Title of invention: Identifying possible security threats using event group summaries
Abstract: A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.
Publication number: US9596252(B2)  Publication date: 2017.03.14
Application number: US201615056999  Filing date: 2016.02.29
Applicant: Splunk Inc.  Inventors: Coates John; Murphey Lucas; Hazekamp David; Hansen James
Classification: G06F11/00; H04L29/06; G06F21/55  Main classification: G06F11/00
Agency: Wong & Rees LLP  Agent: Wong & Rees LLP; Wong Kirk D.
Principal claim: 1. A method, comprising: creating an event group from a plurality of time-stamped, searchable events stored in a field-searchable, non-tabular data store, each event in the event group having a portion of raw machine data reflecting activity in an information technology environment and matching criteria relating to one or more field values extracted from one or more fields present in the portion of raw machine data, wherein the criteria is evaluated using an extraction rule applied to at least a portion of the plurality of time-stamped, searchable events; determining an event group summary, the summary summarizing field values from one or more fields of the events in the event group; causing display of a graphical user interface displaying a plurality of event group summaries including the event group summary; based on user input in response to the display of the graphical user interface, changing a visual appearance of a selected event group summary among the displayed plurality of event group summaries to indicate that the selected event group summary is a security threat or removing the selected event group summary from the displayed plurality of event group summaries indicating that the selected event group summary is not a security threat; wherein the method is performed by one or more computing devices.
Address: San Francisco CA US