Method and system for reviewing identified threats for performing computer security monitoring
First Claim
1. A computerized method comprising:
receiving event data associated with network activities by devices, applications, and network users that interact with a computer network, wherein the devices, applications, and network users are different types of entities;
identifying instances of potential network compromise automatically determined from the event data, wherein instances include threats and anomalies, the identified instances are associated with each of the respective devices, applications, and network users that participated in the network activities from which the instances were determined, and each threat is an interpretation or a conclusion based on one or more of the anomalies;
automatically determining a score for each entity, wherein the score indicates a risk level based at least in part on the number and/or type of identified instances of potential network compromise associated with the entity; and
causing display, in a graphical user interface, of an indication of the score for each of the entities, wherein:
the graphical user interface selectively provides an entities view for each of the types of entities, each entities view lists at least all entities of that selected type that participated in network activities that triggered determinations of potential network compromise, and each entity listed in the entities view includes the associated score and a link which, upon selection by a user, causes the graphical user interface to generate a detailed view comprising additional data about the selected entity.
1 Assignment
0 Petitions
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is "big data" driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat and to take action promptly.
68 Citations
27 Claims
1. A computerized method comprising:
receiving event data associated with network activities by devices, applications, and network users that interact with a computer network, wherein the devices, applications, and network users are different types of entities;
identifying instances of potential network compromise automatically determined from the event data, wherein instances include threats and anomalies, the identified instances are associated with each of the respective devices, applications, and network users that participated in the network activities from which the instances were determined, and each threat is an interpretation or a conclusion based on one or more of the anomalies;
automatically determining a score for each entity, wherein the score indicates a risk level based at least in part on the number and/or type of identified instances of potential network compromise associated with the entity; and
causing display, in a graphical user interface, of an indication of the score for each of the entities, wherein:
the graphical user interface selectively provides an entities view for each of the types of entities, each entities view lists at least all entities of that selected type that participated in network activities that triggered determinations of potential network compromise, and each entity listed in the entities view includes the associated score and a link which, upon selection by a user, causes the graphical user interface to generate a detailed view comprising additional data about the selected entity.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17

18. A non-transitory, computer-readable storage medium storing instructions, an execution of which in a computer system causes the computer system to perform operations comprising:
receiving event data associated with network activities by devices, applications, and network users that interact with a computer network, wherein the devices, applications, and network users are different types of entities;
identifying instances of potential network compromise automatically determined from the event data, wherein instances include threats and anomalies, the identified instances are associated with each of the respective devices, applications, and network users that participated in the network activities from which the instances were determined, and each threat is an interpretation or a conclusion based on one or more of the anomalies;
automatically determining a score for each entity, wherein the score indicates a risk level based at least in part on the number and/or type of identified instances of potential network compromise associated with the entity;
causing for display, in a graphical user interface, of an indication of the score for each of the entities, wherein:
the graphical user interface selectively provides an entities view for each of the types of entities, each entities view lists at least all entities of that selected type that participated in network activities that triggered determinations of potential network compromise, and each entity listed in the entities view includes the associated score and a link which, upon selection by a user, causes the graphical user interface to generate a detailed view comprising additional data about the selected entity.
Dependent claims: 19, 20, 21, 22, 23, 24

25. A computer system comprising:
computer memory for storing machine data; and
a processor for:
receiving event data associated with network activities by devices, applications, and network users that interact with a computer network, wherein the devices, applications, and network users are different types of entities;
identifying instances of potential network compromise automatically determined from the event data, wherein instances include threats and anomalies, the identified instances are associated with each of the respective devices, applications, and network users that participated in the network activities from which the instances were determined, and each threat is an interpretation or a conclusion based on one or more of the anomalies;
automatically determining a score for each entity, wherein the score indicates a risk level based at least in part on the number and type of identified instances of potential network compromise associated with the entity;
causing display, in a graphical user interface, of an indication of the score for each of the entities, wherein:
the graphical user interface selectively provides an entities view for each of the types of entities, each entities view lists at least all entities of that selected type that participated in network activities that triggered determinations of potential network compromise, and each entity listed in the entities view includes the associated score and a link which, upon selection by a user, causes the graphical user interface to generate a detailed view comprising additional data about the selected entity.
Dependent claims: 26, 27
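The pipeline that claim 1 (and claims 18 and 25) recite, worked through in code as an added illustration that is not the patent holder's implementation: per-event anomaly rules, a threat inferred as a conclusion from two anomalies of the same user, a per-entity score summed from the number and type of instances tied to each user, device and application, and the per-type entities view with a link to a detail view. The event fields, anomaly rules, thresholds, weights and risk-level bands are all assumptions chosen for the example; the events are constructed.

```python
"""Entity risk scoring over constructed events, in the shape of claim 1.
Added illustration; rules, weights and event fields are assumed, not the patent's."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (assumed schema; not from any real log source).
EVENTS = [
    {"id": 1, "user": "alice", "device": "wks-17", "app": "vpn",   "hour": 9,  "bytes_out": 2_000,       "new_geo": False},
    {"id": 2, "user": "alice", "device": "wks-17", "app": "share", "hour": 10, "bytes_out": 5_000,       "new_geo": False},
    {"id": 3, "user": "bob",   "device": "lap-03", "app": "vpn",   "hour": 3,  "bytes_out": 1_000,       "new_geo": True},
    {"id": 4, "user": "bob",   "device": "lap-03", "app": "share", "hour": 3,  "bytes_out": 900_000_000, "new_geo": False},
    {"id": 5, "user": "carol", "device": "srv-01", "app": "db",    "hour": 14, "bytes_out": 700_000_000, "new_geo": False},
]

ENTITY_TYPES = ("user", "device", "app")   # the three entity types of the claim

# Assumed weights by instance type: a threat (a conclusion) outweighs a raw anomaly.
WEIGHTS = {"anomaly:off_hours": 10, "anomaly:new_geo": 15,
           "anomaly:bulk_transfer": 20, "threat:exfiltration": 50}

@dataclass
class Instance:
    kind: str          # "anomaly" or "threat"
    name: str
    event_ids: tuple   # supporting evidence: the events it was determined from
    entities: dict     # {entity_type: entity_name} that participated

    @property
    def key(self):
        return f"{self.kind}:{self.name}"

def detect_anomalies(events):
    """Per-event anomaly rules (assumed thresholds: before 06:00, new location, >500 MB out)."""
    out = []
    for e in events:
        ents = {t: e[t] for t in ENTITY_TYPES}
        if e["hour"] < 6:
            out.append(Instance("anomaly", "off_hours", (e["id"],), ents))
        if e["new_geo"]:
            out.append(Instance("anomaly", "new_geo", (e["id"],), ents))
        if e["bytes_out"] > 500_000_000:
            out.append(Instance("anomaly", "bulk_transfer", (e["id"],), ents))
    return out

def infer_threats(anomalies):
    """A threat is a conclusion from one or more anomalies: off-hours activity plus a
    bulk transfer by the same user is interpreted as exfiltration (assumed rule)."""
    by_user = defaultdict(list)
    for a in anomalies:
        by_user[a.entities["user"]].append(a)
    threats = []
    for items in by_user.values():
        if {"off_hours", "bulk_transfer"} <= {a.name for a in items}:
            evidence = tuple(sorted({i for a in items for i in a.event_ids}))
            ents = next(a.entities for a in items if a.name == "bulk_transfer")
            threats.append(Instance("threat", "exfiltration", evidence, ents))
    return threats

def score_entities(instances):
    """Score per (entity_type, name): sum of the weights of the instances the entity
    participated in. Entities with no instances never appear."""
    scores, evidence = defaultdict(int), defaultdict(list)
    for inst in instances:
        for etype, name in inst.entities.items():
            scores[(etype, name)] += WEIGHTS[inst.key]
            evidence[(etype, name)].append(inst)
    return dict(scores), dict(evidence)

def risk_level(score):
    """Assumed bands mapping a score to the risk level the claim says it indicates."""
    return "high" if score >= 100 else "medium" if score >= 50 else "low"

def entities_view(entity_type, scores):
    """The per-type entities view: every entity of that type that triggered a
    determination, with its score, level and a link to its detail view (assumed URL scheme)."""
    rows = [{"entity": name, "score": s, "risk_level": risk_level(s),
             "detail_link": f"/entity/{entity_type}/{name}"}
            for (etype, name), s in scores.items() if etype == entity_type]
    return sorted(rows, key=lambda r: -r["score"])

def detail_view(entity_type, name, evidence):
    """Detail view: the instances, with their supporting events, behind one entity's score."""
    return [{"instance": i.key, "events": list(i.event_ids)}
            for i in evidence.get((entity_type, name), [])]

def run(events=EVENTS):
    anomalies = detect_anomalies(events)
    return score_entities(anomalies + infer_threats(anomalies))

if __name__ == "__main__":
    scores, evidence = run()
    for t in ENTITY_TYPES:
        print(t, entities_view(t, scores))
    print(detail_view("user", "bob", evidence))
```

On the constructed input, bob's two off-hours events, the new location and the bulk transfer compose into an exfiltration threat, so bob and his laptop score 105 (high) while the share application scores 80 and the VPN 25; alice generated no instance and so is absent from the users view, which is exactly the "at least all entities that triggered determinations" condition of the claim.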