-
Publication (Announcement) No.: US12074901B1
Publication (Announcement) Date: 2024-08-27
Application No.: US18177620
Filing Date: 2023-03-02
Applicant: Splunk Inc.
Inventor: Sourabh Satish , Oliver Friedrichs , Atif Mahadik , Govind Salinas
CPC classification number: H04L63/1433 , H04L63/14 , H04L63/1441 , H04L63/20 , G06F21/577
Abstract: Systems, methods, and software described herein provide for validating security actions before they are implemented in a computing network. In one example, a computing network may include a plurality of computing assets that provide a variety of different operations. During the operations of the network, administration systems may generate and provide security actions to prevent or mitigate the effect of a security threat on the network. However, prior to implementing the security actions within the network, computing assets may exchange security parameters with the administration systems to verify that the security actions are authentic.
-
Publication (Announcement) No.: US11949702B1
Publication (Announcement) Date: 2024-04-02
Application No.: US18052030
Filing Date: 2022-11-02
Applicant: Splunk Inc.
Inventor: Sumit Singh Bagga , Francis E. Gerard , Robin Jinyang Hu , Marios Iliofotou , J. Evan Jordan , Amarendra Pendala , Sourabh Satish
CPC classification number: H04L63/1425 , H04L65/61
Abstract: A method comprises acquiring anomaly data including a plurality of anomalies detected from streaming data, wherein each of the anomalies relates to an entity on or associated with a computer network. The method determines a risk score of each of the anomalies, and adjusts the risk score of an anomaly according to a set of factors. The method further determines, for each of a plurality of sliding time windows of different lengths, an entity score of the entity in relation to the sliding time window, based on an aggregation of risk scores of all anomalies related to the entity that were detected within the sliding time window, where the entity score corresponds to a risk level associated with the entity. An action to prevent the entity from performing an operation can be determined and caused to occur based on the entity score.
-
53.
Publication (Announcement) No.: US11916929B1
Publication (Announcement) Date: 2024-02-27
Application No.: US16657966
Filing Date: 2019-10-18
Applicant: Splunk Inc.
Inventor: Vadan Thimmegowda , Sourabh Satish
IPC: H04L9/40
CPC classification number: H04L63/1416
Abstract: An information technology (IT) and security operations application enables the automatic assignment of incident events to analysts based on a variety of characteristics of the incident events to be assigned, the analysts and analyst teams, and other considerations. An IT and security operations application can perform the automatic assignment of incident events based at least in part on data indicating each analyst's knowledge of certain types of incidents, data indicating each analyst's efficiency at responding to certain types of incidents, and the like, where such data is automatically created and maintained by the application. In this manner, incident events can be efficiently assigned to analysts upon their receipt by the system without the need for a security team to constantly perform a cumbersome incident event assignment process based on a limited set of data, thereby improving analyst teams' ability to efficiently ensure the operation and security of IT environments for which the teams are responsible.
-
Publication (Announcement) No.: US11880558B1
Publication (Announcement) Date: 2024-01-23
Application No.: US17750032
Filing Date: 2022-05-20
Applicant: Splunk Inc.
Inventor: Timur Catakli , Sourabh Satish
IPC: G06F3/04847 , G06F3/0482 , G06F16/335 , H04L41/22 , H04L9/40 , H04L67/75 , G06F16/25 , G06F9/451
CPC classification number: G06F3/04847 , G06F3/0482 , G06F9/451 , G06F16/252 , G06F16/337 , H04L41/22 , H04L63/20 , H04L67/75
Abstract: An information technology (IT) and security operations application is described that stores data reflecting customizations that users make to GUIs displaying information about various types of incidents, and further uses such data to generate “popular” interface profiles indicating popular GUI modifications. The analysis of the GUI customizations data is performed using data associated with multiple tenants of the IT and security operations application to develop profiles that may represent a general consensus on a collection and arrangement of interface elements that enable analysts to efficiently respond to certain types of incidents. Users of the IT and security operations application can then optionally apply these popular interface profiles to various GUIs during their use of the application. Among other benefits, the ability to generate and provide popular interface profiles can help analysts and other users more efficiently investigate and respond to a wide variety of incidents within IT environments, thereby improving the operation and security of those environments.
-
55.
Publication (Announcement) No.: US11734008B1
Publication (Announcement) Date: 2023-08-22
Application No.: US17506440
Filing Date: 2021-10-20
Applicant: Splunk Inc.
Inventor: Trenton John Beals , Glenn Gallien , Govind Salinas , Sourabh Satish
IPC: G06F9/30
CPC classification number: G06F9/3017
Abstract: Examples described herein relate to customization of courses of action for responding to incidents in information technology (IT) environments. An incident management service executes incident response monitoring, identification and remediation across an IT environment for one or more entities that may have their own configuration of computing assets (computing environment) within the IT environment. A course of action outlines remediation actions for responding to specific types of incidents within an IT environment. A course of action is customized for implementation within a particular computing environment associated with an entity. Customization of a course of action comprises generation and implementation of sets of instructions that are usable to tailor remedial actions for execution in computing environments of different entities. A set of instructions provides commands/calls that are specific to computing assets associated with an entity, which are usable to execute remedial actions for a specific type of incident.
-
Publication (Announcement) No.: US11647043B2
Publication (Announcement) Date: 2023-05-09
Application No.: US16863557
Filing Date: 2020-04-30
Applicant: Splunk Inc.
Inventor: Sourabh Satish , Oliver Friedrichs , Atif Mahadik , Govind Salinas
IPC: H04L9/40 , G06F21/55 , G06F16/28 , H04L47/2425
CPC classification number: H04L63/1441 , G06F16/285 , G06F21/554 , H04L63/0236 , H04L63/1416 , H04L63/1425 , H04L63/1433 , H04L63/20 , H04L47/2425
Abstract: Systems, methods, and software described herein provide for identifying and implementing security actions within a computing environment. In one example, a method of operating an advisement system to provide security actions in a computing environment includes identifying communication interactions between a plurality of computing assets and, after identifying the communication interactions, identifying a security incident in a first computing asset. The method further provides identifying at least one related computing asset to the first asset based on the communication interactions, and determining the security actions to be taken in the first computing asset and the related computing asset.
-
Publication (Announcement) No.: US11621883B1
Publication (Announcement) Date: 2023-04-04
Application No.: US17580510
Filing Date: 2022-01-20
Applicant: Splunk Inc.
Inventor: Sourabh Satish
IPC: H04L41/0631 , G06F16/34 , H04L9/40 , H04L41/22 , H04L41/14
Abstract: Described herein are systems, methods, and software to enhance the management of responses to incidents in an information technology (IT) environment. In one example, a management system identifies an incident in an IT environment, identifies an initial status for the incident for an analyst of the IT environment, and provides the initial status for display to the analyst. The management system further monitors state information for the incident in the IT environment, identifies a second status of the incident based on the monitored state, and provides the second status for display to the analyst.
-
Publication (Announcement) No.: US11558412B1
Publication (Announcement) Date: 2023-01-17
Application No.: US17216471
Filing Date: 2021-03-29
Applicant: Splunk Inc.
Inventor: Allison Lindsey Drake , James Irwin Ebeling , Marios Iliofotou , Lucas Keith Murphey , Mihir Randhir Parikh , Amarendra Pendala , Krishna Prasanna Sankaran , Sourabh Satish
IPC: G06F3/0482 , H04L9/40 , G06F16/26 , G06F16/2457 , G06T11/20 , G06T11/00 , G06F16/248
Abstract: Security related anomalies in the data related to network entities are identified, and a risk score is assigned to each entity based on the anomalies. Visualization data is generated for a color-coded interactive visualization. Generating the visualization data includes assigning each entity to a separate polygon to be displayed concurrently on a display screen; selecting a size of each polygon to indicate one of: a number of security related anomalies associated with the entity, or a risk level assigned to the entity, where the risk level is based on the risk score of the entity, and selecting a color of each polygon to indicate the other one of: the number of security related anomalies associated with the entity, or the risk level assigned to the entity; and causing, the color-coded interactive visualization to be displayed on a display device based on the visualization data.
-
Publication (Announcement) No.: US11552974B1
Publication (Announcement) Date: 2023-01-10
Application No.: US17086146
Filing Date: 2020-10-30
Applicant: Splunk Inc.
Inventor: Sumit Singh Bagga , Francis E. Gerard , Robin Jinyang Hu , Marios Iliofotou , J. Evan Jordan , Amarendra Pendala , Sourabh Satish
Abstract: A method comprises acquiring anomaly data including a plurality of anomalies detected from streaming data, wherein each of the anomalies relates to an entity on or associated with a computer network. The method determines a risk score of each of the anomalies, and adjusts the risk score of an anomaly according to a set of factors. The method further determines, for each of a plurality of sliding time windows of different lengths, an entity score of the entity in relation to the sliding time window, based on an aggregation of risk scores of all anomalies related to the entity that were detected within the sliding time window, where the entity score corresponds to a risk level associated with the entity. An action to prevent the entity from performing an operation can be determined and caused to occur based on the entity score.
-
60.
Publication (Announcement) No.: US11323472B2
Publication (Announcement) Date: 2022-05-03
Application No.: US17033146
Filing Date: 2020-09-25
Applicant: Splunk Inc.
Inventor: Sourabh Satish , Oliver Friedrichs , Atif Mahadik , Govind Salinas
IPC: H04L29/06 , G06F21/55 , G06F16/28 , H04L47/2425
Abstract: Systems, methods, and software described herein provide security actions based on related security threat communications. In one example, a method of operating an advisement system includes identifying a security threat within the computing environment, wherein the computing environment comprises a plurality of computing assets. The method further provides obtaining descriptor information for the security threat, and retrieving related communication interactions based on the descriptor information. The method also includes generating a response to the security threat based on the related communication interactions.