CPC H04L 63/1416 (2013.01) [H04L 63/1466 (2013.01)]

20 Claims

1. A method comprising:

accessing, by one or more cloud services, structurally deduplicated data indicative of event data, wherein the deduplicated event data is structured in accordance with a data model comprising one or more fields;

determining, based on the structurally deduplicated data, a plurality of deduplicated field groups associated with one or more fields of the data model, wherein the plurality of deduplicated field groups are associated with a network event;

determining, based on one or more references from the deduplicated field groups to a plurality of deduplicated values, one or more values associated with the deduplicated field groups;

determining, based on a ruleset running on the deduplicated field groups and on the one or more values, whether a rule is indicative of a cyberattack;

determining, based on whether the rule is indicative of a cyberattack, to reconstruct a network event or to not reconstruct the network event; and

generating, based on determining to reconstruct the network event, an alert indicative of the network event.
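The flow recited in claim 1, as an added illustration that is not taken from the patent: rules run once per deduplicated field group, and an event is reconstructed and alerted on only when one of its groups matches. The field names, table layout, the `outbound-smb` rule and all sample data are constructed assumptions.

```python
# Constructed sample data; this layout is an assumption, not the patent's format.
# Deduplicated values: each distinct value is stored once under a reference id.
VALUES = {0: "10.0.0.5", 1: "203.0.113.9", 2: 445, 3: 443, 4: "10.0.0.7"}

# Deduplicated field groups: data-model field -> reference into VALUES.
FIELD_GROUPS = {
    "g_src_a": {"src_ip": 0},
    "g_src_b": {"src_ip": 4},
    "g_dst_smb": {"dst_ip": 1, "dst_port": 2},
    "g_dst_tls": {"dst_ip": 1, "dst_port": 3},
}

# A network event is stored only as a list of field-group ids.
EVENTS = {
    "e1": ["g_src_a", "g_dst_smb"],
    "e2": ["g_src_b", "g_dst_tls"],
    "e3": ["g_src_b", "g_dst_smb"],
}

# Hypothetical ruleset: predicates over one resolved field group.
RULES = {
    "outbound-smb": lambda g: g.get("dst_port") == 445
    and not g["dst_ip"].startswith("10."),
}

def resolve(group_id):
    """Follow the references from a field group to its deduplicated values."""
    return {field: VALUES[ref] for field, ref in FIELD_GROUPS[group_id].items()}

def evaluate_groups():
    """Run every rule once per unique field group, not once per event."""
    hits = {}
    for gid in FIELD_GROUPS:
        resolved = resolve(gid)
        matched = [name for name, rule in RULES.items() if rule(resolved)]
        if matched:
            hits[gid] = matched
    return hits

def process():
    """Reconstruct and alert only on events that reference a matching group."""
    hits = evaluate_groups()
    alerts = []
    for eid, gids in EVENTS.items():
        rules = sorted({r for g in gids for r in hits.get(g, [])})
        if not rules:
            continue  # no rule fired: the event is never reconstructed
        event = {}
        for g in gids:
            event.update(resolve(g))  # reconstruction happens only here
        alerts.append({"event_id": eid, "rules": rules, "event": event})
    return alerts
```

With this sample data the rule is evaluated four times (once per field group) rather than once per field of every event, and `e2` is never expanded back into a full record.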