Searchable investigation history for event data store

US 10,515,062 B2
Filed: 05/09/2016
Issued: 12/24/2019
Est. Priority Date: 05/09/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a processing device as part of an investigation, a first query comprising a first field value and a first time period, wherein the first field value comprises an internet protocol (IP) address, a port, or a user identification (ID);

performing, by the processing device, a first search of a data store to identify a first plurality of events having the first time period and at least one field that comprises the first field value;

generating, by the processing device, a first search object comprising the first field value;

generating, by the processing device, a first search event comprising the first field value and a reference to the first search object;

receiving, by the processing device, an indication of one or more search objects that contributed to a resolution of the investigation, the one or more search objects comprising the first search object;

generating, by the processing device, a resolution object, the resolution object comprising a resolution object identifier, resolution information and references to the one or more search objects;

generating, by the processing device, a resolution event associated with the resolution object; and

writing at least one of an event entry for the first search event or an event entry for the resolution event to the data store, wherein the event entry for the first search event is indexed in the data store based on the first field value.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processing device receives a first query comprising a first field value and a first time period. The processing device performs a first search of a data store to identify a first plurality of events having the first time period and at least one field that comprises the first field value. The processing device generates a first search object comprising the first field value. The processing device generates a search event comprising the first field value and a reference to the first search object. An event entry for the first search event is then written to the data store. Future searches may return both the first search event and other events.

12 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, by a processing device as part of an investigation, a first query comprising a first field value and a first time period, wherein the first field value comprises an internet protocol (IP) address, a port, or a user identification (ID);
  
  performing, by the processing device, a first search of a data store to identify a first plurality of events having the first time period and at least one field that comprises the first field value;
  
  generating, by the processing device, a first search object comprising the first field value;
  
  generating, by the processing device, a first search event comprising the first field value and a reference to the first search object;
  
  receiving, by the processing device, an indication of one or more search objects that contributed to a resolution of the investigation, the one or more search objects comprising the first search object;
  
  generating, by the processing device, a resolution object, the resolution object comprising a resolution object identifier, resolution information and references to the one or more search objects;
  
  generating, by the processing device, a resolution event associated with the resolution object; and
  
  writing at least one of an event entry for the first search event or an event entry for the resolution event to the data store, wherein the event entry for the first search event is indexed in the data store based on the first field value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the first query comprises a plurality of field values, wherein the first field value is one of the plurality of field values, and wherein the first search event comprises a plurality of fields, each of the plurality of fields having one of the plurality of field values, the method further comprising:
    - writing a plurality of event entries for the first search event to the data store, wherein a separate event entry is written to the data store for each field value of the plurality of field values.
  - 3. The method of claim 1, wherein at least one of the first search object or the first search event further comprises a second time period that at least partially overlaps the first time period.
  - 4. The method of claim 3, wherein the second time period is a larger time period than the first time period.
  - 5. The method of claim 3, further comprising:
    - receiving a second query comprising the first field value and a third time period that is within the second time period; and
      
      performing a second search of the data store to identify a second plurality of events having the third time period and at least one field that comprises the first field value, wherein the second plurality of events comprises the first search event.
  - 6. The method of claim 5, wherein the first search object is one of a plurality of search objects associated with an investigation, the method further comprising:
    - receiving a selection of the first search event; and
      
      providing an investigation history for the investigation, wherein the investigation history is arranged as a tree comprising a plurality of nodes, wherein each of the plurality of search objects corresponds to one of the plurality of nodes.
  - 7. The method of claim 6, wherein the first search object comprises a first search object identifier that is used to reference the first search object, the method further comprising:
    - generating a second search object comprising the first field value and a second search object identifier;
      
      generating a second search event comprising the first field value, a reference to the second search object and a fourth time period that at least partially overlaps the third time period;
      
      generating a third search object comprising the first field value, a third search object identifier and a reference to the second search object responsive to receiving the selection of the first search event; and
      
      generating a third search event comprising the first field value, the fourth time period, and a reference to the third search object.
  - 8. The method of claim 6, further comprising:
    - receiving a selection of a particular node of the plurality of nodes; and
      
      performing a third search of the data store using field values from a search object associated with the particular node.
  - 9. The method of claim 1, further comprising:
    - generating one or more resolution events associated with the resolution object, wherein a separate resolution event is generated for each search object that contributed to the resolution of the investigation; and
      
      writing, for each of the one or more resolution events, one or more entries to the data store.

10. A computer readable storage medium comprising instructions that, when executed by a processing device, cause the processing device to perform operations comprising:
- receiving, by the processing device as part of an investigation, a first query comprising a first field value and a first time period, wherein the first field value comprises an internet protocol (IP) address, a port, or a user identification (ID);
  
  performing, by the processing device, a first search of a data store to identify a first plurality of events having the first time period and at least one field that comprises the first field value;
  
  generating, by the processing device, a first search object comprising the first field value;
  
  generating, by the processing device, a first search event comprising the first field value and a reference to the first search object;
  
  receiving, by the processing device, an indication of one or more search objects that contributed to a resolution of the investigation, the one or more search objects comprising the first search object;
  
  generating, by the processing device, a resolution object, the resolution object comprising a resolution object identifier, a resolution information and references to the one or more search objects;
  
  generating, by the processing device, a resolution event associated with the resolution object; and
  
  writing at least one of an event entry for the first search event or an event entry for the resolution event to the data store, wherein the event entry for the first search event is indexed in the data store based on the first field value.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer readable storage medium of claim 10, wherein the first query comprises a plurality of field values, wherein the first field value is one of the plurality of field values, and wherein the first search event comprises a plurality of fields, each of the plurality of fields having one of the plurality of field values, the operations further comprising:
    - writing a plurality of event entries for the first search event to the data store, wherein a separate event entry is written to the data store for each field value of the plurality of field values.
  - 12. The computer readable storage medium of claim 11, wherein the first search event further comprises a second time period that at least partially overlaps the first time period, the operations further comprising:
    - receiving a second query comprising the first field value and a third time period that is within the second time period; and
      
      performing a second search of the data store to identify a second plurality of events having the third time period and at least one field that comprises the first field value, wherein the second plurality of events comprises the first search event.
  - 13. The computer readable storage medium of claim 12, wherein the first search object is one of a plurality of search objects associated with an investigation, the operations further comprising:
    - receiving a selection of the first search event; and
      
      providing an investigation history for the investigation, wherein the investigation history is arranged as a tree comprising a plurality of nodes, wherein each of the plurality of search objects corresponds to one of the plurality of nodes.
  - 14. The computer readable storage medium of claim 10, the operations further comprising:
    - generating one or more resolution events associated with the resolution object, wherein a separate resolution event is generated for each search object that contributed to the resolution of the investigation; and
      
      writing, for each of the one or more resolution events, one or more entries to the data store.
  - 15. The computer readable storage medium of claim 14, wherein the first search object is a leaf node of an investigation history that comprises the leaf node, a root node, and one or more intermediate nodes between the leaf node and the root node.

16. A system comprising:
- a data store to store a plurality of events; and
  
  a computing device, operatively coupled to the data store, to;
  
  receive as part of an investigation a first query comprising a plurality of field values and a first time period, wherein the field values comprise an internet protocol (IP) address, a port, or a user identification (ID);
  
  perform a first search of the data store to identify a first subset of the plurality of events having the first time period and the plurality of field values;
  
  generate a first search object comprising the plurality of field values;
  
  generate a first search event comprising a second time period that at least partially overlaps the first time period, a reference to the first search object, and the plurality of field values;
  
  receive an indication of one or more search objects that contributed to a resolution of the investigation, the one or more search objects comprising the first search object;
  
  generate a resolution object, the resolution object comprising a resolution object identifier, resolution information and references to the one or more search objects;
  
  generate a resolution event associated with the resolution object; and
  
  write at least one of a plurality of event entries for the first search event or a plurality of event entries for the resolution event to the data store, wherein a separate event entry is written to the data store for each field value of the plurality of field values.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the computing device is further to:
    - receive a second query comprising at least one field value of the plurality of field values and a third time period that is within the second time period; and
      
      perform a second search of the data store to identify a second subset of the plurality of events having the third time period and the at least one field value of the plurality of field values, wherein the second subset of the plurality of events comprises the first search event.
  - 18. The system of claim 16, wherein the first search event is one of a plurality of search events associated with an investigation, and wherein the computing device is further to:
    - receive a selection of the first search event; and
      
      provide an investigation history for the investigation, wherein the investigation history is arranged as a tree comprising a plurality of nodes, wherein each of the plurality of search events corresponds to one of the plurality of nodes.
  - 19. The system of claim 16, wherein the computing device is further to:
    - generate one or more resolution events associated with the resolution object, wherein a separate resolution event is generated for each search object that contributed to the resolution of the investigation; and
      
      write, for each of the one or more resolution events, one or more entries to the data store.
  - 20. The system of claim 16, wherein the first search object is a leaf node of an investigation history that comprises the leaf node, a root node, and one or more intermediate nodes between the leaf node and the root node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sumo Logic, Inc.
Original Assignee
Sumo Logic, Inc.
Inventors
Tidwell, Kenny, Frampton, David, O'Connell, Brendan
Primary Examiner(s)
Nguyen, Cam Linh T

Application Number

US15/150,131
Publication Number

US 20170322959A1
Time in Patent Office

1,324 Days
Field of Search

707741
US Class Current
CPC Class Codes

G06F 11/30   Monitoring

G06F 16/2228   Indexing structures

G06F 16/245   Query processing

G06F 16/282   Hierarchical databases, e.g...

G06F 17/40   Data acquisition and loggin...

G06F 21/00   Security arrangements for p...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06Q 10/10   Office automation; Time man...

H04L 63/1416   Event detection, e.g. attac...

Searchable investigation history for event data store

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Searchable investigation history for event data store

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links