Using network locations obtained from multiple threat lists to evaluate network data or machine data
First Claim
1. A computer-implemented method for identifying notable events in a set of events to facilitate identification of computer or network security-related events, the set of events including a plurality of subsets of events, an event in the set of events comprising a portion of raw machine data representing activity involving at least one host in a plurality of hosts distributed across an enterprise's network, the method comprising:
accessing a plurality of threat location lists from third-party sources;
receiving, from a user:
(i) criteria for at least one correlation search for notable events that occur on the enterprise's network, and (ii) designation of a set of threat location lists from the accessed plurality of threat location lists;
generating an aggregated threat location list by merging and deduplicating the designated set of threat location lists from the plurality of threat location lists, the aggregated threat list stored in an index;
in response to receiving the criteria for the at least one correlation search, for a subset of events in the set of events:
extracting a network location and values for one or more fields identified in the criteria from at least one event in the subset of events, at analysis time, by using an extraction rule or regular expression that is associated with an identified field and with the subset of events, the extraction rule or regular expression defining how to extract the network location from the portion of raw machine data, and determining notable events based on the criteria by determining that:
(i) the extracted network location for the at least one event in the subset of events matches a threat location in the aggregated threat location list stored in the index, and (ii) the extracted values for the one or more identified fields for the at least one event in the subset of events match user-specified values in the criteria;
generating, for each of a plurality of threat locations from the aggregated threat location list, a count of events from the identified notable events that include a network location matching the threat location; and
causing display of a graphical user interface (GUI) including at least one interface element indicating an amount of activity associated with threat locations from the aggregated threat location list, the amount of activity based on the generated count of events, from the determined notable events, for each of the plurality of threat locations from the aggregated threat location list, the amount of activity associated with threat locations used to facilitate operation performance or security associated with at least one component in an IT environment.
Abstract
Systems and methods are provided for identifying network addresses and/or IDs of a deduplicated list among network data, machine data, and/or events derived from network data and/or machine data, and for identifying notable events by searching for the presence of network addresses and/or network IDs that are deduplicated across lists received from multiple external sources. One method includes receiving a plurality of lists of network locations, wherein each list is received over a network, wherein each of the network locations includes a domain name or an IP address, and wherein at least two of the plurality of lists each include a same network location; aggregating the plurality of lists of network locations into a deduplicated list of unique network locations; and searching network data or machine data for a network location included in the deduplicated list of unique network locations.
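The abstract and claim 1 describe one procedure: merge several third-party threat lists into a deduplicated index, extract a network location and other fields from raw machine data at search time using per-source extraction rules, flag events whose location is in the index and whose fields match the analyst's criteria, and count hits per threat location. The Python below is an added illustration of that procedure and is not code from the patent or from any product it covers. The feed names, log formats, regular expressions, field names and log lines are all constructed for the example; the normalization (lower-casing domains, stripping a trailing dot, canonicalizing IP addresses) is one reasonable way to make deduplication across feeds work and is an assumption, not something the page specifies.

```python
import ipaddress
import re
from collections import Counter

# Constructed threat lists standing in for lists fetched from third-party feeds.
# The same indicator deliberately appears in more than one list with different
# casing, whitespace or a trailing dot, so naive string comparison would miss it.
THREAT_LISTS = {
    "feed_a": ["203.0.113.7", "Bad-Domain.example", "198.51.100.23"],
    "feed_b": ["203.0.113.7 ", "bad-domain.example.", "malware.example"],
    "feed_c": ["198.51.100.23", "BAD-DOMAIN.EXAMPLE"],
}

# Constructed extraction rules, one set per subset of events (here keyed by log
# source type). Each rule is a regular expression with a named group for the field.
EXTRACTION_RULES = {
    "firewall": {
        "dest": re.compile(r"\bdst=(?P<dest>[0-9.]+)"),
        "action": re.compile(r"\baction=(?P<action>\w+)"),
    },
    "proxy": {
        "dest": re.compile(r"\bhost=(?P<dest>[A-Za-z0-9.-]+)"),
        "action": re.compile(r"\bstatus=(?P<action>\w+)"),
    },
}

# Constructed raw machine data: (source type, raw event text).
EVENTS = [
    ("firewall", "2024-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.7 action=allowed"),
    ("firewall", "2024-05-01T10:00:02Z src=10.0.0.6 dst=203.0.113.7 action=blocked"),
    ("firewall", "2024-05-01T10:00:03Z src=10.0.0.7 dst=192.0.2.10 action=allowed"),
    ("proxy", "2024-05-01T10:01:00Z user=alice host=bad-domain.example status=allowed"),
    ("proxy", "2024-05-01T10:01:05Z user=bob host=MALWARE.example status=allowed"),
    ("proxy", "2024-05-01T10:01:09Z user=carol host=intranet.example status=allowed"),
]


def normalize_location(raw):
    """Canonical form of an IP address or domain name (assumed normalization)."""
    value = raw.strip().lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(value))  # canonical IPv4/IPv6 text
    except ValueError:
        return value  # not an IP address: treat as a domain name


def aggregate_threat_lists(lists, selected):
    """Merge the user-designated lists into one deduplicated index.

    Returns {normalized_location: {feed names that listed it}} so an analyst
    can see which feeds agree on an indicator.
    """
    index = {}
    for name in selected:
        for raw in lists[name]:
            index.setdefault(normalize_location(raw), set()).add(name)
    return index


def extract_fields(sourcetype, raw, fields):
    """Apply the extraction rules for this subset of events at analysis time."""
    rules = EXTRACTION_RULES[sourcetype]
    extracted = {}
    for field in fields:
        match = rules[field].search(raw)
        if match:
            extracted[field] = match.group(field)
    return extracted


def find_notable_events(events, index, criteria, location_field="dest"):
    """Events whose extracted location is in the index and whose other
    extracted fields equal the user-specified values in `criteria`."""
    notable = []
    for sourcetype, raw in events:
        fields = extract_fields(sourcetype, raw, [location_field, *criteria])
        location = fields.get(location_field)
        if location is None:
            continue
        location = normalize_location(location)
        if location not in index:
            continue
        if all(fields.get(k) == v for k, v in criteria.items()):
            notable.append((location, sourcetype, raw))
    return notable


def count_by_threat_location(index, notable):
    """Per-threat-location hit count, including zero for locations never seen."""
    counts = Counter({location: 0 for location in index})
    counts.update(location for location, _, _ in notable)
    return dict(counts)


if __name__ == "__main__":
    idx = aggregate_threat_lists(THREAT_LISTS, ["feed_a", "feed_b", "feed_c"])
    hits = find_notable_events(EVENTS, idx, {"action": "allowed"})
    for location, count in sorted(count_by_threat_location(idx, hits).items()):
        print(f"{location:<22} events={count}  feeds={sorted(idx[location])}")
```

With all three feeds selected and the criterion `action=allowed`, the index holds four unique locations, and only three of the six events are notable: the blocked firewall connection and the two events whose destinations are not on any feed are excluded. The per-location counts are what the claim's interface element would render.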
73 Citations
42 Claims
1. (Claim 1 is set out above under First Claim; dependent claims 2 through 14 omitted.)
15. A system for identifying notable events in a set of events to facilitate identification of computer or network security-related events, the set of events including a plurality of subsets of events, an event in the set of events comprising a portion of raw machine data representing activity involving at least one host in a plurality of hosts distributed across an enterprise's network, the system comprising:
processing resources and memory coupled to the processing resources, the memory storing instructions that, when executed by the processing resources, cause the system to:
access a plurality of threat location lists from third-party sources;
receive, from a user:
(i) criteria for at least one correlation search for notable events that occur on the enterprise's network, and (ii) designation of a set of threat location lists from the accessed plurality of threat location lists;
generate an aggregated threat location list by merging and deduplicating the designated set of threat location lists from the plurality of threat location lists, the aggregated threat list stored in an index;
in response to receiving the criteria for the at least one correlation search, for a subset of events in the set of events:
extracting a network location and values for one or more fields identified in the criteria from at least one event in the subset of events, at analysis time, by using an extraction rule or regular expression that is associated with an identified field and with the subset of events, the extraction rule or regular expression defining how to extract the network location from the portion of raw machine data, and determining notable events based on the criteria by determining that:
(i) the extracted network location for the at least one event in the subset of events matches a threat location in the aggregated threat location list stored in the index, and (ii) the extracted values for the one or more identified fields for the at least one event in the subset of events match user-specified values in the criteria; and
generating, for each of a plurality of threat locations from the aggregated threat location list, a count of events from the identified notable events that include a network location matching the threat location; and
causing display of a graphical user interface (GUI) including at least one interface element indicating an amount of activity associated with threat locations from the aggregated threat location list, the amount of activity based on the generated count of events from the determined notable events, for each of the plurality of threat locations from the aggregated threat location list, the amount of activity associated with threat locations used to facilitate operation performance or security associated with at least one component in an IT environment.
(Dependent claims 16 through 28 omitted.)
29. A computer readable storage medium, comprising:
instructions that, when executed by processing resources, cause the processing resources to:
access a plurality of threat location lists from third-party sources;
receive, from a user:
(i) criteria from at least one correlation search for notable events that occur on the enterprise's network, and (ii) designation of a set of threat location lists from the accessed plurality of threat location lists;
generate an aggregated threat location list by merging and deduplicating the designated set of threat location lists from the plurality of threat location lists, the aggregated threat list stored in an index;
in response to receiving the criteria for the at least one correlation search, for a subset of events in a set of events, wherein the set of events includes a plurality of subsets of events and an event in the set of events comprises a portion of raw machine data representing activity involving at least one host in a plurality of hosts distributed across an enterprise's network:
extract a network location and values for one or more fields identified in the criteria from at least one event in the subset of events, at analysis time, by using an extraction rule or regular expression that is associated with an identified field and with the subset of events, the extraction rule or regular expression defining how to extract the network location from the portion of raw machine data, and determine notable events based on the criteria by determining that:
(i) the extracted network location for the at least one event in the subset of events matches a threat location in the aggregated threat location list stored in the index, and (ii) the extracted values for the one or more identified fields for the at least one event in the subset of events match user-specified values in the criteria; and
generating, for each of a plurality of threat locations from the aggregated threat location list, a count of events from the identified notable events that include a network location matching the threat location; and
causing display of a graphical user interface (GUI) including at least one interface element indicating an amount of activity associated with threat locations from the aggregated threat location list, the amount of activity based on the generated count of events, from the determined notable events, for each of the plurality of threat locations from the aggregated threat location list, the amount of activity associated with threat locations used to facilitate operation performance or security associated with at least one component in an IT environment.
(Dependent claims 30 through 42 omitted.)