公开(公告)号：US20160307173A1

公开(公告)日：2016-10-20

申请号：US14691475

申请日：2015-04-20

Applicant: Splunk Inc.

Inventor： Vijay Chauhan ,  Banipal Shahbaz ,  David Hazekamp

IPC: G06Q20/14 ,  G06F17/30 ,  G06F17/27

CPC classification number: G06F17/30572 ,  G06F17/30312 ,  G06F17/30946 ,  G06Q2220/18

Abstract: A data intake and query system measures an amount of raw data ingested by the system during defined periods of time. As used herein, ingesting raw data generally refers to receiving the raw data from one or more computing devices and processing the data for storage and searchability. Processing the data may include, for example, parsing the raw data into “events,” where each event includes a portion of the received data and is associated with a timestamp. Based on a calculated number of events generated by the system during one or more defined time periods, the system may calculate various metrics including, but not limited to, a number of events generated during a particular day, a number of events generated per day over a period of time, a maximum number of events generated in a day over a period of time, an average number of events generated per day, etc.

Abstract translation: 数据采集​​和查询系统测量系统在定义的时间段内摄取的原始数据量。 如本文所使用的，摄取原始数据通常是指从一个或多个计算设备接收原始数据并处理数据以用于存储和可搜索性。 处理数据可以包括例如将原始数据解析为“事件”，其中每个事件包括接收到的数据的一部分并且与时间戳相关联。 基于在一个或多个定义的时间段期间由系统产生的计算的事件数量，系统可以计算各种度量，包括但不限于在特定日期期间生成的事件的数量，每天产生的事件的数量 一段时间，一段时间内每天生成的最大事件数，每天生成的平均事件数等。

公开(公告)号：US20160306871A1

公开(公告)日：2016-10-20

申请号：US14701301

申请日：2015-04-30

Applicant: Splunk Inc.

Inventor： Vijay Chauhan ,  Banipal Shahbaz ,  David Hazekamp

IPC: G06F17/30 ,  G06F17/27

Abstract: A data intake and query system measures an amount of raw data ingested by the system during defined periods of time. As used herein, ingesting raw data generally refers to receiving the raw data from one or more computing devices and processing the data for storage and searchability. Processing the data may include, for example, parsing the raw data into “events,” where each event includes a portion of the received data and is associated with a timestamp. Based on a calculated number of events generated by the system during one or more defined time periods, the system may calculate various metrics including, but not limited to, a number of events generated during a particular day, a number of events generated per day over a period of time, a maximum number of events generated in a day over a period of time, an average number of events generated per day, etc.

Abstract translation: 数据采集​​和查询系统测量系统在定义的时间段内摄取的原始数据量。 如本文所使用的，摄取原始数据通常是指从一个或多个计算设备接收原始数据并处理数据以用于存储和可搜索性。 处理数据可以包括例如将原始数据解析为“事件”，其中每个事件包括接收到的数据的一部分并且与时间戳相关联。 基于在一个或多个定义的时间段期间由系统产生的计算的事件数量，系统可以计算各种度量，包括但不限于在特定日期期间生成的事件的数量，每天产生的事件的数量 一段时间，一段时间内每天生成的最大事件数，每天生成的平均事件数等。

公开(公告)号：US20160057162A1

公开(公告)日：2016-02-25

申请号：US14929321

申请日：2015-10-31

Applicant: Splunk Inc.

Inventor： Munawar Monzy Merza ,  John Coates ,  James M Hansen ,  Lucas Murphey ,  David Hazekamp ,  Michael Kinsley ,  Alexander Raitz

IPC: H04L29/06

CPC classification number: H04L63/1425 ,  G06F17/30551 ,  G06F21/552 ,  G06F2221/2151 ,  H04L63/1408 ,  H04L63/1416

Abstract: A metric value is determined for each event in a set of events that characterizes a computational communication or object. For example, a metric value could include a length of a URL or agent string in the event. A subset criterion is generated, such that metric values within the subset are relatively separated from a population's center (e.g., within a distribution tail). Application of the criterion to metric values produces a subset. A representation of the subset is presented in an interactive dashboard. The representation can include unique values in the subset and counts of corresponding event occurrences. Clients can select particular elements in the representation to cause more detail to be presented with respect to individual events corresponding to specific values in the subset. Thus, clients can use their knowledge system operations and observance of value frequencies and underlying events to identify anomalous metric values and potential security threats.

Abstract translation: 为表征计算通信或对象的一组事件中的每个事件确定度量值。 例如，度量值可以包括事件中的URL或代理字符串的长度。 生成子集标准，使得子集内的度量值与群体的中心（例如，分布尾部）相对分开。 将标准应用于度量值产生一个子集。 该子集的表示呈现在交互式仪表板中。 该表示可以包括子集中的唯一值和相应事件发生的计数。 客户端可以选择表示中的特定元素，以便相对于子集中的特定值对应的各个事件来呈现更多的细节。 因此，客户可以使用他们的知识系统操作和遵守价值频率和基础事件来识别异常度量值和潜在的安全威胁。

公开(公告)号：US20160019215A1

公开(公告)日：2016-01-21

申请号：US14447995

申请日：2014-07-31

Applicant: Splunk Inc.

Inventor： Lucas Murphey ,  David Hazekamp

IPC: G06F17/30

CPC classification number: G06F17/3053 ,  G06F17/30303 ,  G06F17/30312 ,  G06F17/30368 ,  G06F17/3051 ,  G06F17/30551 ,  G06F17/30864

Abstract: Systems and methods for assigning scores to objects based on evaluating triggering conditions applied to datasets produced by search queries in data aggregation and analysis systems. An example method may comprise: executing, by one or more processing devices, a search query to produce a dataset comprising one or more data items derived from source data; and responsive to determining that at least a portion of the dataset satisfies a triggering condition, modifying a score assigned to an object to which the portion of the dataset pertains.

Abstract translation: 根据对数据汇总和分析系统中搜索查询产生的数据集的触发条件进行评估，为对象分配分数的系统和方法。 示例性方法可以包括：由一个或多个处理设备执行搜索查询以产生包括从源数据导出的一个或多个数据项的数据集; 并且响应于确定所述数据集的至少一部分满足触发条件，修改分配给所述数据集的所述部分所属对象的得分。

公开(公告)号：US20150040225A1

公开(公告)日：2015-02-05

申请号：US14280311

申请日：2014-05-16

Applicant: Splunk Inc.

Inventor： John Coates ,  Lucas Murphey ,  David Hazekamp ,  James Hansen

IPC: H04L29/06

CPC classification number: H04L63/1433 ,  G06F17/30598 ,  G06F21/554 ,  G06F2221/034 ,  G06F2221/2151 ,  H04L63/14 ,  H04L63/1408 ,  H04L63/1416 ,  H04L63/20

Abstract: A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.

Abstract translation: 所公开的计算机实现的方法包括接收和索引原始数据。 索引包括将原始数据划分为包含与计算机或网络安全相关的信息的时间戳搜索事件。 将索引数据存储在索引数据存储中，并使用模式从索引数据中的字段中提取值。 搜索提取的字段值以获取安全信息。 使用安全信息确定一组安全事件。 每个安全事件都包括由条件指定的字段值。 提供包括安全事件组的摘要，安全事件的其他摘要和删除元素（与摘要相关联）的图形界面（GI）。 接收与删除元素的交互相对应的输入。 与删除元素进行交互会导致摘要从GI中移除。 更新GI以从GI中删除摘要。

公开(公告)号：US12130866B1

公开(公告)日：2024-10-29

申请号：US17114423

申请日：2020-12-07

Applicant: Splunk Inc.

Inventor： Lucas Murphey ,  David Hazekamp

IPC: G06F16/30 ,  G06F16/903 ,  G06F16/9032 ,  G06F16/906 ,  G06F16/907

CPC classification number: G06F16/90335 ,  G06F16/9032 ,  G06F16/906 ,  G06F16/907

Abstract: One or more processing devices receive a definition of a search query for a correlation search of a data store, the data store comprising time-stamped events that each include raw machine data reflecting activity in an information technology environment and produced by a component of the information technology environment, receive a definition of a triggering condition to be evaluated based on aggregated statistics of values of one or more fields of a dataset produced by the search query, receive a definition of one or more actions to be performed when the triggering condition is satisfied, generate, using search processing language, a statement to define the search query and the triggering condition, and in view of the results of the execution of the search processing language, cause generation of the correlation search using the defined search query, the triggering condition, and the one or more actions, the correlation search comprising updated search processing language having the search query and a processing command for criteria on which the triggering condition is based.

公开(公告)号：US12034759B2

公开(公告)日：2024-07-09

申请号：US17507698

申请日：2021-10-21

Applicant: SPLUNK INC.

Inventor： John Coates ,  Lucas Murphey ,  David Hazekamp ,  James Hansen

IPC: H04L9/40 ,  G06F16/28 ,  G06F21/55

CPC classification number: H04L63/1433 ,  G06F16/285 ,  G06F21/554 ,  H04L63/14 ,  H04L63/1408 ,  H04L63/1416 ,  G06F2221/034 ,  G06F2221/2151 ,  H04L63/20

Abstract: A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.

公开(公告)号：US11677760B2

公开(公告)日：2023-06-13

申请号：US16944433

申请日：2020-07-31

Applicant: Splunk Inc.

Inventor： Banipal Shahbaz ,  Siri Atma Oaklander De Licori ,  John Robert Coates ,  David Hazekamp ,  Devendra Badhani ,  Luke Murphey ,  Patrick Schulz

IPC: G06F21/55 ,  H04L9/40 ,  G06F21/53 ,  G06F16/248 ,  G06F16/26

CPC classification number: H04L63/1416 ,  G06F21/53 ,  G06F21/554 ,  H04L63/145 ,  H04L63/1458 ,  H04L63/1475 ,  G06F16/248 ,  G06F16/26 ,  G06F2221/2151 ,  H04L2463/121 ,  H04L2463/141

Abstract: Techniques and mechanisms are disclosed for configuring actions to be performed by a network security application in response to the detection of potential security incidents, and for causing a network security application to report on the performance of those actions. For example, users may use such a network security application to configure one or more “modular alerts.” As used herein, a modular alert generally represents a component of a network security application which enables users to specify security modular alert actions to be performed in response to the detection of defined triggering conditions, and which further enables tracking information related to the performance of modular alert actions and reporting on the performance of those actions.

公开(公告)号：US20220300522A1

公开(公告)日：2022-09-22

申请号：US17833816

申请日：2022-06-06

Applicant: Splunk Inc.

Inventor： Lucas Murphey ,  David Hazekamp

IPC: G06F16/2457 ,  G06F16/951 ,  G06F16/23 ,  G06F16/2458 ,  G06F16/2455 ,  G06F16/22 ,  G06F16/215

Abstract: Systems and methods for assigning scores to objects based on evaluating triggering conditions applied to datasets produced by search queries in data aggregation and analysis systems. An example method includes causing display of a user interface for generating a correlation search, the correlation search comprising a search query, a triggering condition to be applied to a dataset produced by the search query, and one or more actions to be performed when the dataset produced by the search query satisfies the triggering condition, wherein the one or more actions comprise at least modifying a score assigned to an object to which the dataset produced by the search query pertains. The example method also includes receiving, via the user interface, user input identifying the one or more actions to be performed when the dataset produced by the search query satisfies the triggering condition, the one or more actions comprising modifying the score assigned to the object, and causing generation of the correlation search based on the user input, the correlation search reflecting an association between the one or more actions and the triggering condition.

公开(公告)号：US11363047B2

公开(公告)日：2022-06-14

申请号：US17018360

申请日：2020-09-11

Applicant: Splunk Inc.

Inventor： Vijay Chauhan ,  Cary Noel ,  Wenhui Yu ,  Luke Murphey ,  Alexander Raitz ,  David Hazekamp

IPC: H04L9/40 ,  G06F3/0484 ,  G06F16/25 ,  G06F16/248 ,  G06F16/2458 ,  H04L43/026 ,  G06F40/169 ,  G06F21/62 ,  H04L43/06

Abstract: Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.