Method and system for generating a kill chain for monitoring computer network security
First Claim
1. A method comprising:
- receiving event data associated with network activities, wherein the event data comprises machine data;
- evaluating event data based on a machine learning model utilizing historical data pertaining to evaluations of past events;
- identifying at least one anomaly automatically determined from machine learning on the event data;
- identifying at least one threat automatically determined from machine learning on the event data and the identified at least one anomaly, wherein a threat is associated with each identified anomaly that, individually or in combination, triggered the determination of the threat; and
- upon selection by a user, via a graphical user interface, of an identified threat, generating a kill chain view associated with the threat, wherein the kill chain view includes a plurality of stages, and, for each stage, the kill chain view lists each type of identified anomaly associated with each stage of the kill chain and the number of anomalies of each type, wherein the listing comprises a link for each anomaly type;
- upon selection by the user, via a graphical user interface, of the link for a selected anomaly type, generating a listing of all anomalies of the selected type, including a link for each anomaly;
- upon selection by the user of the link for a selected anomaly, generating a prompt to tag the anomaly for subsequent tracking; and
- upon receiving input from the user regarding the identified threat based upon the anomalies in the generated kill chain view, providing feedback for training the machine learning model.
2 Assignments
0 Petitions
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is "big data" driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat and to take action promptly.
54 Citations
29 Claims
1. A method comprising:
- receiving event data associated with network activities, wherein the event data comprises machine data;
- evaluating event data based on a machine learning model utilizing historical data pertaining to evaluations of past events;
- identifying at least one anomaly automatically determined from machine learning on the event data;
- identifying at least one threat automatically determined from machine learning on the event data and the identified at least one anomaly, wherein a threat is associated with each identified anomaly that, individually or in combination, triggered the determination of the threat; and
- upon selection by a user, via a graphical user interface, of an identified threat, generating a kill chain view associated with the threat, wherein the kill chain view includes a plurality of stages, and, for each stage, the kill chain view lists each type of identified anomaly associated with each stage of the kill chain and the number of anomalies of each type, wherein the listing comprises a link for each anomaly type;
- upon selection by the user, via a graphical user interface, of the link for a selected anomaly type, generating a listing of all anomalies of the selected type, including a link for each anomaly;
- upon selection by the user of the link for a selected anomaly, generating a prompt to tag the anomaly for subsequent tracking; and
- upon receiving input from the user regarding the identified threat based upon the anomalies in the generated kill chain view, providing feedback for training the machine learning model.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)

16. A non-transitory, computer-readable storage medium storing instructions, an execution of which in a computer system causes the computer system to perform operations comprising:
- receiving event data associated with network activities, wherein the event data comprises machine data;
- evaluating event data based on a machine learning model utilizing historical data pertaining to evaluations of past events;
- identifying at least one anomaly automatically determined from machine learning on the event data;
- identifying at least one threat automatically determined from machine learning on the event data and the identified at least one anomaly, wherein a threat is associated with each identified anomaly that, individually or in combination, triggered the determination of the threat; and
- upon selection by a user, via a graphical user interface, of an identified threat, generating a kill chain view associated with the threat, wherein the kill chain view includes a plurality of stages, and, for each stage, the kill chain view lists each type of identified anomaly associated with each stage of the kill chain and the number of anomalies of each type, wherein the listing comprises a link for each anomaly type;
- upon selection by the user, via a graphical user interface, of the link for a selected anomaly type, generating a listing of all anomalies of the selected type, including a link for each anomaly;
- upon selection by the user of the link for a selected anomaly, generating a prompt to tag the anomaly for subsequent tracking; and
- upon receiving input from the user regarding the identified threat based upon the anomalies in the generated kill chain view, providing feedback for training the machine learning model.
View Dependent Claims (17, 18, 19, 20, 21, 22, 23)

24. A computer system comprising:
- computer memory for storing machine data; and
- a processor for:
  - receiving event data associated with network activities, wherein the event data comprises machine data;
  - evaluating event data based on a machine learning model utilizing historical data pertaining to evaluations of past events;
  - identifying at least one anomaly automatically determined from machine learning on the event data;
  - identifying at least one threat automatically determined from machine learning on the event data and the identified at least one anomaly, wherein a threat is associated with each identified anomaly that, individually or in combination, triggered the determination of the threat; and
  - upon selection by a user, via a graphical user interface, of an identified threat, generating a kill chain view associated with the threat, wherein the kill chain view includes a plurality of stages, and, for each stage, the kill chain view lists each type of identified anomaly associated with each stage of the kill chain and the number of anomalies of each type, wherein the listing comprises a link for each anomaly type;
  - upon selection by the user, via a graphical user interface, of the link for a selected anomaly type, generating a listing of all anomalies of the selected type, including a link for each anomaly;
  - upon selection by the user of the link for a selected anomaly, generating a prompt to tag the anomaly for subsequent tracking; and
  - upon receiving input from the user regarding the identified threat based upon the anomalies in the generated kill chain view, providing feedback for training the machine learning model.
View Dependent Claims (25, 26, 27, 28, 29)
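The independent claims describe one data flow: anomalies are tied to a threat, the threat's anomalies are grouped by kill chain stage and anomaly type with a count and a link per type, a link expands to the individual anomalies, an anomaly can be tagged, and the analyst's verdict on the threat is fed back as training data. The Python below is an added illustration of that flow and is not code from the patent or its assignee; the stage names, anomaly types, sample anomalies and threat are constructed for the example, since the claims only require "a plurality of stages" and do not name them.

```python
from collections import defaultdict
from dataclasses import dataclass

# Stage names are an assumption for this example; the claims do not name the stages.
STAGES = ("external_attack", "lateral_movement", "exfiltration")


@dataclass(frozen=True)
class Anomaly:
    anomaly_id: str
    anomaly_type: str  # category the analytics assigned, e.g. "unusual_login_time"
    stage: str         # kill chain stage this anomaly type maps to
    entity: str        # user or host the anomaly concerns


@dataclass(frozen=True)
class Threat:
    threat_id: str
    anomaly_ids: tuple  # anomalies that, individually or in combination, triggered it
    risk_score: float


@dataclass
class KillChainView:
    threat_id: str
    stages: dict  # stage -> {anomaly_type: count}; every stage present, possibly empty
    links: dict   # (stage, anomaly_type) -> [anomaly_id, ...]: the per-type link


# Constructed sample data: four anomalies on one chain plus one unrelated anomaly.
ANOMALIES = [
    Anomaly("a1", "unusual_login_time", "external_attack", "alice"),
    Anomaly("a2", "unusual_login_time", "external_attack", "alice"),
    Anomaly("a3", "new_admin_share_access", "lateral_movement", "alice"),
    Anomaly("a4", "large_outbound_transfer", "exfiltration", "host-42"),
    Anomaly("a5", "unusual_login_time", "external_attack", "bob"),  # not in the threat
]
THREAT = Threat("t1", ("a1", "a2", "a3", "a4"), 0.87)


def build_kill_chain_view(threat, anomalies):
    """Group the threat's anomalies by stage and type, counting each type per stage."""
    by_id = {a.anomaly_id: a for a in anomalies}
    stages = {stage: {} for stage in STAGES}
    links = defaultdict(list)
    for aid in threat.anomaly_ids:
        a = by_id[aid]
        if a.stage not in stages:
            raise ValueError(f"anomaly {aid} maps to unknown stage {a.stage!r}")
        stages[a.stage][a.anomaly_type] = stages[a.stage].get(a.anomaly_type, 0) + 1
        links[(a.stage, a.anomaly_type)].append(aid)
    return KillChainView(threat.threat_id, stages, dict(links))


def list_anomalies_of_type(view, anomalies, stage, anomaly_type):
    """Follow a type link: every anomaly of that type in that stage of the view."""
    by_id = {a.anomaly_id: a for a in anomalies}
    return [by_id[aid] for aid in view.links.get((stage, anomaly_type), [])]


class AnalystTracker:
    """Holds analyst tags on anomalies and verdicts on threats for later model training."""

    def __init__(self):
        self.tags = {}      # anomaly_id -> tag chosen at the tagging prompt
        self.verdicts = {}  # threat_id -> "confirmed" | "false_positive"

    def tag_anomaly(self, anomaly_id, tag):
        self.tags[anomaly_id] = tag

    def record_verdict(self, view, verdict):
        """Analyst input on the threat given its kill chain view; returns a training record."""
        if verdict not in ("confirmed", "false_positive"):
            raise ValueError("verdict must be 'confirmed' or 'false_positive'")
        self.verdicts[view.threat_id] = verdict
        anomaly_ids = [aid for ids in view.links.values() for aid in ids]
        return {
            "threat_id": view.threat_id,
            "label": 1 if verdict == "confirmed" else 0,
            "anomaly_ids": anomaly_ids,
            "anomaly_tags": {aid: self.tags[aid] for aid in anomaly_ids if aid in self.tags},
        }


def render(view):
    """Plain-text rendering of the view, one line per stage, for a console demo."""
    lines = []
    for stage in STAGES:
        types = view.stages[stage]
        summary = ", ".join(f"{t} ({n})" for t, n in sorted(types.items())) or "-"
        lines.append(f"{stage}: {summary}")
    return "\n".join(lines)


if __name__ == "__main__":
    view = build_kill_chain_view(THREAT, ANOMALIES)
    print(render(view))
    tracker = AnalystTracker()
    tracker.tag_anomaly("a3", "follow_up")
    print(tracker.record_verdict(view, "confirmed"))
```

The view keeps every stage even when it is empty, so an analyst sees where in the chain the threat has no evidence yet; the training record carries the anomaly set the verdict was based on, which is what lets a verdict be attributed back to the anomalies that triggered the threat.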