Selecting network security investigation timelines based on identifiers
First Claim
1. A method, comprising:
causing display of one or more identifiers, each identifier identifying an investigation timeline associated with first data representing one or more computer network security events stored by a data intake and query system, and second data representing one or more actions taken by a user to investigate a network security incident, each identifier includes an indication of one or more users assigned to a corresponding investigation timeline;
receiving a selection of a particular identifier from the displayed identifiers; and
causing display of the investigation timeline identified by the selected identifier.
Abstract
Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.
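The abstract and claim 1 describe three things: timelines that merge events fetched from the data intake and query system with logged analyst actions, a list of identifiers that each name the assigned users, and display of the timeline a user selects. The following is an added example written for this page, not code from the patent or from any product; `InvestigationApp`, `build_demo` and the sample events and user names are hypothetical, constructed to show the merge-and-select behaviour end to end.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Union


@dataclass(frozen=True)
class SecurityEvent:
    """'First data': one event retrieved from the data intake and query system."""
    time: datetime
    source: str      # e.g. "firewall", "edr"
    summary: str


@dataclass(frozen=True)
class AnalystAction:
    """'Second data': one logged interaction of a user with the security application."""
    time: datetime
    user: str
    description: str


@dataclass
class InvestigationTimeline:
    timeline_id: str
    title: str
    assigned_users: List[str]
    events: List[SecurityEvent] = field(default_factory=list)
    actions: List[AnalystAction] = field(default_factory=list)

    def identifier(self) -> str:
        """The identifier shown in the list view: id, title and assigned users."""
        return f"{self.timeline_id}: {self.title} [assigned: {', '.join(sorted(self.assigned_users))}]"

    def entries(self) -> List[Union[SecurityEvent, AnalystAction]]:
        """Events and analyst actions merged into one chronological sequence."""
        return sorted([*self.events, *self.actions], key=lambda e: e.time)

    def render(self) -> List[str]:
        """Text rendering of the timeline: identifier first, then one line per entry."""
        lines = [self.identifier()]
        for entry in self.entries():
            stamp = entry.time.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            if isinstance(entry, SecurityEvent):
                lines.append(f"{stamp} EVENT  {entry.source}: {entry.summary}")
            else:
                lines.append(f"{stamp} ACTION {entry.user}: {entry.description}")
        return lines


class InvestigationApp:
    """Hypothetical stand-in for the network security application in the abstract."""

    def __init__(self) -> None:
        self._timelines: Dict[str, InvestigationTimeline] = {}
        self.audit_log: List[AnalystAction] = []   # every logged user interaction

    def create_timeline(self, timeline_id: str, title: str, assigned_users: Iterable[str]) -> InvestigationTimeline:
        tl = InvestigationTimeline(timeline_id, title, list(assigned_users))
        self._timelines[timeline_id] = tl
        return tl

    def add_events(self, timeline_id: str, events: Iterable[SecurityEvent]) -> None:
        self._timelines[timeline_id].events.extend(events)

    def record_action(self, user: str, description: str, time: datetime,
                      add_to: Iterable[str] = ()) -> AnalystAction:
        """Log a user interaction; optionally attach it to one or more timelines."""
        action = AnalystAction(time, user, description)
        self.audit_log.append(action)
        for timeline_id in add_to:
            self._timelines[timeline_id].actions.append(action)
        return action

    def list_identifiers(self) -> List[str]:
        """Step 1 of claim 1: the identifiers, each naming its assigned users."""
        return [tl.identifier() for _, tl in sorted(self._timelines.items())]

    def select(self, identifier: str) -> InvestigationTimeline:
        """Step 2: resolve a selected identifier; an unknown identifier is an error."""
        for tl in self._timelines.values():
            if tl.identifier() == identifier:
                return tl
        raise KeyError(f"no investigation timeline with identifier {identifier!r}")

    def display(self, identifier: str) -> List[str]:
        """Step 3: render the timeline identified by the selection."""
        return self.select(identifier).render()


def build_demo() -> InvestigationApp:
    """Constructed sample data (not from the patent): two timelines and a few actions."""
    def ts(hour: int, minute: int) -> datetime:
        return datetime(2024, 3, 1, hour, minute, tzinfo=timezone.utc)

    app = InvestigationApp()
    app.create_timeline("INV-1", "Suspicious outbound beaconing", ["bob", "alice"])
    app.create_timeline("INV-2", "Phishing report", ["carol"])
    app.add_events("INV-1", [
        SecurityEvent(ts(10, 0), "firewall", "10.0.0.5 -> 203.0.113.7:443 every 60s"),
        SecurityEvent(ts(10, 5), "edr", "powershell.exe spawned by winword.exe on HOST-7"),
    ])
    app.record_action("alice", "ran search: index=proxy dest_ip=203.0.113.7", ts(10, 20), add_to=["INV-1"])
    app.record_action("bob", "isolated HOST-7 via EDR", ts(10, 30), add_to=["INV-1"])
    app.record_action("carol", "viewed SOC overview dashboard", ts(11, 0))  # logged, not attached
    return app


if __name__ == "__main__":
    demo = build_demo()
    for ident in demo.list_identifiers():
        print(ident)
    print("\n".join(demo.display(demo.list_identifiers()[0])))
```

Two things the claims do not cover but a deployment needs: resolve the selection by a stable timeline id rather than by matching the rendered display string (titles and assignee lists change), and authorize the requesting user before rendering, since the assignee indication in the identifier is informational only and a timeline holds both raw event data and the analysts' own action log.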
29 Claims
1. A method, comprising:
causing display of one or more identifiers, each identifier identifying an investigation timeline associated with first data representing one or more computer network security events stored by a data intake and query system, and second data representing one or more actions taken by a user to investigate a network security incident, each identifier includes an indication of one or more users assigned to a corresponding investigation timeline;
receiving a selection of a particular identifier from the displayed identifiers; and
causing display of the investigation timeline identified by the selected identifier.
Dependent claims: 2-27.

28. One or more non-transitory computer-readable storage media, storing instructions, which when executed by one or more processors cause performance of:
causing display of one or more identifiers, each identifier identifying an investigation timeline associated with first data representing one or more computer network security events stored by a data intake and query system, and second data representing one or more actions taken by a user to investigate a network security incident, each identifier includes an indication of one or more users assigned to a corresponding investigation timeline;
receiving a selection of a particular identifier from the displayed identifiers; and
causing display of the investigation timeline identified by the selected identifier.

29. An apparatus, comprising:
a display subsystem, implemented at least partially in hardware, that causes display of one or more identifiers, each identifier identifying an investigation timeline associated with first data representing one or more computer network security events stored by a data intake and query system, and second data representing one or more actions taken by a user to investigate a network security incident, each identifier includes an indication of one or more users assigned to a corresponding investigation timeline;
an input receiver subsystem, implemented at least partially in hardware, that receives a selection of a particular identifier from the displayed identifiers; and
wherein the display subsystem further causes, in response to receiving the selection of the particular identifier, display of the investigation timeline identified by the selected identifier.
Specification