Graphical display of events indicating security threats in an information technology system
First Claim
1. A method comprising:
- extracting, by a computer system, one or more values from each event in a plurality of time-stamped, searchable events, wherein the one or more values are extracted from a field present in raw machine data in each event, the machine data having been produced by one or more components of an information technology environment and indicative of activity in the information technology environment;
- identifying events, in the plurality of time-stamped, searchable events, for which an extracted value of the field satisfies a security criterion;
- defining, by the computer system, the identified events as an event group;
- creating, by the computer system, an event group summary for the event group, wherein the event group summary includes an indication of at least the field for which the extracted value satisfies the security criterion; and
- causing, by the computer system, display of a plurality of event group summaries, including the event group summary, each event group summary corresponding to a distinct event group, wherein the plurality of event group summaries are indicative of potential security threats in the information technology environment, such that each event group summary as displayed includes an indication of at least one field for which extracted values satisfy a particular security criterion for all events in the corresponding event group.
Abstract
A disclosed computer-implemented method includes receiving and indexing raw data. Indexing divides the raw data into time-stamped, searchable events that include information relating to computer or network security. The indexed data is stored in an indexed data store, and values are extracted from a field in the indexed data using a schema. The extracted field values are searched for the security information, and a group of security events is determined using that information; each security event includes a field value specified by a criterion. A graphical interface (GI) is presented that includes a summary of the group of security events, other summaries of security events, and a remove element associated with the summary. Input corresponding to an interaction with the remove element is received; interacting with the remove element causes the summary to be removed from the GI, and the GI is updated to remove the summary.
30 Claims
1. A method comprising:
- extracting, by a computer system, one or more values from each event in a plurality of time-stamped, searchable events, wherein the one or more values are extracted from a field present in raw machine data in each event, the machine data having been produced by one or more components of an information technology environment and indicative of activity in the information technology environment;
- identifying events, in the plurality of time-stamped, searchable events, for which an extracted value of the field satisfies a security criterion;
- defining, by the computer system, the identified events as an event group;
- creating, by the computer system, an event group summary for the event group, wherein the event group summary includes an indication of at least the field for which the extracted value satisfies the security criterion; and
- causing, by the computer system, display of a plurality of event group summaries, including the event group summary, each event group summary corresponding to a distinct event group, wherein the plurality of event group summaries are indicative of potential security threats in the information technology environment, such that each event group summary as displayed includes an indication of at least one field for which extracted values satisfy a particular security criterion for all events in the corresponding event group.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28 (not reproduced on this page).
29. A non-transitory machine-readable storage medium storing instructions, execution of which in a computer system on a computing network causes performance of:
- extracting, by a computer system, one or more values from each event in a plurality of time-stamped, searchable events, wherein the one or more values are extracted from a field present in raw machine data in each event, the machine data having been produced by one or more components of an information technology environment and indicative of activity in the information technology environment;
- identifying events, in the plurality of time-stamped, searchable events, for which an extracted value of the field satisfies a security criterion;
- defining, by the computer system, the identified events as an event group;
- creating, by the computer system, an event group summary for the event group, wherein the event group summary includes an indication of at least the field for which the extracted value satisfies the security criterion; and
- causing, by the computer system, display of a plurality of event group summaries, including the event group summary, each event group summary corresponding to a distinct event group, wherein the plurality of event group summaries are indicative of potential security threats in the information technology environment, such that each event group summary as displayed includes an indication of at least one field for which extracted values satisfy a particular security criterion for all events in the corresponding event group.
30. An apparatus comprising:
- a value extraction device, implemented at least partially in hardware of one or more devices in a computer network, that when in operation extracts one or more values from each event in a plurality of time-stamped, searchable events, wherein the one or more values are extracted from a field present in raw machine data in each event, the machine data having been produced by one or more components of an information technology environment and indicative of activity in the information technology environment;
- an event identifier, implemented at least partially in hardware, that when in operation identifies events in the plurality of time-stamped, searchable events, for which an extracted value of the field satisfies a security criterion;
- an event group definer, implemented at least partially in hardware, that when in operation defines the identified events as an event group;
- a summary creator, implemented at least partially in hardware, that when in operation creates an event group summary for the event group, wherein the event group summary includes an indication of at least the field for which the extracted value satisfies the security criterion; and
- a display generator, implemented at least partially in hardware, that when in operation causes display of a plurality of event group summaries, including the event group summary, each event group summary corresponding to a distinct event group, wherein the plurality of event group summaries are indicative of potential security threats in the information technology environment, such that each event group summary as displayed includes an indication of at least one field for which extracted values satisfy a particular security criterion for all events in the corresponding event group.
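As an added illustration of the pipeline described in the abstract and in claims 1, 29 and 30 (example code written for this page, not the patentee's implementation), the Python below divides constructed syslog-style lines into time-stamped events, extracts field values at search time through a regex schema, identifies the events whose value satisfies a security criterion, defines each set as an event group, renders an event group summary that names the field and criterion, and handles the remove element. The sample lines, the field names, the regexes and the two criteria are assumptions chosen to exercise the method; the page itself names no specific field or criterion.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample raw machine data (syslog-style lines); not taken from any real system.
RAW_MACHINE_DATA = """\
2024-03-01T10:00:01Z host1 sshd[101]: Failed password for root from 203.0.113.5 port 4412 ssh2
2024-03-01T10:00:03Z host1 sshd[102]: Failed password for admin from 203.0.113.5 port 4413 ssh2
2024-03-01T10:00:07Z host2 sshd[201]: Accepted password for alice from 198.51.100.7 port 5001 ssh2
2024-03-01T10:00:09Z host1 sshd[103]: Failed password for root from 203.0.113.5 port 4414 ssh2
2024-03-01T10:01:00Z host3 sudo: bob : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow
2024-03-01T10:01:05Z host2 sshd[202]: Accepted publickey for alice from 198.51.100.7 port 5002 ssh2
"""


@dataclass
class Event:
    """One time-stamped, searchable event holding the raw machine data line."""
    timestamp: datetime
    raw: str


@dataclass
class EventGroupSummary:
    """Summary of an event group: the field and criterion every member satisfies."""
    field_name: str
    criterion: str
    count: int
    events: list


# Schema applied at search time (assumed): field name -> regex extracting the value from raw text.
SCHEMA = {
    "action": re.compile(r"\b(Failed|Accepted) (?:password|publickey)\b"),
    "user": re.compile(r"\bfor (\w+) from\b"),
    "src_ip": re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b"),
    "command": re.compile(r"COMMAND=(\S.*)$"),
}

# Security criteria (assumed for this example): (field, label, predicate on the extracted value).
CRITERIA = [
    ("action", "action == Failed", lambda v: v == "Failed"),
    ("command", "command references /etc/shadow", lambda v: "/etc/shadow" in v),
]


def index_raw_data(raw: str) -> list:
    """Divide raw data into time-stamped, searchable events (the indexing step)."""
    events = []
    for line in raw.splitlines():
        ts_text, _, _ = line.partition(" ")
        events.append(Event(datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), line))
    return sorted(events, key=lambda e: e.timestamp)


def extract_field(event: Event, field_name: str) -> Optional[str]:
    """Extract one field value from the event's raw text using the schema; None if absent."""
    match = SCHEMA[field_name].search(event.raw)
    return match.group(1) if match else None


def build_summaries(events: list, criteria=CRITERIA) -> list:
    """Identify events whose field value satisfies each criterion and summarise each group."""
    summaries = []
    for field_name, label, predicate in criteria:
        group = []
        for event in events:
            value = extract_field(event, field_name)
            if value is not None and predicate(value):
                group.append(event)
        if group:
            summaries.append(EventGroupSummary(field_name, label, len(group), group))
    return summaries


def render(summaries: list) -> list:
    """Text form of what the graphical interface would show for each summary."""
    return [f"{s.field_name}: {s.criterion} ({s.count} events)" for s in summaries]


def remove_summary(summaries: list, index: int) -> list:
    """Handle the remove element: return the summaries with the chosen entry taken out."""
    return summaries[:index] + summaries[index + 1:]


if __name__ == "__main__":
    evs = index_raw_data(RAW_MACHINE_DATA)
    summs = build_summaries(evs)
    for line in render(summs):
        print(line)
    print("after remove:", render(remove_summary(summs, 0)))
```

The schema is applied when a field is read rather than when the line is indexed, which is what lets a new criterion be added later without re-indexing; each summary carries its member events so a reviewer can drill from the group summary back to the raw lines.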