Selecting network security investigation timelines based on identifiers

US 10,237,292 B2
Filed: 04/30/2016
Issued: 03/19/2019
Est. Priority Date: 08/01/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

causing display of one or more identifiers, each identifier identifying an investigation timeline associated with first data representing one or more computer network security events stored by a data intake and query system, and second data representing one or more actions taken by a user to investigate a network security incident, each identifier includes an indication of one or more users assigned to a corresponding investigation timeline;

receiving a selection of a particular identifier from the displayed identifiers; and

causing display of the investigation timeline identified by the selected identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.

Citations

29 Claims

1. A method, comprising:
- causing display of one or more identifiers, each identifier identifying an investigation timeline associated with first data representing one or more computer network security events stored by a data intake and query system, and second data representing one or more actions taken by a user to investigate a network security incident, each identifier includes an indication of one or more users assigned to a corresponding investigation timeline;
  
  receiving a selection of a particular identifier from the displayed identifiers; and
  
  causing display of the investigation timeline identified by the selected identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The method of claim 1, wherein each identifier displays a status of a corresponding investigation timeline.
  - 3. The method of claim 1, wherein each identifier displays a priority level assigned to a corresponding investigation timeline.
  - 4. The method of claim 1, further comprising displaying an indication of a total number of currently active investigation timelines.
  - 5. The method of claim 1, further comprising displaying an indication of a number of investigations completed by each of one or more users.
  - 6. The method of claim 1, further comprising displaying an indication of a kill chain status of a computer network, the kill chain status based on a status associated with a plurality of investigation timelines.
  - 7. The method of claim 1, further comprising:
    - receiving a selection of a first identifier and a second identifier from the one or more identifiers, the first identifier representing a first investigation timeline and the second identifier representing a second investigation timeline; and
      
      in response to receiving the selection of the first identifier and the second identifier, causing display of the first investigation timeline juxtaposed with the second investigation timeline.
  - 8. The method of claim 1, wherein a particular computer network security event of the one or more computer network security events corresponds to a detected malware infection, a security access violation, or network traffic.
  - 9. The method of claim 1, wherein the user actions taken by a user to investigate a network security incident include one or user interactions with a graphical user interface.
  - 10. The method of claim 1, wherein the user actions taken by a user to investigate a network security incident include submitting a search query.
  - 11. The method of claim 1, wherein causing display of the investigation timeline includes displaying a plurality of event identifiers, each event identifier of the plurality of event identifiers configured for display at a location on the investigation timeline based on a timestamp associated with a corresponding event.
  - 12. The method of claim 1, wherein causing display of the investigation timeline includes displaying a plurality of event identifiers, each event identifier of the plurality of event identifiers configured for display at a location on the investigation timeline based on a timestamp associated with a corresponding event;
    - andwherein at least one event identifier of the plurality of event identifiers corresponds to a plurality of events from a set including the one or more first events and the one or more second events.
  - 13. The method of claim 1, further comprising:
    - wherein causing display of the investigation timeline includes displaying a plurality of event identifiers, each event identifier of the plurality of event identifiers configured for display at a location on the investigation timeline based on a timestamp associated with a corresponding event;
      
      receiving input selecting a particular event identifier of the plurality of event identifiers, the particular event identifier corresponding to a particular event from a set of events derived from the first data and the second data;
      
      in response to receiving the selection of the particular event identifier, causing display of a detail view of the particular event, the detail view of the particular event including a timestamp associated with the particular event and a label associated with the particular event.
  - 14. The method of claim 1, further comprising:
    - wherein causing display of the investigation timeline includes displaying a plurality of event identifiers, each event identifier of the plurality of event identifiers configured for display at a location on the investigation timeline based on a timestamp associated with a respective event;
      
      receiving input selecting a particular event identifier of the plurality of event identifiers, the particular event identifier corresponding to a particular event from a set of events derived from the first data and the second data;
      
      in response to receiving the selection of the particular event identifier, causing display of a detail view of the particular event, the detail view of the particular event including display of at least a portion of raw data associated with the particular event.
  - 15. The method of claim 1, further comprising causing display of a detail view of a particular event from a set of events derived from the first data and the second data, the detail view of the particular event including an interface component for receiving a user annotation associated with the particular event.
  - 16. The method of claim 1, further comprising causing display of a detail view of a particular event from a set of events derived from the first data and the second data, the detail view of the particular event including a storyboard panel that displays the particular event as part of a series of events.
  - 17. The method of claim 1, further comprising creating a portable representation of the displayed investigation timeline, the portable representation including instructions for displaying the displayed investigation timeline using other application programs.
  - 18. The method of claim 1, further comprising:
    - receiving a selection of an assignment filter, the assignment filter indicating a request to display investigation timelines assigned to a particular user;
      
      wherein causing display of the one or more identifiers includes causing display of only identifiers representing investigation timelines assigned to the particular user.
  - 19. The method of claim 1, further comprising:
    - receiving a selection of an assignment filter, the assignment filter indicating a request to display investigation timelines assigned to a group of users;
      
      wherein causing display of the one or more identifiers includes causing display of only identifiers representing investigation timelines assigned to the group of users.
  - 20. The method of claim 1, wherein each identifier of the one or more identifiers includes a total number of hours worked on the corresponding investigation timeline by all users assigned to the respective investigation timeline.
  - 21. The method of claim 1, wherein each identifier of the one or more identifiers includes a number of hours worked on the corresponding investigation timeline for each user assigned to the respective investigation timeline.
  - 22. The method of claim 1, wherein the one or more identifiers are sorted based on a time each corresponding investigation timeline was last updated.
  - 23. The method of claim 1, wherein the one or more identifiers are sorted based on a time each corresponding investigation timeline was created.
  - 24. The method of claim 1, wherein the one or more identifiers are sorted based on a text label associated with each corresponding investigation timeline.
  - 25. The method of claim 1, wherein the one or more identifiers are sorted based on a set of users assigned to each corresponding investigation timeline.
  - 26. The method of claim 1, wherein the one or more identifiers are sorted based on a status associated with each corresponding investigation timeline.
  - 27. The method of claim 1, wherein the one or more identifiers are sorted based on a priority level associated with each corresponding investigation timeline.

28. One or more non-transitory computer-readable storage media, storing instructions, which when executed by one or more processors cause performance of:
- causing display of one or more identifiers, each identifier identifying an investigation timeline associated with first data representing one or more computer network security events stored by a data intake and query system, and second data representing one or more actions taken by a user to investigate a network security incident, each identifier includes an indication of one or more users assigned to a corresponding investigation timeline;
  
  receiving a selection of a particular identifier from the displayed identifiers; and
  
  causing display of the investigation timeline identified by the selected identifier.

29. An apparatus, comprising:
- a display subsystem, implemented at least partially in hardware, that causes display of one or more identifiers, each identifier identifying an investigation timeline associated with first data representing one or more computer network security events stored by a data intake and query system, and second data representing one or more actions taken by a user to investigate a network security incident, each identifier includes an indication of one or more users assigned to a corresponding investigation timeline;
  
  an input receiver subsystem, implemented at least partially in hardware, that receives a selection of a particular identifier from the displayed identifiers; and
  
  wherein the display subsystem further causes, in response to receiving the selection of the particular identifier, display of the investigation timeline identified by the selected identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Chauhan, Vijay, Noel, Cary, Yu, Wenhui
Primary Examiner(s)
Shiau, Shen

Application Number

US15/143,566
Publication Number

US 20170034196A1
Time in Patent Office

1,053 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2477   Temporal data queries

G06F 16/951   Indexing; Web crawling tech...

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/62   Protecting access to data v...

G06F 3/0484   for the control of specific...

G06F 3/04842   Selection of displayed obje...

H04L 41/22   comprising specially adapte...

H04L 43/045   for graphical visualisation...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Selecting network security investigation timelines based on identifiers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Selecting network security investigation timelines based on identifiers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links