Managing ephemeral event streams generated from captured network data
First Claim
1. A method for facilitating processing of network data, the method comprising:
- causing display of a graphical user interface (GUI) including interface elements related to generating configuration information for a remote capture agent, the configuration information including information used by the remote capture agent to generate at least one event stream comprising timestamped event data derived from network packets monitored by the remote capture agent;
- receiving, via the GUI, input defining an ephemeral event stream comprising timestamped event data to be generated by the remote capture agent, the input including:
  - a search query to be executed against timestamped event data included in the at least one event stream generated by the remote capture agent, wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment,
  - an identifier of a protocol used by network packets from which timestamped event data of the ephemeral event stream is to be generated, and
  - an indication of an amount of time the remote capture agent is to generate the ephemeral event stream;
- generating configuration information including settings used by the remote capture agent to generate the ephemeral event stream comprising additional timestamped event data automatically generated in response to detection of a trigger condition, wherein the trigger condition is detected when execution of the search query identifies timestamped event data satisfying the search query; and
- transmitting, via a network, the configuration information to the remote capture agent, wherein the configuration information is used to configure the generation of the at least one event stream comprising timestamped event data at the remote capture agent during runtime of the remote capture agent.
Abstract
The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system causes for display, on a computer system, a graphical user interface (GUI) for obtaining configuration information for configuring the generation of time-series event data from network packets captured by one or more remote capture agents. Next, the system causes for display, in the GUI, a first set of user-interface elements for managing one or more ephemeral event streams that contain temporarily generated time-series event data from the network packets, wherein managing the one or more ephemeral event streams comprises modifying an end time for terminating the capture of time-series event data in an ephemeral event stream. The system then updates the configuration information based on input received through the first set of user-interface elements.
303 Citations
27 Claims
1. A method for facilitating processing of network data, the method comprising the elements set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15.

16. An apparatus, comprising:
- one or more processors; and
- memory storing instructions that, when executed by the one or more processors, cause the apparatus to:
  - cause display of a graphical user interface (GUI) including interface elements related to generating configuration information for a remote capture agent, the configuration information including information used by the remote capture agent to generate at least one event stream comprising timestamped event data derived from network packets monitored by the remote capture agent;
  - receive, via the GUI, input defining an ephemeral event stream comprising timestamped event data to be generated by the remote capture agent, the input including: a search query to be executed against timestamped event data included in the at least one event stream generated by the remote capture agent, wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment; an identifier of a protocol used by network packets from which timestamped event data of the ephemeral event stream is to be generated; and an indication of an amount of time the remote capture agent is to generate the ephemeral event stream;
  - generate configuration information including settings used by the remote capture agent to generate the ephemeral event stream comprising additional timestamped event data automatically generated in response to detection of a trigger condition, wherein the trigger condition is detected when execution of the search query identifies timestamped event data satisfying the search query; and
  - transmit, via a network, the configuration information to the remote capture agent, wherein the configuration information is used to configure the generation of the at least one event stream comprising timestamped event data at the remote capture agent during runtime of the remote capture agent.
Dependent claims: 17, 18, 19, 20, 21.

22. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform operations for facilitating processing of network data, the operations comprising:
- causing display of a graphical user interface (GUI) including interface elements related to generating configuration information for a remote capture agent, the configuration information including information used by the remote capture agent to generate at least one event stream comprising timestamped event data derived from network packets monitored by the remote capture agent;
- receiving, via the GUI, input defining an ephemeral event stream comprising timestamped event data to be generated by the remote capture agent, the input including: a search query to be executed against timestamped event data included in the at least one event stream generated by the remote capture agent, wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment; an identifier of a protocol used by network packets from which timestamped event data of the ephemeral event stream is to be generated; and an indication of an amount of time the remote capture agent is to generate the ephemeral event stream;
- generating configuration information including settings used by the remote capture agent to generate the ephemeral event stream comprising additional timestamped event data automatically generated in response to detection of a trigger condition, wherein the trigger condition is detected when execution of the search query identifies timestamped event data satisfying the search query; and
- transmitting, via a network, the configuration information to the remote capture agent, wherein the configuration information is used to configure the generation of the at least one event stream comprising timestamped event data at the remote capture agent during runtime of the remote capture agent.
Dependent claims: 23, 24, 25, 26, 27.
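The following is an added illustration of the runtime behaviour the claims describe, not code from the patent or its assignee: a toy capture agent runs the configured search query against its base event stream, and a hit (the trigger condition) starts an ephemeral stream that collects only events of the configured protocol until the configured duration elapses, with the end time adjustable at runtime as the abstract describes. All class and field names, the representation of the search query as a Python predicate, and the sample events are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Event:                      # one timestamped event derived from a monitored packet
    ts: float
    protocol: str
    fields: Dict[str, str]

@dataclass
class EphemeralConfig:            # what the GUI would emit for one ephemeral stream (names assumed)
    search_query: Callable[[Event], bool]  # a hit indicates a potential security incident
    protocol: str                          # only packets of this protocol feed the ephemeral stream
    duration: float                        # seconds the ephemeral stream is generated after a hit

@dataclass
class EphemeralStream:
    start: float
    end: float
    events: List[Event] = field(default_factory=list)

class CaptureAgent:
    def __init__(self, cfg: EphemeralConfig) -> None:
        self.cfg, self.streams, self.active = cfg, [], None
    def extend(self, new_end: float) -> None:
        if self.active is not None:              # runtime change of the end time (abstract)
            self.active.end = new_end
    def process(self, ev: Event) -> None:
        if self.active is not None and ev.ts >= self.active.end:
            self.active = None                   # end time reached: ephemeral capture stops
        if self.active is None and self.cfg.search_query(ev):
            self.active = EphemeralStream(ev.ts, ev.ts + self.cfg.duration)  # trigger detected
            self.streams.append(self.active)
        if self.active is not None and ev.protocol == self.cfg.protocol:
            self.active.events.append(ev)        # protocol filter on the ephemeral stream

def run_demo(extend_to: Optional[float] = None) -> List[EphemeralStream]:
    events = [  # constructed sample events, not data from the patent
        Event(101.0, "http", {"status": "200"}),
        Event(102.0, "http", {"status": "401"}),         # query hit: stream runs 102..132
        Event(103.0, "dns", {"qname": "example.test"}),  # wrong protocol, not captured
        Event(104.0, "http", {"status": "401"}),
        Event(133.0, "http", {"status": "200"}),         # past end time unless extended
    ]
    agent = CaptureAgent(EphemeralConfig(lambda e: e.protocol == "http" and e.fields.get("status") == "401", protocol="http", duration=30.0))
    for ev in events[:-1]:
        agent.process(ev)
    if extend_to is not None:
        agent.extend(extend_to)  # operator pushes the end time out while the agent runs
    agent.process(events[-1])
    return agent.streams
```

With the default configuration the ephemeral stream holds two HTTP events and closes at t=132; calling `run_demo(extend_to=140.0)` keeps it open so the event at t=133 is captured as well.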
Specification