BLACKLISTING AND WHITELISTING OF SECURITY-RELATED EVENTS

US 20150040225A1
Filed: 05/16/2014
Published: 02/05/2015
Est. Priority Date: 07/31/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

creating an event group from a plurality of events, each event in the event group matching criteria relating to one or more fields;

determining an event group summary, the summary summarizing one or more fields of the events in the event group;

displaying a plurality of event group summaries including the event group summary;

based on user input, placing a selected event group summary on a whitelist or a blacklist, wherein placing the selected event group summary on the whitelist removes the selected event group summary from the displayed plurality of event group summaries, and wherein placing the selected event group summary on the blacklist changes a visual appearance of the selected event group summary among the displayed plurality of event group summaries.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.

37 Citations

View as Search Results

27 Claims

1. A method, comprising:
- creating an event group from a plurality of events, each event in the event group matching criteria relating to one or more fields;
  
  determining an event group summary, the summary summarizing one or more fields of the events in the event group;
  
  displaying a plurality of event group summaries including the event group summary;
  
  based on user input, placing a selected event group summary on a whitelist or a blacklist, wherein placing the selected event group summary on the whitelist removes the selected event group summary from the displayed plurality of event group summaries, and wherein placing the selected event group summary on the blacklist changes a visual appearance of the selected event group summary among the displayed plurality of event group summaries.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1, wherein each event in the plurality of events includes security-related information.
  - 3. The method as recited in claim 1, wherein at least one event group summary of the displayed event group summaries includes domain activity information.
  - 4. The method as recited in claim 1, further comprising:
    - organizing received data into the plurality of events.
  - 5. The method as recited in claim 1, further comprising:
    - receiving machine data;
      
      organizing the received machine data into the plurality of events, wherein an event is comprised of at least a portion of one or more lines of data within the machine data.
  - 6. The method as recited in claim 1, further comprising:
    - receiving log data;
      
      organizing the received log data into the plurality of events, wherein an event is comprised of at least a portion of one or more lines of data within the log data.
  - 7. The method as recited in claim 1, wherein the criteria is evaluated using a late binding schema applied to at least a portion of the plurality of events.
  - 8. The method as recited in claim 1, wherein each event of the plurality of events is associated with a time stamp, and wherein the event group summary encompasses events having time stamps within a specified time period.
  - 9. The method as recited in claim 1, further comprising:
    - in response to a user input, removing an event group summary from the whitelist and displaying the removed event group summary with the displayed plurality of event group summaries.

10. An apparatus, comprising:
- a subsystem, implemented at least partially in hardware, that creates an event group from a plurality of events, each event in the event group matching criteria relating to one or more fields;
  
  a subsystem, implemented at least partially in hardware, that determines an event group summary, the summary summarizing one or more fields of the events in the event group;
  
  a subsystem, implemented at least partially in hardware, that displays a plurality of event group summaries including the event group summary;
  
  a list subsystem, implemented at least partially in hardware, that, based on user input, places a selected event group summary on a whitelist or a blacklist, wherein when the list subsystem places the selected event group summary on the whitelist the list subsystem removes the selected event group summary from the displayed plurality of event group summaries, and wherein when the list subsystem places the selected event group summary on the blacklist the list subsystem changes a visual appearance of the selected event group summary among the displayed plurality of event group summaries.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus as recited in claim 10, wherein each event in the plurality of events includes security-related information.
  - 12. The apparatus as recited in claim 10, wherein at least one event group summary of the displayed event group summaries includes domain activity information.
  - 13. The apparatus as recited in claim 10, further comprising:
    - a subsystem, implemented at least partially in hardware, that organizes received data into the plurality of events.
  - 14. The apparatus as recited in claim 10, further comprising:
    - a subsystem, implemented at least partially in hardware, that receives machine data;
      
      a subsystem, implemented at least partially in hardware, that organizes the received machine data into the plurality of events, wherein an event is comprised of at least a portion of one or more lines of data within the machine data.
  - 15. The apparatus as recited in claim 10, further comprising:
    - a subsystem, implemented at least partially in hardware, that receives log data;
      
      a subsystem, implemented at least partially in hardware, that organizes the received log data into the plurality of events, wherein an event is comprised of at least a portion of one or more lines of data within the log data.
  - 16. The apparatus as recited in claim 10, wherein the criteria is evaluated using a late binding schema applied to at least a portion of the plurality of events.
  - 17. The apparatus as recited in claim 10, wherein each event of the plurality of events is associated with a time stamp, and wherein the event group summary encompasses events having time stamps within a specified time period.
  - 18. The apparatus as recited in claim 10, further comprising:
    - a subsystem, implemented at least partially in hardware, that, in response to a user input, removes an event group summary from the whitelist and displays the removed event group summary with the displayed plurality of event group summaries.

19. A non-transitory computer readable medium, storing software instructions, which when executed by one or more processors cause performance of:
- creating an event group from a plurality of events, each event in the event group matching criteria relating to one or more fields;
  
  determining an event group summary, the summary summarizing one or more fields of the events in the event group;
  
  displaying a plurality of event group summaries including the event group summary;
  
  based on user input, placing a selected event group summary on a whitelist or a blacklist, wherein placing the selected event group summary on the whitelist removes the selected event group summary from the displayed plurality of event group summaries, and wherein placing the selected event group summary on the blacklist changes a visual appearance of the selected event group summary among the displayed plurality of event group summaries.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The non-transitory computer readable medium as recited in claim 19, wherein each event in the plurality of events includes security-related information.
  - 21. The non-transitory computer readable medium as recited in claim 19, wherein at least one event group summary of the displayed event group summaries includes domain activity information.
  - 22. The non-transitory computer readable medium as recited in claim 19, further comprising:
    - organizing received data into the plurality of events.
  - 23. The non-transitory computer readable medium as recited in claim 19, further comprising:
    - receiving machine data;
      
      organizing the received machine data into the plurality of events, wherein an event is comprised of at least a portion of one or more lines of data within the machine data.
  - 24. The non-transitory computer readable medium as recited in claim 19, further comprising:
    - receiving log data;
      
      organizing the received log data into the plurality of events, wherein an event is comprised of at least a portion of one or more lines of data within the log data.
  - 25. The non-transitory computer readable medium as recited in claim 19, wherein the criteria is evaluated using a late binding schema applied to at least a portion of the plurality of events.
  - 26. The non-transitory computer readable medium as recited in claim 19, wherein each event of the plurality of events is associated with a time stamp, and wherein the event group summary encompasses events having time stamps within a specified time period.
  - 27. The non-transitory computer readable medium as recited in claim 19, further comprising:
    - in response to a user input, removing an event group summary from the whitelist and displaying the removed event group summary with the displayed plurality of event group summaries.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Coates, John, Murphey, Lucas, Hazekamp, David, Hansen, James

Granted Patent

US 9,276,946 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2151   Time stamp

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

BLACKLISTING AND WHITELISTING OF SECURITY-RELATED EVENTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

BLACKLISTING AND WHITELISTING OF SECURITY-RELATED EVENTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others