公开(公告)号：US20210314337A1

公开(公告)日：2021-10-07

申请号：US17350689

申请日：2021-06-17

Applicant: Splunk Inc.

Inventor： Satheesh Kumar JOSEPH DURAIRAJ ,  Stanislav MISKOVIC ,  Georgios APOSTOLOPOULOS

IPC: H04L29/06 ,  G06N20/00 ,  G06F16/901 ,  H04L12/24 ,  G06N5/02

Abstract: A lateral movement application identifies lateral movement (LM) candidates that potentially represent a security threat. Security platforms generate event data when performing security-related functions, such as authenticating a user account. The disclosed technology enables greatly increased accuracy identification of lateral movement (LM) candidates by, for example, refining a population of LM candidates based on an analysis of a time constrained graph in which nodes represent entities, and edges between nodes represent a time sequence of login or other association activities between the entities. The graph is created based on an analysis of the event data, including time sequences of the event data.

公开(公告)号：US11138218B2

公开(公告)日：2021-10-05

申请号：US16259975

申请日：2019-01-28

Applicant: Splunk Inc.

Inventor： Ashish Mathew ,  Ledion Bitincka ,  Igor Stojanovski ,  Dhruva Kumar Bhagi

IPC: G06F16/248 ,  G06F16/28 ,  G06F16/22 ,  G06F16/21

Abstract: Techniques and mechanisms are disclosed to optimize the size of index files to improve use of storage space available to indexers and other components of a data intake and query system. Index files of a data intake and query system may include, among other data, a keyword portion containing mappings between keywords and location references to event data containing the keywords. Optimizing an amount of storage space used by index files may include removing, modifying and/or recreating various components of index files in response to detecting one or more storage conditions related to the event data indexed by the index files. The optimization of index files generally may attempt to manage a tradeoff between an efficiency with which search requests can be processed using the index files and an amount of storage space occupied by the index files.

公开(公告)号：US20210303524A1

公开(公告)日：2021-09-30

申请号：US17344607

申请日：2021-06-10

Applicant: Splunk Inc.

Inventor： Eric Timothy Woo

IPC: G06F16/178 ,  G06F16/28 ,  G06F16/27

Abstract: Replication of search-related configuration customizations across multiple individual configuration files of search heads of a cluster for a consistent user experience. A search head leader of the cluster can receive a first journal entry relating to a first customization of a knowledge object from a first search head of the cluster. The search head leader may determine that the first journal entry references a parent commit journal entry matching a latest commit journal entry in a journal maintained by the search head leader. The first journal entry can be stored in the journal and sent to one or more search heads of the cluster.

公开(公告)号：US11113342B2

公开(公告)日：2021-09-07

申请号：US15663596

申请日：2017-07-28

Applicant: Splunk Inc.

Inventor： Ramesh Panuganty

IPC: G06F16/951

Abstract: Improved crawling and curation of data and metadata from diverse data sources is described. In some embodiments, improvements are achieved by interpreting the context, vocabulary and relationships of data element, to enable relational data search capability for users. The user querying process is improved by systematic identification of the data objects, context, and relationships across data objects and elements, aggregation methods and operators on the data objects and data elements as identified in the curation process. User query suggestions and recommendations can be adjusted based on the context, relationships between the data elements, user profile, and the data sources. When the user query is executed, the query text is translated into an equivalent of one or more query statements, such as SQL or PostGre statements, and the query is performed on the identified data sources. Results are assembled to present the answer in a meaningful visualization for the user query.

公开(公告)号：US11113301B1

公开(公告)日：2021-09-07

申请号：US15980008

申请日：2018-05-15

Applicant: Splunk Inc.

Inventor： Matthew Modestino ,  Zhimin Liang ,  David Christopher Baldwin ,  Marc Andre Chéné ,  Blaine Wastell

IPC: G06F7/00 ,  G06F16/25 ,  G06F16/13 ,  G06F16/14

Abstract: Systems and methods are disclosed for processing location information associated with isolated execution environments and generating metadata for events based on the location information. A system can parse location information of a log file that includes chunks of data associated with an isolated execution environment to identify characteristics of the isolated execution environment. The system can generate events based on the chunks of data and associated the events with metadata generated based on the characteristics of the isolated execution environment.

公开(公告)号：US11106691B2

公开(公告)日：2021-08-31

申请号：US16394754

申请日：2019-04-25

Applicant: SPLUNK INC.

Inventor： R. David Carasso ,  Micah James Delfino

IPC: G06F17/00 ,  G06F16/2458 ,  G06F16/901 ,  G06F40/284

Abstract: Embodiments are directed towards a graphical user interface identify locations within event records with splittable timestamp information. A display of event records is provided using any of a variety of formats. A splittable timestamp selector allows a user to select one or more locations within event records as having time related information that may be split across the one or more locations, including, information based on date, time of day, day of the week, or other time information. Any of a plurality of mechanisms is used to associate the selected locations with the split timestamp information, including tags, labels, or header information within the event records. In other embodiments, a separate table, list, index, or the like may be generated that associates the selected locations with the split timestamp information. The split timestamp information may be used within extraction rules for selecting subsets or the event records.

公开(公告)号：US11102095B2

公开(公告)日：2021-08-24

申请号：US16539981

申请日：2019-08-13

Applicant: SPLUNK INC.

Inventor： Ioannis Vlachogiannis ,  Panagiotis Papadomitsos

IPC: G06F15/173 ,  H04L12/26 ,  H04L12/58 ,  G06Q10/06 ,  G06Q10/10 ,  G06F11/14 ,  H04L12/861

Abstract: A computer-implemented method, system, and computer-readable media are disclosed herein. In embodiments, the computer-implemented method may entail receiving, by a data service, live data associated with an entity. The entity may be, for example, a customer of the data service. The method may then route the live data to a dual-queue system of the data service. The live data may be loaded into a live data queue of the dual queue system for processing. Processing may entail generating summary statistics from the live data. An alert may then be transmitted to the customer in response to detecting the occurrence of one or more alert events. In embodiments, the alert events may include events identified in the summary statistics. Additional embodiments are described and/or claimed.

公开(公告)号：US11095690B2

公开(公告)日：2021-08-17

申请号：US16520114

申请日：2019-07-23

Applicant: Splunk Inc.

Inventor： Brian Luger

IPC: H04L29/06

Abstract: Techniques and mechanisms are disclosed enabling efficient collection of forensic data from client devices, also referred to herein as endpoint devices, of a networked computer system. Embodiments described herein further enable correlating forensic data with other types of non-forensic data from other data sources. A network security application described herein further enables generating various dashboards, visualizations, and other interfaces for managing forensic data collection, and displaying information related to collected forensic data and information related to identified correlations between items of forensic data and other items of non-forensic data.

公开(公告)号：US11086897B2

公开(公告)日：2021-08-10

申请号：US16442338

申请日：2019-06-14

Applicant: Splunk Inc.

Inventor： Clayton S. Ching ,  Michael R. Dickey ,  Vladimir A. Shcherbakov ,  Nishant Teredesai ,  Matthew S. Zises

IPC: G06F16/26 ,  H04L12/26 ,  H04L29/06 ,  H04L12/24

Abstract: The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system causes for display a graphical user interface (GUI) for obtaining configuration information for configuring the generation of time-series event data from network packets captured by one or more remote capture agents. Next, the system causes for display, in the GUI, a first set of user-interface elements comprising event stream information for one or more ephemeral event streams used to temporarily generate the time-series event data from the network packets. The system then causes for display, in the GUI, a mechanism for navigating between the event stream information and creation information for one or more creators of the one or more ephemeral event streams.

公开(公告)号：US11068452B2

公开(公告)日：2021-07-20

申请号：US15956131

申请日：2018-04-18

Applicant: SPLUNK INC.

Inventor： Marc Vincent Robichaud ,  Cory Eugene Burke ,  Jeffrey Thomas Lloyd

IPC: G06F16/22 ,  G06F16/24 ,  G06F16/2455

Abstract: A search interface is displayed in a table format that includes a plurality of columns, each column including data items of an event attribute, the data items being of a set of events, each column being selectable by a user, and a plurality of rows forming cells with the one or more columns, each cell comprising one or more of the data items of the event attribute of a corresponding column. Based on the user selecting one or more of the columns, a list of options is displayed corresponding to the selected one or more columns, and one or more commands are added to a search query that corresponds to the set of events. The one or more commands are based on at least an option that is selected from the list of options and the event attribute of each of the selected one or more columns.