Interface providing an interactive trendline for a detected threat to facilitate evaluation for false positives
First Claim
1. A method comprising:
receiving event data generated by network activities of entities that interact with a computer network, wherein the event data comprises machine data, and the entities include computer users and/or devices in communication with the network;
based upon the received event data as it is received, (i) automatically detecting anomalies indicating deviations from expected or permitted network activities, wherein each anomaly is classified by type and is associated with an entity or entities that participated in network activities and a date at which the detected anomaly occurred, and (ii) automatically detecting threats based upon at least one of a number, type, or timing of detected anomalies, and generating a listing of detected threats as pending threats against the computer network;
upon receiving a user-selection of a detected threat, causing display, in a graphical user interface, of an interactive trendline, which indicates changes to the number of the occurrences of anomalies as a function of dates along the trendline to enable a user to visually depict a trend of the occurrences of the anomalies associated with the threat; and
upon receiving a user-selection, via the graphical user interface, to resolve the detected threat as a false positive, deleting the threat from the listing of pending threats.
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
20 Claims
1. A method comprising: (text identical to the First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A non-transitory, computer-readable storage medium storing instructions, an execution of which in a computer system causes the computer system to perform operations comprising:
receiving event data generated by network activities of entities that interact with a computer network, wherein the event data comprises machine data, and the entities include computer users and/or devices in communication with the network;
based upon the received event data as it is received, (i) automatically detecting anomalies indicating deviations from expected or permitted network activities, wherein each anomaly is classified by type and is associated with an entity or entities that participated in network activities and a date at which the detected anomaly occurred, and (ii) automatically detecting threats based upon at least one of a number, type, or timing of detected anomalies, and generating a listing of detected threats as pending threats against the computer network;
upon receiving a user-selection of a detected threat, causing display, in a graphical user interface, of an interactive trendline, which indicates changes to the number of the occurrences of anomalies as a function of dates along the trendline to enable a user to visually depict a trend of the occurrences of the anomalies associated with the threat; and
upon receiving a user-selection, via the graphical user interface, to resolve the detected threat as a false positive, deleting the threat from the listing of pending threats.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18
19. A computer system comprising:
computer memory for storing machine data; and
a processor for: receiving event data generated by network activities of entities that interact with a computer network, wherein the event data comprises machine data, and the entities include computer users and/or devices in communication with the network;
based upon the received event data as it is received, (i) automatically detecting anomalies indicating deviations from expected or permitted network activities, wherein each anomaly is classified by type and is associated with an entity or entities that participated in network activities and a date at which the detected anomaly occurred, and (ii) automatically detecting threats based upon at least one of a number, type, or timing of detected anomalies, and generating a listing of detected threats as pending threats against the computer network;
upon receiving a user-selection of a detected threat, causing display, in a graphical user interface, of an interactive trendline, which indicates changes to the number of the occurrences of anomalies as a function of dates along the trendline to enable a user to visually depict a trend of the occurrences of the anomalies associated with the threat; and
upon receiving a user-selection, via the graphical user interface, to resolve the detected threat as a false positive, deleting the threat from the listing of pending threats.
Dependent claims: 20
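The three independent claims describe the same data flow: events in, anomalies typed and dated per entity, threats raised from the number, type or timing of those anomalies, a pending-threat listing, a per-date trendline for a selected threat, and removal from the listing when an analyst resolves it as a false positive. The following Python is an added illustration of that flow and is not code from the patent or its assignee; the log format, the detection rules and every threshold (three failed logins per day, 07:00-19:00 working hours, 500 MB transfer, three anomalies or two anomaly types within seven days) are assumptions chosen for the example, and the sample events are constructed. It also keeps an audit record of each false-positive decision, which the claims do not mention but which an operations team would want when tuning the detectors.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample machine data: ISO timestamp followed by key=value fields.
SAMPLE_EVENTS = [
    "2024-03-01T09:00:00 user=alice action=login result=fail",
    "2024-03-01T09:00:20 user=alice action=login result=fail",
    "2024-03-01T09:00:45 user=alice action=login result=fail",
    "2024-03-01T09:01:10 user=alice action=login result=success",
    "2024-03-02T11:00:00 user=bob action=login result=success",
    "2024-03-02T11:05:00 user=bob action=login result=fail",
    "2024-03-03T02:15:00 user=alice action=login result=success",
    "2024-03-03T10:00:00 user=alice action=transfer bytes=900000000",
    "2024-03-04T03:30:00 user=alice action=login result=success",
]

# Assumed thresholds for the example; not values from the patent.
FAILED_LOGIN_BURST = 3             # failed logins per entity per day
WORK_HOURS = (7, 19)               # successful logins outside this range are "off hours"
LARGE_TRANSFER_BYTES = 500_000_000
THREAT_MIN_ANOMALIES = 3           # "number" criterion
THREAT_MIN_TYPES = 2               # "type" criterion
THREAT_WINDOW = timedelta(days=7)  # "timing" criterion


@dataclass(frozen=True)
class Anomaly:
    kind: str    # anomaly type
    entity: str  # user or device that participated
    day: date    # date the anomaly occurred


@dataclass
class Threat:
    threat_id: int
    entity: str
    anomalies: List[Anomaly]
    status: str = "pending"


def parse_event(line: str) -> dict:
    """One log line -> dict of fields, with 'ts' parsed to a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect_anomalies(events: List[dict]) -> List[Anomaly]:
    """Examine each event once, in arrival order, and emit typed, dated anomalies."""
    anomalies: List[Anomaly] = []
    failures: Counter = Counter()
    for ev in events:
        entity, day = ev["user"], ev["ts"].date()
        if ev.get("action") == "login" and ev.get("result") == "fail":
            failures[(entity, day)] += 1
            if failures[(entity, day)] == FAILED_LOGIN_BURST:  # fire once per entity-day
                anomalies.append(Anomaly("failed_login_burst", entity, day))
        elif ev.get("action") == "login" and ev.get("result") == "success":
            if not WORK_HOURS[0] <= ev["ts"].hour < WORK_HOURS[1]:
                anomalies.append(Anomaly("off_hours_login", entity, day))
        elif ev.get("action") == "transfer" and int(ev.get("bytes", 0)) >= LARGE_TRANSFER_BYTES:
            anomalies.append(Anomaly("large_transfer", entity, day))
    return anomalies


def detect_threats(anomalies: List[Anomaly]) -> Dict[int, Threat]:
    """Raise a threat for an entity on number OR type of anomalies, within the time window."""
    by_entity: Dict[str, List[Anomaly]] = defaultdict(list)
    for a in anomalies:
        by_entity[a.entity].append(a)
    threats: Dict[int, Threat] = {}
    for entity, items in sorted(by_entity.items()):
        items.sort(key=lambda a: a.day)
        in_window = items[-1].day - items[0].day <= THREAT_WINDOW
        enough = len(items) >= THREAT_MIN_ANOMALIES or len({a.kind for a in items}) >= THREAT_MIN_TYPES
        if in_window and enough:
            tid = len(threats) + 1
            threats[tid] = Threat(tid, entity, items)
    return threats


def trendline(threat: Threat) -> List[Tuple[date, int]]:
    """Anomaly count per date from first to last anomaly, zero-filled so quiet days show."""
    per_day = Counter(a.day for a in threat.anomalies)
    start, end = min(per_day), max(per_day)
    return [(start + timedelta(days=i), per_day.get(start + timedelta(days=i), 0))
            for i in range((end - start).days + 1)]


class PendingThreats:
    """The listing of pending threats, plus a record of analyst resolutions for later review."""

    def __init__(self, threats: Dict[int, Threat]):
        self.pending = dict(threats)
        self.resolved: List[Tuple[Threat, str, str]] = []

    def pending_ids(self) -> List[int]:
        return sorted(self.pending)

    def resolve_false_positive(self, threat_id: int, analyst: str, note: str = "") -> Threat:
        threat = self.pending.pop(threat_id)          # KeyError if it is not pending
        threat.status = "false_positive"
        self.resolved.append((threat, analyst, note))  # keep the decision, not only the deletion
        return threat


def run_pipeline(lines: List[str] = SAMPLE_EVENTS) -> PendingThreats:
    return PendingThreats(detect_threats(detect_anomalies([parse_event(l) for l in lines])))


if __name__ == "__main__":
    listing = run_pipeline()
    for tid in listing.pending_ids():
        t = listing.pending[tid]
        print(f"threat {tid}: entity={t.entity} anomalies={len(t.anomalies)}")
        for day, count in trendline(t):
            print(f"  {day}  {'#' * count}")
    listing.resolve_false_positive(1, "analyst", "approved maintenance window")
    print("pending after resolve:", listing.pending_ids())
```

On the constructed data only alice crosses the threat rule (four anomalies of three types across four days), and her trendline reads 1, 0, 2, 1: the zero on the second day is the reason for zero-filling, since a gap in the anomaly series is itself evidence when judging whether the cluster is a real campaign or a coincidence. Resolving the threat removes it from the pending listing but retains it in `resolved`, so detector thresholds can later be tuned against the analyst's false-positive decisions.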