Graphical display of events indicating security threats in an information technology system

US 9,992,220 B2
Filed: 01/31/2017
Issued: 06/05/2018
Est. Priority Date: 07/31/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

extracting one or more values from each event in a plurality of time-stamped, searchable events after receipt of the events by a computing device, wherein the one or more values are extracted from a field present in raw machine data included in each event, the machine data having been produced by one or more components within an information technology environment and reflecting activity within the information technology environment;

creating an event group from a set of events in the plurality of time-stamped, searchable events, wherein each event in the set of events is associated with one or more extracted values that satisfy one or more criteria for a group of security-related events;

creating an event group summary for the event group, wherein the event group summary summarizes one or more fields present in the machine data included in the events in the event group; and

causing display of a plurality of event group summaries that includes the event group summary, wherein the plurality of event group summaries represents security threats in the information technology environment;

wherein the method is performed by one or more computing devices in a computer network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.

14 Citations

View as Search Results

20 Claims

1. A method, comprising:
- extracting one or more values from each event in a plurality of time-stamped, searchable events after receipt of the events by a computing device, wherein the one or more values are extracted from a field present in raw machine data included in each event, the machine data having been produced by one or more components within an information technology environment and reflecting activity within the information technology environment;
  
  creating an event group from a set of events in the plurality of time-stamped, searchable events, wherein each event in the set of events is associated with one or more extracted values that satisfy one or more criteria for a group of security-related events;
  
  creating an event group summary for the event group, wherein the event group summary summarizes one or more fields present in the machine data included in the events in the event group; and
  
  causing display of a plurality of event group summaries that includes the event group summary, wherein the plurality of event group summaries represents security threats in the information technology environment;
  
  wherein the method is performed by one or more computing devices in a computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as recited in claim 1, wherein at least one event group summary of the plurality of event group summaries includes domain activity information.
  - 3. The method as recited in claim 1, further comprising:
    - changing a visual appearance of a particular event group summary among the plurality of event group summaries to indicate that the particular event group summary is a possible security threat.
  - 4. The method as recited in claim 1, further comprising:
    - causing display of a graphical element that causes removal of a selected event group summary from the plurality of event group summaries;
      
      based on user input via the graphical element, removing the selected event group summary from the plurality of event group summaries, thereby indicating that the selected event group summary is not a security threat.
  - 5. The method as recited in claim 1, further comprising:
    - causing display of a graphical element that causes removal of a selected event group summary from the plurality of event group summaries;
      
      based on user input via the graphical element, removing the selected event group summary from the plurality of event group summaries, thereby indicating that the selected event group summary is not a security threat;
      
      causing display of a second graphical user interface displaying a second plurality of event group summaries including the selected event group summary, wherein each event group summary in the second plurality of event group summaries was removed from the plurality of event group summaries indicating that each event group summary in the second plurality of event group summaries is not a security threat.
  - 6. The method as recited in claim 1, further comprising:
    - wherein the machine data is log data; and
      
      organizing the machine data into the plurality of time-stamped, searchable events, wherein an event is comprised of at least a portion of log data within the machine data.
  - 7. The method as recited in claim 1, wherein the one or more criteria is evaluated using a late binding schema applied to at least a portion of the plurality of time-stamped, searchable events.
  - 8. The method as recited in claim 1, wherein each event of the plurality of time-stamped, searchable events is associated with a time stamp, and wherein the event group summary encompasses events having time stamps within a specified time period.
  - 9. The method as recited in claim 1, wherein the event group summary includes a numerical count of events in the set of events.
  - 10. The method as recited in claim 1, wherein the one or more criteria include a particular threshold string length for the one or more extracted values.
  - 11. The method as recited in claim 1, wherein the one or more criteria include a source address that poses a security threat.

12. One or more non-transitory computer-readable storage media, storing one or more sequences of instructions, which when executed by one or more processors of one or more devices in a computing network cause performance of:
- extracting one or more values from each event in a plurality of time-stamped, searchable events, wherein the one or more values are extracted from a field present in raw machine data included in each event, the machine data having been produced by one or more components within an information technology environment and reflecting activity within the information technology environment;
  
  creating an event group from a set of events in the plurality of time-stamped, searchable events, wherein each event in the set of events is associated with one or more extracted values that satisfy one or more criteria for a group of security-related events;
  
  creating an event group summary for the event group, wherein the event group summary summarizes one or more fields present in the machine data included in the events in the event group; and
  
  causing display of a plurality of event group summaries that includes the event group summary, wherein the plurality of event group summaries represents security threats in the information technology environment.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The one or more non-transitory computer-readable storage media as recited in claim 12, wherein at least one event group summary of the plurality of event group summaries includes domain activity information.
  - 14. The one or more non-transitory computer-readable storage media as recited in claim 12, wherein the one or more sequences of instructions, when executed by the one or more processors cause further performance of:
    - changing a visual appearance of a particular event group summary among the plurality of event group summaries to indicate that the particular event group summary is a possible security threat.
  - 15. The one or more non-transitory computer-readable storage media as recited in claim 12, wherein the one or more sequences of instructions, when executed by the one or more processors cause further performance of:
    - causing display of a graphical element that causes removal of a selected event group summary from the plurality of event group summaries;
      
      based on user input via the graphical element, removing the selected event group summary from the plurality of event group summaries, thereby indicating that the selected event group summary is not a security threat.
  - 16. The one or more non-transitory computer-readable storage media as recited in claim 12, wherein the one or more sequences of instructions, when executed by the one or more processors cause further performance of:
    - wherein the machine data is log data; and
      
      organizing the machine data into the plurality of time-stamped, searchable events, wherein an event is comprised of at least a portion of one or more lines of data within the machine data.

17. An apparatus, comprising:
- a value extraction device, implemented at least partially in hardware of one or more devices in a computer network, that extracts one or more values from each event in a plurality of time-stamped, searchable events, wherein the one or more values are extracted from a field present in raw machine data included in each event, the machine data having been produced by one or more components within an information technology environment and reflecting activity within the information technology environment;
  
  an event group creator, implemented at least partially in hardware, that creates an event group from a set of events in the plurality of time-stamped, searchable events, wherein each event in the set of events is associated with one or more extracted values that satisfy one or more criteria for a group of security-related events;
  
  a summary creator, implemented at least partially in hardware, that creates an event group summary for the event group, wherein the event group summary summarizes one or more fields present in the machine data included in the events in the event group; and
  
  a display generator, implemented at least partially in hardware, that causes display of a plurality of event group summaries that includes the event group summary, wherein the plurality of event group summaries represents security threats in the information technology environment.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus as recited in claim 17, wherein at least one event group summary of the displayed event group summaries includes domain activity information.
  - 19. The apparatus as recited in claim 17, wherein the display generator changes a visual appearance of a particular event group summary among the plurality of event group summaries to indicate that the particular event group summary is a possible security threat.
  - 20. The apparatus as recited in claim 17, wherein the display generator, causes display of a graphical element that causes removal of a selected event group summary from the plurality of event group summaries, and wherein the display generator, based on user input via the graphical element, removes the selected event group summary from the plurality of event group summaries, thereby indicating that the selected event group summary is not a security threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Coates, John, Murphey, Lucas, Hazekamp, David, Hansen, James
Primary Examiner(s)
Brown, Anthony

Application Number

US15/421,420
Publication Number

US 20170142149A1
Time in Patent Office

490 Days
Field of Search

726 22- 25
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2151   Time stamp

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Graphical display of events indicating security threats in an information technology system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Graphical display of events indicating security threats in an information technology system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links