
US-12621324-B1 - Using user feedback for alert generation in an anomaly detection framework


Abstract

Methods, systems, and products for leveraging user feedback for alert generation in an anomaly detection framework, including: receiving, from a user, user feedback for an alert of a cloud deployment; and initiating, based on the user feedback, a workflow for modifying one or more parameters for generating the alert.

Inventors

  • Úlfar Erlingsson
  • Jay Parikh
  • Yijou Chen

Assignees

  • Lacework, Inc.

Dates

Publication Date: 2026-05-05
Application Date: 2023-05-25

Claims (18)

  1. A method of using user feedback for alert generation in an anomaly detection framework, the method comprising: receiving, via a user interface, from a user, user feedback for an alert of a cloud deployment; prompting one or more other users for additional user feedback for the alert in response to receiving an amount of user feedback for the alert that is less than a first threshold amount; prompting one or more other users for additional user feedback for the alert in response to receiving an amount of user feedback for the alert that satisfies a second threshold amount, wherein the second threshold amount is distinct from and less than the first threshold amount; and initiating, based on the user feedback, a workflow for modifying one or more parameters for generating the alert when the user feedback for the alert meets the first threshold amount.
  2. The method of claim 1, wherein: the cloud deployment is associated with a particular customer and other cloud deployments are associated with other customers, and wherein: receiving the user feedback for the alert of the cloud deployment comprises receiving other user feedback for a plurality of instances of the alert in the other cloud deployments; and initiating the workflow is further based on the other user feedback.
  3. The method of claim 1, wherein initiating the workflow comprises initiating a manual review of the alert.
  4. The method of claim 1, wherein initiating the workflow comprises automatically modifying the one or more parameters for generating the alert.
  5. The method of claim 1, further comprising updating a reputation score for the user based on the user feedback.
  6. The method of claim 5, wherein initiating the workflow is further based on the reputation score for the user.
  7. The method of claim 1, further comprising providing access to one or more policies from a particular customer corresponding to the user to one or more other customers.
  8. The method of claim 7, wherein providing the access to the one or more policies is based on at least one of: policy feedback associated with the one or more policies or a reputation score for one or more users of the particular customer.
  9. The method of claim 1, further comprising providing, to the user, a comparison of the user feedback to other feedback for other instances of the alert from one or more other customers.
  10. A computer program product for using user feedback for alert generation in an anomaly detection framework, the computer program product disposed on a non-transitory computer readable medium, the computer program product including computer program instructions configurable to carry out the steps of: receiving, via a user interface, from a user, user feedback for an alert of a cloud deployment; prompting one or more other users for additional user feedback for the alert in response to receiving an amount of user feedback for the alert that is less than a first threshold amount; prompting one or more other users for additional user feedback for the alert in response to receiving an amount of user feedback for the alert that satisfies a second threshold amount, wherein the second threshold amount is distinct from and less than the first threshold amount; and initiating, based on the user feedback, a workflow for modifying one or more parameters for generating the alert when the user feedback for the alert meets the first threshold amount.
  11. The computer program product of claim 10, wherein: the cloud deployment is associated with a particular customer and other cloud deployments are associated with other customers, and wherein: receiving the user feedback for the alert of the cloud deployment comprises receiving other user feedback for a plurality of instances of the alert in the other cloud deployments; and initiating the workflow is further based on the other user feedback.
  12. The computer program product of claim 10, wherein initiating the workflow comprises initiating a manual review of the alert.
  13. The computer program product of claim 10, wherein initiating the workflow comprises automatically modifying the one or more parameters for generating the alert.
  14. The computer program product of claim 10, wherein the steps further comprise updating a reputation score for the user based on the user feedback.
  15. The computer program product of claim 14, wherein initiating the workflow is further based on the reputation score for the user.
  16. The computer program product of claim 10, wherein the steps further comprise providing access to one or more policies from a particular customer corresponding to the user to one or more other customers.
  17. The computer program product of claim 16, wherein providing the access to the one or more policies is based on at least one of: policy feedback associated with the one or more policies or a reputation score for one or more users of the particular customer.
  18. The computer program product of claim 10, wherein the steps further comprise generating a polygraph.
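The two-threshold feedback loop of claim 1, the cross-customer counting of claim 2, the manual-review versus automatic-modification choice of claims 3 and 4, and the reputation score of claims 5 and 6, carried through as an added Python illustration. This is not code from the patent or from Lacework; the class and function names, the threshold values, the automatic-modification cut-off, the prompting scope below the second threshold and the sample feedback are assumptions made for this example.

```python
"""Feedback-driven alert tuning modelled on claims 1 to 6 of the patent.

Added illustration, not the patent's or Lacework's code. Names, threshold
values and the sample feedback below are assumptions chosen for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed values: claim 1 only requires the second threshold to be below the first.
FIRST_THRESHOLD = 4        # enough feedback to start a tuning workflow
SECOND_THRESHOLD = 2       # earlier point at which prompting widens
AUTO_MODIFY_RATIO = 0.75   # assumed cut-off for skipping manual review


@dataclass(frozen=True)
class Feedback:
    user: str
    customer: str
    alert_type: str
    false_positive: bool   # True means the user marked the alert as noise


@dataclass(frozen=True)
class Decision:
    action: str                # "prompt_others" or "initiate_workflow"
    scope: Optional[str]       # who is prompted, when action is "prompt_others"
    workflow: Optional[str]    # "manual_review" or "auto_modify"
    feedback_count: int


class AlertFeedbackTracker:
    """Collects feedback per alert type across all customers (claim 2)."""

    def __init__(self, first: int = FIRST_THRESHOLD, second: int = SECOND_THRESHOLD):
        if not 0 < second < first:
            raise ValueError("claim 1: second threshold must be lower than the first")
        self.first, self.second = first, second
        self.feedback: Dict[str, List[Feedback]] = defaultdict(list)
        # Reputation starts neutral at 1.0 and moves with each consensus (claim 5).
        self.reputation: Dict[str, float] = defaultdict(lambda: 1.0)

    def receive(self, fb: Feedback) -> Decision:
        items = self.feedback[fb.alert_type]
        items.append(fb)
        n = len(items)
        if n < self.first:
            # Below the first threshold: ask other users for more feedback.
            # Assumption: below the second threshold only the same customer's
            # users are prompted; once it is met, users at other customers too.
            scope = "same_customer" if n < self.second else "all_customers"
            return Decision("prompt_others", scope, None, n)
        # First threshold met: pick a workflow (claims 3, 4, 6), then settle reputations.
        workflow = self._choose_workflow(items)
        self._update_reputation(items)
        return Decision("initiate_workflow", None, workflow, n)

    def weighted_false_positive_ratio(self, items: List[Feedback]) -> float:
        """Share of feedback calling the alert noise, weighted by reporter reputation."""
        total = sum(self.reputation[f.user] for f in items)
        noise = sum(self.reputation[f.user] for f in items if f.false_positive)
        return noise / total

    def _choose_workflow(self, items: List[Feedback]) -> str:
        ratio = self.weighted_false_positive_ratio(items)
        return "auto_modify" if ratio >= AUTO_MODIFY_RATIO else "manual_review"

    def _update_reputation(self, items: List[Feedback]) -> None:
        # Consensus is a strict majority of raw votes; agreeing reporters gain
        # 0.1, disagreeing ones lose 0.1, never dropping below 0.1.
        consensus = sum(f.false_positive for f in items) * 2 > len(items)
        for f in items:
            delta = 0.1 if f.false_positive == consensus else -0.1
            self.reputation[f.user] = max(0.1, round(self.reputation[f.user] + delta, 2))


def run_demo() -> List[Decision]:
    """Feed constructed feedback for one alert type and return each decision."""
    tracker = AlertFeedbackTracker()
    sample = [  # constructed sample: two customers, one alert type, three noise votes
        Feedback("alice", "acme", "new_external_connection", True),
        Feedback("bob", "acme", "new_external_connection", True),
        Feedback("carol", "globex", "new_external_connection", True),
        Feedback("dave", "globex", "new_external_connection", False),
    ]
    return [tracker.receive(fb) for fb in sample]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The workflow choice is made with the reputations as they stood before the alert's own votes are scored, so a reporter cannot lift the weight of the vote that is being decided; with four neutral reporters and three noise votes the ratio reaches the assumed 0.75 cut-off and the parameters are modified automatically, while an even split falls back to manual review.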

Description

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings illustrate various embodiments and are a part of the specification. The illustrated embodiments are merely examples and do not limit the scope of the disclosure. Throughout the drawings, identical or similar reference numbers designate identical or similar elements.

FIG. 1A shows an illustrative configuration in which a data platform is configured to perform various operations with respect to a cloud environment that includes a plurality of compute assets.
FIG. 1B shows an illustrative implementation of the configuration of FIG. 1A.
FIG. 1C illustrates an example computing device.
FIG. 1D illustrates an example of an environment in which activities that occur within datacenters are modeled.
FIG. 2A illustrates an example of a process, used by an agent, to collect and report information about a client.
FIG. 2B illustrates a 5-tuple of data collected by an agent, physically and logically.
FIG. 2C illustrates a portion of a polygraph.
FIG. 2D illustrates a portion of a polygraph.
FIG. 2E illustrates an example of a communication polygraph.
FIG. 2F illustrates an example of a polygraph.
FIG. 2G illustrates an example of a polygraph as rendered in an interface.
FIG. 2H illustrates an example of a portion of a polygraph as rendered in an interface.
FIG. 2I illustrates an example of a portion of a polygraph as rendered in an interface.
FIG. 2J illustrates an example of a portion of a polygraph as rendered in an interface.
FIG. 2K illustrates an example of a portion of a polygraph as rendered in an interface.
FIG. 2L illustrates an example of an insider behavior graph as rendered in an interface.
FIG. 2M illustrates an example of a privilege change graph as rendered in an interface.
FIG. 2N illustrates an example of a user login graph as rendered in an interface.
FIG. 2O illustrates an example of a machine server graph as rendered in an interface.
FIG. 3A illustrates an example of a process for detecting anomalies in a network environment.
FIG. 3B depicts a set of example processes communicating with other processes.
FIG. 3C depicts a set of example processes communicating with other processes.
FIG. 3D depicts a set of example processes communicating with other processes.
FIG. 3E depicts two pairs of clusters.
FIG. 3F is a representation of a user logging into a first machine, then into a second machine from the first machine, and then making an external connection.
FIG. 3G is an alternate representation of actions occurring in FIG. 3F.
FIG. 3H illustrates an example of a process for performing extended user tracking.
FIG. 3I is a representation of a user logging into a first machine, then into a second machine from the first machine, and then making an external connection.
FIG. 3J illustrates an example of a process for performing extended user tracking.
FIG. 3K illustrates example records.
FIG. 3L illustrates example output from performing an ssh connection match.
FIG. 3M illustrates example records.
FIG. 3N illustrates example records.
FIG. 3O illustrates example records.
FIG. 3P illustrates example records.
FIG. 3Q illustrates an adjacency relationship between two login sessions.
FIG. 3R illustrates example records.
FIG. 3S illustrates an example of a process for detecting anomalies.
FIG. 4A illustrates a representation of an embodiment of an insider behavior graph.
FIG. 4B illustrates an embodiment of a portion of an insider behavior graph.
FIG. 4C illustrates an embodiment of a portion of an insider behavior graph.
FIG. 4D illustrates an embodiment of a portion of an insider behavior graph.
FIG. 4E illustrates a representation of an embodiment of a user login graph.
FIG. 4F illustrates an example of a privilege change graph.
FIG. 4G illustrates an example of a privilege change graph.
FIG. 4H illustrates an example of a user interacting with a portion of an interface.
FIG. 4I illustrates an example of a dossier for an event.
FIG. 4J illustrates an example of a dossier for a domain.
FIG. 4K depicts an example of an Entity Join graph by FilterKey and FilterKey Group (implicit join).
FIG. 4L illustrates an example process for dynamically generating and executing a query.
FIG. 5 sets forth a flowchart illustrating an example method of improving developer efficiency and application quality in accordance with some embodiments.
FIG. 6 sets forth a flowchart illustrating an additional example method of improving developer efficiency and application quality in accordance with some embodiments.
FIG. 7 sets forth a flowchart illustrating an additional example method of improving developer efficiency and application quality in accordance with some embodiments.
FIG. 8 sets forth a flowchart illustrating an additional example method of improving developer efficiency and application quality in accordance with some embodiments.
FIG. 9 sets forth a flowchart illustrating an example method of learning from similar cloud deployments in accordance with some embodiments o