CPC G06Q 10/0635 (2013.01) [G06F 9/542 (2013.01); G06F 11/079 (2013.01); G06F 16/955 (2019.01); G06F 17/18 (2013.01); G06F 18/214 (2023.01); G06F 18/2178 (2023.01); G06F 18/23213 (2023.01); G06F 18/24143 (2023.01); G06F 21/554 (2013.01); G06F 21/56 (2013.01); G06F 21/562 (2013.01); G06F 21/565 (2013.01); G06N 5/01 (2023.01); G06N 5/022 (2013.01); G06N 5/04 (2013.01); G06N 5/046 (2013.01); G06N 7/00 (2013.01); G06N 20/00 (2019.01); G06N 20/20 (2019.01); G06Q 10/06395 (2013.01); G06V 20/52 (2022.01); H04L 63/0227 (2013.01); H04L 63/0263 (2013.01); H04L 63/1408 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); H04L 63/20 (2013.01); G06Q 30/0185 (2013.01); G06Q 30/0283 (2013.01)]
20 Claims
1. An endpoint coupled in a communicating relationship with an enterprise network, the endpoint comprising:
a data recorder configured to store an event stream of data indicating events on the endpoint including a plurality of types of changes to a plurality of computing objects on the endpoint;
a filter configured to locally process the event stream into a filtered event stream including a subset of the plurality of types of changes to the plurality of computing objects; and
a local security agent configured to:
transmit the filtered event stream to a threat management facility;
respond to a filter adjustment from the threat management facility by adjusting the filter to modify the subset of the plurality of types of changes included in the filtered event stream; and
respond to a query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream.
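The following Python is an added illustration of the endpoint architecture recited in claim 1; it is a constructed model, not code from the patent or its assignee. It models the three claimed parts (a data recorder holding the full event stream, a filter that selects which change types leave the host, and a local agent that forwards the filtered stream, applies filter adjustments, and answers queries for recorded events that were never forwarded) and runs a constructed timeline through them. The class names, the `outbox` list standing in for the link to the threat management facility, the retention window, and the sample events are all assumptions made for the example.

```python
"""Model of the endpoint in claim 1: full event stream recorded locally, a
subset forwarded, filter adjustable on request, unsent history queryable.
Constructed example; not the patent's own code."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: float      # timestamp on a constructed clock (seconds)
    obj: str       # computing object: file path, process, registry key, ...
    change: str    # type of change: "file_write", "proc_start", "reg_set", ...


class DataRecorder:
    """Stores every event together with a flag saying whether it was forwarded."""

    def __init__(self, retention_s: float) -> None:
        self.retention_s = retention_s
        self._buf: Deque[Tuple[Event, bool]] = deque()

    def record(self, ev: Event, forwarded: bool) -> None:
        self._buf.append((ev, forwarded))
        # Age out entries older than the retention window so local storage stays bounded.
        while self._buf and ev.ts - self._buf[0][0].ts > self.retention_s:
            self._buf.popleft()

    def unforwarded(self, start: float, end: float) -> List[Event]:
        """Events in [start, end] that were recorded but excluded from the filtered stream."""
        return [e for e, fwd in self._buf if not fwd and start <= e.ts <= end]


class Filter:
    """Passes only the change types currently in the selected subset."""

    def __init__(self, change_types: Iterable[str]) -> None:
        self.change_types: Set[str] = set(change_types)

    def passes(self, ev: Event) -> bool:
        return ev.change in self.change_types

    def adjust(self, add: Iterable[str] = (), remove: Iterable[str] = ()) -> None:
        self.change_types = (self.change_types | set(add)) - set(remove)


class LocalAgent:
    """Ties recorder and filter together; `outbox` is an assumed stand-in for
    the transport to the threat management facility."""

    def __init__(self, recorder: DataRecorder, flt: Filter) -> None:
        self.recorder, self.filter = recorder, flt
        self.outbox: List[Event] = []

    def on_event(self, ev: Event) -> None:
        fwd = self.filter.passes(ev)
        self.recorder.record(ev, forwarded=fwd)   # the full stream always stays local
        if fwd:
            self.outbox.append(ev)                 # only the filtered subset leaves the host

    def on_filter_adjustment(self, add: Iterable[str] = (), remove: Iterable[str] = ()) -> Set[str]:
        self.filter.adjust(add, remove)
        return set(self.filter.change_types)

    def on_query(self, query_ts: float, lookback_s: float) -> List[Event]:
        # Data recorded in the window before the query that never left the endpoint.
        return self.recorder.unforwarded(query_ts - lookback_s, query_ts)


def run_scenario() -> Dict[str, object]:
    """Constructed timeline: low-value writes and a registry change stay local,
    a process start is forwarded, the facility widens the filter and then asks
    for the context it never saw."""
    agent = LocalAgent(DataRecorder(retention_s=600.0), Filter({"proc_start"}))
    timeline = [
        Event(100.0, "C:\\Users\\a\\notes.txt", "file_write"),
        Event(101.0, "HKCU\\Software\\Run", "reg_set"),
        Event(102.0, "powershell.exe", "proc_start"),
        Event(103.0, "C:\\Users\\a\\payload.dll", "file_write"),
    ]
    for ev in timeline:
        agent.on_event(ev)
    sent_before = [e.change for e in agent.outbox]
    widened = agent.on_filter_adjustment(add={"file_write", "reg_set"})
    agent.on_event(Event(104.0, "C:\\Users\\a\\drop.exe", "file_write"))
    context = agent.on_query(query_ts=104.0, lookback_s=5.0)
    return {
        "sent_before": sent_before,
        "filter_after": widened,
        "sent_after": [e.change for e in agent.outbox],
        "query_context": [(e.ts, e.change) for e in context],
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The recorder marks each event with whether it was forwarded at the time it was recorded, so a later filter adjustment does not change which past events a query returns; this matches the claim's wording that the query retrieves data "excluded from the filtered event stream", not data that the current filter would exclude.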