-
11.
Publication number: US09276946B2
Publication date: 2016-03-01
Application number: US14280311
Filing date: 2014-05-16
Applicant: Splunk Inc.
Inventor: John Coates , Lucas Murphey , David Hazekamp , James Hansen
CPC classification number: H04L63/1433 , G06F17/30598 , G06F21/554 , G06F2221/034 , G06F2221/2151 , H04L63/14 , H04L63/1408 , H04L63/1416 , H04L63/20
Abstract: A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.
-
Publication number: US20160019316A1
Publication date: 2016-01-21
Application number: US14448081
Filing date: 2014-07-31
Applicant: Splunk Inc.
Inventor: Lucas Murphey , David Hazekamp
IPC: G06F17/30
CPC classification number: G06F16/90335 , G06F16/9032
Abstract: One or more processing devices provide a wizard for generating a correlation search, the wizard facilitating user input of (i) one or more search criteria for a search query of the correlation search, (ii) a triggering condition to be applied to a dataset produced by the search query, and (iii) one or more actions to be performed when the dataset produced by the search query satisfies the triggering condition, and causing generation of the correlation search based on the user input.
-
Publication number: US20240333752A1
Publication date: 2024-10-03
Application number: US18740314
Filing date: 2024-06-11
Applicant: SPLUNK INC.
Inventor: John Coates , Lucas Murphey , David Hazekamp , James Hansen
CPC classification number: H04L63/1433 , G06F16/285 , G06F21/554 , H04L63/14 , H04L63/1408 , H04L63/1416 , G06F2221/034 , G06F2221/2151 , H04L63/20
Abstract: A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.
-
14.
Publication number: US11178167B2
Publication date: 2021-11-16
Application number: US16526354
Filing date: 2019-07-30
Applicant: SPLUNK INC.
Inventor: John Coates , Lucas Murphey , David Hazekamp , James Hansen
Abstract: A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.
-
Publication number: US11134094B2
Publication date: 2021-09-28
Application number: US16777544
Filing date: 2020-01-30
Applicant: SPLUNK INC.
Inventor: Munawar Monzy Merza , John Coates , James M Hansen , Lucas Murphey , David Hazekamp , Michael Kinsley , Alexander Raitz
IPC: H04L29/06 , G06F21/55 , G06F16/2458
Abstract: A metric value is determined for each event in a set of events that characterizes a computational communication or object. For example, a metric value could include a length of a URL or agent string in the event. A subset criterion is generated, such that metric values within the subset are relatively separated from a population's center (e.g., within a distribution tail). Application of the criterion to metric values produces a subset. A representation of the subset is presented in an interactive dashboard. The representation can include unique values in the subset and counts of corresponding event occurrences. Clients can select particular elements in the representation to cause more detail to be presented with respect to individual events corresponding to specific values in the subset. Thus, clients can use their knowledge of system operations and observance of value frequencies and underlying events to identify anomalous metric values and potential security threats.
-
16.
Publication number: US20190356690A1
Publication date: 2019-11-21
Application number: US16526354
Filing date: 2019-07-30
Applicant: SPLUNK INC.
Inventor: John Coates , Lucas Murphey , David Hazekamp , James Hansen
Abstract: A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.
-
17.
Publication number: US20190124105A1
Publication date: 2019-04-25
Application number: US16228509
Filing date: 2018-12-20
Applicant: Splunk Inc.
Inventor: Vijay Chauhan , Devendra M. Badhani , Luke K. Murphey , David Hazekamp
IPC: H04L29/06
CPC classification number: H04L63/1425 , H04L63/0218 , H04L63/0236
Abstract: The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system provides a risk-identification mechanism for identifying a security risk from time-series event data generated from network packets captured by one or more remote capture agents distributed across a network. Next, the system provides a capture trigger for generating additional time-series event data from the network packets on the one or more remote capture agents based on the security risk, wherein the additional time-series event data includes one or more event attributes.
-
Publication number: US10250628B2
Publication date: 2019-04-02
Application number: US15799906
Filing date: 2017-10-31
Applicant: Splunk Inc
Inventor: Vijay Chauhan , Cary Noel , Wenhui Yu , Luke Murphey , Alexander Raitz , David Hazekamp
Abstract: Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.
-
19.
Publication number: US20180351990A1
Publication date: 2018-12-06
Application number: US15996866
Filing date: 2018-06-04
Applicant: SPLUNK INC.
Inventor: John Coates , Lucas Murphey , David Hazekamp , James Hansen
CPC classification number: H04L63/1433 , G06F16/285 , G06F21/554 , G06F2221/034 , G06F2221/2151 , H04L63/14 , H04L63/1408 , H04L63/1416 , H04L63/20
Abstract: A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.
-
Publication number: US20180091528A1
Publication date: 2018-03-29
Application number: US15276756
Filing date: 2016-09-26
Applicant: Splunk Inc.
Inventor: Banipal Shahbaz , Siri Atma Oaklander De Licori , John Robert Coates , David Hazekamp , Devendra Badhani , Luke Murphey , Patrick Schulz
IPC: H04L29/06
Abstract: Techniques and mechanisms are disclosed for configuring actions to be performed by a network security application in response to the detection of potential security incidents, and for causing a network security application to report on the performance of those actions. For example, users may use such a network security application to configure one or more “modular alerts.” As used herein, a modular alert generally represents a component of a network security application which enables users to specify security modular alert actions to be performed in response to the detection of defined triggering conditions, and which further enables tracking information related to the performance of modular alert actions and reporting on the performance of those actions.