Storyboard displays of information technology investigative events along a timeline
Abstract
Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.
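A minimal data model for the investigation timeline described above, as an added example that is not taken from the patent or from any product. The names (`Event`, `Investigation`, `related_to`) and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Event:
    event_id: str
    ts: datetime                      # timestamp that positions the event on the timeline
    kind: str                         # "system" or "investigative"
    summary: str
    related_to: Optional[str] = None  # investigative events point at a system event id

@dataclass
class Investigation:
    events: dict = field(default_factory=dict)
    annotations: dict = field(default_factory=dict)  # system event id -> list of notes

    def add(self, ev: Event) -> None:
        if ev.kind == "investigative" and ev.related_to not in self.events:
            raise ValueError(f"{ev.event_id}: unknown system event {ev.related_to!r}")
        self.events[ev.event_id] = ev

    def timeline(self) -> list:  # system and investigative events, ordered by timestamp
        return sorted(self.events.values(), key=lambda e: (e.ts, e.event_id))

    def storyboard(self) -> list:  # one panel per system event, in chronological order
        tl, panels = self.timeline(), []
        for ev in (e for e in tl if e.kind == "system"):
            related = [i for i in tl if i.related_to == ev.event_id]
            panels.append({"event": ev, "investigative": related,
                           "annotations": list(self.annotations.get(ev.event_id, []))})
        return panels

    def annotate(self, system_event_id: str, note: str) -> None:
        ev = self.events.get(system_event_id)
        if ev is None or ev.kind != "system":
            raise KeyError(f"annotations attach to system events only: {system_event_id}")
        self.annotations.setdefault(system_event_id, []).append(note)

def demo() -> Investigation:
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed sample data
    inv = Investigation()
    inv.add(Event("s1", t0 + timedelta(minutes=2), "system", "failed logins for svc-backup"))
    inv.add(Event("s2", t0 + timedelta(minutes=40), "system", "svc-backup logon on fileserver-2"))
    inv.add(Event("i1", t0 + timedelta(minutes=65), "investigative", "analyst searched auth logs", "s1"))
    inv.add(Event("i2", t0 + timedelta(minutes=80), "investigative", "analyst pulled session list", "s2"))
    inv.annotate("s1", "source host is a decommissioned jump box")
    return inv
```

Keying annotations by system event id rather than by panel means a note survives any re-rendering of the storyboard and shows up wherever that event is displayed.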
20 Claims
1. A method comprising:
- causing display of a timeline view of events in an information technology security investigation;
- causing display on the timeline view of one or more system events that contain data that reflect activity in an information technology environment, wherein each system event is positioned on the timeline according to a timestamp associated with the system event, wherein each system event is represented on the timeline by a graphical indicator;
- causing display on the timeline view of one or more investigative events reflecting investigative activity performed in association with a security investigation of one or more of the system events, wherein each investigative event is represented on the timeline by a graphical indicator;
- while causing display of the timeline view, causing display of a storyboard view of system events and investigative events displayed in the timeline view, wherein a storyboard panel includes a view of one or more selected system events in addition to a view of any related investigative events, the storyboard panel enables a user to progress through detailed information regarding user investigative activities associated with system events that are indicative of security threats in a chronological fashion, wherein the storyboard view displays one or more storyboard panels at a time;
- receiving user input to add one or more annotations to a displayed storyboard panel, wherein the displayed storyboard panel displays information related to a specific system event;
- storing the one or more annotations in association with the specific system event.

Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. One or more non-transitory computer-readable storage media, storing instructions, which when executed by one or more processors cause performance of:
- causing display of a timeline view of events in an information technology security investigation;
- causing display on the timeline view of one or more system events that contain data that reflect activity in an information technology environment, wherein each system event is positioned on the timeline according to a timestamp associated with the system event, wherein each system event is represented on the timeline by a graphical indicator;
- causing display on the timeline view of one or more investigative events reflecting investigative activity performed in association with a security investigation of one or more of the system events, wherein each investigative event is represented on the timeline by a graphical indicator;
- while causing display of the timeline view, causing display of a storyboard view of system events and investigative events displayed in the timeline view, wherein a storyboard panel includes a view of one or more selected system events in addition to a view of any related investigative events, the storyboard panel enables a user to progress through detailed information regarding user investigative activities associated with system events that are indicative of security threats in a chronological fashion, wherein the storyboard view displays one or more storyboard panels at a time;
- receiving user input to add one or more annotations to a displayed storyboard panel, wherein the displayed storyboard panel displays information related to a specific system event;
- storing the one or more annotations in association with the specific system event.

Dependent claims: 10, 11, 12, 13, 14

15. An apparatus, comprising:
- a display formatter, implemented at least partially in hardware, configured to cause display of a timeline view of events in an information technology security investigation;
- wherein the display formatter device causes display on the timeline view of one or more system events that contain data that reflect activity in an information technology environment, wherein each system event is positioned on the timeline according to a timestamp associated with the system event, wherein each system event is represented on the timeline by a graphical indicator;
- wherein the display formatter device causes display on the timeline view of one or more investigative events reflecting investigative activity performed in association with a security investigation of one or more of the system events, wherein each investigative event is represented on the timeline by a graphical indicator;
- wherein while causing display of the timeline view, the display formatter device causes display of a storyboard view of system events and investigative events displayed in the timeline view, wherein a storyboard panel includes a view of one or more selected system events in addition to a view of any related investigative events, the storyboard panel enables a user to progress through detailed information regarding user investigative activities associated with system events that are indicative of security threats in a chronological fashion, wherein the storyboard view displays one or more storyboard panels at a time;
- a user input receiver configured to receive user input to add one or more annotations to a displayed storyboard panel, wherein the displayed storyboard panel displays information related to a specific system event;
- an annotation storage device configured to store the one or more annotations in association with the specific system event.

Dependent claims: 16, 17, 18, 19, 20

Specification