Identifying Possible Security Threats Using Event Group Summaries

摘要

A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.

主权项

1. A method, comprising:
creating an event group from a plurality of time-stamped, searchable events, each event in the event group matching criteria relating to one or more fields in the event, each event in the plurality of time-stamped, searchable events includes information relating to security aspects of an information technology system; determining an event group summary, the summary summarizing one or more fields of the events in the event group; causing display of a graphical user interface displaying a plurality of event group summaries including the event group summary; based on user input in response to the display of the graphical user interface, changing a visual appearance of a selected event group summary among the displayed plurality of event group summaries to indicate that the selected event group summary is a possible security threat; wherein the method is performed by one or more computing devices.