Abstract: Methods and systems for providing configurable feature level controls for data. The data can be associated with data visualization and analysis in a distributed search engine environment. An example method comprises providing a user interface for enabling a selection of a type of access to grant for each feature of a plurality of features, the selection being on a feature-by-feature basis and the selection being assigned to selected roles; and in response to the selection of the type of access, automatically controlling the type of access to each of the features including determining whether a user has any role to which a particular feature has been assigned; and based on the determining, for users having any of the selected roles, permitting the type of access selected for the particular feature assigned to the selected roles. The types of access may comprise read-only, full, no access, or differing levels of access.

Abstract: Methods and systems for shard splitting are provided. Exemplary methods include: marking a source index as read only, the source index comprising a source shard, the source shard comprising a source reference; creating a target index, the target index comprising target shards, each target shard of the target shards comprising a target reference of target references; copying the source reference, the copying producing the target references; hashing identifiers in the source reference, each identifier being associated with a document of a plurality of documents of the source shard, the hashing assigning each document of the plurality of documents to a target shard of the target shards, the plurality of documents being stored in a file associated with the source reference; hard linking the file into the target references; marking the target index as read-write; and deleting the source index.

Abstract: Provided are systems and methods for enriching documents for indexing. An example method can include receiving a plurality of documents and generating a plurality of enriched documents. The generation of the plurality of enriched documents can include determining, based on a document of the plurality of documents, reference data, determining, based on the reference data and an enrichment policy, additional data, and adding the additional data to the document. Prior to the generation of the plurality of enriched documents, the method may index the reference data of plurality of documents to obtain a source index and generate, based on the enrichment policy and the source index, an enrichment index. The determination of the additional data may include reading the additional data from the enrichment index.

Abstract: Data shipper agent management and configuration systems and methods are disclosed herein. In some embodiments, an example method includes enrolling data shipper agents which are installed on edge nodes, receiving selections of one or more tags for the data shipper agents, each of the one or more tags representing one or more services assigned to the data shipper agents, configurations of the services being modifiable through the one or more GUIs using a configuration application programming interface (API), providing the one or more GUIs, receiving configurations for at least one of the modules of one of the data shipper agents through one of the one or more GUIs, and automatically reconfiguring the configurations to other ones of the data shipper agents automatically.

Abstract: A system and method for detecting fraudulent activity in the execution of transactions is disclosed. The system comprises a monitoring device for reviewing data relating to execution of transactions, a transaction profile and an alert module. The transaction profile includes a plurality of historic data items relating to typical transactions, which can be compared with current execution of transactions to generate an alert by the alert module if unusual activity is determined.

Abstract: Methods and systems for autodiscovery with dynamic configuration are provided. Exemplary methods include: generating a configuration template for a provider, the configuration template including one or more conditions; monitoring for launch of a new event from a provider; based on the monitoring, detecting the new event; determining, for the detected new event, occurrence of at least one condition of the configuration template; and in response to the determining, automatically launching a configuration associated with the new event. New events may be emitted to a common bus by various providers. The provider may be a container-based provider, container orchestration platform, port-based provider, process-based provider, file search provider, or the like. For container providers, an automatically launched configuration can be automatically stopped once the container exits.

Abstract: Asynchronous search of electronic assets via a distributed search engine is disclosed herein. An example method includes receiving a request from a user, the request including a query and a query time parameter, the query time parameter defining a time that the user will wait for results to be completed synchronously, determining that the query is incomplete and that the time has been exceeded, issuing the query a unique query identifier, and asynchronously adding results to an index based on the unique query identifier.

Abstract: Systems and methods for providing for visualization and analysis of geospatial data are described. An example method includes receiving input data comprising at least geospatial data; automatically generating a first map comprising a plurality of layers, each comprising part of the input data; providing a graphical user interface (GUI) for receiving selection(s) from a user of one or more layers of the first map for display; automatically generating a second map based on the selection(s); and causing display of the second map on a client device. Input data may originate from several data sources and include documents from a search and analytics engine. The map's visual properties are configurable based on user input via the GUI or a configuration. The example method combines server-side clustering and client-side symbolization to seamlessly create maps showing data of arbitrary size. The example method provides real-time full-text searching of map data of any size.

Abstract: Real time detection of cyber threats using behavioral analytics is disclosed. An example method includes obtaining, in real time, attributes for an entity within a population of entities, the attributes being indicative of entity behavior; building an entity probability model using the attributes and associated values collected over a period of time; and establishing a control portion of the entity probability model associated with a portion of the period of time. The example method includes comparing any of the entity attribute values and the entity probability model for other portions of the period of time to the control portion to identify one or more anomalous differences, and executing a remediation action based thereon. Some embodiments include determining a set comprising the anomalous differences and additional anomalous differences for the entity or the entity's peer group, and calculating the set's overall probability to determine if the entity is malicious.

Abstract: Methods and systems for enabling organization and control of dashboards, visualizations, and other saved data objects into spaces. An exemplary method includes, based on at least one role of a user, controlling the user's access to a default space and to other spaces of a plurality of spaces, such that the only spaces that the user can access are the default space and the one or more other spaces. Each space can contain a number of saved objects such as dashboards, visualizations, or other objects. The method can provide a graphical user interface for enabling the user to select, as a current space, the default space or one of the other spaces; and in response to the selection, automatically saving new objects generated by the user into the current space; wherein each of the spaces is configured to provide access to certain data objects only or access to certain applications only.

Abstract: Methods and systems for providing distributed tracing for application performance monitoring utilizing a distributed search engine in a microservices architecture. An example method comprises providing a user interface (UI) including a distributed trace indicating in real time the services invoked to serve an incoming HTTP request, the UI further including, in a single view, associated execution times for the services shown as a timeline waterfall. The distributed trace automatically propagates a trace ID to link services end-to-end in real time until a response to the request is served. The single view also provides graphs of response time information and the distribution of response times for the services. In response to selection of a particular element of the distribution, the UI provides respective timing details. The graphs and data shown on the single view can be filtered based on metadata input into a search field of the single view.

Abstract: Service-to-service role mapping systems and methods are disclosed herein. An example role mapping service is positioned between a directory service and a search engine service, the directory service managing user information and permissions for users, the role mapping service mapping one or more search engine service roles to a user based on the user information and permissions received from the directory service.

Abstract: Methods and systems for starting a node without a default password are provided. Exemplary methods include: creating a node responsive to indicia received from a user; checking for an existing keystore in the node; when no existing keystore is in the node: generating a seed password for a predefined user of the node; non-persistently providing the seed password to the user; creating an encrypted keystore in the node; and storing the seed password in the encrypted keystore; and allowing access to the node using the built-in user and seed password.

Abstract: Systems and methods for processing structured queries as search queries are provided herein. An example system includes a structured query language (SQL) parser that parses a SQL structured query into a tree structure; an analyzer module that generates a logical plan from the tree structure; a planner module that generates an optimized logical plan from the logical plan; and an execution module that: generates a physical plan from the optimized logical plan, the physical plan comprising a search query that can be executed by a search engine; and returns results of the search query to a client.

Abstract: Methods and systems for index lifecycle management are provided. Exemplary methods include: receiving an ILM policy; determining a first condition and a first action for a first phase using the ILM policy; performing the first action for the first phase when the first condition is met; transition from the first phase to a second phase; determining a second condition and a second action for the second phase using the ILM policy; performing the second action for the second phase when the second condition is met; transition from the second phase to a third phase; determining a third condition and a third action for the third phase using the ILM policy; performing the third action for the third phase when the third condition is met; transition from the third phase to a fourth phase; and deleting the index during the third phase.

Abstract: Node clustering configuration is disclosed herein. An example method includes determining nodes of a cluster, each of the nodes having a unique identifier and a cluster identifier for the cluster, determining a voting configuration for the cluster, the voting configuration defining a quorum of master-eligible nodes of the nodes, the voting configuration being adaptable so as to maintain an optimal level of fault tolerance for the cluster, and electing one of the master-eligible nodes as a master node.

Abstract: Self-replicating management services for distributed computing architectures are provided herein. An example system method includes providing one or more nodes providing services; maintaining a quorum of a plurality of management servers by: providing at least a distributed coordination service for the one or more nodes on each of the plurality of management servers, the distributed coordination service being a datastore; managing, via a director, requests for data on the distributed coordination service from the one or more nodes; and promoting at least one of the one or more nodes to being one of the plurality of management servers, wherein promoting comprises replicating the distributed coordination service thereon.

Abstract: A system and method for the detection of irregularities, such as fraud or malware, running on a device, is disclosed. An example method includes receiving new ones of data items indicative of the device's current operation; determining whether the new ones of data items deviate from the device's typical operation by comparing the new ones of data items to a profile relating to the typical operation of the device, wherein the deviating includes either using an infrequently used one of incoming ports and outgoing ports or continually accessing a new website. The example method can further include based on the determining: updating the device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and generating an alert if the new ones of data items do deviate from the typical operation of the device.

Abstract: Methods and systems for a document-level attribute-based access control service are provided. The document-level attribute-based access control service may be positioned between a directory service and a search engine service. The directory service can manage information and permissions for users. The document-level attribute-based access control service can map security attributes to the user based on the information and permissions. Based on the mapping, it can be determined whether to permit the user making a query to the search engine service to access documents based on the query. Information and permissions attributes can be injected into queries dynamically via a template. Attributes may be combined with role query templates to create document-level attribute-based access control on top of role-based access control. The present technology can enable enforcement of security policies requiring all of a combination of attributes to be satisfied before permitting certain access.

Abstract: Provided are methods and systems for invalidating user security tokens. An example method may include providing, by one or more nodes in a cluster, a list of revoked security tokens. The method may include receiving, by the one or more nodes, an indication of invalidating a user security token associated with a user device. The indication may include a request from the user to invalidate the user security token. The method may further include, in response to the receiving, adding, by the one or more nodes, the user security token to the list of revoked security tokens. The user security token can be added to the list of revoked security tokens prior to the expiration time of the user security token. The method may further include replicating, by the one or more nodes, the list of revoked security tokens between further nodes of the cluster.