Network security investigation workflow logging
First Claim
1. A method, comprising:
causing display of a graphical user interface including a plurality of interface elements and an investigative workflow log view, the plurality of interface elements related to one or more events stored by a data intake and query system, the investigative workflow log view displaying one or more investigative workflow events in a timeline view describing prior user interactions with one or more interface elements of the plurality of interface elements while investigating the one or more events;
wherein each event of the one or more events is related to one or more performance characteristics of one or more computing devices;
while causing display of the graphical user interface, receiving an indication of a user interaction with one or more interface elements of the plurality of interface elements, wherein the user interaction is an investigative action performed by a user in response to observing one or more particular events among the one or more events; and
in response to receiving the indication of the user interaction, causing the workflow log view displayed in the graphical user interface to be updated to display a new investigation workflow event describing the user investigative interaction concurrently with the displayed one or more investigative workflow events.
1 Assignment
0 Petitions
Abstract
Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.
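The abstract and claim 1 describe two coupled records: an investigation timeline of events pulled from the data intake and query system, and an investigative workflow log in which each analyst interaction (a search, pinning an event, adding a note) is itself written as a new workflow event alongside the earlier ones. The module below is an added illustration written for this page; it is not code from the patent, its assignee, or any product. All class, field and method names are assumptions. One addition the patent text does not call for, labelled as such in the comments: the workflow log is hash-chained, because an investigation log is an audit record and a practitioner will want to detect after-the-fact edits to it. The sample events are constructed.

```python
"""Added example (not from the patent or any product): investigation timeline
plus a hash-chained investigative workflow log. Names are assumptions."""
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Optional, Sequence


@dataclass(frozen=True)
class Event:
    """An event held by the data intake and query system (fields assumed)."""
    event_id: str
    timestamp: datetime
    host: str
    raw: str


@dataclass(frozen=True)
class WorkflowEvent:
    """One logged analyst interaction. The chain fields are this example's
    addition; the patent text only requires the interaction to be logged."""
    seq: int
    timestamp: datetime
    analyst: str
    action: str      # "search", "add_event" or "annotate"
    targets: tuple   # event_ids the interaction concerned
    detail: str      # query text or analyst note
    prev_hash: str
    digest: str


GENESIS = "0" * 64

# Constructed sample events: performance characteristics of one host, as in claim 1.
SAMPLE_EVENTS = [
    Event("e1", datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc), "web-01", "cpu_pct=97 load1=14.2"),
    Event("e2", datetime(2024, 1, 15, 9, 1, tzinfo=timezone.utc), "web-01", "tcp_half_open=4800"),
]


def make_clock(start: Optional[datetime] = None, step_seconds: int = 30) -> Callable[[], datetime]:
    """Deterministic clock so the log is reproducible; each call advances by step_seconds."""
    step = timedelta(seconds=step_seconds)
    current = [(start or datetime(2024, 1, 15, 9, 5, tzinfo=timezone.utc)) - step]

    def clock() -> datetime:
        current[0] += step
        return current[0]
    return clock


def _digest(prev_hash: str, seq: int, ts: datetime, analyst: str,
            action: str, targets: Sequence[str], detail: str) -> str:
    body = json.dumps({"seq": seq, "ts": ts.isoformat(), "analyst": analyst, "action": action,
                       "targets": list(targets), "detail": detail},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class InvestigationTimeline:
    """Pinned events plus the investigative workflow log of actions taken on them."""

    def __init__(self, name: str, clock: Callable[[], datetime]):
        self.name = name
        self._clock = clock
        self._events: dict = {}   # event_id -> Event, in the order pinned
        self._log: list = []      # WorkflowEvent, in the order recorded

    def _record(self, analyst: str, action: str, targets: Sequence[str], detail: str) -> WorkflowEvent:
        seq, ts = len(self._log), self._clock()
        prev = self._log[-1].digest if self._log else GENESIS
        entry = WorkflowEvent(seq, ts, analyst, action, tuple(targets), detail, prev,
                              _digest(prev, seq, ts, analyst, action, targets, detail))
        self._log.append(entry)   # the "new investigation workflow event" of claim 1
        return entry

    def run_search(self, analyst: str, query: str, results: Iterable[Event]) -> WorkflowEvent:
        return self._record(analyst, "search", [e.event_id for e in results], query)

    def add_event(self, analyst: str, event: Event, note: str = "") -> WorkflowEvent:
        self._events[event.event_id] = event
        return self._record(analyst, "add_event", [event.event_id], note)

    def annotate(self, analyst: str, event_id: str, note: str) -> WorkflowEvent:
        if event_id not in self._events:
            raise KeyError(f"{event_id} is not on timeline {self.name!r}")
        return self._record(analyst, "annotate", [event_id], note)

    def workflow_log(self) -> list:
        return list(self._log)

    def timeline(self) -> list:
        """Pinned events and workflow events merged into one chronological view."""
        rows = [(e.timestamp, "event", f"{e.host}: {e.raw}") for e in self._events.values()]
        rows += [(w.timestamp, "workflow", f"{w.analyst} {w.action} {','.join(w.targets)}")
                 for w in self._log]
        return sorted(rows, key=lambda r: r[0])

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was edited, dropped or reordered."""
        prev = GENESIS
        for i, w in enumerate(self._log):
            if w.seq != i or w.prev_hash != prev:
                return False
            if _digest(prev, w.seq, w.timestamp, w.analyst, w.action, w.targets, w.detail) != w.digest:
                return False
            prev = w.digest
        return True


def demo() -> dict:
    """One short investigation, then an after-the-fact edit of a stored log entry."""
    tl = InvestigationTimeline("web-01 cpu spike", make_clock())
    tl.run_search("alice", "host=web-01 cpu_pct>90", SAMPLE_EVENTS[:1])
    tl.add_event("alice", SAMPLE_EVENTS[0], "initial CPU alert")
    tl.run_search("alice", "host=web-01 tcp_half_open>1000", SAMPLE_EVENTS[1:])
    tl.add_event("alice", SAMPLE_EVENTS[1])
    tl.annotate("alice", "e2", "half-open connections line up with the CPU spike")
    intact = tl.verify()
    tl._log[2] = replace(tl._log[2], detail="host=web-01")   # rewrite the second query
    return {"actions": [w.action for w in tl.workflow_log()],
            "intact_before_edit": intact, "intact_after_edit": tl.verify(),
            "timeline_kinds": [kind for _, kind, _ in tl.timeline()]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to any real implementation of the scheme described above. First, the merged `timeline()` view deliberately keeps event timestamps (when the host reported the condition) distinct from workflow timestamps (when the analyst acted), so the pinned events sort ahead of the actions that found them. Second, because adding an event to the timeline is itself a logged interaction, the log reconstructs how the timeline was built, not just its final state.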
49 Citations
30 Claims
1. A method, comprising:
causing display of a graphical user interface including a plurality of interface elements and an investigative workflow log view, the plurality of interface elements related to one or more events stored by a data intake and query system, the investigative workflow log view displaying one or more investigative workflow events in a timeline view describing prior user interactions with one or more interface elements of the plurality of interface elements while investigating the one or more events;
wherein each event of the one or more events is related to one or more performance characteristics of one or more computing devices;
while causing display of the graphical user interface, receiving an indication of a user interaction with one or more interface elements of the plurality of interface elements, wherein the user interaction is an investigative action performed by a user in response to observing one or more particular events among the one or more events; and
in response to receiving the indication of the user interaction, causing the workflow log view displayed in the graphical user interface to be updated to display a new investigation workflow event describing the user investigative interaction concurrently with the displayed one or more investigative workflow events.
Dependent claims: 2 through 16.

17. One or more non-transitory computer-readable storage media, storing instructions, which when executed by one or more processors cause performance of:
causing display of a graphical user interface including a plurality of interface elements and an investigative workflow log view, the plurality of interface elements related to one or more events stored by a data intake and query system, the investigative workflow log view displaying one or more investigative workflow events in a timeline view describing prior user interactions with one or more interface elements of the plurality of interface elements while investigating the one or more events;
wherein each event of the one or more events is related to one or more performance characteristics of one or more computing devices;
while causing display of the graphical user interface, receiving an indication of a user interaction with one or more interface elements of the plurality of interface elements, wherein the user interaction is an investigative action performed by a user in response to observing one or more particular events among the one or more events; and
in response to receiving the indication of the user interaction, causing the workflow log view displayed in the graphical user interface to be updated to display a new investigation workflow event describing the user investigative interaction concurrently with the displayed one or more investigative workflow events.
Dependent claims: 18 through 25.

26. An apparatus, comprising:
one or more processors in the apparatus;
an interface display creator, implemented at least partially in hardware, that causes display of a graphical user interface including a plurality of interface elements and an investigative workflow log view, the plurality of interface elements related to one or more events stored by a data intake and query system, the investigative workflow log view displaying one or more investigative workflow events in a timeline view describing prior user interactions with one or more interface elements of the plurality of interface elements while investigating the one or more events;
wherein each event of the one or more events related to one or more performance characteristics of one or more computing devices;
an action indication receiver, implemented at least partially in hardware, that, while the interface display creator causes display of the graphical user interface, receives an indication of a user interaction with one or more interface elements of the plurality of interface elements, wherein the user interaction is an investigative action performed by a user in response to observing one or more particular events among the one or more events; and
wherein the user interface display creator, in response to receiving the indication of the user interaction, further causes the workflow log view displayed in the graphical user interface to be updated to display a new investigation workflow event describing the user investigative interaction concurrently with the displayed one or more investigative workflow events.
Dependent claims: 27 through 30.
Specification