Identifying possible security threats using event group summaries

US 9,596,252 B2
Filed: 02/29/2016
Issued: 03/14/2017
Est. Priority Date: 07/31/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

creating an event group from a plurality of time-stamped, searchable events stored in a field-searchable, non-tabular data store, each event in the event group having a portion of raw machine data reflecting activity in an information technology environment and matching criteria relating to one or more field values extracted from one or more fields present in the portion of raw machine data, wherein the criteria is evaluated using an extraction rule applied to at least a portion of the plurality of time-stamped, searchable events;

determining an event group summary, the summary summarizing field values from one or more fields of the events in the event group;

causing display of a graphical user interface displaying a plurality of event group summaries including the event group summary;

based on user input in response to the display of the graphical user interface, changing a visual appearance of a selected event group summary among the displayed plurality of event group summaries to indicate that the selected event group summary is a security threat or removing the selected event group summary from the displayed plurality of event group summaries indicating that the selected event group summary is not a security threat;

wherein the method is performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.

Citations

27 Claims

1. A method, comprising:
- creating an event group from a plurality of time-stamped, searchable events stored in a field-searchable, non-tabular data store, each event in the event group having a portion of raw machine data reflecting activity in an information technology environment and matching criteria relating to one or more field values extracted from one or more fields present in the portion of raw machine data, wherein the criteria is evaluated using an extraction rule applied to at least a portion of the plurality of time-stamped, searchable events;
  
  determining an event group summary, the summary summarizing field values from one or more fields of the events in the event group;
  
  causing display of a graphical user interface displaying a plurality of event group summaries including the event group summary;
  
  based on user input in response to the display of the graphical user interface, changing a visual appearance of a selected event group summary among the displayed plurality of event group summaries to indicate that the selected event group summary is a security threat or removing the selected event group summary from the displayed plurality of event group summaries indicating that the selected event group summary is not a security threat;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1, wherein at least one event group summary of the displayed event group summaries includes domain activity information.
  - 3. The method as recited in claim 1, further comprising:
    - causing display of a second graphical user interface displaying a second plurality of event group summaries, wherein each event group summary in the second plurality of event group summaries was removed from the displayed plurality of event group summaries indicating that each event group summary in the second plurality of event group summaries is not a security threat.
  - 4. The method as recited in claim 1, further comprising:
    - receiving log data;
      
      organizing the received log data into the plurality of time-stamped, searchable events, wherein an event is comprised of at least a portion of one or more lines of data within the log data.
  - 5. The method as recited in claim 1, wherein the extraction rule is a late binding schema.
  - 6. The method as recited in claim 1, wherein each event of the plurality of time-stamped, searchable events is associated with a time stamp, and wherein the event group summary encompasses events having time stamps within a specified time period.
  - 7. The method as recited in claim 1, further comprising:
    - removing an event from the plurality of time-stamped, searchable events when the event is not recognized as notable.
  - 8. The method as recited in claim 1, further comprising:
    - segmenting stored raw data into the plurality of time-stamped, searchable events, wherein each event in the plurality of time-stamped, searchable events includes information relating to security aspects of an information technology system.
  - 9. The method as recited in claim 1, wherein the event group summary includes a count of a number of events in the event group summary.

10. An apparatus, comprising:
- an event group creator, implemented at least partially in hardware, that creates an event group from a plurality of time-stamped, searchable events stored in a field-searchable, non-tabular data store, each event in the event group having a portion of raw machine data reflecting activity in an information technology environment and matching criteria relating to one or more field values extracted from one or more fields present in the portion of raw machine data, wherein the criteria is evaluated using an extraction rule applied to at least a portion of the plurality of time-stamped, searchable events;
  
  a summary creator, implemented at least partially in hardware, that determining an event group summary, the summary summarizing field values from one or more fields of the events in the event group;
  
  a display generator, implemented at least partially in hardware, that causing display of a graphical user interface displaying a plurality of event group summaries including the event group summary;
  
  wherein the display generator, based on user input in response to the display of the graphical user interface, changes a visual appearance of a selected event group summary among the displayed plurality of event group summaries to indicate that the selected event group summary is a security threat or removing the selected event group summary from the displayed plurality of event group summaries indicating that the selected event group summary is not a security threat.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus as recited in claim 10, wherein at least one event group summary of the displayed event group summaries includes domain activity information.
  - 12. The apparatus as recited in claim 10, wherein the display generator, causes display of a second graphical user interface displaying a second plurality of event group summaries, wherein each event group summary in the second plurality of event group summaries was removed from the displayed plurality of event group summaries indicating that each event group summary in the second plurality of event group summaries is not a security threat.
  - 13. The apparatus as recited in claim 10, further comprising:
    - a log data receiver, implemented at least partially in hardware, that receives log data;
      
      an event creator, implemented at least partially in hardware, that organizes the received log data into the plurality of time-stamped, searchable events, wherein an event is comprised of at least a portion of one or more lines of data within the log data.
  - 14. The apparatus as recited in claim 10, wherein the extraction rule is a late binding schema.
  - 15. The apparatus as recited in claim 10, wherein each event of the plurality of time-stamped, searchable events is associated with a time stamp, and wherein the event group summary encompasses events having time stamps within a specified time period.
  - 16. The apparatus as recited in claim 10, further comprising:
    - an data reducer, implemented at least partially in hardware, that removes an event from the plurality of time-stamped, searchable events when the event is not recognized as notable.
  - 17. The apparatus as recited in claim 10, further comprising:
    - an event creator, implemented at least partially in hardware, that segments stored raw data into the plurality of time-stamped, searchable events, wherein each event in the plurality of time-stamped, searchable events includes information relating to security aspects of an information technology system.
  - 18. The apparatus as recited in claim 10, wherein the event group summary includes a count of a number of events in the event group summary.

19. One or more non-transitory computer-readable storage media, storing one or more sequences of instructions, which when executed by one or more processors cause performance of:
- creating an event group from a plurality of time-stamped, searchable events stored in a field-searchable, non-tabular data store, each event in the event group having a portion of raw machine data reflecting activity in an information technology environment and matching criteria relating to one or more field values extracted from one or more fields present in the portion of raw machine data, wherein the criteria is evaluated using an extraction rule applied to at least a portion of the plurality of time-stamped, searchable events;
  
  determining an event group summary, the summary summarizing field values from one or more fields of the events in the event group;
  
  causing display of a graphical user interface displaying a plurality of event group summaries including the event group summary;
  
  based on user input in response to the display of the graphical user interface, changing a visual appearance of a selected event group summary among the displayed plurality of event group summaries to indicate that the selected event group summary is a security threat or removing the selected event group summary from the displayed plurality of event group summaries indicating that the selected event group summary is not a security threat.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The one or more non-transitory computer-readable storage media as recited in claim 19, wherein at least one event group summary of the displayed event group summaries includes domain activity information.
  - 21. The one or more non-transitory computer-readable storage media as recited in claim 19, wherein the one or more sequences of instructions, when executed by the one or more processors cause further performance of:
    - causing display of a second graphical user interface displaying a second plurality of event group summaries, wherein each event group summary in the second plurality of event group summaries was removed from the displayed plurality of event group summaries indicating that each event group summary in the second plurality of event group summaries is not a security threat.
  - 22. The one or more non-transitory computer-readable storage media as recited in claim 19, wherein the one or more sequences of instructions, when executed by the one or more processors cause further performance of:
    - receiving log data;
      
      organizing the received log data into the plurality of time-stamped, searchable events, wherein an event is comprised of at least a portion of one or more lines of data within the log data.
  - 23. The one or more non-transitory computer-readable storage media as recited in claim 19, wherein the extraction rule is a late binding schema.
  - 24. The one or more non-transitory computer-readable storage media as recited in claim 19, wherein each event of the plurality of time-stamped, searchable events is associated with a time stamp, and wherein the event group summary encompasses events having time stamps within a specified time period.
  - 25. The one or more non-transitory computer-readable storage media as recited in claim 19, wherein the one or more sequences of instructions, when executed by the one or more processors cause further performance of:
    - removing an event from the plurality of time-stamped, searchable events when the event is not recognized as notable.
  - 26. The one or more non-transitory computer-readable storage media as recited in claim 19, wherein the one or more sequences of instructions, when executed by the one or more processors cause further performance of:
    - segmenting stored raw data into the plurality of time-stamped, searchable events, wherein each event in the plurality of time-stamped, searchable events includes information relating to security aspects of an information technology system.
  - 27. The one or more non-transitory computer-readable storage media as recited in claim 19, wherein the event group summary includes a count of a number of events in the event group summary.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Coates, John, Murphey, Lucas, Hazekamp, David, Hansen, James
Primary Examiner(s)
BROWN, ANTHONY D

Application Number

US15/056,999
Publication Number

US 20160182546A1
Time in Patent Office

379 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2151   Time stamp

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Identifying possible security threats using event group summaries

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying possible security threats using event group summaries

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links