Capture triggers for capturing network data

US 9,596,253 B2
Filed: 10/30/2014
Issued: 03/14/2017
Est. Priority Date: 10/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating the processing of network data, comprising:

identifying one or more events matching one or more specified parameters, the one or more events identified from time-series event data generated from network packets captured by one or more remote capture agents of a plurality of remote capture agents distributed across a network; and

in response to identifying the one or more events, sending configuration information to the one or more remote capture agents, the configuration information used by the one or more remote capture agents to generate additional time-series event data from network packets to be captured by the one or more remote capture agents.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system provides a risk-identification mechanism for identifying a security risk from time-series event data generated from network packets captured by one or more remote capture agents distributed across a network. Next, the system provides a capture trigger for generating additional time-series event data from the network packets on the one or more remote capture agents based on the security risk, wherein the additional time-series event data includes one or more event attributes.

Citations

28 Claims

1. A method for facilitating the processing of network data, comprising:
- identifying one or more events matching one or more specified parameters, the one or more events identified from time-series event data generated from network packets captured by one or more remote capture agents of a plurality of remote capture agents distributed across a network; and
  
  in response to identifying the one or more events, sending configuration information to the one or more remote capture agents, the configuration information used by the one or more remote capture agents to generate additional time-series event data from network packets to be captured by the one or more remote capture agents.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprisingdisabling the generation of the additional time-series event data after a specified period has passed.
  - 3. The method of claim 1, further comprising:
    - receiving input specifying one or more capture trigger settings, the capture trigger settings related to settings used by the one or more remote capture agents to generate the additional time-series event data from network packets to be captured by the one or more remote capture agents; and
      
      updating the configuration information based on the received input.
  - 4. The method of claim 1, further comprising causing display of a graphical user interface (GUI) including at least one event identifier corresponding to the identified one or more events.
  - 5. The method of claim 1, further comprising causing display of a graphical user interface (GUI) including one or more interface elements corresponding to one or more capture trigger settings included in the configuration information.
  - 6. The method of claim 1, further comprising causing display of a graphical user interface (GUI) includinga user-interface element for defining a filter for generating the additional time-series event data.
  - 7. The method of claim 1, wherein the specified parameters correspond to search parameters for events from the time-series event data.
  - 8. The method of claim 1, wherein identifying the one or more events matching the one or more specified parameters is based on a recurring search.
  - 9. The method of claim 1, wherein the additional time-series event data comprises an event attribute associated with one or more protocols.
  - 10. The method of claim 1, wherein the identified one or more events represent a network security risk.
  - 11. The method of claim 1, wherein the configuration information specifies one or more of:
    - one or more types of event data to be generated, one or more fields to be included in the additional time-series event data, one or more filtering rules for filtering the additional time-series event data.

12. An apparatus, comprising:
- one or more processors; and
  
  memory storing instructions that, when executed by the one or more processors, cause the apparatus to;
  
  identify one or more events matching one or more specified parameters, the one or more events identified from time-series event data generated from network packets captured by one or more remote capture agents distributed across a network; and
  
  in response to identifying the one or more events, send configuration information to the one or more remote capture agents, the configuration information used by the one or more remote capture agents to generate additional time-series event data from network packets to be captured by the one or more remote capture agents.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The apparatus of claim 12, wherein the instructions that, when executed by the one or more processors, further cause the apparatus todisable the generation of the additional time-series event data after a specified period has passed.
  - 14. The apparatus of claim 12, wherein the instructions that, when executed by the one or more processors, further cause the apparatus to:
    - receive input specifying one or more capture trigger settings, the capture trigger settings related to settings used by the one or more remote capture agents to generate the additional time-series event data from network packets to be captured by the one or more remote capture agents; and
      
      update the configuration information based on the received input.
  - 15. The apparatus of claim 12, wherein the instructions that, when executed by the one or more processors, further causes the apparatus to cause display of a graphical user interface (GUI) including at least one event identifier corresponding to the identified one or more events.
  - 16. The apparatus of claim 12, wherein the instructions that, when executed by the one or more processors, further cause the apparatus to cause display of a graphical user interface (GUI) includinga user-interface element for defining a filter for generating the additional time-series event data.
  - 17. The apparatus of claim 12,wherein identifying the one or more events matching the one or more specified parameters is based on a recurring search.
  - 18. The apparatus of claim 12, wherein the additional time-series event data comprises an event attribute associated with one or more protocols.
  - 19. The apparatus of claim 12, wherein the identified one or more events represent a network security risk.
  - 20. The apparatus of claim 12, wherein the configuration information specifies one or more of:
    - one or more types of event data to be generated, one or more fields to be included in the additional time-series event data, one or more filtering rules for filtering the additional time-series event data.

21. A non-transitory computer-readable storage medium storing instructions that, when executed by one or more processors, cause:
- identifying one or more events matching one or more specified parameters, the one or more events identified from time-series event data generated from network packets captured by one or more remote capture agents of a plurality of remote capture agents distributed across a network; and
  
  response to identifying the one or more events, sending configuration information to the one or more remote capture agents, the configuration information used by the one or more remote capture agents to generate additional time-series event data from network packets to be captured by the one or more remote capture agents.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The non-transitory computer-readable storage medium of claim 21, wherein the instructions which, when executed by the one or more processors, further causedisabling the generation of the additional time-series event data after a pre-specified period has passed.
  - 23. The non-transitory computer-readable storage medium of claim 21, wherein the instructions that, when executed by the one or more processors, further cause:
    - receiving input specifying one or more capture trigger settings, the capture trigger settings related to settings used by the one or more remote capture agents to generate the additional time-series event data from network packets to be captured by the one or more remote capture agents; and
      
      updating the configuration information based on the received input.
  - 24. The non-transitory computer-readable storage medium of claim 21, wherein the instructions that, when executed by the one or more processors, further cause display of a graphical user interface (GUI)includinguser-interface element for defining a filter for generating the additional time-series event data.
  - 25. The non-transitory computer-readable storage medium of claim 21, wherein identifying the one or more events matching the one or more specified parameters is based on a recurring search.
  - 26. The non-transitory computer-readable storage medium of claim 21, wherein the additional time-series event data comprises an event attribute associated with one or more protocols.
  - 27. The non-transitory computer-readable storage medium of claim 21, wherein the identified one or more events represent a network security risk.
  - 28. The non-transitory computer-readable storage medium of claim 21, wherein the configuration information specifies one or more of:
    - one or more types of event data to be generated, one or more fields to be included in the additional time-series event data, one or more filtering rules for filtering the additional time-series event data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Chauhan, Vijay, Badhani, Devendra M., Murphey, Luke K., Hazekamp, David
Primary Examiner(s)
McNally, Michael S

Application Number

US14/528,918
Publication Number

US 20160127401A1
Time in Patent Office

866 Days
Field of Search

726/13
US Class Current

1/1
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/1425   Traffic logging, e.g. anoma...

Capture triggers for capturing network data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Capture triggers for capturing network data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links