Graphical display of events indicating security threats in an information technology system
First Claim
1. A method, comprising:
extracting one or more values from each event in a plurality of time-stamped, searchable events after receipt of the events by a computing device, wherein the one or more values are extracted from a field present in raw machine data included in each event, the machine data having been produced by one or more components within an information technology environment and reflecting activity within the information technology environment;
creating an event group from a set of events in the plurality of time-stamped, searchable events, wherein each event in the set of events is associated with one or more extracted values that satisfy one or more criteria for a group of security-related events;
creating an event group summary for the event group, wherein the event group summary summarizes one or more fields present in the machine data included in the events in the event group; and
causing display of a plurality of event group summaries that includes the event group summary, wherein the plurality of event group summaries represents security threats in the information technology environment;
wherein the method is performed by one or more computing devices in a computer network.
Abstract
A disclosed computer-implemented method includes receiving raw data and indexing it. Indexing divides the raw data into time-stamped, searchable events that include information relating to computer or network security. The indexed data is stored in an indexed data store, and values are extracted from a field in the indexed data using a schema. The extracted field values are searched for the security information, and a group of security events is determined from it, where each security event includes a field value specified by a criterion. A graphical interface (GI) is presented that includes a summary of the group of security events, other summaries of security events, and a remove element associated with the summary. Input corresponding to an interaction with the remove element is received; that interaction causes the summary to be removed from the GI, and the GI is updated accordingly.
20 Claims
Claim 1 is the independent method claim shown above under First Claim; claims 2 through 11 depend from it.
12. One or more non-transitory computer-readable storage media, storing one or more sequences of instructions, which when executed by one or more processors of one or more devices in a computing network cause performance of:
extracting one or more values from each event in a plurality of time-stamped, searchable events, wherein the one or more values are extracted from a field present in raw machine data included in each event, the machine data having been produced by one or more components within an information technology environment and reflecting activity within the information technology environment;
creating an event group from a set of events in the plurality of time-stamped, searchable events, wherein each event in the set of events is associated with one or more extracted values that satisfy one or more criteria for a group of security-related events;
creating an event group summary for the event group, wherein the event group summary summarizes one or more fields present in the machine data included in the events in the event group; and
causing display of a plurality of event group summaries that includes the event group summary, wherein the plurality of event group summaries represents security threats in the information technology environment.
Dependent claims: 13, 14, 15, 16.
17. An apparatus, comprising:
a value extraction device, implemented at least partially in hardware of one or more devices in a computer network, that extracts one or more values from each event in a plurality of time-stamped, searchable events, wherein the one or more values are extracted from a field present in raw machine data included in each event, the machine data having been produced by one or more components within an information technology environment and reflecting activity within the information technology environment;
an event group creator, implemented at least partially in hardware, that creates an event group from a set of events in the plurality of time-stamped, searchable events, wherein each event in the set of events is associated with one or more extracted values that satisfy one or more criteria for a group of security-related events;
a summary creator, implemented at least partially in hardware, that creates an event group summary for the event group, wherein the event group summary summarizes one or more fields present in the machine data included in the events in the event group; and
a display generator, implemented at least partially in hardware, that causes display of a plurality of event group summaries that includes the event group summary, wherein the plurality of event group summaries represents security threats in the information technology environment.
Dependent claims: 18, 19, 20.
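The pipeline the abstract and the three independent claims describe (index raw machine data into time-stamped events, extract field values with a schema, group events whose values satisfy a criterion, summarize each group, and support the remove-element interaction) as an added illustration; this is not code from the patent or its assignee. The sshd-style sample lines, the regex schema, and the "repeated failed logins per source address" criterion are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample of raw machine data (sshd auth lines); not taken from the patent.
RAW = """\
2024-05-01T10:00:01Z host1 sshd: Failed password for admin from 203.0.113.7 port 4410
2024-05-01T10:00:03Z host1 sshd: Failed password for root from 203.0.113.7 port 4412
2024-05-01T10:00:09Z host2 sshd: Failed password for admin from 203.0.113.7 port 4419
2024-05-01T10:01:00Z host2 sshd: Accepted password for alice from 198.51.100.4 port 5100
2024-05-01T10:02:30Z host3 sshd: Failed password for guest from 198.51.100.9 port 6001
"""
# Schema used for late-binding field extraction from each event's raw text (assumed format).
SCHEMA = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<action>Failed|Accepted) password "
                    r"for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)$")

def index_events(raw):
    """Divide raw data into time-stamped searchable events with schema-extracted fields."""
    events = []
    for line in raw.splitlines():
        m = SCHEMA.match(line)
        if m:                      # lines the schema cannot parse are skipped, not grouped
            events.append(m.groupdict())
    return events

def group_events(events, criteria, key):
    """Event groups: events whose extracted values satisfy `criteria`, keyed by field `key`."""
    groups = {}
    for ev in events:
        if criteria(ev):
            groups.setdefault(ev[key], []).append(ev)
    return groups

def summarize(key_value, group):
    """Event group summary: summarizes fields of the machine data in the group's events."""
    return {"src": key_value, "count": len(group),
            "first_seen": min(e["ts"] for e in group),
            "last_seen": max(e["ts"] for e in group),
            "hosts": sorted({e["host"] for e in group}),
            "users": dict(Counter(e["user"] for e in group))}

def build_summaries(raw, min_events=2):
    """Summaries to display: failed-login groups per source IP with at least min_events events."""
    groups = group_events(index_events(raw), lambda e: e["action"] == "Failed", "src")
    return [summarize(k, g) for k, g in groups.items() if len(g) >= min_events]

def remove_summary(summaries, src):
    """The remove-element interaction: drop the selected summary from the displayed list."""
    return [s for s in summaries if s["src"] != src]
```

With the sample data, only the source that failed three times across two hosts survives the threshold; lowering min_events to 1 also surfaces the single-failure source, which the remove interaction can then dismiss.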
Specification