Patents by Inventor Gueorgui Chkodrov

Gueorgui Chkodrov has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230367871
    Abstract: Event-triggered forensics capture technologies balance security incident data availability against data processing and storage costs. A forensic correlation engine receives basic status data of a monitored computing system. A forensic computing system detects a trigger event in the basic status data, and starts capturing extended status data per a corresponding capture specification. Captured data is submitted to a forensic analysis tool. Different trigger events may cause different data captures. A query specifying which data to capture from a live stream or from virtual machines may operate as a capture trigger start event. Extended status data capture activity may be stopped by a change in the basic status data being received, by a timeout, or by forensic analysis that finds no vulnerability or threat based on captured data. Data transfers and storage may be restricted to comply with privacy regulations or policies.
    Type: Application
    Filed: May 16, 2022
    Publication date: November 16, 2023
    Inventors: Shi Min Sharon KO, Vidhi AGARWAL, Gueorgui CHKODROV, Sangeetha MADDERLA, Mohamed ROUATBI
  • Patent number: 11405413
    Abstract: Performing anomaly lookup on data sources that include an entity related to an alert. One or more entities related to an alert and a date when the alert occurred are received. The alert may indicate that an anomaly in data collected from various data sources may be present in at least one of the data sources. The various data sources are searched for the one or more entities around the alert date to determine which of the data sources include the one or more entities. For those data sources including the one or more entities, an anomaly lookup procedure is performed on the data sources during a first time window to determine an initial set of suspicious anomalies.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: August 2, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hani Hana Neuvirth, Gueorgui Chkodrov, Dotan Patrich, Elad Yom-Tov, Dawn Antonette Burns, Yotam Livny
  • Patent number: 11038913
    Abstract: Disclosed herein is a system for generating and displaying information useful to help a security analyst understand a scale and a root cause of a potential security issue associated with a resource. The resource can include a server, a storage device, a user device (e.g., a personal computer, a tablet computer, a smartphone, etc.), a virtual machine, networking equipment, etc. The resource may be one that is under control of an entity operating a security operations center. Additionally or alternatively, the resource may be one that is configured to be monitored by the security operations center. The information provides the security analyst with a broader context of the potential security issue based on relationships between the potential security issues and other security issues. Consequently, the information enables the security analyst to implement more efficient and effective actions to handle the potential security issue.
    Type: Grant
    Filed: April 19, 2019
    Date of Patent: June 15, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hani Hana Neuvirth, Sangeetha Madderla, Larry J. Matuska, William K. Hollis, Gueorgui Chkodrov, Yotam Livny
  • Publication number: 20200336505
    Abstract: Disclosed herein is a system for generating and displaying information useful to help a security analyst understand a scale and a root cause of a potential security issue associated with a resource. The resource can include a server, a storage device, a user device (e.g., a personal computer, a tablet computer, a smartphone, etc.), a virtual machine, networking equipment, etc. The resource may be one that is under control of an entity operating a security operations center. Additionally or alternatively, the resource may be one that is configured to be monitored by the security operations center. The information provides the security analyst with a broader context of the potential security issue based on relationships between the potential security issues and other security issues. Consequently, the information enables the security analyst to implement more efficient and effective actions to handle the potential security issue.
    Type: Application
    Filed: April 19, 2019
    Publication date: October 22, 2020
    Inventors: Hani Hana NEUVIRTH, Sangeetha MADDERLA, Larry J. MATUSKA, William K. HOLLIS, Gueorgui CHKODROV, Yotam LIVNY
  • Publication number: 20200252417
    Abstract: Performing anomaly lookup on data sources that include an entity related to an alert. One or more entities related to an alert and a date when the alert occurred are received. The alert may indicate that an anomaly in data collected from various data sources may be present in at least one of the data sources. The various data sources are searched for the one or more entities around the alert date to determine which of the data sources include the one or more entities. For those data sources including the one or more entities, an anomaly lookup procedure is performed on the data sources during a first time window to determine an initial set of suspicious anomalies.
    Type: Application
    Filed: February 1, 2019
    Publication date: August 6, 2020
    Inventors: Hani Hana Neuvirth, Gueorgui Chkodrov, Dotan Patrich, Elad Yom-Tov, Dawn Antonette Burns, Yotam Livny
  • Patent number: 10514966
    Abstract: Pushing an event that is identified within a data stream to a remote computer system. Event characteristic(s) that are to be searched for within the data stream are determined (e.g., in response to a query). The event(s) in the data stream is evaluated to determine if it includes the event characteristic mentioned above. If an event is determined to include the event characteristic, then the event may be pushed to the remote computer system. In this manner, the event may be responded to at the remote computer system. This process enables the events to be pushed in a very fast manner. Furthermore, the process of evaluating the events may happen without storing the events, which process further increases the speed of pushing the events.
    Type: Grant
    Filed: January 4, 2018
    Date of Patent: December 24, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Andre Oneal Alfred, Gueorgui Chkodrov
  • Publication number: 20190205185
    Abstract: Pushing an event that is identified within a data stream to a remote computer system. Event characteristic(s) that are to be searched for within the data stream are determined (e.g., in response to a query). The event(s) in the data stream is evaluated to determine if it includes the event characteristic mentioned above. If an event is determined to include the event characteristic, then the event may be pushed to the remote computer system. In this manner, the event may be responded to at the remote computer system. This process enables the events to be pushed in a very fast manner. Furthermore, the process of evaluating the events may happen without storing the events, which process further increases the speed of pushing the events.
    Type: Application
    Filed: January 4, 2018
    Publication date: July 4, 2019
    Inventors: Andre Oneal ALFRED, Gueorgui CHKODROV
  • Patent number: 8214847
    Abstract: The present invention extends to methods, systems, and computer program products for configuring assurances within distributed messaging systems. A defined set of message log and cursor components are configurably activatable and deactivatable to compose a variety of different capture assurances, transfer assurances, and delivery assurances within a distributed messaging system. A composition of a capture assurance, a transfer assurance, and a delivery assurance can provide an end-to-end assurance for a messaging system. End-to-end assurances can include one of best effort, at-most-once, at-least-once, and exactly once and can include one of: durable or non-durable. Using a defined set of activatable and deactivatable message log and cursor components facilitates more efficient transitions between desired assurances. In some embodiments, a composition of a capture assurance, a transfer assurance, and a delivery assurance provides durable exactly-once message delivery.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: July 3, 2012
    Assignee: Microsoft Corporation
    Inventors: Gueorgui Chkodrov, Richard D. Hill, Craig A. Critchley, Krishnan Srinivasan, Tihomir Tarnavski, Mitchell G. Morris, Pramod Gurunath
  • Patent number: 8200836
    Abstract: The present invention extends to methods, systems, and computer program products for durable exactly once message delivery at scale. A message capture system uses a synchronous capture channel and transactions to provide durable exactly once message capture. Messages are sent from the message capture system to a message delivery system over a network using an at least once transfer protocol. The message delivery system implements a durable at most once messaging behavior, the combination of which results in durable exactly once transfer of messages from the message capture system to the message delivery system. The message delivery system uses a synchronous delivery channel and transactions to provide durable exactly once message delivery. Cursors maintaining message consumer state are collocated with message consumers, freeing up message log resources to process increased volumes of messages, such as, for example, in a queued or pub/sub environment.
    Type: Grant
    Filed: September 29, 2008
    Date of Patent: June 12, 2012
    Assignee: Microsoft Corporation
    Inventors: Gueorgui Chkodrov, Richard D. Hill, Craig A. Critchley, Krishnan Srinivasan, Tihomir Tarnavski, Mitchell G. Morris, Pramod Gurunath
  • Patent number: 8176200
    Abstract: The present invention extends to methods, systems, and computer program products for distributed aggregation on an overlay network. Embodiments of the invention utilize tiers of nodes that are cascaded in a layered system. Each tier reduces the size of data by orders of magnitude through pre-aggregation. Thus, high volume streams of messages can be reduced to lower volume streams at large scales, such as, for example, the Internet. No central coordination is used; thus there is no central point of failure or bottleneck. When a node fails, other nodes in the same tier as the failing node automatically take over the responsibilities of the failed node.
    Type: Grant
    Filed: April 21, 2009
    Date of Patent: May 8, 2012
    Assignee: Microsoft Corporation
    Inventors: Gueorgui Chkodrov, Richard D. Hill, Michael J. Marucheck, Dave Dopson, Mansoor Mohsin
  • Patent number: 7945819
    Abstract: The present invention extends to methods, systems, and computer program products for maintaining message state at a message log. Messages are accumulated at a message log in accordance with a message retention policy. Any of a variety of message capture assurances can be used when capturing a message from a message producer within a message log. A message becomes visible to message consumers after the outcome of writing the message is known (either failure or success). Messages are requested using (e.g., monotonically increasing) sequence numbers. Messages are also dropped from the message log in accordance with the message retention policy.
    Type: Grant
    Filed: November 3, 2008
    Date of Patent: May 17, 2011
    Assignee: Microsoft Corporation
    Inventors: Gueorgui Chkodrov, Richard D. Hill, Craig A. Critchley, Krishnan Srinivasan, Tihomir Tarnavski, Mitchell G. Morris, Pramod Gurunath
  • Patent number: 7945631
    Abstract: The present invention extends to methods, systems, and computer program products for maintaining message state at a cursor. A message consumer requests messages from a cursor. The cursor can maintain state information for the message consumers separately from a message log that stores messages. Any of a variety of message delivery assurances can be used when delivering a message to a message consumer.
    Type: Grant
    Filed: November 3, 2008
    Date of Patent: May 17, 2011
    Assignee: Microsoft Corporation
    Inventors: Gueorgui Chkodrov, Richard D. Hill, Craig A. Critchley, Krishnan Srinivasan, Tihomir Tarnavski, Mitchell G. Morris, Pramod Gurunath
  • Publication number: 20100268808
    Abstract: The present invention extends to methods, systems, and computer program products for distributed aggregation on an overlay network. Embodiments of the invention utilize tiers of nodes that are cascaded in a layered system. Each tier reduces the size of data by orders of magnitude through pre-aggregation. Thus, high volume streams of messages can be reduced to lower volume streams at large scales, such as, for example, the Internet. No central coordination is used; thus there is no central point of failure or bottleneck. When a node fails, other nodes in the same tier as the failing node automatically take over the responsibilities of the failed node.
    Type: Application
    Filed: April 21, 2009
    Publication date: October 21, 2010
    Applicant: Microsoft Corporation
    Inventors: Gueorgui Chkodrov, Richard D. Hill, Michael J. Marucheck, Dave Dopson, Mansoor Mohsin
  • Patent number: 7571187
    Abstract: A computer-implemented method is provided for defining interesting portions of a workflow of a business or other type of process. Using a tracking profile editor, a portion of a given workflow is selected and associated with a named process part. Items of payload data to be used in reports are selected from a message schema associated with the given workflow. A profile is generated based on the given workflow and the selected items of payload data. A tracking profile compiler receives the created tracking profile and generates a star schema, a flattened view and OLAP cube based on the tracking profile. An interceptor extracts monitored workflow events and stores event information to a tracking stream, based on the tracking profile. A tracking service extracts information pertaining to the monitored events from the tracking stream and stores the information in the queryable database. The OLAP cube and the flattened view are updated based on the information written to the queryable database.
    Type: Grant
    Filed: May 31, 2002
    Date of Patent: August 4, 2009
    Assignee: Microsoft Corporation
    Inventors: Gueorgui Chkodrov, Zach Jason, Wayne A. Clark, Tolga Yildirim, Lucy Chao, Andrew Ng
  • Publication number: 20090133038
    Abstract: The present invention extends to methods, systems, and computer program products for configuring assurances within distributed messaging systems. A defined set of message log and cursor components are configurably activatable and deactivatable to compose a variety of different capture assurances, transfer assurances, and delivery assurances within a distributed messaging system. A composition of a capture assurance, a transfer assurance, and a delivery assurance can provide an end-to-end assurance for a messaging system. End-to-end assurances can include one of best effort, at-most-once, at-least-once, and exactly once and can include one of: durable or non-durable. Using a defined set of activatable and deactivatable message log and cursor components facilitates more efficient transitions between desired assurances. In some embodiments, a composition of a capture assurance, a transfer assurance, and a delivery assurance provides durable exactly-once message delivery.
    Type: Application
    Filed: June 27, 2008
    Publication date: May 21, 2009
    Applicant: Microsoft Corporation
    Inventors: Gueorgui Chkodrov, Richard D. Hill, Craig A. Critchley, Krishnan Srinivasan, Tihomir Tarnavski, Mitchell G. Morris, Pramod Gurunath
  • Publication number: 20090133039
    Abstract: The present invention extends to methods, systems, and computer program products for durable exactly once message delivery at scale. A message capture system uses a synchronous capture channel and transactions to provide durable exactly once message capture. Messages are sent from the message capture system to a message delivery system over a network using an at least once transfer protocol. The message delivery system implements a durable at most once messaging behavior, the combination of which results in durable exactly once transfer of messages from the message capture system to the message delivery system. The message delivery system uses a synchronous delivery channel and transactions to provide durable exactly once message delivery. Cursors maintaining message consumer state are collocated with message consumers, freeing up message log resources to process increased volumes of messages, such as, for example, in a queued or pub/sub environment.
    Type: Application
    Filed: September 29, 2008
    Publication date: May 21, 2009
    Applicant: Microsoft Corporation
    Inventors: Gueorgui Chkodrov, Richard D. Hill, Craig A. Critchley, Krishnan Srinivasan, Tihomir Tarnavski, Mitchell G. Morris, Pramod Gurunath
  • Publication number: 20090132868
    Abstract: The present invention extends to methods, systems, and computer program products for maintaining message state at a message log. Messages are accumulated at a message log in accordance with a message retention policy. Any of a variety of message capture assurances can be used when capturing a message from a message producer within a message log. A message becomes visible to message consumers after the outcome of writing the message is known (either failure or success). Messages are requested using (e.g., monotonically increasing) sequence numbers. Messages are also dropped from the message log in accordance with the message retention policy.
    Type: Application
    Filed: November 3, 2008
    Publication date: May 21, 2009
    Applicant: Microsoft Corporation
    Inventors: Gueorgui Chkodrov, Richard D. Hill, Craig A. Critchley, Krishnan Srinivasan, Tihomir Tarnavski, Mitchell G. Morris, Pramod Gurunath
  • Publication number: 20090132671
    Abstract: The present invention extends to methods, systems, and computer program products for maintaining message state at a cursor. A message consumer requests messages from a cursor. The cursor can maintain state information for the message consumers separately from a message log that stores messages. Any of a variety of message delivery assurances can be used when delivering a message to a message consumer.
    Type: Application
    Filed: November 3, 2008
    Publication date: May 21, 2009
    Applicant: Microsoft Corporation
    Inventors: Gueorgui Chkodrov, Richard D. Hill, Craig A. Critchley, Krishnan Srinivasan, Tihomir Tarnavski, Mitchell G. Morris, Pramod Gurunath
  • Patent number: 7379951
    Abstract: A computer-implemented method is provided for defining interesting portions of a workflow of a business or other type of process. Using a tracking profile editor, a portion of a given workflow is selected and associated with a named process part. Items of payload data to be used in reports are selected from a message schema associated with the given workflow. A profile is generated based on the given workflow and the selected items of payload data. A tracking profile compiler receives the created tracking profile and generates a star schema, a flattened view and OLAP cube based on the tracking profile. An interceptor extracts monitored workflow events and stores event information to a tracking stream, based on the tracking profile. A tracking service extracts information pertaining to the monitored events from the tracking stream and stores the information in the queryable database. The OLAP cube and the flattened view are updated based on the information written to the queryable database.
    Type: Grant
    Filed: October 28, 2004
    Date of Patent: May 27, 2008
    Assignee: Microsoft Corporation
    Inventors: Gueorgui Chkodrov, Zach Jason, Wayne A. Clark, Tolga Yildirim, Lucy Chao, Andrew Ng
  • Patent number: 7343382
    Abstract: A computer-implemented method is provided for defining interesting portions of a workflow of a business or other type of process. Using a tracking profile editor, a portion of a given workflow is selected and associated with a named process part. Items of payload data to be used in reports are selected from a message schema associated with the given workflow. A profile is generated based on the given workflow and the selected items of payload data. A tracking profile compiler receives the created tracking profile and generates a star schema, a flattened view and OLAP cube based on the tracking profile. An interceptor extracts monitored workflow events and stores event information to a tracking stream, based on the tracking profile. A tracking service extracts information pertaining to the monitored events from the tracking stream and stores the information in the queryable database. The OLAP cube and the flattened view are updated based on the information written to the queryable database.
    Type: Grant
    Filed: October 28, 2004
    Date of Patent: March 11, 2008
    Assignee: Microsoft Corporation
    Inventors: Gueorgui Chkodrov, Zach Jason, Wayne A. Clark, Tolga Yildirim, Lucy Chao, Andrew Ng