-
Publication No.: US10462169B2
Publication date: 2019-10-29
Application No.: US15582645
Filing date: 2017-04-29
Applicant: Splunk Inc.
Abstract: A lateral movement application identifies lateral movement (LM) candidates that potentially represent a security threat. Security platforms generate event data when performing security-related functions, such as authenticating a user account. The disclosed technology enables greatly increased accuracy in the identification of lateral movement (LM) candidates by, for example, refining a population of LM candidates based on an analysis of a time-constrained graph in which nodes represent entities, and edges between nodes represent a time sequence of login or other association activities between the entities. The graph is created based on an analysis of the event data, including time sequences of the event data.
-
Publication No.: US10462004B2
Publication date: 2019-10-29
Application No.: US14699807
Filing date: 2015-04-29
Applicant: Splunk Inc.
Inventor: Fang I. Hsiao, Wei Jiang, Vladimir A. Shcherbakov, Ramkumar Chandrasekharan, Clayton S. Ching
IPC: G06F16/00, H04L12/24, G06F3/0482, G06F3/0484, G06F16/26, G06F3/0481, H04L29/08
Abstract: The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system causes for display a graphical user interface (GUI) for configuring the generation of time-series event data from network packets captured by one or more remote capture agents. Next, the system causes for display, in the GUI, a first set of user-interface elements containing a set of statistics associated with one or more event streams that comprise the time-series event data. The system then causes for display, in the GUI, one or more graphs comprising one or more values from the set of statistics. Finally, the system causes for display, in the GUI, a value of a statistic from the set of statistics based on a position of a cursor over the one or more graphs.
-
Publication No.: US10459939B1
Publication date: 2019-10-29
Application No.: US15224618
Filing date: 2016-07-31
Applicant: Splunk Inc.
Inventor: Marshall Chalmers Agnew, Michael Porath, Patrick Wied, Clark Eugene Mullen
IPC: G06F16/30, G06F16/248, G06T11/20, G06F16/26, G06F16/22
Abstract: Disclosed are a system and a method for providing user-interactive parallel coordinates charts. In an embodiment, a machine data search and analysis system retrieves search results including a plurality of events, each of the events containing time-stamped data in response to a search query. The system identifies a plurality of characteristics from the data corresponding to the events. The system causes display of a multiple-dimensional chart (e.g., a parallel coordinates chart) depicting the data corresponding to the events. The multiple-dimensional chart includes a plurality of axes. Each of the axes corresponds to one of the identified characteristics. The multiple-dimensional chart further includes a plurality of polylines representing the events. Each of the polylines includes a plurality of vertices on the axes.
-
Publication No.: US10459819B2
Publication date: 2019-10-29
Application No.: US15011517
Filing date: 2016-01-30
Applicant: Splunk Inc.
Inventor: Peter Chen, Min Zhang, Feng Shao, Qianjie Zhong, Geng Qin, D. Randall Young, Roy Zhang, Aaron Zhang
IPC: G06F16/248, G06F11/34, G06F11/30, G06F11/32
Abstract: Techniques and mechanisms are disclosed that enable a data intake and query system to generate and cause display of circular timelines of timestamped event data. As used herein, a circular timeline generally refers to a graphical display of timestamped events stored by a data intake and query system, wherein the timestamped events may be displayed as arcs of one or more concentric circles and located in a circular timeline area according to a chronological ordering associated with the events. One or more display attributes of each arc may further depend on other data associated with the corresponding events. For example, each arc of a circular timeline may be displayed at a particular radial distance, with a particular thickness, using a particular shading and/or color, etc., depending on various data values associated with the one or more events represented by the arc.
-
Publication No.: US20190327251A1
Publication date: 2019-10-24
Application No.: US16503181
Filing date: 2019-07-03
Applicant: SPLUNK INC.
Inventor: Sudhakar Muddu, Christos Tryfonas, Joseph Auguste Zadeh, Alexander Beebe Bond, Ashwin Athalye
IPC: H04L29/06, G06N20/00, G06N5/04, G06F16/901, G06F16/44, G06F16/28, G06F16/25, H04L12/26, G06F16/2457, H04L12/24, G06F3/0484, G06K9/20, G06F3/0482, G06N5/02, G06F17/22, G06N7/00
Abstract: A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
-
Publication No.: US20190317943A1
Publication date: 2019-10-17
Application No.: US16455193
Filing date: 2019-06-27
Applicant: SPLUNK INC.
Inventor: Steve Yu Zhang, Stephen Phillip Sorkin
IPC: G06F16/2457, G06F16/9032, H04L12/24, G06F16/2455, G06F16/9535, G06F16/9038, G06F16/2458, G06F16/23, G06F16/951, G06F16/33, G06F16/248, G06F16/182, G06F16/24, G06F16/22, H04L29/08
Abstract: A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.
-
347.
Publication No.: US20190303385A1
Publication date: 2019-10-03
Application No.: US16442338
Filing date: 2019-06-14
Applicant: Splunk Inc.
Inventor: Clayton S. Ching, Michael R. Dickey, Vladimir A. Shcherbakov, Nishant Teredesai, Matthew S. Zises
Abstract: The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system causes for display a graphical user interface (GUI) for obtaining configuration information for configuring the generation of time-series event data from network packets captured by one or more remote capture agents. Next, the system causes for display, in the GUI, a first set of user-interface elements comprising event stream information for one or more ephemeral event streams used to temporarily generate the time-series event data from the network packets. The system then causes for display, in the GUI, a mechanism for navigating between the event stream information and creation information for one or more creators of the one or more ephemeral event streams.
-
Publication No.: US20190303365A1
Publication date: 2019-10-03
Application No.: US16397466
Filing date: 2019-04-29
Applicant: SPLUNK INC.
Inventor: Brian Bingham, Tristan Fletcher, Alok Anant Bhide
IPC: G06F16/248, G06F16/26, G06F11/32, G06F3/0482, G06F3/0484, G06F9/455
Abstract: The disclosed system and method acquire and store performance measurements relating to performance of a component in an information technology (IT) environment and log data produced by the IT environment, in association with corresponding time stamps. The disclosed system and method correlate at least one of the performance measurements with at least one of the portions of log data.
-
349.
Publication No.: US20190294718A1
Publication date: 2019-09-26
Application No.: US15936372
Filing date: 2018-03-26
Applicant: Splunk Inc.
Inventor: Joerg Beringer, Isabelle Park, Joshua Walters, Eric Tschetter, Simon Fishel, Horst Werner
IPC: G06F17/30
Abstract: Systems and methods are disclosed for analyzing multiple groups of ordered events having raw machine data associated with a timestamp. The events in a particular group of ordered events can be related based on a common field value for a particular field associated with a pivot identifier. Further, the events in a particular group of ordered events can be categorized based on one or more field values for a field associated with a step identifier. One or more visualizations can be generated based on one or more of the groups of ordered events.
-
350.
Publication No.: US10419462B2
Publication date: 2019-09-17
Application No.: US15860049
Filing date: 2018-01-02
Applicant: SPLUNK INC.
Inventor: Sudhakar Muddu, Christos Tryfonas, Ravi Prasad Bulusu
IPC: H04L29/06, G06N20/00, G06F16/25, G06F16/28, G06F16/44, G06F16/901, G06F16/2457, G06N7/00, G06F3/0482, G06K9/20, G06F3/0484, H04L12/24, H04L12/26, G06F17/22, G06N5/04, G06N5/02
Abstract: A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
-