What technology area does this patent fall under?

Primary CPC classification H04L63/1433. Mapped technology areas include Electricity.

When was this patent published?

Publication date Tue Mar 14 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).

Identifying possible security threats using event group summaries

US9596252B2 · US · B2

Patent metadata
Field	Value
Publication number	US-9596252-B2
Application number	US-201615056999-A
Country	US
Kind code	B2
Filing date	Feb 29, 2016
Priority date	Jul 31, 2013
Publication date	Mar 14, 2017
Grant date	Mar 14, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

Title
What the patent document calls the invention.
Abstract
A short plain-language summary of the technical disclosure.
Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
Key dates
Filing, priority, publication, and grant dates set the timeline.
First independent claim
The legal scope of protection — read this for what is actually claimed.
CPC / IPC classifications
Technology tags used to group this patent with similar filings.
Citations and related patents
Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.

First claim

Opening claim text (preview).

What is claimed is: 1. A method, comprising: creating an event group from a plurality of time-stamped, searchable events stored in a field-searchable, non-tabular data store, each event in the event group having a portion of raw machine data reflecting activity in an information technology environment and matching criteria relating to one or more field values extracted from one or more fields present in the portion of raw machine data, wherein the criteria is evaluated using an extraction rule applied to at least a portion of the plurality of time-stamped, searchable events; determining an event group summary, the summary summarizing field values from one or more fields of the events in the event group; causing display of a graphical user interface displaying a plurality of event group summaries including the event group summary; based on user input in response to the display of the graphical user interface, changing a visual appearance of a selected event group summary among the displayed plurality of event group summaries to indicate that the selected event group summary is a security threat or removing the selected event group summary from the displayed plurality of event group summaries indicating that the selected event group summary is not a security threat; wherein the method is performed by one or more computing devices. 2. The method as recited in claim 1 , wherein at least one event group summary of the displayed event group summaries includes domain activity information. 3. The method as recited in claim 1 , further comprising: causing display of a second graphical user interface displaying a second plurality of event group summaries, wherein each event group summary in the second plurality of event group summaries was removed from the displayed plurality of event group summaries indicating that each event group summary in the second plurality of event group summaries is not a security threat. 4. The method as recited in claim 1 , further comprising: receiving log data; organizing the received log data into the plurality of time-stamped, searchable events, wherein an event is comprised of at least a portion of one or more lines of data within the log data. 5. The method as recited in claim 1 , wherein the extraction rule is a late binding schema. 6. The method as recited in claim 1 , wherein each event of the plurality of time-stamped, searchable events is associated with a time stamp, and wherein the event group summary encompasses events having time stamps within a specified time period. 7. The method as recited in claim 1 , further comprising: removing an event from the plurality of time-stamped, searchable events when the event is not recognized as notable. 8. The method as recited in claim 1 , further comprising: segmenting stored raw data into the plurality of time-stamped, searchable events, wherein each event in the plurality of time-stamped, searchable events includes information relating to security aspects of an information technology system. 9. The method as recited in claim 1 , wherein the event group summary includes a count of a number of events in the event group summary. 10. An apparatus, comprising: an event group creator, implemented at least partially in hardware, that creates an event group from a plurality of time-stamped, searchable events stored in a field-searchable, non-tabular data store, each event in the event group having a portion of raw machine data reflecting activity in an information technology environment and matching criteria relating to one or more field values extracted from one or more fields present in the portion of raw machine data, wherein the criteria is evaluated using an extraction rule applied to at least a portion of the plurality of time-stamped, searchable events; a summary creator, implemented at least partially in hardware, that determining an event group summary, the summary summarizing field values from one or more fields of the events in the event group; a display generator, implemented at least partially in hardware, that causing display of a graphical user interface displaying a plurality of event group summaries including the event group summary; wherein the display generator, based on user input in response to the display of the graphical user interface, changes a visual appearance of a selected event group summary among the displayed plurality of event group summaries to indicate that the selected event group summary is a security threat or removing the selected event group summary from the displayed plurality of event group summaries indicating that the selected event group summary is not a security threat. 11. The apparatus as recited in claim 10 , wherein at least one event group summary of the displayed event group summaries includes domain activity information. 12. The apparatus as recited in claim 10 , wherein the display generator, causes display of a second graphical user interface displaying a second plurality of event group summaries, wherein each event group summary in the second plurality of event group summaries was removed from the displayed plurality of event group summaries indicating that each event group summary in the second plurality of event group summaries is not a security threat. 13. The apparatus as recited in claim 10 , further comprising: a log data receiver, implemented at least partially in hardware, that receives log data; an event creator, implemented at least partially in hardware, that organizes the received log data into the plurality of time-stamped, searchable events, wherein an event is comprised of at least a portion of one or more lines of data within the log data. 14. The apparatus as recited in claim 10 , wherein the extraction rule is a late binding schema. 15. The apparatus as recited in claim 10 , wherein each event of the plurality of time-stamped, searchable events is associated with a time stamp, and wherein the event group summary encompasses events having time stamps within a specified time period. 16. The apparatus as recited in claim 10 , further comprising: an data reducer, implemented at least partially in hardware, that removes an event from the plurality of time-stamped, searchable events when the event is not recognized as notable. 17. The apparatus as recited in claim 10 , further comprising: an event creator, implemented at least partially in hardware, that segments stored raw data into the plurality of time-stamped, searchable events, wherein each event in the plurality of time-stamped, searchable events includes information relating to security aspects of an information technology system. 18. The apparatus as recited in claim 10 , wherein the event group summary includes a count of a number of events in the event group summary. 19. One or more non-transitory computer-readable storage media, storing one or more sequences of instructions, which when executed by one or more processors cause performance of: creating an event group from a plurality of time-stamped, searchable events stored in a field-searchable, non-tabular data store, each event in the event group having a portion of raw machine data reflecting activity in an information technology environment and matching criteria relating to one or more field values extracted from one or more fields present in the portion of raw machine data, wherein the criteria is evaluated using an extraction rule applied to at least a portion of the plurality of time-stamped, searchable events; determining an event group summary, the summary summarizing

Assignees

Splunk Inc

Inventors

Classifications

H04L63/1408
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title
G06F16/285
Clustering or classification · CPC title
H04L63/20
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
H04L63/1433Primary
Vulnerability analysis · CPC title
G06F2221/2151
Time stamp · CPC title

Patent family

Related publications grouped by family.

View patent family 49622622

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9596252B2 cover?: A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security i…
Who is the assignee on this patent?: Splunk Inc
What technology area does this patent fall under?: Primary CPC classification H04L63/1433. Mapped technology areas include Electricity.
When was this patent published?: Publication date Tue Mar 14 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?: We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).