Abstract: A computer-implemented method of determining whether to configure a detection comprised within a query is disclosed. The method includes analyzing a query to determine clauses within the query that identify logs relevant to the detection comprised within the query. The method further includes determining a statistical distribution for modeling a likely hit rate of the detection. Additionally, the method includes updating the statistical distribution with information associated with an observed hit rate. Also, the method includes determining a hit rate for the detection using the updated statistical distribution and live telemetry data and computing a confidence score for the detection. Responsive to a determination that the confidence score for the detection is above a predetermined threshold, the method includes maintaining the detection online.

Abstract: Embodiments of the present disclosure provide techniques for efficiently and accurately performing propagation of search-head specific configuration customizations across multiple individual configuration files of search heads of a cluster for a consistent user experience. The cluster of search heads may be synchronized such that the search heads operate to receive the configuration or knowledge object customizations from one or more clients from a central or lead search head. To reduce the amount of data that is transferred during propagation, the list of configuration or knowledge object customizations maintained in each search head is filtered from the list of the lead search head until a divergence point is determined. Once determined and communicated to the lead search head, the lead search head sends the configuration and knowledge object customization data that is absent from the internal list of the member search head.

Abstract: Techniques for leveraging the MASQUE protocol to provide remote clients with full application access to private enterprise resources are described herein. One or more network nodes may be configured to execute a MASQUE proxy service to provide a remote client device with full access to an enterprise/private application resource executing on an application node and hosted in an enterprise/application network, behind the MASQUE proxy service. In some examples, the MASQUE proxy service may execute on a single proxy node hosted at an edge of a cloud network or at an edge of an enterprise network. Additionally, or alternatively, a first instance of the MASQUE proxy service may execute on a first proxy node hosted at an edge of a cloud network (e.g., an ingress proxy node) and a second instance of the MASQUE proxy service may execute on a second proxy node hosted at an edge of the enterprise network.

Abstract: Techniques for detecting duplicate data flows. A data packet of a data flow is received by computer hardware the data packet having a first five tuple, an ingress interface and a VLAN tag. Data is sent to a central processing unit. The central processing unit installs policy tiles into a policy tile database of the computer hardware, the policy tiles including the first five tuple, the first ingress interface and the first VLAN tag. A second data packet is received and compared with the policy tiles in the policy tile database. If the second data packet has the same five tuple as the first data packet but has either a different ingress interface or a different VLAN tag, then the second data packet is determined to be a duplicate of the first data flow and is dropped.

Abstract: A software module ingests data into a data intake and query system. At least a portion of the data is cloud data. The software module includes an event type definition that specifies a type of data to be ingested by the software module, a first tag that associates ingested data of the event type with a data model, and a second tag that designates ingested data of the event type as cloud data. The ingested data is stored in a data repository, and subsequently a search query that includes the first tag and the second tag is executed against the data repository, to identify ingested cloud data that satisfies the search query and a first search constraint specified in the data model. A display device is caused to display a visualization based on the identified ingested cloud data that satisfies the search query.

Abstract: The subject technology relates to the management of a shared buffer memory in a network switch. Systems, methods, and machine readable media are provided for receiving a data packet at a first network queue from among a plurality of network queues, determining if a fill level of a queue in a shared buffer of the network switch exceeds a dynamic queue threshold, and in an event that the fill level of the shared buffer exceeds the dynamic queue threshold, determining if a fill level of the first network queue is less than a static queue minimum threshold.

Abstract: An enclave manager of a network enclave obtains a request to retrieve configuration information and state information corresponding to compute devices and network devices comprising a network enclave. The request specifies a set of parameters of the configuration information and the state information usable to generate a response to the request. The enclave manager evaluates the compute devices, the network devices, and network connections among these devices within the network enclave to obtain the configuration information and the state information. Based on the configuration information and the state information, the enclave manager determines whether the network enclave is trustworthy. Based on the parameters of the request, the enclave manager generates a response indicating a summary that is used to identify the trustworthiness of the network enclave.

Abstract: Systems, methods, and computer-readable media for managing storing of data in a data storage system using a client tag. In some examples, a first portion of a data load as part of a transaction and a client identifier that uniquely identifies a client is received from the client at a data storage system. The transaction can be tagged with a client tag including the client identifier and the first portion of the data load can be stored in storage at the data storage system. A first log entry including the client tag is added to a data storage log in response to storing the first portion of the data load in the storage. The first log entry is then written from the data storage log to a persistent storage log in persistent memory which is used to track progress of storing the data load in the storage.

Abstract: A computing device receives an ingest preview request to preview events to be stored by at least one indexer. Responsive to the ingest preview request, the computing device sends a subscription request to the forwarders. The forwarders receive the subscription request and intercept the events that are being sent to at least one of the indexers. The forwarders then clone matching events to the subscription request and responds to the computing device with the matching events. When the computing device receives the matching events, the computing device adds the matching events to a dispatch directory. The user interface is then populated with events in the dispatch directory.

Abstract: Network environment health monitoring is provided by receiving an alert indicating that a first station (STA) is experiencing a connection with a first Access Point (AP) below a quality threshold; identifying a set of APs connected to a shared network with the first AP within one hop of the first AP; aggregating signal metrics for the first STA from the first AP and each AP of the set of APs; identifying a cause for the connection performing below the quality threshold based on the signal metrics as aggregated; and performing a remediation strategy based on the cause as identified.

Abstract: Techniques for using global virtual network instance (VNI) labels in a multi-domain network to route network data with a multi-tenant network overlay are described herein. A routing device provisioned in a network domain of the multi-domain network may register with a service discovery system of the network domain for use of network configuration data to establish routes through the multi-domain network with network nodes. Each network domain of the multi-domain network may include an application programming interface (API) server for processing API requests to make changes to configurations of a network domain. A border gateway protocol (BGP) large community may be utilized to encode global VNI labels, network addresses, local next hop nodes, and/or additional network information and sent to routing devices provisioned in separate network domains. A service chain may be signaled by global VNI labels to route network traffic through various services prior to reaching a destination endpoint.

Abstract: Disclosed herein is a computer-implemented tool that facilitates data analysis by use of machine learning (ML) techniques. The tool cooperates with a data intake and query system and provides a graphical user interface (GUI) that enables a user to train and apply a variety of different ML models on user-selected datasets of stored machine data. The tool can provide active guidance to the user, to help the user choose data analysis paths that are likely to produce useful results and to avoid data analysis paths that are less likely to produce useful results.

Abstract: Optimizing or otherwise improving sounding intervals may be provided. Improving sounding intervals can include generating predicted Channel State information (CSI) of a Station (STA). A Null Data Packet (NDP) Announcement (NDPA) can be sent to the STA, wherein the NDPA instructs the STA to send compressed CSI. A reference signal is then sent to the STA. Finally, the compressed CSI is received from the STA.

Abstract: Predicting network throughput and balancing network loads may be provided. Predicting network throughput and balancing network loads can comprise receiving traffic information from a plurality of Access Points (APs). Based on the traffic information, traffic associated with the plurality of APs can be modeled. Based on the modeled traffic, a gain in AP efficiency for one or more APs of the plurality of APs can be modeled when modifying Station (STA) traffic of a STA. A recommendation can be sent to one or more recipient APs of the plurality of APs, wherein the recommendation indicates the gain in AP efficiency for the one or more APs when modifying the STA traffic.

Abstract: Systems, methods, and computer-readable storage media are provided for provisioning a common subnet across a number of subscribers and their respective virtual networks using dynamically generated network policies that provide isolation between the subscribers. The dynamic generation of the network policies is performed when a host (e.g. client) is detected (via a switch) as the host joins the computing network via virtual networks. This ability to configure a common subnet for all the subscriber virtual networks allows these subscribers to more easily access external shared services coming from a headquarter site while keeping the separation and segmentation of multiple subscriber virtual networks within a single subnet. This allows the Enterprise fabric to be more simple and convenient to deploy without making security compromises.

Abstract: Wireless dynamic file exchange is provided by, in response to a triggering network condition occurring, initiating an exchange of a parameter file including non-layer two content via a 802.11 message, such as a Generic Advertisement Service (GAS) message between an access point (AP) and a station (STA) connected to the AP; and in response to determining that the exchange was unsuccessful, terminating a connection between the AP and the STA. The parameter file may be sent over several messages and update the parameters for a new session or an existing session. Devices that do not conform to the updated parameters may be disassociated from the AP and re-connect to receive and implement the updated parameters.

Abstract: A method provides for receiving network traffic from a host having a host IP address and operating in a data center, and analyzing a malware tracker for IP addresses of hosts having been infected by a malware to yield an analysis. When the analysis indicates that the host IP address has been used to communicate with an external host infected by the malware to yield an indication, the method includes assigning a reputation score, based on the indication, to the host. The method can further include applying a conditional policy associated with using the host based on the reputation score. The reputation score can include a reduced reputation score from a previous reputation score for the host.

Abstract: Techniques for routing service mesh traffic based on whether the traffic is encrypted or unencrypted are described herein. The techniques may include receiving, from a first node of a cloud-based network, traffic that is to be sent to a second node of the cloud-based network and determining whether the traffic is encrypted or unencrypted. If it is determined that the traffic is encrypted, the traffic may be sent to the second node via a service mesh of the cloud-based platform. Alternatively, or additionally, if it is determined that the traffic is unencrypted, the traffic may be sent to the second node via an encrypted tunnel. In some examples, the techniques may be performed at least partially by a program running on the first node of the cloud-based network, such as an extended Berkeley Packet Filter (eBPF) program, and the like.

Abstract: In one embodiment, methods for monitoring devices within a network by a controller are described. The method may include receiving a first request from a first device to authenticate a role of the first device as a grandmaster in a precision time protocol (PTP). Additionally, the method may include granting the first request designating the role of the first device as the grandmaster. The method may further include receiving a second request from a second device to authenticate that a clock announce message is from an authorized grandmaster. Additionally, the method may include determining whether the first device is authorized to send the clock announce message to the second device and, based on the determining, sending a message granting or denying permission for the first device to sync with the second device.

Abstract: According to one or more embodiments of the disclosure, a device in a network identifies a packet sent via the network towards an endpoint as being a control packet for the endpoint. The device extracts one or more control parameter values from the control packet. The device compares the one or more control parameter values to a policy associated with the endpoint. The device initiates a corrective measure, based on a determination that the one or more control parameter values violate the policy associated with the endpoint.