Storyboard displays of information technology investigative events along a timeline

US 10,250,628 B2
Filed: 10/31/2017
Issued: 04/02/2019
Est. Priority Date: 08/01/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

causing display of a timeline view of events in an information technology security investigation;

causing display on the timeline view of one or more system events that contain data that reflect activity in an information technology environment, wherein each system event is positioned on the timeline according to a timestamp associated with the system event, wherein each system event is represented on the timeline by a graphical indicator;

causing display on the timeline view of one or more investigative events reflecting investigative activity performed in association with a security investigation of one or more of the system events, wherein each investigative event is represented on the timeline by a graphical indicator;

while causing display of the timeline view, causing display of a storyboard view of system events and investigative events displayed in the timeline view, wherein a storyboard panel includes a view of one or more selected system events in addition to a view of any related investigative events, the storyboard panel enables a user to progress through detailed information regarding user investigative activities associated with system events that are indicative of security threats in a chronological fashion, wherein the storyboard view displays one or more storyboard panels at a time;

receiving user input to add one or more annotations to a displayed storyboard panel, wherein the displayed storyboard panel displays information related to a specific system event;

storing the one or more annotations in association with the specific system event.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.

47 Citations

View as Search Results

20 Claims

1. A method comprising:
- causing display of a timeline view of events in an information technology security investigation;
  
  causing display on the timeline view of one or more system events that contain data that reflect activity in an information technology environment, wherein each system event is positioned on the timeline according to a timestamp associated with the system event, wherein each system event is represented on the timeline by a graphical indicator;
  
  causing display on the timeline view of one or more investigative events reflecting investigative activity performed in association with a security investigation of one or more of the system events, wherein each investigative event is represented on the timeline by a graphical indicator;
  
  while causing display of the timeline view, causing display of a storyboard view of system events and investigative events displayed in the timeline view, wherein a storyboard panel includes a view of one or more selected system events in addition to a view of any related investigative events, the storyboard panel enables a user to progress through detailed information regarding user investigative activities associated with system events that are indicative of security threats in a chronological fashion, wherein the storyboard view displays one or more storyboard panels at a time;
  
  receiving user input to add one or more annotations to a displayed storyboard panel, wherein the displayed storyboard panel displays information related to a specific system event;
  
  storing the one or more annotations in association with the specific system event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein each investigative event corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces performed while investigating one or more system events.
  - 3. The method of claim 1, further comprising:
    - associating a timestamp with the one or more annotations.
  - 4. The method of claim 1, further comprising:
    - wherein each investigative event corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces performed while investigating one or more system events;
      
      causing display of a workflow log view displaying information describing one or more log entries of the plurality of log entries.
  - 5. The method of claim 1, further comprising:
    - receiving input to add a screenshot to the timeline view; and
      
      in response to receiving the input to add the screenshot to the timeline view, causing display of an identifier of the screenshot at a particular location on the timeline view.
  - 6. The method of claim 1, further comprising:
    - wherein access to the timeline view is granted to a first user;
      
      receiving input from the first user to grant a second user access to the timeline view; and
      
      granting the second user access to the timeline view.
  - 7. The method of claim 1, further comprising:
    - receiving an indication of one or more actions taken by a user to investigate a system event associated with the timeline view; and
      
      in response to receiving the indication of the one or more actions, storing one or more log entries describing the one or more actions in a workflow log.
  - 8. The method of claim 1, further comprising:
    - receiving input selecting a particular event identifier from a plurality of event identifiers, the particular event identifier corresponding to a particular event from the one or more system events or the one or more investigative events; and
      
      in response to receiving the selection of the particular event identifier, causing display of a detailed view of the particular event.

9. One or more non-transitory computer-readable storage media, storing instructions, which when executed by one or more processors cause performance of:
- causing display of a timeline view of events in an information technology security investigation;
  
  causing display on the timeline view of one or more system events that contain data that reflect activity in an information technology environment, wherein each system event is positioned on the timeline according to a timestamp associated with the system event, wherein each system event is represented on the timeline by a graphical indicator;
  
  causing display on the timeline view of one or more investigative events reflecting investigative activity performed in association with a security investigation of one or more of the system events, wherein each investigative event is represented on the timeline by a graphical indicator;
  
  while causing display of the timeline view, causing display of a storyboard view of system events and investigative events displayed in the timeline view, wherein a storyboard panel includes a view of one or more selected system events in addition to a view of any related investigative events, the storyboard panel enables a user to progress through detailed information regarding user investigative activities associated with system events that are indicative of security threats in a chronological fashion, wherein the storyboard view displays one or more storyboard panels at a time;
  
  receiving user input to add one or more annotations to a displayed storyboard panel, wherein the displayed storyboard panel displays information related to a specific system event;
  
  storing the one or more annotations in association with the specific system event.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The one or more non-transitory storage media of claim 9, wherein each investigative event corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces.
  - 11. The one or more non-transitory storage media of claim 9, wherein the instructions which, when executed by the one or more computing devices, further cause:
    - associating a timestamp with the one or more annotations.
  - 12. The one or more non-transitory storage media of claim 9, wherein the instructions which, when executed by the one or more computing devices, further cause:
    - wherein each user-selected investigative event corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces;
      
      causing display of a workflow log view displaying information describing one or more log entries of the plurality of log entries.
  - 13. The one or more non-transitory storage media of claim 9, wherein the instructions which, when executed by the one or more computing devices, further cause:
    - receiving input to add a screenshot to the timeline view; and
      
      in response to receiving the input to add the screenshot to the timeline view, causing display of an identifier of the screenshot at a particular location on the timeline view.
  - 14. The one or more non-transitory storage media of claim 9, wherein the instructions which, when executed by the one or more computing devices, further cause:
    - receiving an indication of one or more actions taken by a user to investigate a system event associated with the timeline view; and
      
      in response to receiving the indication of the one or more actions, storing one or more log entries describing the one or more actions in a workflow log.

15. An apparatus, comprising:
- a display formatter, implemented at least partially in hardware, configured to cause display of a timeline view of events in an information technology security investigation;
  
  wherein the display formatter device causes display on the timeline view of one or more system events that contain data that reflect activity in an information technology environment, wherein each system event is positioned on the timeline according to a timestamp associated with the system event, wherein each system event is represented on the timeline by a graphical indicator;
  
  wherein the display formatter device causes display on the timeline view of one or more investigative events reflecting investigative activity performed in association with a security investigation of one or more of the system events, wherein each investigative event is represented on the timeline by a graphical indicator;
  
  wherein while causing display of the timeline view, the display formatter device causes display of a storyboard view of system events and investigative events displayed in the timeline view, wherein a storyboard panel includes a view of one or more selected system events in addition to a view of any related investigative events, the storyboard panel enables a user to progress through detailed information regarding user investigative activities associated with system events that are indicative of security threats in a chronological fashion, wherein the storyboard view displays one or more storyboard panels at a time;
  
  a user input receiver configured to receive user input to add one or more annotations to a displayed storyboard panel, wherein the displayed storyboard panel displays information related to a specific system event;
  
  an annotation storage device configured to store the one or more annotations in association with the specific system event.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein each investigative event corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces.
  - 17. The apparatus of claim 15, wherein the annotation storage device associates a timestamp with the one or more annotations.
  - 18. The apparatus of claim 15, wherein each user-selected investigative event corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces;
    - and wherein the display formatter causes display of a workflow log view displaying information describing one or more log entries of the plurality of log entries.
  - 19. The apparatus of claim 15, wherein the user input receiver receives input to add a note to the timeline view;
    - and wherein the display formatter, in response to receiving the input to add the note to the timeline view, causes display of an identifier of the note at a particular location on the timeline view.
  - 20. The apparatus of claim 15, wherein the user input receiver receives input to add a screenshot to the timeline view;
    - and wherein the display formatter, in response to receiving the input to add the screenshot to the timeline view, causes display of an identifier of the screenshot at a particular location on the timeline view.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Chauhan, Vijay, Noel, Cary, Yu, Wenhui, Murphey, Luke, Raitz, Alexander, Hazekamp, David
Primary Examiner(s)
McNally, Michael S

Application Number

US15/799,906
Publication Number

US 20180069887A1
Time in Patent Office

518 Days
Field of Search

726 17
US Class Current
CPC Class Codes

G06F 16/2477   Temporal data queries

G06F 16/248   Presentation of query results

G06F 16/25   Integrating or interfacing ...

G06F 21/629   to features or functions of...

G06F 2221/2151   Time stamp

G06F 3/0484   for the control of specific...

G06F 40/169   Annotation, e.g. comment da...

H04L 43/026   using flow identification

H04L 43/06   Generation of reports

H04L 63/1425   Traffic logging, e.g. anoma...

Storyboard displays of information technology investigative events along a timeline

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

47 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Storyboard displays of information technology investigative events along a timeline

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links