：2022-08-16

申请号：US16429044

申请日：2019-06-02

Applicant: Splunk Inc.

Inventor： Sourabh Satish ,  David Wayman ,  Kavita Varadarajan

IPC: G06F16/906 ,  H04L9/40 ,  G06F16/907 ,  G06F16/9038 ,  G06F16/11 ,  G06F3/0482

Abstract: Techniques are described for enabling analysts and other users of an IT operations platform to identify certain data objects managed by the platform (for example, events, files, notes, actions results, etc.) as “evidence” when such data objects are believed to be of particular significance to an investigation or other matter. For example, an event generated based on data ingested from an anti-virus service and representing a security-related incident might include artifacts indicating an asset identifier, a hash value of a suspected malicious file, a file path on the infected endpoint, and so forth. An analyst can use various interfaces and interface elements of an IT operations platform to indicate which of such events and/or artifacts, if any, represent evidence in the context of the investigation that the analyst is conducting. In response, the IT operations platform can perform various automated actions.