CPC G06F 21/6245 (2013.01) [G06F 16/211 (2019.01); G06F 16/215 (2019.01); G06F 16/24568 (2019.01); G06Q 10/067 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1441 (2013.01)]

20 Claims

1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
receiving event data from a sensor on an endpoint, the event data responsive to an event on the endpoint, and the event data identifying the event;
in response to receiving the event data, precomputing, with the endpoint, a relationship between the event in a temporal context of the sensor and transient information including a local collection of causally related events, each of the causally related events causally related with the event and each of the causally related events associated with a source around a time of the event;
generating a mini-graph that characterizes the relationship precomputed between the event and the local collection of causally related events;
creating a modified event record that includes the mini-graph by joining the event data with the mini-graph that characterizes the relationship, precomputed in response to receiving the event data, between the event and the local collection of causally related events;
storing the modified event record in a data recorder on the endpoint;
transmitting the modified event record to a threat management facility; and
receiving data from the threat management facility for managing security for the endpoint based on the modified event record.
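The endpoint-side steps of claim 1 (temporal context, precomputed relationship, mini-graph, joined record, local recorder, record handed off for transmission) as an added Python sketch; this is example code written here, not the patent's implementation. It assumes each sensor event carries a timestamp and a source process with its parent, defines "causally related" as process lineage within a fixed time window, and stands in for the data recorder with an in-memory list.

```python
from collections import deque
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Event:
    ts: float    # sensor timestamp (seconds)
    pid: int     # source process of the event
    ppid: int    # its parent process
    kind: str    # e.g. "process_start", "file_write"


class EndpointRecorder:
    def __init__(self, window_s: float = 5.0, max_events: int = 10_000):
        self.window_s = window_s
        self.recent = deque(maxlen=max_events)  # sensor's temporal context
        self.records = []                        # stand-in for the local data recorder

    def causally_related(self, ev: Event) -> list:
        """Events in the time window whose source is in ev's process lineage: ancestors
        (walk pid -> ppid) and descendants of ev.pid. Sibling subtrees are excluded."""
        window = [o for o in self.recent if abs(o.ts - ev.ts) <= self.window_s]
        parent_of = {o.pid: o.ppid for o in window}
        lineage, p = {ev.pid}, ev.ppid
        while p in parent_of and p not in lineage:        # walk up
            lineage.add(p)
            p = parent_of[p]
        frontier = [ev.pid]
        while frontier:                                    # walk down
            pid = frontier.pop()
            for o in window:
                if o.ppid == pid and o.pid not in lineage:
                    lineage.add(o.pid)
                    frontier.append(o.pid)
        return [o for o in window if o.pid in lineage]

    @staticmethod
    def mini_graph(ev: Event, related: list) -> dict:
        """Process nodes plus the parent->child edges recoverable from the events."""
        nodes = {ev.pid} | {r.pid for r in related}
        edges = {(r.ppid, r.pid) for r in related + [ev] if r.ppid in nodes}
        return {"nodes": sorted(nodes), "edges": sorted(edges)}

    def on_event(self, ev: Event) -> dict:
        """Join the event with its mini-graph, record locally, return the record to transmit."""
        related = self.causally_related(ev)
        record = {"event": asdict(ev), "mini_graph": self.mini_graph(ev, related),
                  "related": [asdict(r) for r in related]}
        self.recent.append(ev)
        self.records.append(record)
        return record
```

The returned record is the enriched payload; serializing it and receiving the facility's response are left out, since the claim does not fix their format.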