1.
Publication No.: US20240356943A1
Publication date: 2024-10-24
Application No.: US18231816
Filing date: 2023-08-09
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Cenek Skarda, Josef Krupicka, David Sislak, Michal Svoboda
IPC: H04L9/40
CPC classification number: H04L63/1425, H04L63/1416
Abstract: Techniques described herein for extended detection and response to security anomalies in computing networks can perform automated analysis of anomalies occurring in different telemetry sources in a computer network, in order to synthesize the anomalies into analyst work units that are surfaced for further analysis by security response teams. Anomalies can initially be processed in order to identify and collect extended anomaly data. The extended anomaly data can then be used to group the anomalies according to a multi-stage grouping process which produces analyst work units. The analyst work units can be processed to produce analyst summaries that assist with analysis and response. Furthermore, the analyst work units can be prioritized for further analysis, and analyst interactions with the prioritized analyst work units can be used to influence subsequent anomaly grouping operations.
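The multi-stage grouping, prioritization and analyst-feedback loop that this abstract describes, as an added example in Python. This is not Cisco's implementation and is not taken from the patent; the sample anomalies, the resolved device identifiers, the one-hour window, the scoring rule and the "merge hint" form of analyst feedback are all assumptions made for the example.

```python
"""Multi-stage grouping of anomalies into analyst work units.

Added illustration of the approach described in US20240356943A1, not Cisco's
implementation. The anomalies, device identifiers, one-hour window, scoring
rule and merge-hint feedback are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Anomaly:
    id: str
    source: str    # telemetry source that raised it: "email", "edr", "ids"
    device: str    # extended anomaly data: the device the anomaly resolved to
    ts: int        # epoch seconds
    severity: int  # 1 (low) .. 10 (critical)


# Constructed sample anomalies from three telemetry sources.
ANOMALIES = [
    Anomaly("a1", "email", "dev-42", 1_700_000_000, 3),  # phishing mail delivered
    Anomaly("a2", "edr",   "dev-42", 1_700_000_600, 7),  # Office app spawned PowerShell
    Anomaly("a3", "ids",   "dev-42", 1_700_000_900, 6),  # periodic connections to a rare domain
    Anomaly("a4", "ids",   "dev-42", 1_700_090_000, 2),  # a day later: unrelated port scan
    Anomaly("a5", "edr",   "dev-07", 1_700_000_700, 4),  # different host, nothing corroborating
]

WINDOW = 3600  # assumed: same-device anomalies closer than this belong together


def group_by_device(anomalies):
    """Grouping stage 1: collect anomalies that share a resolved device."""
    groups = defaultdict(list)
    for a in anomalies:
        groups[a.device].append(a)
    return groups


def split_by_time(group, window=WINDOW, merge_hints=frozenset()):
    """Grouping stage 2: cut a device group where consecutive anomalies are more
    than `window` apart, unless an analyst told us to keep that pair together."""
    units, current = [], []
    for a in sorted(group, key=lambda x: x.ts):
        if current:
            prev = current[-1]
            if a.ts - prev.ts > window and (prev.id, a.id) not in merge_hints:
                units.append(current)
                current = []
        current.append(a)
    if current:
        units.append(current)
    return units


def score(unit):
    """Priority: highest severity plus a bonus per extra telemetry source,
    because corroboration across sensors is what earns analyst time."""
    return max(a.severity for a in unit) + 2 * (len({a.source for a in unit}) - 1)


def build_work_units(anomalies, merge_hints=frozenset()):
    """Run both grouping stages, then rank the resulting work units by score."""
    units = []
    for device, group in group_by_device(anomalies).items():
        for members in split_by_time(group, merge_hints=merge_hints):
            units.append({
                "device": device,
                "anomalies": [a.id for a in members],
                "sources": sorted({a.source for a in members}),
                "score": score(members),
            })
    return sorted(units, key=lambda u: u["score"], reverse=True)


def summarize(unit):
    """Analyst summary line for one work unit."""
    return (f"{unit['device']}: {len(unit['anomalies'])} anomalies from "
            f"{', '.join(unit['sources'])}, score {unit['score']}")


if __name__ == "__main__":
    for u in build_work_units(ANOMALIES):
        print(summarize(u))
    # Analyst feedback: a3 and a4 were judged to be one incident; feed that back
    # so the next grouping run keeps them in one work unit.
    for u in build_work_units(ANOMALIES, merge_hints={("a3", "a4")}):
        print("after feedback:", summarize(u))
```

Without feedback the phishing-to-beacon chain on dev-42 becomes the top work unit (three sources, score 11) and the port scan a day later is split into its own low-priority unit; with the analyst's merge hint the two are kept together on the next run, which is the "analyst interactions influence subsequent grouping" step of the abstract.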
2.
Publication No.: US20240356950A1
Publication date: 2024-10-24
Application No.: US18455491
Filing date: 2023-08-24
Applicant: Cisco Technology, Inc.
Inventor: Cenek Skarda, David Sislak
IPC: H04L9/40
CPC classification number: H04L63/1425
Abstract: A method may include receiving, by a processor, first monitoring data from a first monitoring component and second monitoring data from a second monitoring component. The method may further include determining, by the processor, that the first monitoring data represents a first activity pattern of a computing entity in a first period. The method may further include determining, by the processor, that the second monitoring data represents a second activity pattern of the computing entity in the first period. The method may further include determining, by the processor, first feedback data based on the first monitoring data. The method may further include determining, by the processor, second feedback data based on the second monitoring data. The method may further include providing, by the processor, the first feedback data to the second monitoring component and the second feedback data to the first monitoring component.
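The cross-feedback exchange between two monitoring components that this abstract describes, as an added example in Python. This is not Cisco's code and is not taken from the patent; the two sensors (an EDR-style process monitor and an IDS-style flow monitor), their scoring rules, the threshold and boost values, and the sample data are all assumptions made for the example.

```python
"""Two monitoring components exchanging feedback about the same entity.

Added illustration of the method in US20240356950A1, not Cisco's code. The two
sensors, their scoring rules, the threshold and boost values and the sample
data are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pattern:
    entity: str       # the computing entity, e.g. a host
    period: int       # monitoring period index
    component: str    # which component produced the pattern
    confidence: float
    alert: bool


class MonitoringComponent:
    """Turns raw monitoring data into an activity pattern for (entity, period).
    Feedback from a peer component raises this component's confidence for the
    same entity and period by `boost` times the peer's confidence."""

    def __init__(self, name, scorer, threshold=0.7, boost=0.4):
        self.name = name
        self.scorer = scorer
        self.threshold = threshold
        self.boost = boost
        self.feedback = {}  # (entity, period) -> Pattern received from a peer

    def pattern(self, entity, period, data):
        conf = self.scorer(data)
        peer = self.feedback.get((entity, period))
        if peer is not None:
            conf = min(1.0, conf + self.boost * peer.confidence)
        return Pattern(entity, period, self.name, conf, conf >= self.threshold)

    def accept_feedback(self, fb):
        self.feedback[(fb.entity, fb.period)] = fb


def edr_scorer(events):
    """Share of process launches where an Office app spawns a scripting host."""
    office = {"winword.exe", "excel.exe", "outlook.exe"}
    hosts = {"powershell.exe", "wscript.exe", "cmd.exe", "mshta.exe"}
    if not events:
        return 0.0
    hits = sum(1 for parent, child in events if parent in office and child in hosts)
    return hits / len(events)


def ids_scorer(flows):
    """Share of inter-connection gaps equal to the modal gap: a crude beacon score."""
    times = sorted(t for t, _dst in flows)
    if len(times) < 3:
        return 0.0
    gaps = [b - a for a, b in zip(times, times[1:])]
    modal = max(set(gaps), key=gaps.count)
    return gaps.count(modal) / len(gaps)


def exchange(a, b, entity, period, data_a, data_b):
    """Evaluate each component on its own data for one entity and period, hand
    each one's pattern to the other as feedback, then re-evaluate both."""
    pa = a.pattern(entity, period, data_a)
    pb = b.pattern(entity, period, data_b)
    b.accept_feedback(pa)   # first feedback data goes to the second component
    a.accept_feedback(pb)   # second feedback data goes to the first component
    return {a.name: a.pattern(entity, period, data_a),
            b.name: b.pattern(entity, period, data_b)}


# Constructed sample data for host "host-1" in period 1.
EDR_EVENTS = [("explorer.exe", "chrome.exe"), ("winword.exe", "powershell.exe"),
              ("svchost.exe", "conhost.exe"), ("outlook.exe", "wscript.exe")]
IDS_FLOWS = [(0, "198.51.100.7"), (60, "198.51.100.7"), (120, "198.51.100.7"),
             (180, "198.51.100.7"), (225, "198.51.100.7"), (255, "198.51.100.7")]


def demo():
    """Return the patterns each component produces alone and after the exchange."""
    edr = MonitoringComponent("edr", edr_scorer)
    ids = MonitoringComponent("ids", ids_scorer)
    alone = {"edr": edr.pattern("host-1", 1, EDR_EVENTS),
             "ids": ids.pattern("host-1", 1, IDS_FLOWS)}
    together = exchange(edr, ids, "host-1", 1, EDR_EVENTS, IDS_FLOWS)
    return alone, together
```

Alone, neither sensor crosses its threshold (0.5 for the process monitor, 0.6 for the flow monitor); after each receives the other's pattern for the same host and period, both do. The boost is deliberately scoped to the (entity, period) key so that feedback about one host in one period cannot lower the bar for unrelated hosts.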
3.
Publication No.: US20240356958A1
Publication date: 2024-10-24
Application No.: US18453960
Filing date: 2023-08-22
Applicant: Cisco Technology, Inc.
Inventor: Tomas Jirsik, Cenek Skarda, David Sislak, Tomas Kuthan
IPC: H04L9/40
CPC classification number: H04L63/1433, H04L63/1425
Abstract: This disclosure describes techniques for mapping local device identifiers used in monitoring data from different sources to a common global identifier to enable correlation of monitoring events related to the same device. The techniques can be used in the context of an Extended Detection and Response (XDR) system architecture for advanced threat detection and response in a computer system. In some cases, the XDR system ingests security data from various monitoring components like Endpoint Detection and Response (EDR), Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), firewall engines, and email security systems.
4.
Publication No.: US20240356949A1
Publication date: 2024-10-24
Application No.: US18454553
Filing date: 2023-08-23
Applicant: Cisco Technology, Inc.
Inventor: Tomas Jirsik, Cenek Skarda, David Sislak, Jaroslav Hlavac
IPC: H04L9/40, H04L43/067
CPC classification number: H04L63/1425, H04L43/067, H04L63/20
Abstract: This disclosure describes techniques for mapping local device identifiers used in monitoring data from different sources to a common global identifier to enable correlation of monitoring events related to the same device. The techniques can be used in the context of an Extended Detection and Response (XDR) system architecture for advanced threat detection and response in a computer system. In some cases, the XDR system ingests security data from various monitoring components like Endpoint Detection and Response (EDR), Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), firewall engines, and email security systems.
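The local-to-global device identifier mapping that the abstracts of US20240356958A1 and US20240356949A1 describe, as one added example in Python serving both entries. This is not Cisco's code and is not taken from either patent; the linking attributes (MAC, hostname, IP), the assumed one-hour DHCP lease window, the sample records from four monitoring components and the "gdev-N" naming are assumptions made for the example.

```python
"""Mapping per-source local device identifiers to one global identifier.

Added illustration of the identifier-mapping idea in US20240356958A1 and
US20240356949A1, not Cisco's code. The linking attributes, the assumed
one-hour lease window, the sample records and the "gdev-N" naming are
assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

LEASE_WINDOW = 3600  # assumed: an IP links records only if seen within one window


@dataclass(frozen=True)
class Record:
    source: str             # monitoring component: "edr", "ids", "fw", "email"
    local_id: str           # identifier as that component names the device
    ts: int                 # epoch seconds the record was produced
    mac: Optional[str] = None
    hostname: Optional[str] = None
    ip: Optional[str] = None


# Constructed sample records from four monitoring components.
RECORDS = [
    Record("edr", "agent-9f3c", 1000, mac="AA:BB:CC:00:11:22", hostname="LAPTOP-17"),
    Record("ids", "10.0.0.5", 1200, ip="10.0.0.5", mac="aa:bb:cc:00:11:22"),
    Record("fw", "sess-771", 1500, ip="10.0.0.5"),
    Record("email", "laptop-17.corp", 1300, hostname="laptop-17"),
    Record("fw", "sess-990", 90000, ip="10.0.0.5"),  # same IP a day later: lease may have moved
    Record("edr", "agent-2b7e", 90100, mac="dd:ee:ff:33:44:55", hostname="DESK-02"),
]


class UnionFind:
    """Disjoint sets over hashable nodes, with path halving on find."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_keys(r):
    """Attribute nodes a record may share with records from other sources.
    MAC and hostname are treated as stable; an IP is trusted only within a
    lease window, so the same IP a day later does not merge two devices."""
    keys = []
    if r.mac:
        keys.append(("mac", r.mac.lower()))
    if r.hostname:
        keys.append(("hostname", r.hostname.lower()))
    if r.ip:
        keys.append(("ip", r.ip, r.ts // LEASE_WINDOW))
    return keys


def build_mapping(records):
    """Return {(source, local_id): global_id}. Global ids are numbered in order
    of first appearance so the mapping is deterministic for a given input."""
    uf = UnionFind()
    for r in records:
        node = ("local", r.source, r.local_id)
        for key in link_keys(r):
            uf.union(node, key)
    mapping, gids = {}, {}
    for r in records:
        root = uf.find(("local", r.source, r.local_id))
        gid = gids.setdefault(root, f"gdev-{len(gids) + 1}")
        mapping[(r.source, r.local_id)] = gid
    return mapping


def correlate(events, mapping):
    """Group (source, local_id, message) events by the device they resolve to.
    Events whose identifier was never mapped are kept under 'unmapped'."""
    by_device = defaultdict(list)
    for source, local_id, message in events:
        by_device[mapping.get((source, local_id), "unmapped")].append(message)
    return dict(by_device)
```

The EDR agent id, the IDS's IP-keyed record, the firewall session and the email gateway's hostname all collapse to one global id because they chain through shared MAC, IP-within-window and hostname attributes; the firewall session seen on the same IP a day later gets its own global id, which is the caveat a practitioner wants when IPs are handed out by DHCP. Unmapped identifiers are kept visible rather than silently dropped.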