US 12,079,757 B2
Endpoint with remotely programmable data recorder
Beata Ladnai, Altrincham (GB); Mark D. Harris, Oxon (GB); Andrew G. P. Smith, Oxford (GB); Kenneth D. Ray, Seattle, WA (US); Andrew J. Thomas, Oxfordshire (GB); and Russell Humphries, Surrey (GB)
Assigned to Sophos Limited, Abingdon (GB)
Filed by Sophos Limited, Abingdon (GB)
Filed on Aug. 14, 2023, as Appl. No. 18/449,315.
Application 18/449,315 is a continuation of application No. 17/705,640, filed on Mar. 28, 2022, granted, now 11,727,333.
Application 17/705,640 is a continuation of application No. 16/129,113, filed on Sep. 12, 2018, granted, now 11,297,073, issued on Apr. 5, 2022.
Claims priority of provisional application 62/726,174, filed on Aug. 31, 2018.
Prior Publication US 2024/0037477 A1, Feb. 1, 2024
Int. Cl. H04L 9/40 (2022.01); G06F 9/54 (2006.01); G06F 11/07 (2006.01); G06F 16/955 (2019.01); G06F 17/18 (2006.01); G06F 18/21 (2023.01); G06F 18/214 (2023.01); G06F 18/23213 (2023.01); G06F 18/2413 (2023.01); G06F 21/55 (2013.01); G06F 21/56 (2013.01); G06N 5/01 (2023.01); G06N 5/022 (2023.01); G06N 5/04 (2023.01); G06N 5/046 (2023.01); G06N 7/00 (2023.01); G06N 20/00 (2019.01); G06N 20/20 (2019.01); G06Q 10/0635 (2023.01); G06Q 10/0639 (2023.01); G06V 20/52 (2022.01); G06Q 30/018 (2023.01); G06Q 30/0283 (2023.01)
CPC G06Q 10/0635 (2013.01) [G06F 9/542 (2013.01); G06F 11/079 (2013.01); G06F 16/955 (2019.01); G06F 17/18 (2013.01); G06F 18/214 (2023.01); G06F 18/2178 (2023.01); G06F 18/23213 (2023.01); G06F 18/24143 (2023.01); G06F 21/554 (2013.01); G06F 21/56 (2013.01); G06F 21/562 (2013.01); G06F 21/565 (2013.01); G06N 5/01 (2023.01); G06N 5/022 (2013.01); G06N 5/04 (2013.01); G06N 5/046 (2013.01); G06N 7/00 (2013.01); G06N 20/00 (2019.01); G06N 20/20 (2019.01); G06Q 10/06395 (2013.01); G06V 20/52 (2022.01); H04L 63/0227 (2013.01); H04L 63/0263 (2013.01); H04L 63/1408 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); H04L 63/20 (2013.01); G06Q 30/0185 (2013.01); G06Q 30/0283 (2013.01)] 19 Claims
OG exemplary drawing
 
1. A computer program product comprising a non-transitory computer readable medium embodying computer executable code that, when executing on one or more computing devices, causes the one or more computing devices to perform steps of:
storing in a data recorder an event stream of data indicating events on an endpoint including a plurality of types of changes to a plurality of computing objects on the endpoint;
processing the event stream with a filter into a filtered event stream including a subset of the plurality of types of changes to the plurality of computing objects;
transmitting the filtered event stream over an enterprise network to a threat management facility;
responding to a local change in security posture detected on the endpoint by adjusting the filter to modify the subset of the plurality of types of changes included in the filtered event stream;
receiving a query from the threat management facility for additional event data from the event stream stored in the data recorder in response to the change in security posture; and
responding to the query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream.
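The mechanism claim 1 describes (a local recorder that keeps every event, a type filter that decides which subset is streamed to the threat management facility, a filter that widens when the endpoint itself detects a posture change, and a query that pulls back the events the filter had dropped over a window before the query) is easier to reason about in code. The following is an added illustration written for this page, not Sophos's implementation and not code from the patent; the class names, event kinds, the "three writes in five seconds" posture heuristic, the six-second lookback and the sample timeline are all assumptions chosen to exercise the claim's steps.

```python
# Added example, not Sophos code: toy endpoint data recorder, type filter feeding a
# "threat management facility", a local posture heuristic that widens the filter,
# and a retrospective query for the events the filter excluded.
# All names, event kinds, thresholds, the heuristic and the timeline are assumptions.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float    # recorder timestamp, seconds
    kind: str    # type of change, e.g. "file_write", "registry_set", "process_start"
    obj: str     # computing object the change applies to


class DataRecorder:
    """Bounded local store of every observed event (the full event stream)."""

    def __init__(self, max_events=10_000):
        self._events = deque(maxlen=max_events)   # oldest events age out

    def record(self, ev):
        self._events.append(ev)

    def window(self, start_ts, end_ts):
        return [e for e in self._events if start_ts <= e.ts <= end_ts]


class ThreatManagementFacility:
    """Consumes the filtered stream; on a posture alert, queries the endpoint."""

    def __init__(self, lookback_s=6.0):
        self.received = []      # filtered stream as seen on the network side
        self.retrieved = []     # answers to retrospective queries
        self.lookback_s = lookback_s

    def receive(self, endpoint, ev):
        self.received.append(ev)
        if ev.kind == "posture_change":
            # Ask for what the filter dropped in the window before this query.
            self.retrieved.extend(endpoint.handle_query(ev.ts, self.lookback_s))


class Endpoint:
    WRITE_BURST, WRITE_WINDOW_S = 3, 5.0   # assumed heuristic: 3 file writes in 5 s

    def __init__(self, recorder, tmf, baseline_kinds, elevated_kinds):
        self.recorder = recorder
        self.tmf = tmf
        self.forwarded_kinds = set(baseline_kinds)   # the filter (subset of types)
        self.elevated_kinds = set(elevated_kinds)
        self.posture = "normal"
        self._recent_writes = deque()
        self.sent = []   # events actually placed on the filtered stream

    def observe(self, ev):
        self.recorder.record(ev)                 # every event is stored locally
        if ev.kind in self.forwarded_kinds:      # filter decides what leaves the box
            self._send(ev)
        self._check_posture(ev)                  # may widen the filter for later events

    def _send(self, ev):
        self.sent.append(ev)
        self.tmf.receive(self, ev)

    def _check_posture(self, ev):
        if self.posture != "normal" or ev.kind != "file_write":
            return
        self._recent_writes.append(ev.ts)
        while self._recent_writes[0] < ev.ts - self.WRITE_WINDOW_S:
            self._recent_writes.popleft()
        if len(self._recent_writes) >= self.WRITE_BURST:
            self.posture = "elevated"
            self.forwarded_kinds |= self.elevated_kinds      # adjust the filter
            change = Event(ev.ts, "posture_change", "endpoint")
            self.recorder.record(change)
            self._send(change)                               # tell the facility

    def handle_query(self, query_ts, lookback_s):
        """Events in [query_ts - lookback_s, query_ts] that were never forwarded."""
        already_sent = set(self.sent)
        return [e for e in self.recorder.window(query_ts - lookback_s, query_ts)
                if e not in already_sent]


def run_demo():
    """Constructed timeline: a write burst at t=4..6 escalates posture at t=6."""
    tmf = ThreatManagementFacility(lookback_s=6.0)
    ep = Endpoint(DataRecorder(), tmf,
                  baseline_kinds={"process_start"},
                  elevated_kinds={"file_write", "registry_set", "file_read"})
    timeline = [
        Event(1, "process_start", "svchost.exe"),
        Event(2, "file_read", "docs/a.txt"),
        Event(3, "registry_set", "HKCU/Run/updater"),
        Event(4, "file_write", "docs/a.txt.enc"),
        Event(5, "file_write", "docs/b.txt.enc"),
        Event(6, "file_write", "docs/c.txt.enc"),   # third write in 5 s
        Event(7, "registry_set", "HKCU/Run/x"),
        Event(8, "file_write", "docs/d.txt.enc"),
    ]
    for ev in timeline:
        ep.observe(ev)
    return ep, tmf
```

In the constructed run, the facility sees only the process start until t=6; the posture change then widens the filter, and the query answers with the five events (t=2..6) that the baseline filter had dropped, so the facility gets the precursor activity it never streamed. The retrieved set is defined as "recorded but not sent" rather than by type, which is what keeps a re-queried window from duplicating events already on the wire. Two caveats a practitioner would add: the recorder is a bounded ring buffer, so a lookback longer than its retention silently returns less than asked for, and because the recorder holds the evidence the filter withheld, its integrity on the endpoint matters as much as the filter itself.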