Threat intelligence management in security and compliance environment
Abstract
Threat intelligence management is provided in a security and compliance environment. A threat explorer platform or module of a security and compliance service may detect, investigate, manage, and provide actionable insights for threats at an organizational level. Working with a data insights platform that collects different types of signals (metadata, documents, activities, etc.) and correlates in a multi-stage evaluation, the threat intelligence module may provide actionable visual information on potential threats, affected areas, and actionable insights derived from internal threat data and external information using contextual correlation of data within the data insight platform. User experience may be dynamically adjusted at multiple levels based on context and allow users to drill down arbitrarily deep.
19 Claims
1. A method to provide threat intelligence for hosted services, the method comprising:
receiving data associated with a tenant's service environment, wherein the received data includes communications, stored content, metadata associated with the received data, and activities associated with the received data;
correlating the received data at multiple levels based on the metadata associated with the received data and the activities associated with the received data to generate correlated and multi-stage evaluated data;
determining, based on a contextual correlation analysis of the correlated and multi-stage evaluated data, a threat, wherein the contextual correlation analysis is based on one or more contextual factors;
determining, based on the contextual correlation analysis, a potential impact for the threat;
presenting information regarding the threat and the potential impact through an interactive visualization, wherein at least one element of the interactive visualization is actionable;
determining at least one targeted user receiving the threat;
presenting a listing of the determined targeted users;
in response to receiving a selection of a user from the list of determined targeted users, presenting one or more selected from a group consisting of a communication exchanged with the selected user, a document shared by the selected user, a document processed by the selected user, and a resource used by the selected user; and
one or more selected from a group consisting of presenting a remediation action and automatically implementing a remediation action associated with the received threat.
(Dependent claims 2, 3, 4, 5, 6, 7, 8, 9, 10 and 11 depend on claim 1 and are not reproduced here.)
12. A server configured to provide threat intelligence for hosted services, the server comprising:
a communication interface configured to facilitate communication between another server hosting a security and compliance service, one or more client devices, and the server;
a memory configured to store instructions; and
one or more processors coupled to the communication interface and the memory and configured to execute a threat intelligence module, wherein the threat intelligence module is configured to:
receive data associated with a tenant's service environment, wherein the received data includes communications, stored content, metadata associated with the received data, and activities associated with the received data;
correlate the received data at multiple levels based on the metadata associated with the received data and the activities associated with the received data to generate correlated and multi-stage evaluated data;
determine, based on a contextual correlation analysis of the correlated and multi-stage evaluated data, a threat, wherein the contextual correlation analysis is based on one or more contextual factors;
determine, based on the contextual correlation analysis, a potential impact and a remediation action associated with the threat;
present a dashboard that includes one or more interactive visualizations representing one or more selected from a group consisting of threat trends, information regarding the threat, and the potential impact of the threat, wherein a portion of the one or more visualizations is actionable;
determine at least one targeted user receiving the threat;
present a listing of the determined targeted users;
in response to receiving a selection of a user from the listing of determined targeted users, presenting one or more selected from a group consisting of a communication exchanged with the selected user, a document shared by the selected user, a document processed by the selected user, and a resource used by the selected user; and
automatically implement the remediation action associated with the received threat.
(Dependent claims 13, 14, 15, 16 and 17 depend on claim 12 and are not reproduced here.)
18. A computer-readable memory device with instructions stored thereon to provide threat intelligence for hosted services, the instructions, when executed, configured to cause one or more computing devices to perform actions comprising:
receive data associated with a tenant's service environment, wherein the received data includes communications, stored content, metadata associated with the received data, and activities associated with the received data;
correlate the received data at multiple levels based on the metadata associated with the received data and the activities associated with the received data to generate correlated and multi-stage evaluated data;
determine, based on a contextual correlation analysis of the correlated and multi-stage evaluated data, a threat, wherein the contextual correlation analysis is based on one or more contextual factors;
determine, based on the contextual correlation analysis, a potential impact and a remediation action associated with the threat;
present a dashboard that includes one or more interactive visualizations representing one or more selected from a group consisting of threat trends, information regarding the threat, and the potential impact of the threat, wherein a portion of the one or more visualizations is actionable;
customize the dashboard based on one or more selected from a group consisting of detected threat types, a tenant profile, and a platform;
determine at least one targeted user receiving the threat;
present a listing of the determined targeted users;
in response to receiving a selection of a user from the listing of determined targeted users, presenting one or more selected from a group consisting of a communication exchanged with the selected user, a document shared by the selected user, a document processed by the selected user, and a resource used by the selected user; and
automatically implement the remediation action associated with the received threat.
(Dependent claim 19 depends on claim 18 and is not reproduced here.)
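As an added illustration (not the patent's own implementation), the Python sketch below walks the steps of claim 1 over constructed tenant signals: a stage-1 per-message evaluation against an external intel list, a stage-2 correlation of flagged messages with user activities, a stage-3 contextual weighting by user sensitivity that yields an impact score, the targeted users and remediation actions, and a drill-down for a selected user. All names, weights, domains and sample records are assumptions made for the example.

```python
# Constructed sample signals for one tenant (not real data): messages with metadata,
# user activities, a user directory (contextual factor) and an external intel list.
MESSAGES = [
    {"id": "m1", "from": "billing@evil.example", "to": "ann@corp.example", "url": "evil.example/login"},
    {"id": "m2", "from": "billing@evil.example", "to": "bob@corp.example", "url": "evil.example/login"},
    {"id": "m3", "from": "hr@corp.example", "to": "ann@corp.example", "url": None},
]
ACTIVITIES = [
    {"user": "ann@corp.example", "action": "click", "ref": "m1"},
    {"user": "ann@corp.example", "action": "share", "ref": "Q3-payroll.xlsx"},
    {"user": "bob@corp.example", "action": "delete", "ref": "m2"},
]
USERS = {"ann@corp.example": {"role": "finance", "sensitivity": 3},
         "bob@corp.example": {"role": "sales", "sensitivity": 1}}
BAD_DOMAINS = {"evil.example"}  # constructed external threat-intel feed

def stage1_flag_messages(messages):
    """Stage 1: evaluate each message on its own metadata (URL domain vs. intel list)."""
    return [m for m in messages if m["url"] and m["url"].split("/")[0] in BAD_DOMAINS]

def stage2_correlate_users(flagged, activities):
    """Stage 2: join flagged messages with each recipient's activities (clicks, shares)."""
    by_user = {m["to"]: {"messages": [], "clicked": False, "shared": []} for m in flagged}
    for m in flagged:
        by_user[m["to"]]["messages"].append(m["id"])
    for a in activities:
        u = by_user.get(a["user"])  # activities of untargeted users are ignored
        if u and a["action"] == "click" and a["ref"] in u["messages"]:
            u["clicked"] = True
        elif u and a["action"] == "share":
            u["shared"].append(a["ref"])
    return by_user

def stage3_contextual_threat(by_user, users):
    """Stage 3: weight by user sensitivity (context) -> impact, targets, remediation."""
    if not by_user:
        return None  # nothing correlated: no threat to report
    impact, remediation = 0, ["quarantine_messages"]
    for email, u in by_user.items():
        w = users.get(email, {}).get("sensitivity", 1)  # assumed contextual factor
        impact += w * (3 if u["clicked"] else 1) + 2 * w * len(u["shared"])
    if any(u["clicked"] for u in by_user.values()): remediation.append("reset_credentials")
    if any(u["shared"] for u in by_user.values()): remediation.append("revoke_sharing_links")
    return {"type": "phishing", "targeted_users": sorted(by_user), "impact": impact, "remediation": remediation}

def explore_user(selected, messages, activities):
    """Drill-down for one targeted user: communications exchanged and documents shared."""
    comms = [m["id"] for m in messages if selected in (m["from"], m["to"])]
    docs = [a["ref"] for a in activities if a["user"] == selected and a["action"] == "share"]
    return {"communications": comms, "documents": docs}
```

Chaining the three stages over the sample data yields one phishing threat targeting both users, with the finance user's click and share driving most of the impact score and the corresponding remediation actions.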