1.
Publication number: US11681710B2
Publication date: 2023-06-20
Application number: US16231517
Filing date: 2018-12-23
Applicant: Microsoft Technology Licensing, LLC
Inventor: Moshe Israel, Yaakov Garyani, Or Cohen
IPC: G06F7/00 , G06F16/2457 , G06F16/26 , G06N20/00 , G06F16/2455
CPC classification number: G06F16/2457 , G06F16/2455 , G06F16/26 , G06N20/00
Abstract: Security Information and Event Management tools, log management tools, log analysis tools, and other event data management tools are enhanced. Enhancements harvest entity extraction rules from queries, query results, and other examples involving the extraction of field values from large amounts of data, and help perform entity extraction efficiently. Entity extraction operations locate IP addresses, usernames, and other field values that are embedded in logs or data streams, for example, and populate object properties with extracted values. Previously used extraction rules are applied in new contexts with different users, different data sources, or both. An entity extraction rules database serves as a model that contains rules specifying parsing mechanisms. Parsing mechanisms may include regular expressions, separation character definitions, and may process particular file formats or object notation formats or markup language formats. A recommender suggests extraction rules to users, based on frequency, machine learning classifications, correctness certainty, or other considerations.
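The abstract above describes three mechanisms together: an extraction-rule database holding regex and separator-based parsers, harvesting of rules from a user's own extraction example, and a recommender that ranks stored rules for a new data source. The block below is an added illustration written for this page, not code from the patent or from any Microsoft product, of how those pieces fit. The log lines, the CSV feed, the `ExtractionRule`/`RuleDatabase` names and the scoring formula (coverage times value plausibility, ties broken by prior use count) are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample data (not from the patent): a syslog-style source and a CSV source.
SYSLOG_LINES = [
    "Dec 23 10:01:02 host1 sshd[1234]: Failed password for alice from 203.0.113.7 port 5222 ssh2",
    "Dec 23 10:01:05 host1 sshd[1234]: Failed password for bob from 203.0.113.7 port 5223 ssh2",
    "Dec 23 10:02:11 host1 sshd[1240]: Accepted publickey for carol from 198.51.100.4 port 6000 ssh2",
]
CSV_LINES = [
    "2018-12-23T10:03:00Z,alice,203.0.113.7,login_failed",
    "2018-12-23T10:03:30Z,dave,192.0.2.9,login_ok",
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def is_ipv4(value: str) -> bool:
    return re.fullmatch(IPV4, value) is not None


@dataclass
class ExtractionRule:
    """One parsing mechanism: a regex with a single capture group, or a separator plus column index."""
    name: str
    field: str
    kind: str            # "regex" or "separator"
    pattern: str         # the regex, or the separator character
    index: int = 0       # column index, separator rules only
    uses: int = 0        # how often the rule was previously applied (frequency prior)

    def apply(self, line: str):
        if self.kind == "regex":
            m = re.search(self.pattern, line)
            return m.group(1) if m else None
        parts = line.split(self.pattern)
        return parts[self.index].strip() if len(parts) > self.index else None


def harvest_rule(line: str, value: str, field: str) -> ExtractionRule:
    """Harvest a regex rule from one example: the token just before the value becomes the anchor."""
    pos = line.find(value)
    if pos < 0:
        raise ValueError("value not present in example line")
    tokens_before = line[:pos].split()
    anchor = re.escape(tokens_before[-1]) + r"\s+" if tokens_before else ""
    capture = f"({IPV4})" if is_ipv4(value) else r"(\S+)"  # typed capture when the value looks like an IP
    label = tokens_before[-1] if tokens_before else "start"
    return ExtractionRule(name=f"{field}_after_{label}", field=field, kind="regex", pattern=anchor + capture)


class RuleDatabase:
    """The rules database acts as the model: rules harvested in one context are reused in another."""

    def __init__(self):
        self.rules = []

    def add(self, rule: ExtractionRule):
        self.rules.append(rule)

    def recommend(self, field: str, sample_lines, validator=None):
        """Rank rules for `field` against a new data source by coverage, value plausibility and prior use."""
        scored = []
        for rule in self.rules:
            if rule.field != field:
                continue
            hits = [v for v in (rule.apply(l) for l in sample_lines) if v is not None]
            if not hits:
                continue  # rule does not fit this source at all
            coverage = len(hits) / len(sample_lines)
            certainty = sum(validator(v) for v in hits) / len(hits) if validator else 1.0
            scored.append((coverage * certainty, rule.uses, rule))
        scored.sort(key=lambda t: (t[0], t[1]), reverse=True)
        return [rule for _, _, rule in scored]


def build_demo_db() -> RuleDatabase:
    db = RuleDatabase()
    # Rule harvested from a user who pulled the source IP out of a syslog line.
    db.add(harvest_rule(SYSLOG_LINES[0], "203.0.113.7", "src_ip"))
    # Rule previously used on a CSV feed: third comma-separated column (uses count is a constructed prior).
    db.add(ExtractionRule(name="csv_col2", field="src_ip", kind="separator", pattern=",", index=2, uses=12))
    return db


if __name__ == "__main__":
    db = build_demo_db()
    for source, lines in (("syslog", SYSLOG_LINES), ("csv", CSV_LINES)):
        best = db.recommend("src_ip", lines, validator=is_ipv4)[0]
        print(source, "->", best.name, [best.apply(l) for l in lines])
```

The recommender never returns a rule that matches nothing in the sample, so the syslog-derived regex is not suggested for the CSV feed and the column rule is not suggested for syslog; the `validator` supplies the "correctness certainty" term, here a simple IPv4 shape check.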
2.
Publication number: US10943009B2
Publication date: 2021-03-09
Application number: US16190658
Filing date: 2018-11-14
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Dotan Patrich, Yaakov Garyani, Moshe Israel, Yotam Livny
Abstract: Techniques are provided to dynamically generate response actions that may be used to investigate and respond to a security alert. Different prediction models are initially trained using a corpus of training data. This training data is obtained by identifying previous security alerts and then grouping together alert clusters. An analysis is performed to identify which steps were used to respond to the alerts in each group. These steps are fed into a prediction model to train the model. After multiple models are trained and after a new security alert is received, one model is selected to operate on the new alert, where the model is selected because it is identified as being most compatible with the new alert. When the selected model is applied to the new alert, the model generates a set of recommended steps that may be followed to investigate and/or respond to the new alert.
3.
Publication number: US11888870B2
Publication date: 2024-01-30
Application number: US17493060
Filing date: 2021-10-04
Applicant: Microsoft Technology Licensing, LLC
Inventor: Yaakov Garyani, Moshe Israel, Hani Hana Neuvirth, Ely Abramovitch, Amir Keren, Timothy William Burrell
IPC: H04L9/40
CPC classification number: H04L63/1416 , H04L63/1441
Abstract: Embodiments detect cyberattack campaigns against multiple cloud tenants by analyzing activity data to find sharing anomalies. Data that appears benign in a single tenant's activities may indicate an attack when the same or similar data is also found for additional tenants. Attack detection may depend on activity time frames, on how similar certain activities of different tenants are to one another, on how unusual it is for different tenants to share an activity, and on other factors. Sharing anomaly analysis may utilize hypergeometric probabilities or other statistical measures. Detection avoidance attempts using entity randomization are revealed and thwarted. Authorized vendors may be recognized, mooting anomalousness. Although data from multiple tenants is analyzed together for sharing anomalies while monitoring for attacks, tenant confidentiality and privacy are respected through technical and legal mechanisms. Mitigation is performed in response to an attack indication.
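The abstract mentions hypergeometric probabilities for sharing-anomaly analysis, entity randomization as an evasion technique, and authorized vendors whose shared activity is not anomalous. The block below is an added example for this page, not the patent's own method: it treats each tenant's set of distinct activities as a draw from the universe of activities seen in the window, so the overlap between two tenants is hypergeometric under the null hypothesis of independence, and a very small tail probability means the two tenants share more than chance would explain. The tenant activity lists, the universe size of 200, the vendor allowlist, the normalization regex that collapses randomized names, and the 1e-3 threshold are all constructed assumptions.

```python
import math
import re

# Constructed per-tenant activity observations for one time window (not from the patent).
TENANT_A = [
    "explorer.exe", "outlook.exe", "teams.exe", "svchost.exe", "VendorBackupAgent.exe",
    "update_ab12f3.exe", "cmd.exe /c whoami", "net user tmp_48213 /add",
    "rundll32 c:\\users\\public\\x9f3a21.dll,Start",
]
TENANT_B = [
    "chrome.exe", "excel.exe", "sqlservr.exe", "VendorBackupAgent.exe",
    "update_9c7d01.exe", "cmd.exe /c whoami", "net user tmp_77019 /add",
    "rundll32 c:\\users\\public\\xb47e10.dll,Start",
]
TENANT_C = ["chrome.exe", "explorer.exe", "winword.exe"]

# Number of distinct normalized activities seen across all tenants in the window (constructed figure).
UNIVERSE_SIZE = 200
# Activities an authorized vendor legitimately runs in many tenants; sharing them is not anomalous.
VENDOR_ALLOWLIST = {"vendorbackupagent.exe"}


def normalize(activity: str) -> str:
    """Collapse hex/digit runs so randomized names (update_ab12f3.exe vs update_9c7d01.exe) compare equal.

    This defeats the simple entity-randomization trick where the attacker renames the same tool per tenant.
    """
    return re.sub(r"[0-9a-f]{6,}|\d+", "#", activity.lower())


def hypergeom_sf(k: int, M: int, K: int, n: int) -> float:
    """P(X >= k) for X ~ Hypergeometric(M, K, n): n items drawn from M, of which K are marked."""
    total = math.comb(M, n)
    return sum(math.comb(K, i) * math.comb(M - K, n - i) for i in range(k, min(K, n) + 1)) / total


def sharing_anomaly(tenant_a, tenant_b, universe_size=UNIVERSE_SIZE, threshold=1e-3, allowlist=VENDOR_ALLOWLIST):
    """Return (shared_count, p_value, flagged) for one tenant pair.

    Null model: tenant A's activities are K marked items out of M; tenant B independently draws n items.
    The observed overlap k is then hypergeometric, and a tiny upper-tail probability indicates shared tooling.
    """
    a = {normalize(x) for x in tenant_a} - allowlist
    b = {normalize(x) for x in tenant_b} - allowlist
    shared = a & b
    p = hypergeom_sf(len(shared), universe_size, len(a), len(b))
    return len(shared), p, p < threshold


if __name__ == "__main__":
    for name, other in (("B", TENANT_B), ("C", TENANT_C)):
        k, p, flagged = sharing_anomaly(TENANT_A, other)
        print(f"A vs {name}: shared={k} p={p:.2e} flagged={flagged}")
```

Tenants A and B share four normalized activities (a randomized updater binary, a `whoami` probe, a temporary account creation and a DLL dropped under a public directory) that survive the allowlist filter; with 8 and 7 non-allowlisted activities out of a universe of 200, the expected overlap is about 0.28 and the observed tail probability is on the order of 1e-5, so the pair is flagged. A and C share only `explorer.exe`, which is well within chance. In production the universe size and per-activity rarity would come from the observed cross-tenant population rather than a constant.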
4.
Publication number: US20200151326A1
Publication date: 2020-05-14
Application number: US16190658
Filing date: 2018-11-14
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Dotan Patrich, Yaakov Garyani, Moshe Israel, Yotam Livny
Abstract: Techniques are provided to dynamically generate response actions that may be used to investigate and respond to a security alert. Different prediction models are initially trained using a corpus of training data. This training data is obtained by identifying previous security alerts and then grouping together alert clusters. An analysis is performed to identify which steps were used to respond to the alerts in each group. These steps are fed into a prediction model to train the model. After multiple models are trained and after a new security alert is received, one model is selected to operate on the new alert, where the model is selected because it is identified as being most compatible with the new alert. When the selected model is applied to the new alert, the model generates a set of recommended steps that may be followed to investigate and/or respond to the new alert.
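The abstract for US10943009B2 and its published application US20200151326A1 (entries 2 and 4) describes one pipeline: cluster historical alerts, derive from each cluster which response steps analysts took, keep one model per cluster, and for a new alert pick the most compatible model and emit its recommended steps. The block below is an added example illustrating that pipeline in the simplest form that still shows every stage; it is not the patent's method or any Microsoft code. The alert history, the feature tags, the greedy Jaccard-threshold clustering, and "compatibility" defined as Jaccard overlap with a cluster's feature vocabulary are all assumptions made for the example.

```python
from collections import Counter

# Constructed alert history (not from the patent): feature tags plus the steps analysts actually took.
HISTORY = [
    ({"type:brute_force", "resource:vm", "proto:ssh"}, ["check_source_ip_reputation", "review_auth_logs", "block_ip"]),
    ({"type:brute_force", "resource:vm", "proto:rdp"}, ["check_source_ip_reputation", "review_auth_logs", "enable_mfa"]),
    ({"type:brute_force", "resource:db", "proto:sql"}, ["check_source_ip_reputation", "rotate_credentials"]),
    ({"type:malware", "resource:vm", "av:detected"}, ["isolate_host", "collect_memory_image", "quarantine_file"]),
    ({"type:malware", "resource:vm", "av:missed"}, ["isolate_host", "collect_memory_image", "hunt_similar_hashes"]),
]


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster_alerts(history, threshold=0.5):
    """Greedy clustering: an alert joins the first cluster whose seed alert it resembles (Jaccard >= threshold)."""
    clusters = []
    for features, steps in history:
        for c in clusters:
            if jaccard(features, c["seed"]) >= threshold:
                c["members"].append((features, steps))
                break
        else:
            clusters.append({"seed": features, "members": [(features, steps)]})
    return clusters


def train_models(history, threshold=0.5):
    """One model per cluster: the cluster's feature vocabulary and how often each response step was used."""
    models = []
    for c in cluster_alerts(history, threshold):
        features = set().union(*(f for f, _ in c["members"]))
        step_counts = Counter(s for _, steps in c["members"] for s in steps)
        models.append({"features": features, "steps": step_counts, "size": len(c["members"])})
    return models


def select_model(models, alert_features):
    """Pick the model whose feature vocabulary overlaps most with the new alert (the 'most compatible' one)."""
    return max(models, key=lambda m: jaccard(alert_features, m["features"]))


def recommend_steps(models, alert_features):
    """Return (step, support) pairs from the selected model, most frequently used step first.

    support = fraction of the cluster's past alerts in which analysts took that step.
    """
    model = select_model(models, alert_features)
    ranked = sorted(model["steps"].items(), key=lambda kv: (-kv[1], kv[0]))
    return [(step, count / model["size"]) for step, count in ranked]


if __name__ == "__main__":
    models = train_models(HISTORY)
    new_alert = {"type:brute_force", "resource:vm", "proto:ssh", "source:external"}
    for step, support in recommend_steps(models, new_alert):
        print(f"{support:.2f}  {step}")
```

With this history the clustering yields three models (VM brute force, database brute force, VM malware). A new external SSH brute-force alert lands on the first model and receives the IP-reputation check and auth-log review with full support, followed by the two remediations that only some past analysts used; a malware alert with a new feature tag not seen before still selects the malware model because compatibility is scored on overlap, not exact match.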