Graphical display of events indicating security threats in an information technology system

    Publication No.: US10382472B2

    Publication Date: 2019-08-13

    Application No.: US15996866

    Application Date: 2018-06-04

    Applicant: SPLUNK INC.

    Abstract: A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criterion. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.

    12. Detection of Potential Security Threats Based on Categorical Patterns
    Invention application, status: pending (published)

    Publication No.: US20170048265A1

    Publication Date: 2017-02-16

    Application No.: US15339955

    Application Date: 2016-11-01

    Applicant: Splunk Inc.

    Abstract: A metric value is determined for each event in a set of events that characterizes a computational communication or object. For example, a metric value could include a length of a URL or agent string in the event. A subset criterion is generated, such that metric values within the subset are relatively separated from a population's center (e.g., within a distribution tail). Application of the criterion to metric values produces a subset. A representation of the subset is presented in an interactive dashboard. The representation can include unique values in the subset and counts of corresponding event occurrences. Clients can select particular elements in the representation to cause more detail to be presented with respect to individual events corresponding to specific values in the subset. Thus, clients can use their knowledge of system operations and their observation of value frequencies and underlying events to identify anomalous metric values and potential security threats.


    13. Identifying Possible Security Threats Using Event Group Summaries
    Invention application, status: in force

    Publication No.: US20160182546A1

    Publication Date: 2016-06-23

    Application No.: US15056999

    Application Date: 2016-02-29

    Applicant: Splunk Inc.

    Abstract: A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criterion. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.


    14. Blacklisting and whitelisting of security-related events
    Invention grant, status: in force

    Publication No.: US09276946B2

    Publication Date: 2016-03-01

    Application No.: US14280311

    Application Date: 2014-05-16

    Applicant: Splunk Inc.

    Abstract: A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criterion. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.


    15. WIZARD FOR CREATING A CORRELATION SEARCH
    Invention application, status: pending (published)

    Publication No.: US20160019316A1

    Publication Date: 2016-01-21

    Application No.: US14448081

    Application Date: 2014-07-31

    Applicant: Splunk Inc.

    CPC classification number: G06F16/90335 G06F16/9032

    Abstract: One or more processing devices provide a wizard for generating a correlation search, the wizard facilitating user input of (i) one or more search criteria for a search query of the correlation search, (ii) a triggering condition to be applied to a dataset produced by the search query, and (iii) one or more actions to be performed when the dataset produced by the search query satisfies the triggering condition, and causing generation of the correlation search based on the user input.


    GENERATING META-NOTABLE EVENT SUMMARY INFORMATION

    Publication No.: US20210058418A1

    Publication Date: 2021-02-25

    Application No.: US16944460

    Application Date: 2020-07-31

    Applicant: Splunk Inc.

    Abstract: Techniques and mechanisms are disclosed for a data intake and query system to generate “meta-notable” events by applying a meta-notable event rule to a collection of notable event data. A meta-notable event rule specifies one or more patterns of notable event instances defined by a set of notable event states and a set of transition rules (also referred to as association rules) indicating conditions for transitioning from one notable event state to another. The set of notable event states includes at least one start state and at least one end state. A meta-notable event is generated when a set of analyzed notable events satisfies a set of transition rules linking a start state to an end state (including transitions through any intermediary states between the start state and the end state).

    SYSTEMS AND METHODS FOR DISPLAYING ADJUSTABLE METRICS ON REAL-TIME DATA IN A COMPUTING ENVIRONMENT

    Publication No.: US20200153714A1

    Publication Date: 2020-05-14

    Application No.: US16741450

    Application Date: 2020-01-13

    Applicant: SPLUNK INC.

    Abstract: A system and computer-implemented method are provided for displaying a configurable metric relating to an environment in a graphical display along with a value of the metric calculated over a configurable time period. The metric is used to identify events of interest in the environment based on processing real-time machine data from one or more sources. The configurable metric is selected and a corresponding value is calculated based on the events of interest over the configurable time period. The value of the metric may be continuously updated in real time based on receiving additional real-time machine data and displayed in a graphical interface as time progresses. Statistical trends in the value of the metric may also be determined over the configurable time period and displayed in the graphical interface, as well as an indication of whether the value of the metric exceeds a configurable threshold value. Further, a selection of one or more thresholds for the value of the metric may be applied and an indication displayed indicating whether the threshold(s) have been exceeded.

    SYSTEMS AND METHODS FOR DETECTING NETWORK SECURITY THREAT EVENT PATTERNS

    Publication No.: US20190098032A1

    Publication Date: 2019-03-28

    Application No.: US15715015

    Application Date: 2017-09-25

    Applicant: Splunk Inc.

    Abstract: Techniques and mechanisms are disclosed for a data intake and query system to generate “meta-notable” events by applying a meta-notable event rule to a collection of notable event data. A meta-notable event rule specifies one or more patterns of notable event instances defined by a set of notable event states and a set of transition rules (also referred to as association rules) indicating conditions for transitioning from one notable event state to another. The set of notable event states includes at least one start state and at least one end state. A meta-notable event is generated when a set of analyzed notable events satisfies a set of transition rules linking a start state to an end state (including transitions through any intermediary states between the start state and the end state).

    20. CREATING AND TESTING A CORRELATION SEARCH
    Invention application

    Publication No.: US20170371979A1

    Publication Date: 2017-12-28

    Application No.: US15688323

    Application Date: 2017-08-28

    Applicant: Splunk Inc.

    CPC classification number: G06F16/90335 G06F16/9032

    Abstract: One or more processing devices receive a definition of a search query for a correlation search of a data store, the data store comprising time-stamped events that each comprise a portion of raw machine data reflecting activity in an information technology environment and produced by a component of the information technology environment, receive a definition of a triggering condition to be applied to a dataset that is produced by the search query, receive a definition of one or more actions to be performed when the dataset produced by the search query satisfies the triggering condition, test the search query with the triggering condition, and cause, based on results of the testing, generation of the correlation search using the defined search query, the triggering condition, and the one or more actions, the correlation search comprising search processing language having the search query and a processing command for criteria on which the triggering condition is based.
