Abstract: A method includes defining a set of context types; defining a set of source types, each comprising context types; defining, for each source type, and for each context type included in the events from data sources having the source type, a context definition comprising a set of fields, in events from the data sources, that are associated with the context type; receiving a query comprising a first field value and a time period; retrieving a plurality of events that include the first field value and the time period; for each retrieved event, and for each context definition defined for a source type and a context type of a data source from which the retrieved event originated, determining field values of fields in the set of fields of the context definition; aggregating, for each context type, determined field values from the events; and generating an output.

Abstract: A processing device receives a first query comprising a first field value and a first time period. The processing device performs a first search of a data store to identify a first plurality of events having the first time period and at least one field that comprises the first field value. The processing device generates a first search object comprising the first field value. The processing device generates a search event comprising the first field value and a reference to the first search object. An event entry for the first search event is then written to the data store. Future searches may return both the first search event and other events.

Abstract: A processing device receives a first query comprising a first field value and a first time period. The processing device performs a first search of a data store to identify a first plurality of events having the first time period and at least one field that comprises the first field value. The processing device generates a first search object comprising the first field value. The processing device generates a search event comprising the first field value and a reference to the first search object. An event entry for the first search event is then written to the data store. Future searches may return both the first search event and other events.

Abstract: A method includes defining a set of context types; defining a set of source types, each comprising context types; defining, for each source type, and for each context type included in the events from data sources having the source type, a context definition comprising a set of fields, in events from the data sources, that are associated with the context type; receiving a query comprising a first field value and a time period; retrieving a plurality of events that include the first field value and the time period; for each retrieved event, and for each context definition defined for a source type and a context type of a data source from which the retrieved event originated, determining field values of fields in the set of fields of the context definition; aggregating, for each context type, determined field values from the events; and generating an output.

Abstract: A processing device receives a first query comprising a first field value and a first time period. The processing device performs a first search of a data store to identify a first plurality of events having the first time period and at least one field that comprises the first field value. The processing device generates a first search object comprising the first field value. The processing device generates a search event comprising the first field value and a reference to the first search object. An event entry for the first search event is then written to the data store. Future searches may return both the first search event and other events.

Abstract: A processing device receives a first query comprising a first field value and a first time period. The processing device performs a first search of a data store to identify a first plurality of events having the first time period and at least one field that comprises the first field value. The processing device generates a first search object comprising the first field value. The first search object may be a data structure, file or data record, and is stored in the data store. The processing device generates a search event comprising the first field value and a reference to the first search object. An event entry for the first search event is then written to the data store. Future searches may return both the first search event and other events, as well as search objects.

Abstract: A processing device receives a query comprising a first field value and a time period and performs a first search of a data store using the first field value to identify a plurality of events having the time period and a field that comprises the first field value. The processing device determines a first subset of the plurality of events associated with a first context definition and determines a plurality of fields specified in the first context definition. The processing device determines, for events in the first subset, field values of one or more fields specified in the first context definition. The processing device generates a report based on the field values of the one or more fields specified in the first context definition from the events in the first subset. The processing device generates a response to the query that comprises at least a portion of the report.

Abstract: A method includes defining a set of context types; defining a set of source types, each comprising context types; defining, for each source type, and for each context type included in the events from data sources having the source type, a context definition comprising a set of fields, in events from the data sources, that are associated with the context type; receiving a query comprising a first field value and a time period; retrieving a plurality of events that include the first field value and the time period; for each retrieved event, and for each context definition defined for a source type and a context type of a data source from which the retrieved event originated, determining field values of fields in the set of fields of the context definition; aggregating, for each context type, determined field values from the events; and generating an output.

Abstract: A processing device receives a first query comprising a first field value and a first time period. The processing device performs a first search of a data store to identify a first plurality of events having the first time period and at least one field that comprises the first field value. The processing device generates a first search object comprising the first field value. The first search object may be a data structure, file or data record, and is stored in the data store. The processing device generates a search event comprising the first field value and a reference to the first search object. An event entry for the first search event is then written to the data store. Future searches may return both the first search event and other events, as well as search objects.

Abstract: A processing device receives a first query comprising a first field value and a first time period. The processing device performs a first search of a data store to identify a first plurality of events having the first time period and at least one field that comprises the first field value. The processing device generates a first search object comprising the first field value. The processing device generates a search event comprising the first field value and a reference to the first search object. An event entry for the first search event is then written to the data store. Future searches may return both the first search event and other events.

Abstract: A processing device receives a query comprising a first field value and a time period. The processing device performs a first search of a data store using the first field value to identify a first plurality of events having the time period and a field that comprises the first field value. The processing device determines, for one of the plurality of events, a second field value of a second field that is specified in a first context definition, the second field having an assigned field type. The processing device automatically performs a second search of the data store using the additional field value to identify a second plurality of events having the time period and the additional field value. Information from the first plurality of events and the second plurality of events is aggregated, and a response to the query is generated that comprises the aggregated information.

Abstract: A processing device receives a plurality of discrete log entries from a first data store and generates an event for each discrete log entry that satisfies a criterion. To generate an event the processing device determines a source type associated with a discrete log entry, parses the discrete log entry based on the source type, determines a plurality of fields of the discrete log entry, identifies a subset of the plurality of fields, wherein one or more fields in the subset are to be used as link keys for linking together events, and assigns a field type to each field in the subset of the plurality of fields. The processing device additionally writes a plurality of event entries for the event into a second data store. A separate event entry is written for each field of the subset of the plurality of fields having an assigned field type.

Abstract: A processing device receives a first query comprising a first field value and a first time period. The processing device performs a first search of a data store to identify a first plurality of events having the first time period and at least one field that comprises the first field value. The processing device generates a first search object comprising the first field value. The processing device generates a search event comprising the first field value and a reference to the first search object. An event entry for the first search event is then written to the data store. Future searches may return both the first search event and other events.

Abstract: A processing device receives a plurality of discrete log entries from a first data store and generates an event for each discrete log entry that satisfies a criterion. To generate an event the processing device determines a source type associated with a discrete log entry, parses the discrete log entry based on the source type, determines a plurality of fields of the discrete log entry, identifies a subset of the plurality of fields, wherein one or more fields in the subset are to be used as keys for indexing events, and assigns a field type to each field in the subset of the plurality of fields. The processing device additionally writes a plurality of event entries for the event into a second data store. A separate event entry is written for each field of the subset of the plurality of fields having an assigned field type.

Abstract: A processing device receives a query comprising a first field value and a time period. The processing device performs a first search of a data store using the first field value to identify a first plurality of events having the time period and a field that comprises the first field value. The processing device determines, for one of the plurality of events, a second field value of a second field that is specified in a first context definition, the second field having an assigned field type. The processing device automatically performs a second search of the data store using the additional field value to identify a second plurality of events having the time period and the additional field value. Information from the first plurality of events and the second plurality of events is aggregated, and a response to the query is generated that comprises the aggregated information.

Abstract: A processing device receives a query comprising a first field value and a time period and performs a first search of a data store using the first field value to identify a plurality of events having the time period and a field that comprises the first field value. The processing device determines a first subset of the plurality of events associated with a first context definition and determines a plurality of fields specified in the first context definition. The processing device determines, for events in the first subset, field values of one or more fields specified in the first context definition. The processing device generates a report based on the field values of the one or more fields specified in the first context definition from the events in the first subset. The processing device generates a response to the query that comprises at least a portion of the report.

Abstract: A processing device receives a plurality of discrete log entries from a first data store and generates an event for each discrete log entry that satisfies a criterion. To generate an event the processing device determines a source type associated with a discrete log entry, parses the discrete log entry based on the source type, determines a plurality of fields of the discrete log entry, identifies a subset of the plurality of fields, wherein one or more fields in the subset are to be used as link keys for linking together events, and assigns a field type to each field in the subset of the plurality of fields. The processing device additionally writes a plurality of event entries for the event into a second data store. A separate event entry is written for each field of the subset of the plurality of fields having an assigned field type.

Abstract: A processing device receives a plurality of discrete log entries from a first data store and generates an event for each discrete log entry that satisfies a criterion. To generate an event the processing device determines a source type associated with a discrete log entry, parses the discrete log entry based on the source type, determines a plurality of fields of the discrete log entry, identifies a subset of the plurality of fields, wherein one or more fields in the subset are to be used as keys for indexing events, and assigns a field type to each field in the subset of the plurality of fields. The processing device additionally writes a plurality of event entries for the event into a second data store. A separate event entry is written for each field of the subset of the plurality of fields having an assigned field type.

Abstract: A processing device receives a query from a service, the query comprising a first field value, a time period and a content request. The processing device performs a first search of a data store using the first field value to identify a plurality of events having the time period and at least one field that comprises the first field value and determines a first subset of the plurality of events associated with a first context definition. The processing device determines a plurality of fields specified in the first context definition and further determines, for events in the first subset, field values of one or more fields specified in the first context definition. The processing device determines, from the field values of the one or more fields specified in the first context definition, content that satisfies the content request and generates a response to the query that comprises the content.

Abstract: Different network segments can have overlapping address spaces. In one embodiment, the present invention includes a distributed agent of a security system receiving a security event from a network device monitored by the agent. In one embodiment, the agent normalizes the security event into an event schema including one or more zone fields. In one embodiment, the agent also determines one or more zones associated with the received security event, the one or more zones each describing a part of a network, and populates the one or more zone fields using the determined one or more zones.