Title Investigative and dynamic detection of potential security-threat indicators from events in big data
Abstract A metric value is determined for each event in a set of events that characterizes a computational communication or object. For example, a metric value could include a length of a URL or agent string in the event. A subset criterion is generated, such that metric values within the subset are relatively separated from a population's center (e.g., within a distribution tail). Application of the criterion to metric values produces a subset. A representation of the subset is presented in an interactive dashboard. The representation can include unique values in the subset and counts of corresponding event occurrences. Clients can select particular elements in the representation to cause more detail to be presented with respect to individual events corresponding to specific values in the subset. Thus, clients can use their knowledge of system operations and observance of value frequencies and underlying events to identify anomalous metric values and potential security threats.
Publication number US9215240(B2) Publication date 2015.12.15
Application number US201313956252 Filing date 2013.07.31
Applicant Splunk Inc. Inventors Merza Munawar Monzy; Coates John; Hansen James; Murphey Lucas; Hazekamp David; Kinsley Michael; Raitz Alexander
Classification H04L29/06; G06F21/55 Main classification H04L29/06
Attorney firm Wong & Rees LLP Attorneys Wong & Rees LLP; Wong Kirk D.
Independent claim 1. A method performed by one or more computing devices, comprising: organizing raw machine data collected from one or more remote hardware devices, wherein the collected raw machine data relates to operations or activities in an information technology environment, wherein the one or more computing devices is configured to collect the raw machine data as a plurality of data types from a plurality of remote hardware devices into a set of searchable, time-stamped events; storing the set of events in a data store stored in computer memory, wherein each event in the set of events is searchable based on its associated time stamp; executing a computer-implemented search to identify a subset of the set of events satisfying search criteria that includes having a time stamp occurring within a specified time period; while or after identifying the subset of the set of events, applying a schema to the raw machine data included in each event in the subset of the set of events in order to impose structure on the raw machine data and to extract a set of semantically related values; calculating a population statistic based on the set of values; receiving a criterion for determining whether each value in the set of values is sufficiently different than the population statistic; determining a subset of values in the set of values, wherein each value in the subset of values is identified as an outlier in relation to the population statistic based on application of the criterion to each value in the set of values; and causing graphical display of information relating to the subset of values.
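The pipeline the abstract and claim describe, as an added illustration that is not the patent's or Splunk's code: a schema applied at search time extracts a URL (or agent) field from raw events, the URL length is the metric, the population center is the median with a MAD-based scale (my choice of statistic and criterion; the patent does not fix one), and the tail values are summarized as unique values with counts and drilled down to the events behind them. The events, field names and threshold are constructed assumptions.

```python
import re
import statistics
from collections import Counter

# Constructed sample of raw web-access events (not from the patent); the
# long query string stands in for the kind of value an analyst would inspect.
EVENTS = [
    {"ts": 1, "_raw": 'GET /index.html "Mozilla/5.0"'},
    {"ts": 2, "_raw": 'GET /about.html "Mozilla/5.0"'},
    {"ts": 3, "_raw": 'GET /login "Mozilla/5.0"'},
    {"ts": 4, "_raw": 'GET /img/logo.png "Mozilla/5.0"'},
    {"ts": 5, "_raw": 'GET /search?q=a "Mozilla/5.0"'},
    {"ts": 6, "_raw": 'GET /x?d=' + "A" * 200 + ' "curl/7.0"'},
    {"ts": 7, "_raw": 'GET /x?d=' + "A" * 200 + ' "curl/7.0"'},
]

# Schema applied to _raw at search time to extract the "url" and "agent"
# fields (hypothetical field names).
SCHEMA = re.compile(r'^GET (?P<url>\S+) "(?P<agent>[^"]*)"')


def extract(events, field="url"):
    """Apply the schema to each event; return (event, field value) pairs."""
    out = []
    for ev in events:
        m = SCHEMA.match(ev["_raw"])
        if m:
            out.append((ev, m.group(field)))
    return out


def outlier_lengths(pairs, threshold=3.5):
    """Flag values whose length lies in the tail of the population.

    Center = median, scale = 1.4826 * MAD (robust, so the outliers do not
    drag the center); outlier when |len - median| / scale > threshold.
    """
    lengths = [len(v) for _, v in pairs]
    center = statistics.median(lengths)
    mad = statistics.median(abs(x - center) for x in lengths)
    scale = 1.4826 * mad if mad else 1.0  # assumed fallback when MAD is 0
    return [(ev, v) for (ev, v), n in zip(pairs, lengths)
            if abs(n - center) / scale > threshold]


def dashboard(outliers):
    """Unique outlier values with occurrence counts, as the dashboard shows."""
    return Counter(v for _, v in outliers)


def drill_down(outliers, value):
    """Events behind one selected value (the dashboard click-through)."""
    return [ev for ev, v in outliers if v == value]
```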
Address San Francisco CA US