Abstract: An information technology computing landscape is divided up into hierarchically-dependent components. Relevant risk factors are identified for each component and the identified relevant risk factors are separated for each component into static and dynamic risk factor groups. The weight of each risk factor is determined in the static and dynamic risk factor groups for each component. Static and dynamic security risks are calculated for each component.

Abstract: Search results are received from an initiated free text search of log data from one or more logs, where the free text is performed using search terms entered into a free text search graphical user interface. A set of at least one search result is selected from the search results containing an event desired to be identified in a completed enterprise threat detection (ETD) pattern. A forensic lab application is rendered to complete an ETD pattern. An event filter is added for an event type based on normalized log data to a path. A relative ETD pattern time range is set and an ETD pattern is completed based on the added event filter.

Abstract: Published enterprise threat detection (ETD) security notes are accessed in a computer data store. Applicability of the published ETD security notes are determined for an information technology computing (IT) landscape. A determination is made that a particular applicable ETD security note has not yet been implemented in the IT computing landscape. Aggregated impact of compromise (IoC) and state of compromise (SoC) values associated with the published ETD security note are analyzed and a computing system patching action is performed based on the aggregated IoC and SoC values.

Abstract: A transfer of master data is executed in a backend computing system. The master data includes user data and system data. The transfer of master data includes receiving user data associated with a particular user identifier in the backend computing system, transferring the received user data to an event stream processor, receiving system data associated with a particular log providing computing system in the backend computing system, transferring the received user data to the event stream processor, and executing a transfer of log data associated with logs of computing systems connected to the backend computing system.

Abstract: An enterprise threat detection (ETD) forensic workspace is established according to a particular timeframe and permitting defining a selection of data types from available log data for an evaluation of events associated with one or more entities. A chart is defined illustrating a graphical distribution of a particular data type in the forensic workspace. A snapshot associated with the chart is generated, the snapshot saving a copy of all data necessary to re-create the chart into an associated snapshot object. The snapshot is associated with a snapshot page for containing the snapshot and the snapshot page is saved within the ETD forensic workspace.

Abstract: A path associated with a set of selected log data is defined. An indication is received on a graphical user interface (GUI) to generate a bubblegram associated with the path, wherein the bubblegram comprises one or more bubbles, each bubble representing a particular dimension associated with the selected path. The one or more bubbles are rendered on the GUI according to a performed ranking of the one or more bubbles. A bubble is selected to generate a filter for the path based on the dimension associated with the bubble. A subsequent bubblegram is rendered based on a narrowed set of the selected log data.

Abstract: Subnet information and location information is received from a database by a smart data streaming engine (SDS). A particular subnet of the subnet information is associated with a particular location of the location information by a globally unique location ID value. Log event data received in the SDS is normalized as normalized log event data. The normalized log event data is enriched with subnet and location information as enriched log event data and written into a log event persistence in the database. A subnet ID value retrieved from an enriched log event of the enriched log event data is used by an enterprise threat detection (ETD) system to determine a location associated with the enriched log event using a location ID value associated with the subnet ID.

Abstract: A selection of data types is defined from available log data for an evaluation of events associated with an entity. One or more evaluations are defined that are associated with the entity. Reference data is generated from the selection of data types based on the one or more defined evaluations. The one or more evaluations are grouped into a pattern. A visualization is initiated for display in a graphical user interface of a normalized score for the entity for each evaluation associated with the pattern against a determined anomaly threshold.

Abstract: A computer-implemented method generates a trigger registration for a selected triggering type. The generated trigger registration is stored in a triggering persistency. A received event from an event persistency is analyzed and data associated with the analyzed event is compared with the triggering persistency. Based on the comparison and using a pattern execution framework, an enterprise threat detection (ETD) pattern is processed to perform actions responsive to the received event.

Abstract: A transfer of master data is executed in a backend computing system. The master data includes user data and system data. The transfer of master data includes receiving user data associated with a particular user identifier in the backend computing system, transferring the received user data to an event stream processor, receiving system data associated with a particular log providing computing system in the backend computing system, transferring the received user data to the event stream processor, and executing a transfer of log data associated with logs of computing systems connected to the backend computing system.

Abstract: A log file including a plurality of log entries is accessed. Each log entry of the plurality of log entries is analyzed to identify components of each log entry. The components of the particular log entry indicate an event. The event is associated with roles. Each role is associated with one or more attributes. Semantic meaning of the event associated with the particular log entry is determined. A mapping is performed by applying contextual information from one or more semantic meaning models stored in a knowledgebase to the identified components of each log entry to derive semantic meaning for the particular log entry. The derived semantic meaning is modeled for the particular log entry. The modeled semantic meaning is recorded in the knowledgebase as a new semantic meaning model for future use.

Abstract: A sample log file including a plurality of log entries for log learning is accessed, using a log interpretation controller, prior to runtime as part of a log learning process. Each of the plurality of log entries is analyzed. A log entry type is assigned to each of the plurality of log entries. A log type and semantic event are assigned to each log entry type. Generation of runtime rules is triggered for analyzing unknown log entries. The runtime rules include characteristics of particular log entry types that allow unique identification of the particular log entry type for a particular unknown log entry. The generated runtime rules are loaded into a runtime parser.

Abstract: Techniques for mapping of messages includes receiving, from a first web service, a message comprising one or more operations in a first format; identifying a mapping interface that is based on the first web service, the mapping interface comprising one or more mappings for each of the operations of the message; identifying a second web service that is associated with the identified mapping interface; mapping the message to the second web service such that the one or more operations are in a second format associated with the second web service; and assigning a logical port connection to the second web service.

Abstract: A system and a method of maintaining extensible markup language (XML) document includes splitting an XML document into fragments according to rules stored in a configuration file, binding each of the fragments to an object in a content management system, and providing a reference between the XML document and the fragments.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for facilitating communication between enterprise software applications. Some enterprise software systems communicate using a message protocol designed for use with an exchange system. Those systems require the exchange system to communicate using that message protocol. To communicate with systems using that message protocol, a local system can build a message formatted in accordance with the message protocol, even without an exchange system. The local system stores configuration data and uses the configuration data to build the message.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for facilitating communication between enterprise software applications. Some enterprise software systems communicate using a message protocol designed for use with an exchange system. Those systems require the exchange system to communicate using that message protocol. To communicate with systems using that message protocol, a local system can build a message formatted in accordance with the message protocol, even without an exchange system. The local system stores configuration data and uses the configuration data to build the message.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for using point-to-point communication in a communication framework to unify programming models. In a general aspect, a method for unifying programing models in connectivity framework can include receiving a message in a first protocol at a first computing system in the distributed computing environment. The message is associated with a connection request received from a second computing system in the distributed computing environment. In a communication framework of the first computing system, the first protocol is transformed into a second protocol of the message using a point-to-point communication of the communication framework. The message can then be output in the second protocol.

Abstract: Techniques for mapping of messages includes receiving, from a first web service, a message comprising one or more operations in a first format; identifying a mapping interface that is based on the first web service, the mapping interface comprising one or more mappings for each of the operations of the message; identifying a second web service that is associated with the identified mapping interface; mapping the message to the second web service such that the one or more operations are in a second format associated with the second web service; and assigning a logical port connection to the second web service.

Abstract: Methods and apparatus, including computer program products, are provided for messaging. In one aspect, there is provided a computer-implemented method. The method may include initiating a call from a first application to a second application. The method may determine whether the first application is local to the second application. A call may be made as a local call from the first application to the second application, when it is determined that the first and second applications are on the same computer. A call may be made as a remote call from the first application to the second application, when it is determined that the first and second applications are on separate computers. Related apparatus, systems, methods, and articles are also described.

Abstract: Methods and apparatus, including computer program products, for the identification of data elements. A user input is received, comprising a data element and a context in which the data element is being used. The user input is sent to a terminology database. A list of entries is received, each entry having a first unique identifier (UID) and a second UID. The first represents a concept associated with the data element, and the second represents a specific description of the concept associated with the data element. A user input is received selecting an entry. The UIDs corresponding to the selected entry are directly associated with the data set. In some implementations, directly associating the UIDs with the data set comprises generating markup code comprising the UIDs. The invention lays the groundwork for a more efficient solution for the features/requirements related to versioning, updating, and translation in the realm of hypertexts.