ALERT FUSION FOR EXTENDED DETECTION AND RESPONSE TO SECURITY ANOMALIES

    Publication (Announcement) No.: US20240356943A1

    Publication (Announcement) Date: 2024-10-24

    Application No.: US18231816

    Filing Date: 2023-08-09

    CPC classification number: H04L63/1425 H04L63/1416

    Abstract: Techniques described herein for extended detection and response to security anomalies in computing networks can perform automated analysis of anomalies occurring in different telemetry sources in a computer network, in order to synthesize the anomalies into analyst work units that are surfaced for further analysis by security response teams. Anomalies can initially be processed in order to identify and collect extended anomaly data. The extended anomaly data can then be used to group the anomalies according to a multi-stage grouping process which produces analyst work units. The analyst work units can be processed to produce analyst summaries that assist with analysis and response. Furthermore, the analyst work units can be prioritized for further analysis, and analyst interactions with the prioritized analyst work units can be used to influence subsequent anomaly grouping operations.

    PREDICTIVE MODELS FOR EXTENDED DETECTION AND RESPONSE (XDR) SYSTEMS

    Publication (Announcement) No.: US20240354399A1

    Publication (Announcement) Date: 2024-10-24

    Application No.: US18454688

    Filing Date: 2023-08-23

    CPC classification number: G06F21/552

    Abstract: A method may include receiving monitoring data including a first monitoring event, a second monitoring event, and a third monitoring event associated with a computing system. The method may further include determining, by a first predictive model, that the first and the second monitoring events are security-related while the third monitoring event is not security-related, a first feature set for the first monitoring event, and a second feature set for the second monitoring event. The method may further include determining, by a second predictive model, that the first and second feature sets relate to a first threat, and a third feature set that is associated with the first threat. The method may further include determining whether to perform an incident response action based on the third feature set.