公开(公告)号：US10091227B2

公开(公告)日：2018-10-02

申请号：US15339955

申请日：2016-11-01

Applicant: Splunk Inc.

Inventor： Munawar Monzy Merza ,  John Coates ,  James M Hansen ,  Lucas Murphey ,  David Hazekamp ,  Michael Kinsley ,  Alexander Raitz

IPC: H04L29/06 ,  G06F21/55 ,  G06F17/30

Abstract: A metric value is determined for each event in a set of events that characterizes a computational communication or object. For example, a metric value could include a length of a URL or agent string in the event. A subset criterion is generated, such that metric values within the subset are relatively separated from a population's center (e.g., within a distribution tail). Application of the criterion to metric values produces a subset. A representation of the subset is presented in an interactive dashboard. The representation can include unique values in the subset and counts of corresponding event occurrences. Clients can select particular elements in the representation to cause more detail to be presented with respect to individual events corresponding to specific values in the subset. Thus, clients can use their knowledge system operations and observance of value frequencies and underlying events to identify anomalous metric values and potential security threats.

公开(公告)号：US20170048264A1

公开(公告)日：2017-02-16

申请号：US15339952

申请日：2016-11-01

Applicant: Splunk Inc,

Inventor： Vijay Chauhan ,  Cary Noel ,  Wenhui Yu ,  Luke Murphey ,  Alexander Raitz ,  David Hazekamp

IPC: H04L29/06 ,  G06F17/30 ,  G06F21/62 ,  G06F17/24 ,  G06F3/0484

CPC classification number: H04L63/1425 ,  G06F3/0484 ,  G06F17/241 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/30557 ,  G06F21/629 ,  G06F2221/2151 ,  H04L43/06

Abstract: Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.

Abstract translation: 公开了技术和机制，使网络安全分析师和其他用户有效地进行网络安全调查并产生调查结果的有用表示。 如本文所使用的，网络安全调查通常是指分析者（或分析师小组）对可能对管理的计算机网络造成内部和/或外部威胁的一个或多个检测到的网络事件的分析。 网络安全应用程序提供各种接口，使用户能够创建调查时间表，其中调查时间表显示与特定网络安全调查相关的事件的集合。 网络安全应用程序还提供监视和记录与网络安全应用程序的用户交互的功能，其中特定记录的用户交互也可以被添加到一个或多个调查时间线。

公开(公告)号：US20130326620A1

公开(公告)日：2013-12-05

申请号：US13956252

申请日：2013-07-31

Applicant: Splunk Inc.

Inventor： Munawar Monzy Merza ,  John Coates ,  James Hansen ,  Lucas Murphey ,  David Hazekamp ,  Michael Kinsley ,  Alexander Raitz

IPC: H04L29/06

CPC classification number: H04L63/1425 ,  G06F17/30551 ,  G06F21/552 ,  G06F2221/2151 ,  H04L63/1408 ,  H04L63/1416

Abstract: A metric value is determined for each event in a set of events that characterizes a computational communication or object. For example, a metric value could include a length of a URL or agent string in the event. A subset criterion is generated, such that metric values within the subset are relatively separated from a population's center (e.g., within a distribution tail). Application of the criterion to metric values produces a subset. A representation of the subset is presented in an interactive dashboard. The representation can include unique values in the subset and counts of corresponding event occurrences. Clients can select particular elements in the representation to cause more detail to be presented with respect to individual events corresponding to specific values in the subset. Thus, clients can use their knowledge system operations and observance of value frequencies and underlying events to identify anomalous metric values and potential security threats.

Abstract translation: 为表征计算通信或对象的一组事件中的每个事件确定度量值。 例如，度量值可以包括事件中的URL或代理字符串的长度。 生成子集标准，使得子集内的度量值与群体的中心（例如，分布尾部）相对分开。 将标准应用于度量值产生一个子集。 该子集的表示呈现在交互式仪表板中。 该表示可以包括子集中的唯一值和相应事件发生的计数。 客户端可以选择表示中的特定元素，以便相对于子集中的特定值对应的各个事件来呈现更多的细节。 因此，客户可以使用他们的知识系统操作和遵守价值频率和基础事件来识别异常度量值和潜在的安全威胁。

公开(公告)号：US20200169579A1

公开(公告)日：2020-05-28

申请号：US16777544

申请日：2020-01-30

Applicant: SPLUNK INC.

Inventor： Munawar Monzy Merza ,  John Coates ,  James M. Hansen ,  Lucas Murphey ,  David Hazekamp ,  Michael Kinsley ,  Alexander Raitz

IPC: H04L29/06 ,  G06F21/55

Abstract: A metric value is determined for each event in a set of events that characterizes a computational communication or object. For example, a metric value could include a length of a URL or agent string in the event. A subset criterion is generated, such that metric values within the subset are relatively separated from a population's center (e.g., within a distribution tail). Application of the criterion to metric values produces a subset. A representation of the subset is presented in an interactive dashboard. The representation can include unique values in the subset and counts of corresponding event occurrences. Clients can select particular elements in the representation to cause more detail to be presented with respect to individual events corresponding to specific values in the subset. Thus, clients can use their knowledge system operations and observance of value frequencies and underlying events to identify anomalous metric values and potential security threats.

公开(公告)号：US10380799B2

公开(公告)日：2019-08-13

申请号：US14266511

申请日：2014-04-30

Applicant: Splunk Inc.

Inventor： Roy Arsan ,  Alexander Raitz ,  Clark Allan ,  Cary Glen Noel

IPC: G06T19/00 ,  G06F3/01

Abstract: A system and method that allows a user to view objects in a three-dimensional environment, where one or more of the objects have a data display (e.g., a data billboard, etc.) that shows data about the object. To enhance user experience and to provide relevant contextual data as the user navigates through the three-dimensional environment, the system calculates a location for the user and a location for each object and determines if a relationship between the user frame of reference and each object location satisfies a first criterion. If the first criterion is satisfied, the system is configured to move the data display to the bottom of a viewing area of the three-dimensional environment (e.g. docking the data display to the bottom of the viewing area, etc.). The system may also arrange the data displays in the same order as the objects are perceived by the user in the three-dimensional environment.

公开(公告)号：US20190166146A1

公开(公告)日：2019-05-30

申请号：US16264561

申请日：2019-01-31

Applicant: Splunk Inc,

Inventor： Vijay Chauhan ,  Cary Noel ,  Wenhui Yu ,  Luke Murphey ,  Alexander Raitz ,  David Hazekamp

IPC: H04L29/06 ,  G06F17/24 ,  G06F21/62 ,  G06F16/2458 ,  G06F16/25 ,  H04L12/26 ,  G06F3/0484 ,  G06F16/248

Abstract: Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.

公开(公告)号：US20180336726A1

公开(公告)日：2018-11-22

申请号：US16049622

申请日：2018-07-30

Applicant: SPLUNK INC.

Inventor： Roy Arsan ,  Alexander Raitz ,  Clark Allan ,  Cary Glen Noel

IPC: G06T19/00 ,  G06T15/00 ,  G06T15/20

Abstract: Systems and methods according to various embodiments enable a user to view three-dimensional representations of data objects (“nodes”) within a 3D environment from a first person perspective. The system may be configured to allow the user to interact with the nodes by moving a virtual camera through the 3D environment. The nodes may have one or more attributes that may correspond, respectively, to particular static or dynamic values within the data object's data fields. The attributes may include physical aspects of the nodes, such as color, size, or shape. The system may group related data objects within the 3D environment into clusters that are demarked using one or more cluster designators, which may be in the form of a dome or similar feature that encompasses the related data objects. The system may enable multiple users to access the 3D environment simultaneously, or to record their interactions with the 3D environment.

公开(公告)号：US20170048265A1

公开(公告)日：2017-02-16

申请号：US15339955

申请日：2016-11-01

Applicant: Splunk Inc.

Inventor： Munawar Monzy Merza ,  John Coates ,  James M. Hansen ,  Lucas Murphey ,  David Hazekamp ,  Michael Kinsley ,  Alexander Raitz

IPC: H04L29/06

CPC classification number: H04L63/1425 ,  G06F17/30551 ,  G06F21/552 ,  G06F2221/2151 ,  H04L63/1408 ,  H04L63/1416

Abstract: A metric value is determined for each event in a set of events that characterizes a computational communication or object. For example, a metric value could include a length of a URL or agent string in the event. A subset criterion is generated, such that metric values within the subset are relatively separated from a population's center (e.g., within a distribution tail). Application of the criterion to metric values produces a subset. A representation of the subset is presented in an interactive dashboard. The representation can include unique values in the subset and counts of corresponding event occurrences. Clients can select particular elements in the representation to cause more detail to be presented with respect to individual events corresponding to specific values in the subset. Thus, clients can use their knowledge system operations and observance of value frequencies and underlying events to identify anomalous metric values and potential security threats.

Abstract translation: 为表征计算通信或对象的一组事件中的每个事件确定度量值。 例如，度量值可以包括事件中的URL或代理字符串的长度。 生成子集标准，使得子集内的度量值与群体的中心（例如，分布尾部）相对分开。 将标准应用于度量值产生一个子集。 该子集的表示呈现在交互式仪表板中。 该表示可以包括子集中的唯一值和相应事件发生的计数。 客户端可以选择表示中的特定元素，以便相对于子集中的特定值对应的各个事件来呈现更多的细节。 因此，客户可以使用他们的知识系统操作和遵守价值频率和基础事件来识别异常度量值和潜在的安全威胁。

公开(公告)号：US11363047B2

公开(公告)日：2022-06-14

申请号：US17018360

申请日：2020-09-11

Applicant: Splunk Inc.

Inventor： Vijay Chauhan ,  Cary Noel ,  Wenhui Yu ,  Luke Murphey ,  Alexander Raitz ,  David Hazekamp

IPC: H04L9/40 ,  G06F3/0484 ,  G06F16/25 ,  G06F16/248 ,  G06F16/2458 ,  H04L43/026 ,  G06F40/169 ,  G06F21/62 ,  H04L43/06

Abstract: Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.

公开(公告)号：US10567412B2

公开(公告)日：2020-02-18

申请号：US16100147

申请日：2018-08-09

Applicant: SPLUNK INC.

Inventor： Munawar Monzy Merza ,  John Coates ,  James M Hansen ,  Lucas Murphey ,  David Hazekamp ,  Michael Kinsley ,  Alexander Raitz

IPC: H04L29/06 ,  G06F21/55 ,  G06F16/2458

Abstract: A metric value is determined for each event in a set of events that characterizes a computational communication or object. For example, a metric value could include a length of a URL or agent string in the event. A subset criterion is generated, such that metric values within the subset are relatively separated from a population's center (e.g., within a distribution tail). Application of the criterion to metric values produces a subset. A representation of the subset is presented in an interactive dashboard. The representation can include unique values in the subset and counts of corresponding event occurrences. Clients can select particular elements in the representation to cause more detail to be presented with respect to individual events corresponding to specific values in the subset. Thus, clients can use their knowledge system operations and observance of value frequencies and underlying events to identify anomalous metric values and potential security threats.