Tracking computer devices in extended detection and response systems
US-2024356958-A1 · Oct 24, 2024 · US
US12531892B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12531892-B2 |
| Application number | US-202318454553-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 23, 2023 |
| Priority date | Apr 24, 2023 |
| Publication date | Jan 20, 2026 |
| Grant date | Jan 20, 2026 |
Abstract
This disclosure describes techniques for mapping local device identifiers used in monitoring data from different sources to a common global identifier to enable correlation of monitoring events related to the same device. The techniques can be used in the context of an Extended Detection and Response (XDR) system architecture for advanced threat detection and response in a computer system. In some cases, the XDR system ingests security data from various monitoring components like Endpoint Detection and Response (EDR), Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), firewall engines, and email security systems.
Claims (preview)
What is claimed is:

1. A method comprising: receiving, from a first computing entity, a request to obtain a first device identifier for a computing device identified by a second device identifier, wherein the request comprises a first indication of the second device identifier and a second indication of a first time, and wherein the first device identifier is a common device identifier across a plurality of monitoring components interacting with an Extended Detection and Response (XDR) system; receiving, from a second computing entity associated with a first monitoring component of the plurality of monitoring components, first monitoring data associated with the computing device, wherein the first monitoring data is recorded before the first time but is received within a threshold period of the first time, and wherein threshold period is determined based on a wait period and a smoothing window size, and further wherein the first monitoring data comprises a third indication of a third device identifier for the computing device; determining, at a second time after the threshold period, a monitoring data batch based on the first monitoring data and the smoothing window size; determining the first device identifier based on the monitoring data batch, wherein determining the first device identifier comprises: determining a correlation between the second device identifier and the third device identifier, and mapping the correlation to the first device identifier; and providing the first device identifier to the first computing entity.

2. The method of claim 1, further comprising: receiving second monitoring data associated with the computing device, wherein the second monitoring data is recorded before the first monitoring data but received after the first monitoring data and within the threshold period; and determining the monitoring data batch to represent that the second monitoring data is recorded before the first monitoring data.

3. The method of claim 1, wherein the smoothing window size represents a number of timesteps after the first time whose respective monitoring data should be included in the monitoring data batch.

4. The method of claim 1, further comprising: based on receiving the request, providing a retry indication to the first computing entity, wherein the retry indication comprises the second time.

5. The method of claim 1, wherein the first computing entity is a monitoring component and providing the first device identifier comprises: providing feedback data representing one or more device identifiers determined for the computing device based on the monitoring data batch.

6. The method of claim 1, wherein the first computing entity is configured to determine a security prediction associated with the computing device based on the first monitoring data.

7. The method of claim 1, wherein the first computing entity is configured to perform a responsive operation in relation to the computing device based on the first monitoring data.

8. The method of claim 1, wherein determining the monitoring data batch comprises: determining a batch size representing a constraint on a first number of timesteps associated with the monitoring data batch; determining a second number of timesteps associated with the threshold period; determining a third number of timesteps based on a deviation between the first number and the second number; and determining the monitoring data batch to comprise a first window associated with the third number and a second window associated with the second number, wherein the first window is associated with a period before the first time and the second window is associated with a period during and after the first time.

9. The method of claim 1, wherein: the first time is associated with generation of the request, the second time is associated with generation of the monitoring data batch, and a deviation between the first time and the second time is determined based on the threshold period.

10. A system comprising: one or more processors; and one or more computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving, from a first computing entity, a request to obtain a first device identifier for a computing device identified by a second device identifier, wherein the request comprises a first indication of the second device identifier and a second indication of a first time, and wherein the first device identifier is a common device identifier across a plurality of monitoring components interacting with an Extended Detection and Response (XDR) system; receiving, from a second computing entity associated with a first monitoring component of the plurality of monitoring components, first monitoring data associated with the computing device, wherein the first monitoring data is recorded before the first time but is received within a threshold period of the first time, and wherein threshold period is determined based on a wait period and a smoothing window size, and further wherein the first monitoring data comprises a third indication of a third device identifier for the computing device; determining, at a second time after the threshold period, a monitoring data batch based on the first monitoring data and the smoothing window size; determining the first device identifier based on the monitoring data batch, wherein determining the first device identifier comprises: determining a correlation between the second device identifier and the third device identifier, and mapping the correlation to the first device identifier; and providing the first device identifier to the first computing entity.

11. The system of claim 10, the operations further comprising: receiving second monitoring data associated with the computing device, wherein the second monitoring data is recorded before the first monitoring data but received after the first monitoring data and within the threshold period; and determining the monitoring data batch to represent that the second monitoring data is recorded before the first monitoring data.

12. The system of claim 10, wherein the smoothing window size represents a number of timesteps after the first time whose respective monitoring data should be included in the monitoring data batch.

13. The system of claim 10, the operations further comprising: based on receiving the request, providing a retry indication to the first computing entity, wherein the retry indication comprises the second time.

14. The system of claim 10, wherein the first computing entity is a monitoring component and providing the first device identifier comprises: providing feedback data representing one or more device identifiers determined for the computing device based on the monitoring data batch.

15. The system of claim 10, wherein the first computing entity is configured to determine a security prediction associated with the computing device based on the first monitoring data.

16. The system of claim 10, wherein the first computing entity is configured to perform a responsive operation in relation to the computing device based on the first monitoring data.

17. One or more non-transitory computer-readable media storing computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising: receiving, from a first computing entity, a request to obtain a first devi
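The claims above describe a resolver that holds a lookup request until a threshold period (wait period plus smoothing window) has elapsed, builds a batch of monitoring data ordered by recording time rather than arrival time, correlates the local identifiers in that batch and maps the correlated set to one global identifier. The following Python model is an added illustration of that procedure, not code from the patent or its assignee. It makes several assumptions the claims leave open: two local identifiers are correlated when their events share an observable attribute (here an IP address) inside the batch; the post-request window is the smoothing window (claim 3) and the look-back window is whatever remains of the batch size after the threshold (claim 8); component names, identifiers, timesteps and the `Resolution` feedback shape are all constructed for the example.

```python
"""Toy global-device-ID resolver modelled on the XDR identifier-mapping claims (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DeviceKey = Tuple[str, str]  # (monitoring component, its local device identifier)


@dataclass(frozen=True)
class MonitoringEvent:
    source: str            # monitoring component that produced the event, e.g. "edr", "ids"
    local_id: str          # the device identifier as that component knows it
    recorded_at: int       # timestep at which the component observed the device
    received_at: int       # timestep at which the XDR system received the event
    attrs: Tuple[Tuple[str, str], ...]  # observables shared across components (assumed correlation key)


@dataclass
class Resolution:
    status: str                                 # "resolved", "retry" or "unknown"
    global_id: Optional[str] = None
    retry_at: Optional[int] = None              # claim 4: the retry indication carries the second time
    aliases: Tuple[DeviceKey, ...] = ()         # claim 5: feedback, every local identifier correlated


class DeviceIdResolver:
    def __init__(self, wait_period: int, smoothing_window: int, batch_size: int) -> None:
        self.smoothing_window = smoothing_window
        self.batch_size = batch_size
        # Claim 1: the threshold period is derived from the wait period and the smoothing window.
        self.threshold = wait_period + smoothing_window
        self.events: List[MonitoringEvent] = []
        self.global_ids: Dict[DeviceKey, str] = {}
        self._counter = 0

    def ingest(self, event: MonitoringEvent) -> None:
        self.events.append(event)

    def monitoring_batch(self, request_time: int, now: int) -> List[MonitoringEvent]:
        # Claim 8 (as interpreted here): batch_size bounds the batch in timesteps; the threshold
        # covers the period during and after the request, the remainder looks back before it.
        lookback = max(self.batch_size - self.threshold, 0)
        start, end = request_time - lookback, request_time + self.smoothing_window  # claim 3
        batch = [e for e in self.events
                 if start <= e.recorded_at <= end
                 and e.received_at <= request_time + self.threshold  # claim 1: late, but inside threshold
                 and e.received_at <= now]
        # Claim 2: order by recording time so a late-arriving event takes its true place.
        return sorted(batch, key=lambda e: e.recorded_at)

    @staticmethod
    def _correlate(batch: List[MonitoringEvent], key: DeviceKey) -> Set[DeviceKey]:
        """Union-find over devices that share an attribute; returns the cluster containing key."""
        parent: Dict[DeviceKey, DeviceKey] = {}

        def find(x: DeviceKey) -> DeviceKey:
            parent.setdefault(x, x)
            while parent[x] != x:
                parent[x] = parent[parent[x]]
                x = parent[x]
            return x

        first_seen: Dict[Tuple[str, str], DeviceKey] = {}
        for e in batch:
            dev = (e.source, e.local_id)
            find(dev)
            for attr in e.attrs:
                if attr in first_seen:
                    parent[find(dev)] = find(first_seen[attr])
                else:
                    first_seen[attr] = dev
        if key not in parent:
            return set()
        root = find(key)
        return {d for d in parent if find(d) == root}

    def resolve(self, source: str, local_id: str, request_time: int, now: int) -> Resolution:
        ready_at = request_time + self.threshold  # claim 9: second time = first time + threshold
        if now < ready_at:
            return Resolution("retry", retry_at=ready_at)
        cluster = self._correlate(self.monitoring_batch(request_time, now), (source, local_id))
        if not cluster:
            return Resolution("unknown")
        # Map the correlated set to one global identifier, reusing one already assigned if present.
        known = {self.global_ids[d] for d in cluster if d in self.global_ids}
        if known:
            gid = min(known)
        else:
            self._counter += 1
            gid = f"dev-{self._counter:04d}"
        for d in cluster:
            self.global_ids[d] = gid
        return Resolution("resolved", gid, aliases=tuple(sorted(cluster)))


# Constructed sample events: the IDS record is recorded before the request time (100) but
# arrives late; the last IDS record arrives after the threshold and must be left out.
SAMPLE_EVENTS = [
    MonitoringEvent("edr", "edr-host-7", 100, 100, (("ip", "10.0.0.5"),)),
    MonitoringEvent("ids", "ids-sensor3-10.0.0.5", 99, 102, (("ip", "10.0.0.5"),)),
    MonitoringEvent("fw", "fw-42", 101, 101, (("ip", "10.0.0.9"),)),
    MonitoringEvent("ids", "ids-late", 100, 106, (("ip", "10.0.0.5"),)),
]


def build_resolver() -> DeviceIdResolver:
    r = DeviceIdResolver(wait_period=2, smoothing_window=2, batch_size=10)  # threshold = 4
    for ev in SAMPLE_EVENTS:
        r.ingest(ev)
    return r


if __name__ == "__main__":
    r = build_resolver()
    print(r.resolve("edr", "edr-host-7", request_time=100, now=101))  # retry, come back at 104
    print(r.resolve("edr", "edr-host-7", request_time=100, now=104))  # resolved with the IDS alias
```

Run as a script it first returns a retry indication (the request at time 100 cannot be answered before 104) and then the resolved global identifier together with the IDS alias that shared the device's IP address; the IDS event that arrived at 106 is outside the threshold and is never admitted to that batch.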
CPC classifications:

- for managing network security; network security policies in general (filtering policies H04L63/0227)
- using time frame reporting
- Traffic logging, e.g. anomaly detection
- Vulnerability analysis