公开(公告)号：US12047407B2

公开(公告)日：2024-07-23

申请号：US18228982

申请日：2023-08-01

Applicant: Splunk Inc.

Inventor： Sourabh Satish ,  Oliver Friedrichs ,  Atif Mahadik ,  Govind Salinas

IPC: H04L9/40 ,  G06F16/28 ,  G06F21/55 ,  H04L47/2425

CPC classification number: H04L63/1441 ,  G06F16/285 ,  G06F21/554 ,  H04L63/0236 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/20 ,  H04L47/2425

Abstract: Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.

公开(公告)号：US12028222B1

公开(公告)日：2024-07-02

申请号：US17560747

申请日：2021-12-23

Applicant: Splunk Inc.

Inventor： Atif Mahadik ,  Ryan Connor Means ,  Govind Salinas ,  Sourabh Satish

IPC: H04L41/14 ,  H04L41/0631 ,  H04L41/0654 ,  H04L41/22

CPC classification number: H04L41/145 ,  H04L41/0636 ,  H04L41/0645 ,  H04L41/0654 ,  H04L41/22

Abstract: Described herein are improvements for generating courses of action for an information technology (IT) environment. In one example, a method includes identifying a first course of action for responding to an incident type in an information technology environment and generating a simulated incident associated with the incident type. The method further includes initiating performance of the first course of action based on the generation of the simulated incident. The method also includes, upon reaching a particular step of the first course of action that prevents the performance of the first course of action from proceeding, providing a first simulated result that allows the performance of the first course of action to proceed.

公开(公告)号：US11902306B1

公开(公告)日：2024-02-13

申请号：US16863911

申请日：2020-04-30

Applicant: Splunk Inc.

Inventor： Sourabh Satish

IPC: H04L9/40

CPC classification number: H04L63/1425 ,  H04L63/1441 ,  H04L2463/121

Abstract: Techniques are described for enabling an IT and security operations application to detect and remediate advanced persistent threats (APTs). The detection of APTs involves the execution of search queries to search event data that initially was associated with lower-severity activity or that otherwise did not initially rise to the level of actionable event data in the application. The execution of such search queries may thus generally be configured to search non-real-time event data, e.g., event data that outside of a current window of days or a week and instead searches and aggregates event data spanning time periods of many weeks, months, or years. Due the nature of APTs, analyses of historical event data spanning such relatively long periods of time may in the aggregate uncover the types of persistent activity associated with APTs that would otherwise go undetected based only on searches of more current, real-time event data.

公开(公告)号：US11870802B1

公开(公告)日：2024-01-09

申请号：US17710523

申请日：2022-03-31

Applicant: Splunk Inc.

Inventor： Sourabh Satish ,  Oliver Friedrichs ,  Atif Mahadik ,  Govind Salinas

IPC: H04L9/40 ,  G06F21/55 ,  G06F16/28 ,  H04L47/2425

CPC classification number: H04L63/1441 ,  G06F16/285 ,  G06F21/554 ,  H04L63/0236 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/20 ,  H04L47/2425

Abstract: Systems, methods, and software described herein provide security actions based on related security threat communications. In one example, a method of operating an advisement system includes identifying a security threat within the computing environment, wherein the computing environment comprises a plurality of computing assets. The method further provides obtaining descriptor information for the security threat, and retrieving related communication interactions based on the descriptor information. The method also includes generating a response to the security threat based on the related communication interactions.

公开(公告)号：US11863583B2

公开(公告)日：2024-01-02

申请号：US17327098

申请日：2021-05-21

Applicant: Splunk Inc.

Inventor： Oliver Friedrichs ,  Atif Mahadik ,  Govind Salinas ,  Sourabh Satish

IPC: H04L29/06 ,  H04L9/40 ,  H04L9/00 ,  G06F21/55

CPC classification number: H04L63/1441 ,  G06F21/55 ,  H04L9/002 ,  H04L63/029 ,  H04L63/1491

Abstract: Described herein are systems and methods for enhancing an interface for an information technology (IT) environment. In one implementation, an incident service causes display of a first version of a course of action and obtains input indicative of a request for a new action in the course of action. The incident service further determines suggested actions based at least one the input and causes display of the suggested actions. Once displayed, the incident service obtains input indicative of a selection of at least one action from the suggested actions, and causes display input indicative of a selection of at least one action from the suggested actions.

公开(公告)号：US11757925B2

公开(公告)日：2023-09-12

申请号：US17242165

申请日：2021-04-27

Applicant: Splunk Inc.

Inventor： Sourabh Satish ,  Oliver Friedrichs ,  Atif Mahadik ,  Govind Salinas

IPC: H04L9/40 ,  G06F21/55 ,  G06F16/28 ,  H04L47/2425

CPC classification number: H04L63/1441 ,  G06F16/285 ,  G06F21/554 ,  H04L63/0236 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/20 ,  H04L47/2425

Abstract: Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.

公开(公告)号：US11588678B2

公开(公告)日：2023-02-21

申请号：US17407738

申请日：2021-08-20

Applicant: Splunk Inc.

Inventor： Oliver Friedrichs ,  Atif Mahadik ,  Govind Salinas ,  Sourabh Satish

IPC: H04L41/0631 ,  H04L41/0654 ,  H04L41/14 ,  H04L9/40 ,  H04L41/22 ,  H04L41/5074 ,  G06F21/55 ,  H04L41/08

Abstract: Described herein are systems, methods, and software to enhance the management of responses to incidents. In one example, a method of improving incident response comprises identifying an incident in an information technology (IT) environment associated with a first entity of a plurality of entities, and identifying action implementation information related to the incident. The method further anonymizes the action implementation information for the incident, and determines action suggestions based at least on the anonymized action implementation information.

公开(公告)号：US11586722B2

公开(公告)日：2023-02-21

申请号：US17106001

申请日：2020-11-27

Applicant: Splunk Inc.

Inventor： Govind Salinas ,  Sourabh Satish ,  Robert John Truesdell

IPC: G06F21/45 ,  G06F21/60 ,  H04L9/40 ,  G06F21/44

Abstract: Described herein are improvements for responding to incidents in an information technology (IT) environment. In one example, a method includes, in an incident response system, receiving authentication information for use by a first component for responding to an incident in an information technology (IT) environment. The method further includes encrypting the authentication information and storing the authentication information in the incident response system along with encrypted parameters for operating the first component. In the incident response system, upon determining that the first component requires the authentication information for an interaction, the method provides retrieving the authentication information and providing the authentication information to the first component.

公开(公告)号：US11516069B1

公开(公告)日：2022-11-29

申请号：US17086232

申请日：2020-10-30

Applicant: Splunk Inc.

Inventor： Sourabh Satish ,  Paul Agbabian ,  Anurag Singla

IPC: H04L41/0631 ,  H04L9/40 ,  H04L41/22 ,  H04L41/0604 ,  H04L43/045 ,  H04L43/067

Abstract: Techniques are described for an IT and security operations application to automatically generate aggregate (or “bulk,” “group,” or “composite”) notable events by identifying notable events sharing common characteristics and aggregating the related notable events into a single aggregate notable event entity that can be displayed and operated upon. The IT and security operations application identifies related notable events based on notable events generated by a common correlation search, notable events having common event attributes, based on user-specified relatedness criteria, or other such criteria. Once identified, in some embodiments, the IT and security operations application displays, in notable event lists and other interfaces, a singular aggregate notable event to users representing each of the identified related notable events.

公开(公告)号：US11501184B1

公开(公告)日：2022-11-15

申请号：US16119322

申请日：2018-08-31

Applicant: Splunk Inc.

Inventor： Atif Mahadik ,  Govind Salinas ,  Sourabh Satish

IPC: G06Q10/06 ,  G06F8/34 ,  G06N5/04 ,  G06N5/02

Abstract: Described herein are improvements for generating courses of action for an information technology (IT) environment. In one example, a method includes determining that a decision step occurs between a one step and two or more other steps of a first course of action associated with an incident type in the information technology environment. The method further includes determining possible outputs of the one step that, when used as input to the decision step, cause the first course of action to proceed from the decision step to respective steps of the two or more other steps. The method also includes incorporating logic into the decision step to direct the course of action to respective steps of the two or more other steps based on one or more of the possible outputs.