Identifying possible security threats using event group summaries
First Claim
1. A method, comprising:
- creating an event group from a plurality of time-stamped, searchable events stored in a field-searchable, non-tabular data store, each event in the event group having a portion of raw machine data reflecting activity in an information technology environment and matching criteria relating to one or more field values extracted from one or more fields present in the portion of raw machine data, wherein the criteria is evaluated using an extraction rule applied to at least a portion of the plurality of time-stamped, searchable events;
determining an event group summary, the summary summarizing field values from one or more fields of the events in the event group;
causing display of a graphical user interface displaying a plurality of event group summaries including the event group summary;
based on user input in response to the display of the graphical user interface, changing a visual appearance of a selected event group summary among the displayed plurality of event group summaries to indicate that the selected event group summary is a security threat or removing the selected event group summary from the displayed plurality of event group summaries indicating that the selected event group summary is not a security threat;
wherein the method is performed by one or more computing devices.
1 Assignment
0 Petitions
Accused Products
Abstract
A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.
-
Citations
27 Claims
-
1. A method, comprising:
-
creating an event group from a plurality of time-stamped, searchable events stored in a field-searchable, non-tabular data store, each event in the event group having a portion of raw machine data reflecting activity in an information technology environment and matching criteria relating to one or more field values extracted from one or more fields present in the portion of raw machine data, wherein the criteria is evaluated using an extraction rule applied to at least a portion of the plurality of time-stamped, searchable events; determining an event group summary, the summary summarizing field values from one or more fields of the events in the event group; causing display of a graphical user interface displaying a plurality of event group summaries including the event group summary; based on user input in response to the display of the graphical user interface, changing a visual appearance of a selected event group summary among the displayed plurality of event group summaries to indicate that the selected event group summary is a security threat or removing the selected event group summary from the displayed plurality of event group summaries indicating that the selected event group summary is not a security threat; wherein the method is performed by one or more computing devices. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. An apparatus, comprising:
-
an event group creator, implemented at least partially in hardware, that creates an event group from a plurality of time-stamped, searchable events stored in a field-searchable, non-tabular data store, each event in the event group having a portion of raw machine data reflecting activity in an information technology environment and matching criteria relating to one or more field values extracted from one or more fields present in the portion of raw machine data, wherein the criteria is evaluated using an extraction rule applied to at least a portion of the plurality of time-stamped, searchable events; a summary creator, implemented at least partially in hardware, that determining an event group summary, the summary summarizing field values from one or more fields of the events in the event group; a display generator, implemented at least partially in hardware, that causing display of a graphical user interface displaying a plurality of event group summaries including the event group summary; wherein the display generator, based on user input in response to the display of the graphical user interface, changes a visual appearance of a selected event group summary among the displayed plurality of event group summaries to indicate that the selected event group summary is a security threat or removing the selected event group summary from the displayed plurality of event group summaries indicating that the selected event group summary is not a security threat. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. One or more non-transitory computer-readable storage media, storing one or more sequences of instructions, which when executed by one or more processors cause performance of:
-
creating an event group from a plurality of time-stamped, searchable events stored in a field-searchable, non-tabular data store, each event in the event group having a portion of raw machine data reflecting activity in an information technology environment and matching criteria relating to one or more field values extracted from one or more fields present in the portion of raw machine data, wherein the criteria is evaluated using an extraction rule applied to at least a portion of the plurality of time-stamped, searchable events; determining an event group summary, the summary summarizing field values from one or more fields of the events in the event group; causing display of a graphical user interface displaying a plurality of event group summaries including the event group summary; based on user input in response to the display of the graphical user interface, changing a visual appearance of a selected event group summary among the displayed plurality of event group summaries to indicate that the selected event group summary is a security threat or removing the selected event group summary from the displayed plurality of event group summaries indicating that the selected event group summary is not a security threat. - View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
-
Specification