Graphical display of events indicating security threats in an information technology system
US-10382472-B2 · Aug 13, 2019 · US
US12034759B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12034759-B2 |
| Application number | US-202117507698-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 21, 2021 |
| Priority date | Jul 31, 2013 |
| Publication date | Jul 9, 2024 |
| Grant date | Jul 9, 2024 |
Abstract
A disclosed computer-implemented method includes receiving raw data and indexing it. Indexing divides the raw data into time-stamped searchable events that include information relating to computer or network security. The indexed data is stored in an indexed data store, and values are extracted from a field in the indexed data using a schema. The extracted field values are searched for the security information, and a group of security events is determined using that information; each security event includes a field value specified by a criterion. A graphical interface (GI) is presented that includes a summary of the group of security events, other summaries of security events, and a remove element associated with the summary. Input corresponding to an interaction with the remove element is received; interacting with the remove element causes the summary to be removed from the GI, and the GI is updated to remove the summary.
Claims (preview)
What is claimed is:

1. A method comprising: creating, by a computer system, an event group, the event group including a plurality of events, each event in the event group having a respective portion of machine data, wherein each event in the event group is included in the event group based on an event matching criterion relating to one or more field values of a respective one or more fields present in a respective portion of machine data; creating, by the computer system, an event group summary that summarizes one or more fields present in the portion of machine data included in the plurality of events included in the event group; causing, by the computer system, display of a graphical user interface that includes a plurality of event group summaries including the event group summary; receiving, by the computer system, one or more new events, each having a respective portion of machine data; and in response to receiving the one or more new events, identifying, by the computer system, the one or more new events as belonging to the event group, and modifying, by the computer system, the event group summary based upon one or more fields present in the machine data contained in the one or more new events.
2. The method of claim 1, further comprising: receiving first input indicating selection of the event group summary; receiving second input indicating a time frame; and suppressing, by the computer system, display of the event group summary by removing the event group summary from the graphical user interface, wherein the event group summary is suppressed during the time frame indicated by the second input.
3. The method of claim 1, wherein at least one event group summary of the plurality of event group summaries includes domain activity information.
4. The method of claim 1, further comprising: changing, by the computer system, a visual appearance of a particular event group summary among the plurality of event group summaries to indicate that the particular event group summary is a potential security threat.
5. The method of claim 1, further comprising: causing, by the computer system, display of a second graphical user interface displaying a second plurality of event group summaries including the event group summary, wherein each event group summary in the second plurality of event group summaries was removed from the plurality of event group summaries indicating that each event group summary in the second plurality of event group summaries is not a security threat.
6. The method of claim 1, wherein the machine data comprises log data; the method further comprising: organizing the machine data into the plurality of events, wherein an event comprises at least a portion of log data within the machine data.
7. The method of claim 1, wherein each event of the plurality of events is associated with a time stamp, and wherein the event group summary encompasses events having time stamps within a specified time period.
8. The method of claim 1, wherein the event group summary includes a numerical count of events in the event group.
9. The method of claim 1, wherein the criterion includes at least one of: an HTTP agent string, a network traffic size, a length of a uniform resource locator string, a byte count per request, a domain name, or a source address.
10. The method of claim 1, wherein the criterion includes a particular threshold string length for the one or more field values.
11. The method of claim 1, wherein the criterion includes a particular threshold string length for a network resource locator.
12. The method of claim 1, wherein the criterion includes a source address associated with a security threat.
13. The method of claim 1, further comprising: generating, by the computer system, a display that includes an add element and one or more event group summaries that have been removed from the graphical interface, wherein the one or more event group summaries include the event group summary, and wherein a user interaction with the add element causes the event group summary to be added back to the graphical interface; and in response to a user interaction with the add element, updating, by the computer system, the graphical interface to add the event group summary back to the graphical interface.
14. The method of claim 1, wherein each event in the plurality of events includes information relating to security of an information technology environment.
15. A non-transitory machine-readable storage medium storing instructions, execution of which in a computer system causes performance by the computer system of operations comprising: creating an event group, the event group including a plurality of events, each event in the event group having a respective portion of machine data, wherein each event in the event group is included in the event group based on an event matching criterion relating to one or more field values of a respective one or more fields present in a respective portion of raw machine data; creating an event group summary that summarizes one or more fields present in the portion of machine data included in the plurality of events included in the event group; causing display of a graphical user interface that includes a plurality of event group summaries including the event group summary; receiving one or more new events, each having a respective portion of machine data; and in response to receiving the one or more new events, identifying the one or more new events as belonging to the event group, and modifying the event group summary based upon one or more fields present in the machine data contained in the one or more new events.
16. The non-transitory machine-readable storage medium of claim 15, wherein said operations further comprise: segmenting stored machine data into the plurality of events, wherein each event in the plurality of events includes information relating to security of an information technology environment.
17. The non-transitory machine-readable storage medium of claim 15, wherein said operations further comprise: extracting values for fields in events in the event group, by applying a late binding schema to at least a portion of the plurality of events.
18. A computer system comprising: a network interface via which to communicate with a remote computer system over a network; a memory; and a processor coupled to the memory and the network interface and configured to cause the system to perform operations including: creating an event group, the event group including a plurality of events, each event in the event group having a respective portion of machine data, wherein each event in the event group is included in the event group based on an event matching criterion relating to one or more field values of a respective one or more fields present in a respective portion of raw machine data; creating an event group summary that summarizes one or more fields present in the portion of machine data included in the plurality of events included in the event group; causing display of a graphical user interface that includes a plurality of event group summaries including the event group summary; receiving one or more new events, each having a respective portion of machine data; and in response to receiving the one or more new events, identifying the one or more new events as belonging to the event group, and modifying the event group summary based upon one or more fields present in the machine data contained in the one or more new events.
19. The comp
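The mechanism the claims describe, worked through as an added Python example that is not part of the patent or of any product built on it: raw lines are split into time-stamped events (the indexing step of claims 1 and 6), field values are pulled out at search time by a regex acting as a late-binding schema (claim 17), two hypothetical criteria of the kinds claim 9 lists (a URL string-length threshold and a watch-listed source address) assign events to groups, each group builds a summary with a numerical count, time span and distinct field values (claims 7 and 8), newly received events modify the summary of the group they fall into (claim 1), a remove element suppresses a summary for a chosen time frame (claim 2), and an add element restores it (claim 13). The log lines, addresses, threshold, group names and all function and class names are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed proxy-style key=value log lines (not from the patent); one event per line.
RAW_LOG = "\n".join([
    "2024-01-01T10:00:00Z src=10.0.0.5 dst=example.com uri=/index.html bytes=512",
    f"2024-01-01T10:00:05Z src=10.0.0.5 dst=example.com uri=/search?q={'a' * 64} bytes=2048",
    "2024-01-01T10:00:09Z src=203.0.113.9 dst=example.com uri=/login bytes=300",
])
FIELD_RE = re.compile(r"(\w+)=(\S+)")  # the late-binding schema, applied at search time

@dataclass
class Event:
    ts: datetime
    raw: str

    def fields(self):
        # Extracted on demand from the raw text (late binding), not at index time.
        return dict(FIELD_RE.findall(self.raw))

def parse_events(text):
    """Indexing step: divide raw data into time-stamped events."""
    out = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        out.append(Event(datetime.fromisoformat(ts.rstrip("Z")), rest))
    return out

@dataclass
class Criterion:
    name: str              # group name shown in its summary
    summarized_field: str  # field whose distinct values the summary lists
    matches: object        # callable taking the extracted field dict

# Hypothetical criteria of kinds the claims name; WATCHLIST is a constructed value.
WATCHLIST = {"203.0.113.9"}
CRITERIA = [
    Criterion("long_url", "src", lambda f: len(f.get("uri", "")) > 40),
    Criterion("watchlist_src", "uri", lambda f: f.get("src") in WATCHLIST),
]

@dataclass
class EventGroup:
    criterion: Criterion
    events: list = field(default_factory=list)
    suppressed_until: Optional[datetime] = None  # set by the remove element

    def summary(self):
        """Numerical count, time span and distinct field values of the group."""
        key, times = self.criterion.summarized_field, [e.ts for e in self.events]
        return {"group": self.criterion.name, "count": len(self.events),
                "first": min(times), "last": max(times),
                "values": sorted({e.fields().get(key, "") for e in self.events})}

class Dashboard:
    def __init__(self, criteria):
        self.groups = {c.name: EventGroup(c) for c in criteria}

    def ingest(self, events):
        # Each new event is tested against every criterion; a match adds it to
        # that group, so the group's summary changes the next time it is built.
        for e in events:
            f = e.fields()
            for g in self.groups.values():
                if g.criterion.matches(f):
                    g.events.append(e)

    def remove(self, name, now, duration):
        """Remove element: hide the summary for the chosen time frame."""
        self.groups[name].suppressed_until = now + duration

    def add_back(self, name):
        """Add element: show a removed summary again before its frame ends."""
        self.groups[name].suppressed_until = None

    def shown(self, now, removed=False):
        """Summaries on the main view, or with removed=True on the removed view."""
        return [g.summary() for g in self.groups.values() if g.events and
                (g.suppressed_until is not None and now < g.suppressed_until) == removed]

def demo():
    board = Dashboard(CRITERIA)
    board.ingest(parse_events(RAW_LOG))
    initial = {s["group"]: s["count"] for s in board.shown(datetime(2024, 1, 1, 10, 1))}
    new_line = f"2024-01-01T10:01:00Z src=10.0.0.7 dst=example.com uri=/x?p={'b' * 70} bytes=100"
    board.ingest(parse_events(new_line))  # matches long_url, so that summary grows
    after_new = board.groups["long_url"].summary()
    now = datetime(2024, 1, 1, 10, 2)
    board.remove("long_url", now, timedelta(hours=1))
    shown = [s["group"] for s in board.shown(now)]
    hidden = [s["group"] for s in board.shown(now, removed=True)]
    board.add_back("long_url")
    restored = [s["group"] for s in board.shown(now)]
    board.remove("long_url", now, timedelta(hours=1))
    later = [s["group"] for s in board.shown(now + timedelta(hours=2))]
    return {"initial": initial, "after_new": after_new, "shown": shown,
            "hidden": hidden, "restored": restored, "later": later}
```

Running `demo()` shows the two summaries, then the `long_url` count rising from 1 to 2 when the new event arrives, then that summary disappearing from the main view and appearing on the removed view while its time frame is in force, and coming back once the frame has passed. Summaries here are rebuilt from the group's events on each call; an indexed data store with many events would instead keep running counts and update them as events are assigned, which is the incremental modification claim 1 describes.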
CPC classification titles:
- for detecting or protecting against malicious traffic
- Time stamp
- Test or assess a computer or a system
- involving event detection and direct action
- by monitoring network traffic (monitoring network traffic per se H04L43/00)