Network security investigation workflow logging

US 10,254,934 B2
Filed: 08/01/2015
Issued: 04/09/2019
Est. Priority Date: 08/01/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

causing display of a graphical user interface including a plurality of interface elements and an investigative workflow log view, the plurality of interface elements related to one or more events stored by a data intake and query system, the investigative workflow log view displaying one or more investigative workflow events in a timeline view describing prior user interactions with one or more interface elements of the plurality of interface elements while investigating the one or more events;

wherein each event of the one or more events is related to one or more performance characteristics of one or more computing devices;

while causing display of the graphical user interface, receiving an indication of a user interaction with one or more interface elements of the plurality of interface elements, wherein the user interaction is an investigative action performed by a user in response to observing one or more particular events among the one or more events; and

in response to receiving the indication of the user interaction, causing the workflow log view displayed in the graphical user interface to be updated to display a new investigation workflow event describing the user investigative interaction concurrently with the displayed one or more investigative workflow events.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.

49 Citations

View as Search Results

30 Claims

1. A method, comprising:
- causing display of a graphical user interface including a plurality of interface elements and an investigative workflow log view, the plurality of interface elements related to one or more events stored by a data intake and query system, the investigative workflow log view displaying one or more investigative workflow events in a timeline view describing prior user interactions with one or more interface elements of the plurality of interface elements while investigating the one or more events;
  
  wherein each event of the one or more events is related to one or more performance characteristics of one or more computing devices;
  
  while causing display of the graphical user interface, receiving an indication of a user interaction with one or more interface elements of the plurality of interface elements, wherein the user interaction is an investigative action performed by a user in response to observing one or more particular events among the one or more events; and
  
  in response to receiving the indication of the user interaction, causing the workflow log view displayed in the graphical user interface to be updated to display a new investigation workflow event describing the user investigative interaction concurrently with the displayed one or more investigative workflow events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising:
    - receiving input to add one or more particular workflow events of the one or more workflow events displayed in the workflow log view to a timeline view; and
      
      causing display of the timeline view including one or more graphical event indications corresponding to the one or more particular workflow events.
  - 3. The method of claim 1, wherein the new workflow event describing the user interaction is stored as a log entry in a workflow log, the log entry including a timestamp indicating when the user interaction occurred.
  - 4. The method of claim 1, wherein the new workflow event describing the user interaction is stored as a log entry in a workflow log, the log entry indicating an action type of the user interaction;
    - andwherein the action type is one or more of a search, an interface view, an alert response, an alert status change, and a data set filter.
  - 5. The method of claim 1, wherein the user interaction is a search, and wherein the new workflow event describing the user interaction is stored as a log entry in a workflow log, the log entry including a search string associated with the search.
  - 6. The method of claim 1, wherein the user interaction is viewing a particular interface, and wherein the new workflow event describing the user interaction is stored as a log entry in a workflow log, the log entry including an indication of a particular interface viewed.
  - 7. The method of claim 1, wherein the displayed one or more workflow events are sorted based on a timestamp associated with each workflow event of the one or more workflow events.
  - 8. The method of claim 1, wherein the displayed one or more workflow events are sorted based on an action type associated with each workflow event of the one or more workflow events.
  - 9. The method of claim 1, wherein the displayed one or more workflow events are sorted based on a label associated with each workflow event of the one or more workflow events.
  - 10. The method of claim 1, further comprising receiving input selecting one or more user action types to log.
  - 11. The method of claim 1, further comprising receiving input selecting one or more user action types to display in the workflow log view.
  - 12. The method of claim 1, further comprising:
    - receiving input selecting a particular graphical event indication of a plurality of graphical event indications displayed on a timeline view, the particular graphical event indication corresponding to a particular workflow event of the one or more workflow events; and
      
      in response to receiving the selection of the particular graphical event indication, causing display of the particular workflow event in the workflow log view.
  - 13. The method of claim 1, wherein at least one event of the one or more events corresponds to a detected malware infection, a security access violation, or network traffic.
  - 14. The method of claim 1, further comprising:
    - receiving input specifying a search string for one or more workflow events;
      
      causing the workflow log view to display one or more workflow event results, each workflow event result of the one or more workflow event results including information matching the search string.
  - 15. The method of claim 1, further comprising:
    - receiving input specifying an action type filter;
      
      causing the workflow log view to display one or more workflow event results, each workflow event result of the one or more workflow event results including information matching the action type filter.
  - 16. The method of claim 1, further comprising:
    - receiving input specifying one or more timeframes;
      
      causing the workflow log view to display one or more workflow event results, each workflow event result of the one or more workflow event results is associated with a timestamp matching at least one timeframe of the one or more timeframes.

17. One or more non-transitory computer-readable storage media, storing instructions, which when executed by one or more processors cause performance of:
- causing display of a graphical user interface including a plurality of interface elements and an investigative workflow log view, the plurality of interface elements related to one or more events stored by a data intake and query system, the investigative workflow log view displaying one or more investigative workflow events in a timeline view describing prior user interactions with one or more interface elements of the plurality of interface elements while investigating the one or more events;
  
  wherein each event of the one or more events is related to one or more performance characteristics of one or more computing devices;
  
  while causing display of the graphical user interface, receiving an indication of a user interaction with one or more interface elements of the plurality of interface elements, wherein the user interaction is an investigative action performed by a user in response to observing one or more particular events among the one or more events; and
  
  in response to receiving the indication of the user interaction, causing the workflow log view displayed in the graphical user interface to be updated to display a new investigation workflow event describing the user investigative interaction concurrently with the displayed one or more investigative workflow events.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The one or more non-transitory computer-readable storage media of claim 17, wherein the instructions which, when executed by the one or more computing devices, further cause:
    - receiving input to add one or more particular workflow events of the one or more workflow events displayed in the workflow log view to a timeline view; and
      
      causing display of the timeline view including one or more graphical event indications corresponding to the one or more particular workflow events.
  - 19. The one or more non-transitory computer-readable storage media of claim 17, wherein the new workflow event describing the user interaction is stored as a log entry in a workflow log, the log entry including a timestamp indicating when the user interaction occurred.
  - 20. The one or more non-transitory computer-readable storage media of claim 17, wherein the new workflow event describing the user interaction is stored as a log entry in a workflow log, the log entry indicating an action type of the user action;
    - andwherein the action type is one or more of a search, an interface view, an alert response, an alert status change, and a data set filter.
  - 21. The one or more non-transitory computer-readable storage media of claim 17, wherein the user interaction is viewing a particular interface, and wherein the new workflow event describing the user interaction is stored as a log entry in a workflow log, the log entry including an indication of a particular interface viewed.
  - 22. The one or more non-transitory computer-readable storage media of claim 17, wherein the displayed one or more workflow events are sorted based on a timestamp associated with each workflow event of the one or more workflow events.
  - 23. The one or more non-transitory computer-readable storage media of claim 17, wherein the displayed one or more workflow events are sorted based on an action type associated with each workflow event of the one or more workflow events.
  - 24. The one or more non-transitory computer-readable storage media of claim 17, wherein the instructions which, when executed by the one or more computing devices, further cause receiving input selecting one or more user action types to log.
  - 25. The one or more non-transitory computer-readable storage media of claim 17, wherein at least one event of the one or more events corresponds to a detected malware infection, a security access violation, or network traffic.

26. An apparatus, comprising:
- one or more processors in the apparatus;
  
  an interface display creator, implemented at least partially in hardware, that causes display of a graphical user interface including a plurality of interface elements and an investigative workflow log view, the plurality of interface elements related to one or more events stored by a data intake and query system, the investigative workflow log view displaying one or more investigative workflow events in a timeline view describing prior user interactions with one or more interface elements of the plurality of interface elements while investigating the one or more events;
  
  wherein each event of the one or more events related to one or more performance characteristics of one or more computing devices;
  
  an action indication receiver, implemented at least partially in hardware, that, while the interface display creator causes display of the graphical user interface, receives an indication of a user interaction with one or more interface elements of the plurality of interface elements, wherein the user interaction is an investigative action performed by a user in response to observing one or more particular events among the one or more events; and
  
  wherein the user interface display creator, in response to receiving the indication of the user interaction, further causes the workflow log view displayed in the graphical user interface to be updated to display a new investigation workflow event describing the user investigative interaction concurrently with the displayed one or more investigative workflow events.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The apparatus of claim 26, wherein the new workflow event describing the user interaction is stored as a log entry in a workflow log, the log entry including a timestamp indicating when the user interaction occurred.
  - 28. The apparatus of claim 26, wherein the new workflow event describing the user interaction is stored as a log entry in a workflow log, the log entry indicating an action type of the user action;
    - andwherein the action type is one or more of a search, an interface view, an alert response, an alert status change, and a data set filter.
  - 29. The apparatus of claim 26, wherein the displayed one or more workflow events are sorted based on a timestamp associated with each workflow event of the one or more workflow events.
  - 30. The apparatus of claim 26, wherein at least one event of the one or more events corresponds to a detected malware infection, a security access violation, or network traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Chauhan, Vijay, Noel, Cary, Yu, Wenhui, Murphey, Luke
Primary Examiner(s)
Kim, Sang H

Application Number

US14/815,984
Publication Number

US 20170031565A1
Time in Patent Office

1,347 Days
Field of Search
US Class Current
CPC Class Codes

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Network security investigation workflow logging

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

49 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Network security investigation workflow logging

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links