US 11,750,663 B2
Threat identification-based collection of forensic data from endpoint devices
Brian Luger, Issaquah, WA (US)
Assigned to Splunk Inc., San Francisco, CA (US)
Filed by Splunk Inc., San Francisco, CA (US)
Filed on Jul. 9, 2021, as Appl. No. 17/371,977.
Application 17/371,977 is a continuation of application No. 16/520,114, filed on Jul. 23, 2019, granted, now 11,095,690.
Application 16/520,114 is a continuation of application No. 15/276,761, filed on Sep. 26, 2016, granted, now 10,419,494, issued on Sep. 17, 2019.
Prior Publication US 2021/0400088 A1, Dec. 23, 2021
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/302 (2013.01) [H04L 63/145 (2013.01); H04L 63/1408 (2013.01); H04L 63/308 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer-implemented method, comprising:
executing a query, the query including an association specifying types of forensic data to collect from one or more endpoint devices in an information technology (IT) environment when execution of the query identifies an occurrence of a security threat at an endpoint device of the one or more endpoint devices;
identifying, based on the executing of the query, an occurrence of the security threat at the endpoint device;
based on the identifying of the occurrence of the security threat at the endpoint device, collecting, from the endpoint device, forensic data corresponding to the types of forensic data specified by the association; and
storing the forensic data in a data store.
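The claim describes a pipeline in four steps: a detection query carries an association naming the forensic artifact types to pull when it fires; executing the query identifies an affected endpoint; only the associated artifact types are collected from that endpoint; the result lands in a data store. The following Python is an added illustration of that flow written for this page; it is not Splunk's code and does not reflect how the patented system is built. The hosts, event fields, artifact types and the in-memory data store are all constructed assumptions.

```python
"""Detection-triggered forensic collection, as a small illustrative model (not Splunk's code)."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]


@dataclass
class ForensicQuery:
    """A detection query together with its association: the artifact types to pull on a hit."""
    name: str
    predicate: Callable[[Event], bool]
    collect_types: List[str]


# Constructed sample endpoint telemetry (hypothetical hosts, fields and signatures).
EVENTS: List[Event] = [
    {"endpoint": "host-a", "event_type": "process_start", "process": "notepad.exe"},
    {"endpoint": "host-b", "event_type": "av_alert", "severity": "low", "signature": "PUA.Generic"},
    {"endpoint": "host-a", "event_type": "av_alert", "severity": "high", "signature": "Trojan.Generic"},
    {"endpoint": "host-a", "event_type": "av_alert", "severity": "high", "signature": "Trojan.Generic"},
]

# Constructed stand-in for what an endpoint agent would return when asked for each artifact type.
ENDPOINT_ARTIFACTS: Dict[str, Dict[str, Any]] = {
    "host-a": {
        "process_list": ["notepad.exe", "svchost.exe"],
        "network_connections": ["10.0.0.5:443"],
        "autoruns": ["C:\\startup\\updater.exe"],
    },
    "host-b": {
        "process_list": ["explorer.exe"],
    },
}


@dataclass
class DataStore:
    """In-memory stand-in for the data store that receives collected forensic data."""
    records: List[Dict[str, Any]] = field(default_factory=list)

    def put(self, endpoint: str, query_name: str, artifact_type: str, data: Any) -> None:
        self.records.append({
            "endpoint": endpoint,
            "query": query_name,
            "artifact_type": artifact_type,
            "data": data,
        })


def execute_query(query: ForensicQuery, events: List[Event]) -> List[str]:
    """Run the query over telemetry; return endpoints with a threat occurrence, deduplicated, in first-seen order."""
    hits: List[str] = []
    for event in events:
        if query.predicate(event) and event["endpoint"] not in hits:
            hits.append(event["endpoint"])
    return hits


def collect_forensics(endpoint: str, types: List[str],
                      artifact_source: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Pull only the artifact types named by the association; types the endpoint cannot supply are omitted."""
    available = artifact_source.get(endpoint, {})
    return {t: available[t] for t in types if t in available}


def run(query: ForensicQuery, events: List[Event],
        artifact_source: Dict[str, Dict[str, Any]], store: DataStore) -> Dict[str, Any]:
    """Execute, identify, collect, store; report what was matched, stored and what could not be collected."""
    matched = execute_query(query, events)
    missing: Dict[str, List[str]] = {}
    stored = 0
    for endpoint in matched:
        collected = collect_forensics(endpoint, query.collect_types, artifact_source)
        for artifact_type, data in collected.items():
            store.put(endpoint, query.name, artifact_type, data)
            stored += 1
        gaps = [t for t in query.collect_types if t not in collected]
        if gaps:
            missing[endpoint] = gaps
    return {"matched": matched, "stored": stored, "missing": missing}


# Constructed query: high-severity AV alerts trigger collection of three artifact types,
# one of which ("memory_strings") no endpoint in the sample can supply.
HIGH_SEVERITY_ALERT = ForensicQuery(
    name="high_severity_av_alert",
    predicate=lambda e: e.get("event_type") == "av_alert" and e.get("severity") == "high",
    collect_types=["process_list", "network_connections", "memory_strings"],
)

if __name__ == "__main__":
    ds = DataStore()
    print(run(HIGH_SEVERITY_ALERT, EVENTS, ENDPOINT_ARTIFACTS, ds))
    for record in ds.records:
        print(record)
```

The point a defender should take from the model is that the association is carried on the query rather than hard-coded in the collector: the query decides which endpoint is affected, and it also decides which artifact types are worth pulling, so a low-severity hit on host-b triggers nothing while the high-severity hit on host-a produces exactly the requested artifacts. Artifact types the endpoint cannot supply are reported rather than silently dropped, which matters when the stored record is later used as evidence.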