Method And System For Reviewing Identified Threats For Performing Computer Security Monitoring
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
30 Claims
1. A computerized method comprising:
receiving event data associated with network activities by entities that interact with a computer network, wherein types of entities include at least one of devices, applications, and/or network users;
identifying instances of potential network compromise automatically determined from the event data, wherein instances include threats and/or anomalies, and the identified instances are associated with at least one entity;
automatically determining a score for each entity, wherein the score indicates a risk level based at least in part on the number and/or type of identified instances of potential network compromise associated with the entity; and
causing display, in a graphical user interface, of an indication of the score for each of the entities.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18
19. A non-transitory, computer-readable storage medium storing instructions, an execution of which in a computer system causes the computer system to perform operations comprising:
receiving event data associated with network activities by entities that interact with a computer network, wherein types of entities include at least one of devices, applications, and/or network users;
identifying instances of potential network compromise automatically determined from the event data, wherein instances include threats and anomalies, and the identified instances are associated with at least one entity;
automatically determining a score for each entity, wherein the score indicates a risk level based at least in part on the number and/or type of identified instances of potential network compromise associated with the entity;
causing for display, in graphical user interface, of an indication of the score for each of the entities.
Dependent claims: 20, 21, 22, 23, 24, 25, 26
27. A computer system comprising:
computer memory for storing machine data; and
a processor for;
receiving event data associated with network activities by entities that interact with a computer network, wherein types of entities include at least one of devices, applications, and/or network users;
identifying instances of potential network compromise automatically determined from the event data, wherein instances include threats and/or anomalies, and the identified instances are associated with one or more entities;
automatically determining a score for each entity, wherein the score indicates a risk level based at least in part on the number and type of identified instances of potential network compromise associated with the entity;
causing display, in a graphical user interface, of an indication of the score for each of the entities.
Dependent claims: 28, 29, 30
Specification