| CPC G06F 11/3086 (2013.01) [G06F 9/542 (2013.01); G06F 11/3006 (2013.01); G06F 11/3079 (2013.01); G06F 2201/81 (2013.01); G06F 2201/86 (2013.01)] | 22 Claims |

1. A method comprising:
generating, by a central computer system comprising one or more processor devices of one or more computing devices, a normal event set data structure, the normal event set data structure comprising information that identifies a plurality of different sets of events that are deemed normal;
sending, by the central computer system, the normal event set data structure to a plurality of different devices on which the sets of events can occur to identify to the different devices sets of events not to be sent to the central computer system;
receiving, by the central computer system from the plurality of different devices, a first plurality of event records, each event record identifying one or more events that have occurred on a device of the plurality of different devices, the first plurality of event records comprising only sets of events not identified in the normal event set data structure;
identifying, by the central computer system from the first plurality of event records, a first group of event records that identify a same first set of a plurality of events that occurred on a first subset of at least two of the different devices;
determining, by the central computer system, that a total number of the event records in the first group of event records exceeds a first threshold criterion; and
in response to determining that the total number of the event records in the first group of event records exceeds the first threshold criterion, sending, to a destination, information about the first set of the plurality of events.
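The flow recited in claim 1, sketched as an added example that is not taken from the patent or any implementation of it: devices suppress event sets listed in the normal event set data structure, and the central system groups the remaining records by identical event set and reports a group once it spans at least two devices and its record count exceeds the threshold. All names, the sample events, and the reading of "exceeds" as a strict `count > threshold` are assumptions.

```python
from collections import defaultdict

# Constructed "normal event set data structure": each entry is one set of
# events deemed normal (hypothetical event names).
NORMAL_EVENT_SETS = {
    frozenset({"user_login", "token_refresh"}),
    frozenset({"cron_start", "cron_exit_0"}),
}

# Constructed observations: device id -> event sets seen on that device.
OBSERVED = {
    "dev-a": [{"user_login", "token_refresh"}, {"svc_crash", "config_reload_fail"}],
    "dev-b": [{"cron_start", "cron_exit_0"}, {"svc_crash", "config_reload_fail"}],
    "dev-c": [{"svc_crash", "config_reload_fail"}, {"disk_full"}],
    "dev-d": [{"user_login", "token_refresh"}, {"disk_full"}],
}

def device_filter(device_id, observed_sets, normal_sets):
    """Device side: build event records only for sets NOT deemed normal."""
    return [{"device": device_id, "events": frozenset(s)}
            for s in observed_sets if frozenset(s) not in normal_sets]

def central_correlate(records, threshold):
    """Central side: group records that identify the same set of events, then
    keep groups seen on >= 2 devices whose record count exceeds threshold."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["events"]].append(rec["device"])
    findings = []
    for events, devices in groups.items():
        if len(set(devices)) >= 2 and len(devices) > threshold:
            findings.append({"events": sorted(events),
                             "devices": sorted(set(devices)),
                             "count": len(devices)})
    return findings

def run_example(threshold=2):
    """Push the normal sets to every device, collect what they send back,
    correlate centrally, and deliver findings to a stand-in destination."""
    records = []
    for dev, sets in OBSERVED.items():
        records += device_filter(dev, sets, NORMAL_EVENT_SETS)
    destination = []  # stand-in for the claim's "destination"
    destination.extend(central_correlate(records, threshold))
    return records, destination

if __name__ == "__main__":
    print(run_example()[1])
```

With the constructed data, the `disk_full` set appears on two devices but does not exceed the threshold of 2, so only the crash set is sent to the destination.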