-
Publication number: US20170178025A1
Publication date: 2017-06-22
Application number: US14978963
Application date: 2015-12-22
Applicant: SAP SE
Inventor: Susan Marie Thomas , Hartwig Seifert , Harish Mehta , Thomas Kunz , Omar Alexander Al-Hujaj , Eugen Pritzkau , Lukas Carullo , Rita Merkel , Marco Rodeck
CPC classification number: G06N20/00 , G06F16/2465 , G06F21/552 , G06N5/022 , G06N5/025 , H04L63/1408 , H04L63/1425
Abstract: A log file including a plurality of log entries is accessed. Each log entry of the plurality of log entries is analyzed to identify components of each log entry. The components of the particular log entry indicate an event. The event is associated with roles. Each role is associated with one or more attributes. Semantic meaning of the event associated with the particular log entry is determined. A mapping is performed by applying contextual information from one or more semantic meaning models stored in a knowledgebase to the identified components of each log entry to derive semantic meaning for the particular log entry. The derived semantic meaning is modeled for the particular log entry. The modeled semantic meaning is recorded in the knowledgebase as a new semantic meaning model for future use.
-
Publication number: US11128651B2
Publication date: 2021-09-21
Application number: US16734986
Application date: 2020-01-06
Applicant: SAP SE
Inventor: Eugen Pritzkau , Joscha Philipp Bohn , Daniel Kartmann , Wei-Guo Peng , Hristina Dinkova , Lin Luo , Thomas Kunz , Marco Rodeck , Hartwig Seifert , Harish Mehta , Nan Zhang , Rita Merkel , Florian Chrosziel
IPC: H04L29/06 , G06F3/0482 , G06F21/55 , G06F16/33
Abstract: Search results are received from an initiated free text search of log data from one or more logs, where the free text is performed using search terms entered into a free text search graphical user interface. A set of at least one search result is selected from the search results containing an event desired to be identified in a completed enterprise threat detection (ETD) pattern. A forensic lab application is rendered to complete an ETD pattern. An event filter is added for an event type based on normalized log data to a path. A relative ETD pattern time range is set and an ETD pattern is completed based on the added event filter.
-
Publication number: US20190190927A1
Publication date: 2019-06-20
Application number: US15847450
Application date: 2017-12-19
Applicant: SAP SE
Inventor: Wei-Guo Peng , Lin Luo , Eugen Pritzkau , Hartwig Seifert , Harish Mehta , Nan Zhang , Thorsten Menke , Jona Hassforther , Rita Merkel , Florian Chrosziel , Kathrin Nos , Marco Rodeck , Thomas Kunz
Abstract: A filter is selected from one or more filters defined for an ETD Network Graph. Events are fetched from the selected log files based on the selected filter and entities identified based on the fetched Events. Relationships are determined between the identified entities, and the determined relationships and identified entities are displayed in the ETD Network Graph. An identified entity is selected to filter data in an ETD Event Series Chart. An Event is selected in the ETD Event Series Chart to display Event Attributes in an Event Attribute Dialog. An Event Attribute is selected in the Event Attribute Dialog to filter Events in the ETD Event Series Chart.
-
Publication number: US20190005423A1
Publication date: 2019-01-03
Application number: US15639863
Application date: 2017-06-30
Applicant: SAP SE
Inventor: Eugen Pritzkau , Wei-Guo Peng , Thomas Kunz , Hartwig Seifert , Lin Luo , Marco Rodeck , Rita Merkel , Hristina Dinkova , Florian Chrosziel , Nan Zhang , Harish Mehta
Abstract: An information technology computing landscape is divided up into hierarchically-dependent components. Relevant risk factors are identified for each component and the identified relevant risk factors are separated for each component into static and dynamic risk factor groups. The weight of each risk factor is determined in the static and dynamic risk factor groups for each component. Static and dynamic security risks are calculated for each component.
-
Publication number: US20180091536A1
Publication date: 2018-03-29
Application number: US15274693
Application date: 2016-09-23
Applicant: SAP SE
Inventor: Florian Chrosziel , Thomas Kunz , Kathrin Nos , Marco Rodeck
IPC: H04L29/06
CPC classification number: H04L63/1425 , G06F21/552 , H04L63/1416 , H04L63/1433
Abstract: A log entry is received at a streaming component of an enterprise threat detection (ETD) system from a real-time push application programming interface (API) associated with a backend computing system. The received log entry is parsed using a runtime parser associated with the streaming component into mapped data in an ETD format compatible with the ETD system. The mapped data is transferred to an ETD streaming project and enriched. The streaming component writes the enriched data into a database associated with the ETD system.
-
Publication number: US20180091535A1
Publication date: 2018-03-29
Application number: US15274569
Application date: 2016-09-23
Applicant: SAP SE
Inventor: Florian Chrosziel , Jona Hassforther , Thomas Kunz , Harish Mehta , Rita Merkel , Kathrin Nos , Wei-Guo Peng , Eugen Pritzkau , Marco Rodeck , Hartwig Seifert , Nan Zhang , Thorsten Menke , Hristina Dinkova , Lin Luo
CPC classification number: H04L63/1425 , G06F11/30 , G06F11/302 , G06F11/3051 , G06F11/323 , G06F16/128 , G06F16/248 , G06F21/00 , G06F2201/865 , G06Q10/0635
Abstract: An enterprise threat detection (ETD) forensic workspace is established according to a particular timeframe and permitting defining a selection of data types from available log data for an evaluation of events associated with one or more entities. A chart is defined illustrating a graphical distribution of a particular data type in the forensic workspace. A snapshot associated with the chart is generated, the snapshot saving a copy of all data necessary to re-create the chart into an associated snapshot object. The snapshot is associated with a snapshot page for containing the snapshot and the snapshot page is saved within the ETD forensic workspace.
-
Publication number: US20180027010A1
Publication date: 2018-01-25
Application number: US15216201
Application date: 2016-07-21
Applicant: SAP SE
Inventor: Eugen Pritzkau , Kathrin Nos , Marco Rodeck , Florian Chrosziel , Jona Hassforther , Rita Merkel , Thorsten Menke , Thomas Kunz , Hartwig Seifert , Harish Mehta , Wei-Guo Peng , Lin Luo , Nan Zhang , Hristina Dinkova
CPC classification number: H04L63/1433 , H04L43/106 , H04L63/1408 , H04L67/02
Abstract: A computer-implemented method generates a trigger registration for a selected triggering type. The generated trigger registration is stored in a triggering persistency. A received event from an event persistency is analyzed and data associated with the analyzed event is compared with the triggering persistency. Based on the comparison and using a pattern execution framework, an enterprise threat detection (ETD) pattern is processed to perform actions responsive to the received event.
-
Publication number: US20170180403A1
Publication date: 2017-06-22
Application number: US14978984
Application date: 2015-12-22
Applicant: SAP SE
Inventor: Harish Mehta , Hartwig Seifert , Thomas Kunz , Anne Jacobi , Marco Rodeck , Florian Kraemer , Björn Brencher , Nan Zhang
IPC: H04L29/06
CPC classification number: H04L63/1425 , H04L63/1416
Abstract: A transfer of master data is executed in a backend computing system. The master data includes user data and system data. The transfer of master data includes receiving user data associated with a particular user identifier in the backend computing system, transferring the received user data to an event stream processor, receiving system data associated with a particular log providing computing system in the backend computing system, transferring the received user data to the event stream processor, and executing a transfer of log data associated with logs of computing systems connected to the backend computing system.
-
Publication number: US20170178026A1
Publication date: 2017-06-22
Application number: US14978995
Application date: 2015-12-22
Applicant: SAP SE
Inventor: Susan Marie Thomas , Rita Merkel , Lukas Carullo , Viktor Bersch , Harish Mehta , Hartwig Seifert , Thomas Kunz , Florian Chrosziel , Omar Alexander Al-Hujaj , Marco Rodeck
CPC classification number: G06N20/00 , G06F16/2465 , G06F21/552 , G06N5/025 , G06N5/046
Abstract: A sample log file including a plurality of log entries for log learning is accessed, using a log interpretation controller, prior to runtime as part of a log learning process. Each of the plurality of log entries is analyzed. A log entry type is assigned to each of the plurality of log entries. A log type and semantic event are assigned to each log entry type. Generation of runtime rules is triggered for analyzing unknown log entries. The runtime rules include characteristics of particular log entry types that allow unique identification of the particular log entry type for a particular unknown log entry. The generated runtime rules are loaded into a runtime parser.
-