Graphical display of events indicating security threats in an information technology system

US 10,382,472 B2
Filed: 06/04/2018
Issued: 08/13/2019
Est. Priority Date: 07/31/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

extracting, by a computer system, one or more values from each event in a plurality of time-stamped, searchable events, wherein the one or more values are extracted from a field present in raw machine data in each event, the machine data having been produced by one or more components of an information technology environment and indicative of activity in the information technology environment;

identifying events, in the plurality of time-stamped, searchable events, for which an extracted value of the field satisfies a security criterion;

defining, by the computer system, the identified events as an event group;

creating, by the computer system, an event group summary for the event group, wherein the event group summary includes an indication of at least the field for which the extracted value satisfies the security criterion; and

causing, by the computer system, display of a plurality of event group summaries, including the event group summary, each event group summary corresponding to a distinct event group, wherein the plurality of event group summaries are indicative of potential security threats in the information technology environment, such that each event group summary as displayed includes an indication of at least one field for which extracted values satisfy a particular security criterion for all events in the corresponding event group.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.

Citations

30 Claims

1. A method comprising:
- extracting, by a computer system, one or more values from each event in a plurality of time-stamped, searchable events, wherein the one or more values are extracted from a field present in raw machine data in each event, the machine data having been produced by one or more components of an information technology environment and indicative of activity in the information technology environment;
  
  identifying events, in the plurality of time-stamped, searchable events, for which an extracted value of the field satisfies a security criterion;
  
  defining, by the computer system, the identified events as an event group;
  
  creating, by the computer system, an event group summary for the event group, wherein the event group summary includes an indication of at least the field for which the extracted value satisfies the security criterion; and
  
  causing, by the computer system, display of a plurality of event group summaries, including the event group summary, each event group summary corresponding to a distinct event group, wherein the plurality of event group summaries are indicative of potential security threats in the information technology environment, such that each event group summary as displayed includes an indication of at least one field for which extracted values satisfy a particular security criterion for all events in the corresponding event group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method as recited in claim 1, wherein at least one event group summary of the plurality of event group summaries includes domain activity information.
  - 3. The method as recited in claim 1, further comprising:
    - changing a visual appearance of a particular event group summary among the plurality of event group summaries to indicate that the particular event group summary is a potential security threat.
  - 4. The method as recited in claim 1, further comprising:
    - causing display of a graphical element that, when activated, causes removal of a selected event group summary from the plurality of event group summaries; and
      
      based on user input via the graphical element, removing the selected event group summary from the plurality of event group summaries, to indicate that the selected event group summary is not a security threat.
  - 5. The method as recited in claim 1, further comprising:
    - causing display of a graphical element that, when activated, causes removal of a selected event group summary from the plurality of event group summaries;
      
      based on user input via the graphical element, removing the selected event group summary from the plurality of event group summaries, to indicate that the selected event group summary is not a security threat;
      
      causing display of a second graphical user interface displaying a second plurality of event group summaries including the selected event group summary, wherein each event group summary in the second plurality of event group summaries was removed from the plurality of event group summaries indicating that each event group summary in the second plurality of event group summaries is not a security threat.
  - 6. The method as recited in claim 1, wherein the machine data is log data;
    - the method further comprising;
      
      organizing the machine data into the plurality of time-stamped, searchable events, wherein an event comprises at least a portion of log data within the machine data.
  - 7. The method as recited in claim 1, wherein each of the one or more security criteria is evaluated using a late binding schema applied to at least a portion of the plurality of time-stamped, searchable events.
  - 8. The method as recited in claim 1, wherein each event of the plurality of time-stamped, searchable events is associated with a time stamp, and wherein the event group summary encompasses events having time stamps within a specified time period.
  - 9. The method as recited in claim 1, wherein the event group summary includes a numerical count of events in the set of events.
  - 10. The method as recited in claim 1, wherein the one or more security criteria include a particular threshold string length for the one or more extracted values.
  - 11. The method as recited in claim 1, wherein the one or more security criteria include a particular threshold string length for a network resource locator.
  - 12. The method as recited in claim 1, wherein the one or more security criteria include a source address associated with a security threat.
  - 13. The method as recited in claim 1, wherein the security criterion relates to at least one of:
    - an HTTP agent string, a network traffic size, a length of a uniform resource locator string, a byte count per request, a domain name, or a source address.
  - 14. The method as recited in claim 1, wherein the plurality of time-stamped, searchable events comprise unstructured data.
  - 15. The method as recited in claim 1, further comprising:
    - receiving an input corresponding to a selection of the summary of the event group summary; and
      
      updating the graphical interface to display information related to at least one event in the event group summary.
  - 16. The method as recited in claim 1, wherein the graphical interface includes a modify element associated with the event group summary, and wherein interaction with the modify element causes the event group summary to be visually modified in the graphical interface.
  - 17. The method as recited in claim 1, further comprising:
    - generating a display that includes an add element and one or more event group summaries that have been removed from the graphical interface, wherein the one or more event group summaries include the event group summary, and wherein a user interaction with the add element causes the event group summary to be added back to the graphical interface; and
      
      in response to a user interaction with the add element, updating the graphical interface to add the event group summary back to the graphical interface.
  - 18. The method of claim 1, wherein the event group summary includes a result of a correlation search.
  - 19. The method of claim 1, wherein the group of events is determined using an agent string that has been extracted from one or more events in the subset group of events.
  - 20. The method of claim 1, wherein the group of events is determined using a particular length of a uniform resource locator string that has been extracted from one or more events in the group of events or a source address that has been extracted from one or more events in the group of events.
  - 21. The method of claim 1, wherein each event in the plurality of time-stamped, searchable events is locatable in a searchable time-series data store using a time stamp of the event.
  - 22. The method of claim 1, further comprising:
    - removing an event from the plurality of time-stamped, searchable events when the event is not recognized as notable.
  - 23. The method as recited in claim 1, wherein each event in the plurality of time-stamped, searchable events includes information relating to security of the information technology environment.
  - 24. The method as recited in claim 1, further comprising:
    - segmenting stored raw machine data into the plurality of time-stamped, searchable events, wherein each event in the plurality of time-stamped, searchable events includes information relating to security of the information technology environment.
  - 25. The method as recited in claim 1, wherein the event group summary includes a count of a number of events in the event group summary.
  - 26. The method as recited in claim 1, further comprising:
    - extracting values for fields in events in the set of events, by applying a late binding schema to at least a portion of the plurality of events.
  - 27. The method as recited in claim 1, further comprising:
    - evaluating whether events in the set of events satisfy the security criterion.
  - 28. The method as recited in claim 1, further comprising:
    - evaluating whether events in the set of events satisfy the security criterion by applying a late binding schema to at least a portion of the plurality of events.

29. A non-transitory machine-readable storage medium storing instructions, execution of which in a computer system on a computing network causes performance of:
- extracting, by a computer system, one or more values from each event in a plurality of time-stamped, searchable events, wherein the one or more values are extracted from a field present in raw machine data in each event, the machine data having been produced by one or more components of an information technology environment and indicative of activity in the information technology environment;
  
  identifying events, in the plurality of time-stamped, searchable events, for which an extracted value of the field satisfies a security criterion;
  
  defining, by the computer system, the identified events as an event group;
  
  creating, by the computer system, an event group summary for the event group, wherein the event group summary includes an indication of at least the field for which the extracted value satisfies the security criterion; and
  
  causing, by the computer system, display of a plurality of event group summaries, including the event group summary, each event group summary corresponding to a distinct event group, wherein the plurality of event group summaries are indicative of potential security threats in the information technology environment, such that each event group summary as displayed includes an indication of at least one field for which extracted values satisfy a particular security criterion for all events in the corresponding event group.

30. An apparatus comprising:
- a value extraction device, implemented at least partially in hardware of one or more devices in a computer network, that when in operation extracts one or more values from each event in a plurality of time-stamped, searchable events, wherein the one or more values are extracted from a field present in raw machine data in each event, the machine data having been produced by one or more components of an information technology environment and indicative of activity in the information technology environment;
  
  an event identifier, implemented at least partially in hardware, that when in operation identifies events in the plurality of time-stamped, searchable events, for which an extracted value of the field satisfies a security criterion;
  
  an event group definer, implemented at least partially in hardware, that when in operation defines the identified events as an event group;
  
  a summary creator, implemented at least partially in hardware, that when in operation creates an event group summary for the event group, wherein the event group summary includes an indication of at least the field for which the extracted value satisfies the security criterion; and
  
  a display generator, implemented at least partially in hardware, that when in operation causes display of a plurality of event group summaries, including the event group summary, each event group summary corresponding to a distinct event group, wherein the plurality of event group summaries are indicative of potential security threats in the information technology environment, such that each event group summary as displayed includes an indication of at least one field for which extracted values satisfy a particular security criterion for all events in the corresponding event group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Coates, John, Murphey, Lucas, Hazekamp, David, Hansen, James
Primary Examiner(s)
Brown, Anthony D

Application Number

US15/996,866
Publication Number

US 20180351990A1
Time in Patent Office

435 Days
Field of Search

726 22- 25
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2151   Time stamp

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Graphical display of events indicating security threats in an information technology system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Graphical display of events indicating security threats in an information technology system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links