Managing ephemeral event streams generated from captured network data

US 10,523,521 B2
Filed: 01/30/2015
Issued: 12/31/2019
Est. Priority Date: 04/15/2014
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating processing of network data, the method comprising:

causing display of a graphical user interface (GUI) including interface elements related to generating configuration information for a remote capture agent, the configuration information including information used by the remote capture agent to generate at least one event stream comprising timestamped event data derived from network packets monitored by the remote capture agent;

receiving, via the GUI, input defining an ephemeral event stream comprising timestamped event data to be generated by the remote capture agent, the input including;

a search query to be executed against timestamped event data included in the at least one event stream generated by the remote capture agent, wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment,an identifier of a protocol used by network packets from which timestamped event data of the ephemeral event stream is to be generated, andan indication of an amount of time the remote capture agent is to generate the ephemeral event stream;

generating configuration information including settings used by the remote capture agent to generate the ephemeral event stream comprising additional timestamped event data automatically generated in response to detection of a trigger condition, wherein the trigger condition is detected when execution of the search query identifies timestamped event data satisfying the search query; and

transmitting, via a network, the configuration information to the remote capture agent, wherein the configuration information is used to configure the generation of the at least one event stream comprising timestamped event data at the remote capture agent during runtime of the remote capture agent.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system causes for display, on a computer system, a graphical user interface (GUI) for obtaining configuration information for configuring the generation of time-series event data from network packets captured by one or more remote capture agents. Next, the system causes for display, in the GUI, a first set of user-interface elements for managing one or more ephemeral event streams that contain temporarily generated time-series event data from the network packets, wherein managing the one or more ephemeral event streams comprises modifying an end time for terminating the capture of time-series event data in an ephemeral event stream. The system then updates the configuration information based on input received through the first set of user-interface elements.

303 Citations

27 Claims

1. A method for facilitating processing of network data, the method comprising:
- causing display of a graphical user interface (GUI) including interface elements related to generating configuration information for a remote capture agent, the configuration information including information used by the remote capture agent to generate at least one event stream comprising timestamped event data derived from network packets monitored by the remote capture agent;
  
  receiving, via the GUI, input defining an ephemeral event stream comprising timestamped event data to be generated by the remote capture agent, the input including;
  
  a search query to be executed against timestamped event data included in the at least one event stream generated by the remote capture agent, wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment,an identifier of a protocol used by network packets from which timestamped event data of the ephemeral event stream is to be generated, andan indication of an amount of time the remote capture agent is to generate the ephemeral event stream;
  
  generating configuration information including settings used by the remote capture agent to generate the ephemeral event stream comprising additional timestamped event data automatically generated in response to detection of a trigger condition, wherein the trigger condition is detected when execution of the search query identifies timestamped event data satisfying the search query; and
  
  transmitting, via a network, the configuration information to the remote capture agent, wherein the configuration information is used to configure the generation of the at least one event stream comprising timestamped event data at the remote capture agent during runtime of the remote capture agent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising:
    - receiving, via the GUI, input defining a second ephemeral event stream to be generated by the remote capture agent; and
      
      updating the configuration information based on input received defining the second ephemeral event stream.
  - 3. The method of claim 1, wherein the input defining the ephemeral event stream further comprises at least one of:
    - a name for the ephemeral event stream;
      
      a description for the ephemeral event stream; and
      
      an identifier of an existing event stream from which to clone the ephemeral event stream.
  - 4. The method of claim 1, further comprising:
    - causing display, in the GUI, event stream information for one or more defined ephemeral event streams,wherein the event stream information for each defined ephemeral event stream comprises at least one of;
      
      a name of the defined ephemeral event stream;
      
      a number of event stream instances based on the defined ephemeral event stream;
      
      an application;
      
      a start time;
      
      an end time;
      
      a time remaining; and
      
      a status.
  - 5. The method of claim 1, further comprising:
    - causing display, in the GUI, a mechanism for applying an action associated with managing one or more defined ephemeral event streams to a set of selected ephemeral event streams.
  - 6. The method of claim 1, further comprising:
    - obtaining a subset of one or more defined ephemeral event streams associated with a grouping of the one or more defined ephemeral event streams by an event stream attribute; and
      
      causing display, in the GUI, event stream information for the subset of the one or more defined ephemeral event streams.
  - 7. The method of claim 1, further comprising:
    - obtaining a subset of one or more defined ephemeral event streams associated with a grouping of the one or more defined ephemeral event streams by an event stream attribute, wherein the event stream attribute is selected from;
      
      a category of an event stream;
      
      a protocol used by the network packets;
      
      an application used to create the event stream; and
      
      an event stream lifecycle of the event stream; and
      
      causing display, in the GUI, event stream information for the subset of the one or more defined ephemeral event streams.
  - 8. The method of claim 1, further comprising receiving input, via the GUI, to:
    - disable the ephemeral event stream;
      
      ordelete the ephemeral event stream.
  - 9. The method of claim 1, further comprising:
    - causing display, in the GUI, of event stream information including information related to one or more defined ephemeral event streams; and
      
      sorting the event stream information by an event stream attribute associated with the one or more defined ephemeral event streams.
  - 10. The method of claim 1, further comprising:
    - causing display, in the GUI, of event stream information including information related to one or more defined ephemeral event streams; and
      
      sorting the event stream information by an event stream attribute associated with the one or more defined ephemeral event streams,wherein the event stream attribute is at least one of;
      
      a name;
      
      a number of streams;
      
      an application;
      
      a start time;
      
      an end time;
      
      a time remaining; and
      
      a status.
  - 11. The method of claim 1, further comprising:
    - receiving, via the GUI, input modifying an end time for terminating the generation of the timestamped event data;
      
      wherein modifying an end time for terminating the generation of the timestamped event data comprises at least one of;
      
      extending the end time; and
      
      reducing the end time.
  - 12. The method of claim 1, further comprising:
    - causing display, in the GUI, an interface element used to perform a search of one or more ephemeral event streams.
  - 13. The method of claim 1, wherein timestamped events in the ephemeral event stream are searchable using a late-binding schema.
  - 14. The method of claim 1, further comprising:
    - causing display, in the GUI, event stream information for one or more defined ephemeral event streams; and
      
      causing display, in the GUI, an interface element used to navigate between the event stream information and creation information for one or more creators of the one or more defined ephemeral event streams.
  - 15. The method of claim 1, further comprising:
    - causing display, in the GUI, event stream information for the ephemeral event stream; and
      
      causing display, in the GUI, a mechanism for navigating between the event stream information and creation information for one or more creators of the ephemeral event stream,wherein the one or more creators of the ephemeral event stream comprise at least one of;
      
      an application for monitoring network traffic captured by the remote capture agent; and
      
      a capture trigger for generating additional timestamped event data from the network packets on the remote capture agent based on a security risk.

16. An apparatus, comprising:
- one or more processors; and
  
  memory storing instructions that, when executed by the one or more processors, cause the apparatus to;
  
  cause display of a graphical user interface (GUI) including interface elements related to generating configuration information for a remote capture agent, the configuration information including information used by the remote capture agent to generate at least one event stream comprising timestamped event data derived from network packets monitored by the remote capture agent;
  
  receive, via the GUI, input defining an ephemeral event stream comprising timestamped event data to be generated by the remote capture agent, the input including;
  
  a search query to be executed against timestamped event data included in the at least one event stream generated by the remote capture agent, wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment,an identifier of a protocol used by network packets from which timestamped event data of the ephemeral event stream is to be generated, andan indication of an amount of time the remote capture agent is to generate the ephemeral event stream;
  
  generate configuration information including settings used by the remote capture agent to generate the ephemeral event stream comprising additional timestamped event data automatically generated in response to detection of a trigger condition, wherein the trigger condition is detected when execution of the search query identifies timestamped event data satisfying the search query; and
  
  transmit, via a network, the configuration information to the remote capture agent, wherein the configuration information is used to configure the generation of the at least one event stream comprising timestamped event data at the remote capture agent during runtime of the remote capture agent.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The apparatus of claim 16, wherein the memory further stores instructions that, when executed by the one or more processors, cause the apparatus to:
    - receive, via the GUI, input defining a second ephemeral event stream to be generated by the remote capture agent; and
      
      update the configuration information based on input received defining the second ephemeral event stream.
  - 18. The apparatus of claim 16,wherein the input defining the ephemeral event stream further comprises at least one of:
    - a name for the ephemeral event stream;
      
      a description for the ephemeral event stream; and
      
      an identifier of an existing event stream from which to clone the ephemeral event stream.
  - 19. The apparatus of claim 16, wherein the memory further stores instructions that, when executed by the one or more processors, cause the apparatus to:
    - cause display, in the GUI, event stream information for one or more defined ephemeral event streams,wherein the event stream information for each defined ephemeral event stream comprises at least one of;
      
      a name of the defined ephemeral event stream;
      
      a number of event stream instances based on the defined ephemeral event stream;
      
      an application;
      
      a start time;
      
      an end time;
      
      a time remaining; and
      
      a status.
  - 20. The apparatus of claim 16, wherein the memory further stores instructions that, when executed by the one or more processors, cause the apparatus to:
    - cause display, in the GUI, a mechanism for applying an action associated with managing one or more defined ephemeral event streams to a set of selected ephemeral event streams.
  - 21. The apparatus of claim 16, further comprising receiving input, via the GUI, to:
    - disable the ephemeral event stream;
      
      ordelete the ephemeral event stream.

22. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform operations for facilitating processing of network data, the operations comprising:
- causing display of a graphical user interface (GUI) including interface elements related to generating configuration information for a remote capture agent, the configuration information including information used by the remote capture agent to generate at least one event stream comprising timestamped event data derived from network packets monitored by the remote capture agent;
  
  receiving, via the GUI, input defining an ephemeral event stream comprising timestamped event data to be generated by the remote capture agent, the input including;
  
  a search query to be executed against timestamped event data included in the at least one event stream generated by the remote capture agent, wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment,an identifier of a protocol used by network packets from which timestamped event data of the ephemeral event stream is to be generated, andan indication of an amount of time the remote capture agent is to generate the ephemeral event stream;
  
  generating configuration information including settings used by the remote capture agent to generate the ephemeral event stream comprising additional timestamped event data automatically generated in response to detection of a trigger condition, wherein the trigger condition is detected when execution of the search query identifies timestamped event data satisfying the search query; and
  
  transmitting, via a network, the configuration information to the remote capture agent, wherein the configuration information is used to configure the generation of the at least one event stream comprising timestamped event data at the remote capture agent during runtime of the remote capture agent.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The non-transitory computer-readable storage medium of claim 22, the operations further comprising:
    - receiving, via the GUI, input defining a second ephemeral event stream to be generated by the remote capture agent; and
      
      updating the configuration information based on input received defining the second ephemeral event stream.
  - 24. The non-transitory computer-readable storage medium of claim 22,wherein the input defining the ephemeral event stream further comprises at least one of:
    - a name for the ephemeral event stream;
      
      a description for the ephemeral event stream; and
      
      an identifier of an existing event stream from which to clone the ephemeral event stream.
  - 25. The non-transitory computer-readable storage medium of claim 22, the operations further comprising:
    - causing display, in the GUI, event stream information for one or more defined ephemeral event streams,wherein the event stream information for each defined ephemeral event stream comprises at least one of;
      
      a name of the defined ephemeral event stream;
      
      a number of event stream instances based on the defined ephemeral event stream;
      
      an application;
      
      a start time;
      
      an end time;
      
      a time remaining; and
      
      a status.
  - 26. The non-transitory computer-readable storage medium of claim 22, the operations further comprising:
    - causing display, in the GUI, a mechanism for applying an action associated with managing one or more defined ephemeral event streams to a set of selected ephemeral event streams.
  - 27. The non-transitory computer-readable storage medium of claim 22, further comprising operations including receiving input, via the GUI, to:
    - disable the ephemeral event stream;
      
      ordelete the ephemeral event stream.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Hsiao, Fang I., Ching, Clayton S., Dickey, Michael R., Shcherbakov, Vladimir A., Teredesai, Nishant, Noel, Cary Glen
Primary Examiner(s)
Ye, Zi

Application Number

US14/610,457
Publication Number

US 20150295780A1
Time in Patent Office

1,796 Days
Field of Search

709217, 709223
US Class Current
CPC Class Codes

H04L 41/22   comprising specially adapte...

H04L 43/022   by sampling

H04L 43/045   for graphical visualisation...

Managing ephemeral event streams generated from captured network data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

303 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

Managing ephemeral event streams generated from captured network data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

303 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others