EVENT VIEWS IN DATA INTAKE STAGE OF MACHINE DATA PROCESSING PLATFORM

US 20170063903A1
Filed: 10/30/2015
Published: 03/02/2017
Est. Priority Date: 08/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving event data representing an event on a computer network; and

adding a view identifier to the event data to allow a downstream entity, by having designated the view identifier, to receive select information about the event, through an interface identified by the view identifier,wherein the interface extracts the select information from and/or generates the select information based on the event data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

Citations

30 Claims

1. A method comprising:
- receiving event data representing an event on a computer network; and
  
  adding a view identifier to the event data to allow a downstream entity, by having designated the view identifier, to receive select information about the event, through an interface identified by the view identifier,wherein the interface extracts the select information from and/or generates the select information based on the event data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The method of claim 1, wherein the interface further includes logic operable to perform an action on the event data representing the event to generate the select information.
  - 3. The method of claim 1, wherein the interface further includes logic operable to perform an action on the event data representing the event to generate the select information, and wherein the interface further includes an input for controlling the action that the logic performs.
  - 4. The method of claim 1, wherein the select information only includes a defined subset of a complete set of the event data representing the event.
  - 5. The method of claim 1, further comprising:
    - repeating said identifying and adding steps for event data representing each of a plurality of events to enable, via the interface, a uniform way to access information about the plurality of events.
  - 6. The method of claim 1, further comprising:
    - repeating said identifying and adding steps for event data representing each of a plurality of events to enable, via the interface, a uniform way to access information about the plurality of events, wherein event data representing the plurality of events are in different data formats.
  - 7. The method of claim 1, further comprising:
    - repeating said adding step for event data representing each of a plurality of events that belong to a same category as the event to enable, via the interface, a uniform way to access information about the plurality of events.
  - 8. The method of claim 1, further comprising:
    - determining an event category to which the event belongs, from a plurality of event categories, based on the event data, wherein the view identifier and the interface correspond to the event category.
  - 9. The method of claim 1, further comprising:
    - determining an event category to which the event belongs, from a plurality of event categories, based on a type of a machine that generated the event, wherein the view identifier and the interface correspond to the event category.
  - 10. The method of claim 1, wherein the view identifier and the interface correspond to an event category to which the event belongs.
  - 11. The method of claim 1, further comprising:
    - determining an event category to which the event belongs, from a plurality of event categories, based on a type of a machine that generated the event, wherein the view identifier and the interface correspond to the event category, the event category characterizing events generated by a plurality of types of machines.
  - 12. The method of claim 1, wherein said identifying step comprises parsing the event data based on a predetermined data format.
  - 13. The method of claim 1, wherein said identifying step comprises parsing the event data based on a predetermined data format that specifies which data in the event represent a key or a value.
  - 14. The method of claim 1, wherein the view identifier is added as a field in the event.
  - 15. The method of claim 1, further comprising:
    - identifying a plurality of attributes of the event, based on the event data,wherein the select information includes a defined subset of the plurality of attributes of the event.
  - 16. The method of claim 1, further comprising:
    - identifying a plurality of attributes of the event, based on the event data,wherein the select information includes a defined subset of the plurality of attributes of the event,wherein the attributes include at least one of;
      
      a key, a value, or a key-value pair.
  - 17. The method of claim 1, further comprising:
    - performing, by the downstream entity, analytics on event data representing a plurality of events using information about the plurality of events.
  - 18. The method of claim 1, further comprising:
    - performing, by the downstream entity, analytics on event data representing a plurality of events using information about the plurality of events,wherein information accessible via the interface includes at least one of;
      
      (1) information generated by logic included in the interface, the logic being operable to perform an action on the event data representing the plurality of events, or (2) a predefined subset of a complete set of the event data representing the plurality of events.
  - 19. The method of claim 1, further comprising:
    - using the view identifier to determine whether the event is relevant to the downstream entity.
  - 20. The method of claim 1, further comprising:
    - automatically routing the information to the downstream entity having designated the view identifier.
  - 21. The method of claim 1, further comprising:
    - automatically routing the information to the downstream entity having designated the view identifier,wherein the downstream entity is configured to identify security-oriented anomalies represented by the event.
  - 22. The method of claim 1, wherein the event data comprises machine data.
  - 23. The method of claim 1, wherein the event data comprises timestamped machine data.
  - 24. The method of claim 1, further comprising:
    - configuring said adding step by making an adjustment to a configuration file.
  - 25. The method of claim 1, wherein the method is performed as part of an extract-transform-load stage of at least one of a distributed event processing system or an anomaly detection system.

26. A computer system comprising:
- a communication device; and
  
  a processor configured to;
  
  receive, via the communication device, event data representing an event on a computer network; and
  
  add a view identifier to the event data to allow a downstream entity, by having designated the view identifier, to receive select information about the event, through an interface identified by the view identifier,wherein the interface extracts the select information from and/or generates the select information based on the event data.
- View Dependent Claims (27, 28, 29)
- - 27. The computer system of claim 26, wherein the interface further includes logic operable to perform an action on the event data representing the event to generate the select information.
  - 28. The computer system of claim 26, wherein the select information only includes a defined subset of a complete set of the event data representing the event.
  - 29. The computer system of claim 26, wherein the processor is further configured to:
    - repeat said identifying and adding steps for event data representing each of a plurality of events to enable, via the interface, a uniform way to access information about the plurality of events.

30. A non-transitory machine-readable storage medium for use in a processing system, the non-transitory machine-readable storage medium storing instructions, an execution of which in the processing system causes the processing system to perform operations comprising:
- receiving event data representing an event on a computer network; and
  
  adding a view identifier to the event data to allow a downstream entity, by having designated the view identifier, to receive select information about the event, through an interface identified by the view identifier,wherein the interface extracts the select information from and/or generates the select information based on the event data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Muddu, Sudhakar, Tryfonas, Christos, Bulusu, Ravi Prasad

Granted Patent

US 10,243,970 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/24578   using ranking

G06F 16/254   Extract, transform and load...

G06F 16/285   Clustering or classification

G06F 16/444   Spatial browsing, e.g. 2D m...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 3/0482   Interaction with lists of s...

G06F 3/0484   for the control of specific...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 40/134   Hyperlinking

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/022   Knowledge engineering; Know...

G06N 5/04   Inference or reasoning models

G06N 7/01   Probabilistic graphical mod...

G06V 10/225   based on a marking or ident...

H04L 2463/121   Timestamp cryptographic mec...

H04L 41/0893   Assignment of logical group...

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 43/00 : Arrangements for monitoring...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 63/06 : for supporting key manageme...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/20 : for managing network securi...

View All

EVENT VIEWS IN DATA INTAKE STAGE OF MACHINE DATA PROCESSING PLATFORM

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

EVENT VIEWS IN DATA INTAKE STAGE OF MACHINE DATA PROCESSING PLATFORM

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links