Abstract: Systems and methods for in-memory processing of events are provided. A set of unique elements of a plurality of queries is determined. Each query is executed on a defined schedule and time duration. A plurality of events in an event stream are received. The events are filtered using the set of unique elements. For each query, a query result for each filtered event is determined. For each query, in-memory aggregation of the query result of each filtered event is provided.

Abstract: Example embodiments disclosed herein relate to disabling and initiating nodes based on a security issue. Multiple nodes of a cluster are monitored. It is determined that one of the nodes includes a security issue. The node is disabled. Another node is initiated to replace the disabled node.

Abstract: According to an example, a master node is to divide an event field in events into partitions including ordered contiguous blocks of values for the event field. Each partition may be assigned to a pair of cluster nodes. A partition map is determined from the partitions and may identify for each partition, the block of the event field values for the partition, a primary cluster node, and a failover cluster node for the primary cluster node.

Abstract: According to an example, a confidence factor function may be applied to determine a confidence factor for a condition of a rule to correlate events. The confidence factor may be an approximation of whether an event or a set of events satisfies the condition in the rule. The confidence factor may be compared to a threshold to determine whether the condition is satisfied.

Abstract: Providing a targeted security alert can include collecting participant data from a plurality of participants within a threat exchange community, calculating, using a threat exchange server, a threat relevancy score of a participant among the plurality of participants within the threat exchange community using the collected participant data, and providing, from the threat exchange server to the participant, the targeted security alert based on the calculated threat relevancy score via a communication link within the threat exchange community.

Abstract: A system and method for displaying a number of real-time security events comprises a number of client devices and an administrator device communicatively coupled to the client devices. The administrator device may comprise a preferences module and an event rate adapter module communicatively coupled to the preferences module. The preferences module receives input describing how to display a number of security events on the screen of a graphical user interface the event rate adapter module displays a number of real-time scrolling security events for a relatively longer period of time than other security events.

Abstract: Example embodiments disclosed herein relate to distributed pattern discovery. A local frequent pattern tree or local frequent pattern trees can be merged. The merging can be based on activities or transactions associated with the local frequent pattern tree or trees.

Abstract: Example embodiments disclosed herein relate to determining a reputation of a network address. A long-term reputation of the network address is determined. A short-term reputation of the network address is determined based on the long-term reputation and trend information associated with the long-term reputation.

Abstract: A process includes analyzing events reported by computing devices on a network to recognize patterns of events that occurred on the network and sharing with a community, information concerning the patterns detected. The process may also use consolidated information on the patterns to select one or more of the patterns for analysis that identifies whether the selected patterns result from malicious activity. The consolidated information includes information on the patterns detected on the network and information concerning corresponding patterns of events that occurred elsewhere.

Abstract: Fields are determined for pattern discovery in event data. Cardinality and repetitiveness statistics are determined for fields of event data. A set of the fields are selected based on the cardinality and repetitiveness for the fields. The fields may be included in a pattern discovery profile.

Abstract: Pattern discovery performed on event data may include selecting an initial set of parameters for the pattern discovery. The parameters may specify conditions for identifying a pattern in the event data. A pattern discovery run is executed on the event data based on the initial set of parameters, and a parameter may be adjusted based on the output of the pattern discovery run.

Abstract: Systems, methods, and machine-readable and executable instructions are provided for attack notification. Attack notification can include receiving security-related data from a number of computing devices that are associated with a number of entities through a communication link and analyzing a first portion of the security-related data that is associated with a first entity from the number of entities to determine whether the first entity has experienced an attack. Attack notification can include analyzing a second portion of the security-related data that is associated with a second entity from the number of entities and the first portion of the security-related data that is associated with the first entity to determine whether the second entity is experiencing the attack. Attack notification can include notifying, through the communication link, the second entity that the second entity is experiencing the attack if it is determined that the second entity is experiencing the attack.

Abstract: A drill down manager system may include an introspect module to determine fields for visual components, and a mappings module to map a drill down to a visual component based on the fields and data outputs for the drill down. The system may present the data outputs for the drill down in the visual component mapped to the drill down.

Abstract: Example embodiments disclosed herein relate to determining a reputation of a network address. A long-term reputation of the network address is determined. A short-term reputation of the network address is determined based on the long-term reputation and trend information associated with the long-term reputation.

Abstract: Systems and methods for evaluation of events are provided. A user-specific reference baseline comprising a set of temporally-ordered sequences of events. An event of a sequence of events in a current session is received. A determination is made as to whether the event at least partially matches the reference baseline using an attribute of the event and a temporal position of the event within the sequence of events in the current session.

Abstract: Systems and methods for distributed rule-based correlation of events are provided. A notification of a partial match of a distributed rule by an event of a first subset of events is received. The notification includes a set of properties of the event of the first subset of events. The distributed rule is evaluated using the set of properties of the event of the first subset of events and a set of properties of an event of a second subset of events. A complete match of the rule is determined based on the evaluation, and a correlation event is generated.

Abstract: Systems and methods for merging partially aggregated query results are provided. A partially aggregated query result is determined. Each query of a plurality of queries is executed on a plurality of events at a defined schedule and a time duration. A key and a value of the partially aggregated query result are identified. It is determined whether a function for the partially aggregated query result is identified. If so, a related partially aggregated query result is determined using the key. The partially aggregated query result is merged with the related partially aggregated query result.

Abstract: A network asset information management system (101) may include an asset determination and event prioritization module (105) to generate real-time asset information based on network activity involving an asset (102). A rules module (109) may include a set of rules for monitoring the network activity involving the asset. An information analysis module (110) may evaluate the real-time asset information and the rules to generate a notification (111) related to the asset. The rules may include rules for determining vulnerabilities and risks associated with the asset based on comparison of a level of traffic identified to or from an IP address related to the asset to a predetermined threshold. The notification may include a level of risk associated with the asset.

Abstract: Systems and methods for in-memory processing of events are provided. A set of unique elements of a plurality of queries is determined. Each query is executed on a defined schedule and time duration. A plurality of events in an event stream are received. The events are filtered using the set of unique elements. For each query, a query result for each filtered event is determined. For each query, in-memory aggregation of the query result of each filtered event is provided.

Abstract: A data storage system includes a query manager to identify storage engines to execute a query. A first storage engine may execute a portion of the query on a row-oriented table and a second storage engine may execute a second portion of the query on a column-oriented table.