US 11,727,143 B2
Live discovery of enterprise threats based on security query activity
Karl Ackerman, Topsfield, MA (US); Andrew J. Thomas, Oxfordshire (GB); and Kenneth D. Ray, Seattle, WA (US)
Assigned to Sophos Limited, Abingdon (GB)
Filed by Sophos Limited, Abingdon (GB)
Filed on Jun. 9, 2021, as Appl. No. 17/343,670.
Claims priority of provisional application 63/042,219, filed on Jun. 22, 2020.
Prior Publication US 2021/0400070 A1, Dec. 23, 2021
Int. Cl. H04L 29/06 (2006.01); G06F 16/2455 (2019.01); G06F 21/62 (2013.01); G06Q 10/067 (2023.01); G06F 16/21 (2019.01); G06F 16/215 (2019.01); H04L 9/40 (2022.01)
CPC G06F 21/6245 (2013.01) [G06F 16/211 (2019.01); G06F 16/215 (2019.01); G06F 16/24568 (2019.01); G06Q 10/067 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1441 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
receiving an event stream including security events from an enterprise network at a stream service;
storing the event stream in a data lake;
storing a plurality of queries for execution against the event stream, the plurality of queries configured to investigate security issues within the enterprise network based on the event stream;
monitoring a usage of the plurality of queries at one or more administrative consoles to a threat management facility for the enterprise network;
identifying a usage history based on the usage of the plurality of queries, the usage history including a specific pattern of queries correlated to an identification of a threat; and
initiating a responsive remedial action to the threat by the threat management facility based on the usage history.
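The steps of claim 1 form a pipeline: events arrive at a stream service, land in a data lake, stored queries are run against the lake from administrative consoles, the threat management facility keeps a usage history of those queries, and a pattern of queries correlated to a threat triggers a remedial action. The following simulation is an added example, not code from the patent or from Sophos; every class name, query identifier, threat pattern, the WINDOW size and the sample events are constructed. It goes one step beyond the claim text by scoping the remedial action to the hosts common to every correlated query's results and by resetting the console's usage window so one investigation does not re-trigger the action on the next query.

```python
"""Simulation of the query-usage-driven threat detection described in claim 1.

Added example, not code from the patent or from Sophos: all class names,
query identifiers, threat patterns, window size and sample events are
constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    host: str
    kind: str    # "process", "account" or "network" in this constructed scenario
    detail: str


class DataLake:
    """Append-only store for the received event stream."""
    def __init__(self) -> None:
        self.events: List[Event] = []

    def store(self, event: Event) -> None:
        self.events.append(event)


class StreamService:
    """Receives the enterprise event stream and writes it to the data lake."""
    def __init__(self, lake: DataLake) -> None:
        self.lake = lake

    def receive(self, events: List[Event]) -> None:
        for event in events:
            self.lake.store(event)


Query = Callable[[DataLake], List[Event]]

# Stored queries that an administrative console may run against the lake (constructed).
QUERIES: Dict[str, Query] = {
    "encoded_powershell": lambda lake: [
        e for e in lake.events if e.kind == "process" and "powershell" in e.detail and "-enc" in e.detail],
    "new_local_admin": lambda lake: [
        e for e in lake.events if e.kind == "account" and "Administrators" in e.detail],
    "smb_fan_out": lambda lake: [
        e for e in lake.events if e.kind == "network" and e.detail.startswith("smb")],
}

# Hypothetical usage patterns: when one console has run every query in a set within
# its last WINDOW queries, that usage history is treated as correlated to the threat.
THREAT_PATTERNS: Dict[str, FrozenSet[str]] = {
    "suspected_lateral_movement": frozenset({"encoded_powershell", "new_local_admin", "smb_fan_out"}),
}
WINDOW = 5


class ThreatManagementFacility:
    def __init__(self, lake: DataLake) -> None:
        self.lake = lake
        # console -> recent (query name, hosts returned) pairs, bounded to WINDOW entries
        self.usage_history: Dict[str, Deque[Tuple[str, FrozenSet[str]]]] = defaultdict(
            lambda: deque(maxlen=WINDOW))
        self.remediations: List[dict] = []

    def run_query(self, console: str, name: str) -> List[Event]:
        """Execute a stored query for a console and record its usage."""
        results = QUERIES[name](self.lake)
        self.usage_history[console].append((name, frozenset(e.host for e in results)))
        threat = self.match_pattern(console)
        if threat is not None:
            self.remediate(console, threat)
        return results

    def match_pattern(self, console: str) -> Optional[str]:
        """Return the threat whose query set is fully covered by the console's recent usage."""
        ran = {name for name, _ in self.usage_history[console]}
        for threat, pattern in THREAT_PATTERNS.items():
            if pattern <= ran:
                return threat
        return None

    def remediate(self, console: str, threat: str) -> None:
        """Record a remedial action scoped to hosts common to every correlated query result."""
        pattern = THREAT_PATTERNS[threat]
        host_sets = [hosts for name, hosts in self.usage_history[console] if name in pattern]
        scope = frozenset.intersection(*host_sets) if host_sets else frozenset()
        self.remediations.append({"threat": threat, "console": console,
                                  "action": "isolate_host", "hosts": sorted(scope)})
        # Reset the window so the same investigation does not re-trigger on the next query.
        self.usage_history[console].clear()


def demo() -> ThreatManagementFacility:
    lake = DataLake()
    StreamService(lake).receive([  # constructed sample events
        Event("ws-17", "process", "powershell.exe -nop -w hidden -enc <constructed>"),
        Event("ws-17", "account", "svc_backup added to local group Administrators"),
        Event("ws-17", "network", "smb 445 to 38 distinct hosts in 60s"),
        Event("ws-22", "network", "smb 445 to fileserver01"),
        Event("ws-09", "process", "notepad.exe"),
    ])
    tmf = ThreatManagementFacility(lake)
    tmf.run_query("console-A", "encoded_powershell")
    tmf.run_query("console-B", "smb_fan_out")      # other console: no correlation
    tmf.run_query("console-A", "new_local_admin")  # two of three: still nothing
    tmf.run_query("console-A", "smb_fan_out")      # completes the pattern
    return tmf
```

Running `demo()` yields exactly one recorded action, for console-A, scoped to ws-17 only: ws-22 appears in the SMB query results but not in the other two, so the intersection excludes it. In practice the usage patterns would be learned from past investigations and the action would be dispatched to endpoint agents rather than appended to a list.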