CAPTURE TRIGGERS FOR CAPTURING NETWORK DATA

US 20170142146A1
Filed: 01/31/2017
Published: 05/18/2017
Est. Priority Date: 10/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating the processing of network data, comprising:

providing, on a computer system, a risk-identification mechanism for identifying a security risk from time-series event data generated from network packets captured by one or more remote capture agents distributed across a network; and

providing, on the computer system, a capture trigger for generating additional time-series event data from the network packets on the one or more remote capture agents based on the security risk, wherein the additional time-series event data comprises one or more event attributes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system provides a risk-identification mechanism for identifying a security risk from time-series event data generated from network packets captured by one or more remote capture agents distributed across a network. Next, the system provides a capture trigger for generating additional time-series event data from the network packets on the one or more remote capture agents based on the security risk, wherein the additional time-series event data includes one or more event attributes.

Citations

20 Claims

1. A method for facilitating the processing of network data, comprising:
- providing, on a computer system, a risk-identification mechanism for identifying a security risk from time-series event data generated from network packets captured by one or more remote capture agents distributed across a network; and
  
  providing, on the computer system, a capture trigger for generating additional time-series event data from the network packets on the one or more remote capture agents based on the security risk, wherein the additional time-series event data comprises one or more event attributes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - using the capture trigger to configure the generation of the additional time-series event data from the network packets; and
      
      disabling the generation of the additional time-series event data after a pre-specified period has passed.
  - 3. The method of claim 1, wherein the additional time-series event data is generated from the network packets by updating configuration information for configuring the generation of the time-series event data from the network packets captured by the one or more remote capture agents.
  - 4. The method of claim 1, wherein the risk-identification mechanism for identifying the security risk from the time-series event data comprises a graphical user interface (GUI) that displays an event of interest related to the security risk.
  - 5. The method of claim 1, wherein the capture trigger for generating the additional time-series event data from the network packets is received through one or more user-interface elements in a graphical user interface (GUI) that displays an error representing the security risk.
  - 6. The method of claim 1,wherein the capture trigger for generating the additional time-series event data from the network packets is received through one or more user-interface elements in a graphical user interface (GUI) that displays an error representing the security risk, andwherein the one or more user-interface elements comprise:
    - a first user-interface element for activating the capture trigger; and
      
      a second user-interface element for providing a filter for generating the additional time-series event data from the network packets.
  - 7. The method of claim 1, wherein the risk-identification mechanism for identifying the security risk from the time-series event data comprises a search for a subset of the time-series event data matching the security risk.
  - 8. The method of claim 1,wherein the risk-identification mechanism for identifying the security risk from the time-series event data comprises a recurring search for a subset of the time-series event data matching the security risk, andwherein the capture trigger for generating the additional time-series event data from the network packets is automatically activated upon identifying the subset of the time-series event data matching the security risk during the recurring search.
  - 9. The method of claim 1, wherein the additional time-series event data comprises an event attribute associated with a protocol that facilitates analysis of the security risk.

10. An apparatus, comprising:
- one or more processors; and
  
  memory storing instructions that, when executed by the one or more processors, cause the apparatus to;
  
  provide a risk-identification mechanism for identifying a security risk from time-series event data generated from network packets captured by one or more remote capture agents distributed across a network; and
  
  provide a capture trigger for generating additional time-series event data from the network packets on the one or more remote capture agents based on the security risk, wherein the additional time-series event data comprises one or more event attributes for facilitating analysis of the security risk.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The apparatus of claim 10, wherein the memory further stores instructions that, when executed by the one or more processors, cause the apparatus to:
    - use the capture trigger to configure the generation of the additional time-series event data from the network packets; and
      
      disable the generation of the additional time-series event data after a pre-specified period has passed.
  - 12. The apparatus of claim 10, wherein the additional time-series event data is generated from the network packets by updating configuration information for configuring the generation of the time-series event data from the network packets captured by the one or more remote capture agents.
  - 13. The apparatus of claim 10, wherein the risk-identification mechanism for identifying the security risk from the time-series event data comprises a graphical user interface (GUI) that displays an event of interest related to the security risk.
  - 14. The apparatus of claim 10,wherein the capture trigger for generating the additional time-series event data from the network packets is received through one or more user-interface elements in a graphical user interface (GUI) that displays an error representing the security risk, andwherein the one or more user-interface elements comprise:
    - a first user-interface element for activating the capture trigger; and
      
      a second user-interface element for providing a filter for generating the additional time-series event data from the network packets.
  - 15. The apparatus of claim 10,wherein the risk-identification mechanism for identifying the security risk from the time-series event data comprises a recurring search for a subset of the time-series event data matching the security risk, andwherein the capture trigger for generating the additional time-series event data from the network packets is activated upon identifying the subset of the time-series event data matching the security risk during the recurring search.
  - 16. The apparatus of claim 10, wherein the additional time-series event data comprises an event attribute associated with a protocol that facilitates analysis of the security risk.

17. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for facilitating the processing of network data, the method comprising:
- providing, on a computer system, a risk-identification mechanism for identifying a security risk from time-series event data generated from network packets captured by one or more remote capture agents distributed across a network; and
  
  providing, on the computer system, a capture trigger for generating additional time-series event data from the network packets on the one or more remote capture agents based on the security risk, wherein the additional time-series event data comprises one or more event attributes for facilitating analysis of the security risk.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable storage medium of claim 17, the method further comprising:
    - using the capture trigger to configure the generation of the additional time-series event data from the network packets; and
      
      disabling the generation of the additional time-series event data after a pre-specified period has passed.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the additional time-series event data is generated from the network packets by updating configuration information for configuring the generation of the time-series event data from the network packets captured by the one or more remote capture agents.
  - 20. The non-transitory computer-readable storage medium of claim 17,wherein the capture trigger for generating the additional time-series event data from the network packets is received through one or more user-interface elements in a graphical user interface (GUI) that displays an error representing the security risk, andwherein the one or more user-interface elements comprise:
    - a first user-interface element for activating the capture trigger; and
      
      a second user-interface element for providing a filter for generating the additional time-series event data from the network packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Chauhan, Vijay, Badhani, Devendra M., Murphey, Luke K., Hazekamp, David

Granted Patent

US 9,843,598 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/1425   Traffic logging, e.g. anoma...

CAPTURE TRIGGERS FOR CAPTURING NETWORK DATA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CAPTURE TRIGGERS FOR CAPTURING NETWORK DATA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links