Enterprise network threat detection


Bibliographic Details
Main Authors: Andrew J Thomas, Mark David Harris, Beata Ladnai, Andrew G.P. Smith, Russell Humphries, Kenneth D Ray
Format: Patent
Language: English
Published: 11.10.2023

Summary: A method comprising receiving 1212 a filtered event stream from an endpoint at a threat management facility for an enterprise network, the filtered event stream including a subset of types of changes to a subset of computing objects from a plurality of types of changes to a plurality of computing objects monitored by a data recorder on the endpoint, processing 1214 the filtered event stream at the threat management facility to evaluate a security state of the endpoint and, in response to a predetermined change in the security state of the endpoint based on an event in the filtered event stream processed by the threat management facility, transmitting a request 1216 from the threat management facility to the endpoint for additional event data captured by the data recorder. The method may further include storing 1206 an unfiltered event stream on the data recorder at the endpoint, the unfiltered event stream including additional ones of the plurality of types of changes to the plurality of computing objects.
Bibliography: Application Number: GB20220016902