Management console for network security investigations

US 9,363,149 B1
Filed: 08/01/2015
Issued: 06/07/2016
Est. Priority Date: 08/01/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

causing display of a graphical user interface including a plurality of interface elements representing a plurality of investigation timelines, each investigation timeline of the plurality of investigation timelines associated with both first data representing one or more computer network security events, and second data representing one or more occurrences of user interactions with a network security application;

wherein each interface element of the plurality of interface elements displays an indication of one or more users assigned to a respective investigation timeline;

receiving a selection of a particular interface element of the plurality of interface elements, the particular interface element representing a particular investigation timeline; and

in response to receiving the selection of the particular interface element, causing display of the particular investigation timeline.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.

Citations

29 Claims

1. A method, comprising:
- causing display of a graphical user interface including a plurality of interface elements representing a plurality of investigation timelines, each investigation timeline of the plurality of investigation timelines associated with both first data representing one or more computer network security events, and second data representing one or more occurrences of user interactions with a network security application;
  
  wherein each interface element of the plurality of interface elements displays an indication of one or more users assigned to a respective investigation timeline;
  
  receiving a selection of a particular interface element of the plurality of interface elements, the particular interface element representing a particular investigation timeline; and
  
  in response to receiving the selection of the particular interface element, causing display of the particular investigation timeline.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The method of claim 1, wherein each interface element of the plurality of interface elements displays a status of a respective investigation timeline.
  - 3. The method of claim 1, wherein each interface element of the plurality of interface elements displays a priority level assigned to a respective investigation timeline.
  - 4. The method of claim 1, wherein the graphical user interface displays an indication of a total number of currently active investigation timelines.
  - 5. The method of claim 1, wherein the graphical user interface displays an indication of a number of investigations completed by each of one or more users.
  - 6. The method of claim 1, wherein the graphical user interface displays an indication of a kill chain status of a computer network based on a status associated with each of the plurality of investigation timelines.
  - 7. The method of claim 1, further comprising:
    - receiving a selection of a first interface element and a second interface element of the plurality of interface elements, the first interface element representing a first investigation timeline and the second interface element representing a second investigation timeline; and
      
      in response to receiving the selection of the first interface element and the second interface element, causing display of the first investigation timeline juxtaposed with the second investigation timeline.
  - 8. The method of claim 1, wherein a particular computer network security event of the one or more computer network security events corresponds to a detected malware infection, a security access violation, or network traffic.
  - 9. The method of claim 1, wherein the second data corresponds to one or more log entries in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces.
  - 10. The method of claim 1, wherein causing display of the particular investigation timeline includes displaying a plurality of graphical event indications, each graphical event indication of the plurality of graphical event indications configured for display at a location on the particular investigation timeline based on a timestamp associated with a respective event.
  - 11. The method of claim 1, wherein causing display of the particular investigation timeline includes displaying a plurality of graphical event indications, each graphical event indication of the plurality of graphical event indications configured for display at a location on the particular investigation timeline based on a timestamp associated with a respective event;
    - andwherein at least one graphical event indication of the plurality of graphical event indications corresponds to a plurality of events from a set including the one or more first events and the one or more second events.
  - 12. The method of claim 1, further comprising:
    - wherein causing display of the particular investigation timeline includes displaying a plurality of graphical event indications, each graphical event indication of the plurality of graphical event indications configured for display at a location on the particular investigation timeline based on a timestamp associated with a respective event;
      
      receiving input selecting a particular graphical event indication of the plurality of graphical event indications, the particular graphical event indication corresponding to a particular event from a set of events derived from the first data and the second data;
      
      in response to receiving the selection of the particular graphical event indication, causing display of a detail view of the particular event, the detail view of the particular event including a timestamp associated with the particular event and a label associated with the particular event.
  - 13. The method of claim 1, further comprising:
    - wherein causing display of the particular investigation timeline includes displaying a plurality of graphical event indications, each graphical event indication of the plurality of graphical event indications configured for display at a location on the particular investigation timeline based on a timestamp associated with a respective event;
      
      receiving input selecting a particular graphical event indication of the plurality of graphical event indications, the particular graphical event indication corresponding to a particular event from a set of events derived from the first data and the second data;
      
      in response to receiving the selection of the particular graphical event indication, causing display of a detail view of the particular event, the detail view of the particular event including display of at least a portion of raw data associated with the particular event.
  - 14. The method of claim 1, further comprising causing display of a detail view of a particular event from a set of events derived from the first data and the second data, the detail view of the particular event including an interface component for receiving a user annotation associated with the particular event.
  - 15. The method of claim 1, further comprising causing display of a detail view of a particular event from a set of events derived from the first data and the second data, the detail view of the particular event including a storyboard panel that displays the particular event as part of a series of events.
  - 16. The method of claim 1, further comprising creating a portable representation of the particular investigation timeline, the portable representation including instructions for displaying the particular investigation timeline.
  - 17. The method of claim 1, further comprising:
    - receiving a selection of an assignment filter, the assignment filter indicating a request to display investigation timelines assigned to a particular user;
      
      wherein causing display of the graphical user interface including the plurality of interface elements representing a plurality of investigation timelines includes causing display of only interface elements representing investigation timelines assigned to the particular user.
  - 18. The method of claim 1, further comprising:
    - receiving a selection of an assignment filter, the assignment filter indicating a request to display investigation timelines assigned to a group of users;
      
      wherein causing display of the graphical user interface including the plurality of interface elements representing a plurality of investigation timelines includes causing display of only interface elements representing investigation timelines assigned to the group of users.
  - 19. The method of claim 1, wherein each interface element of the plurality of interface elements displays a total number of hours worked on the respective investigation timeline by users assigned to the respective investigation timeline.
  - 20. The method of claim 1, wherein each interface element of the plurality interface elements displays a number of hours worked on the respective investigation timeline by each user assigned to the respective investigation timeline.
  - 21. The method of claim 1, wherein the plurality of interface elements representing the plurality of investigation timelines are sorted based on a time each investigation timeline was last updated.
  - 22. The method of claim 1, wherein the plurality of interface elements representing the plurality of investigation timelines are sorted based on a time each investigation timeline was created.
  - 23. The method of claim 1, wherein the plurality of interface elements representing the plurality of investigation timelines are sorted based on a text label associated with each investigation timeline of the plurality of investigation timelines.
  - 24. The method of claim 1, wherein the plurality of interface elements representing the plurality of investigation timelines are sorted based on a set of users assigned to each investigation timeline of the plurality of investigation timelines.
  - 25. The method of claim 1, wherein the plurality of interface elements representing the plurality of investigation timelines are sorted based on a status associated with each investigation timeline of the plurality of investigation timelines.
  - 26. The method of claim 1, wherein the plurality of interface elements representing the plurality of investigation timelines are sorted based on a priority level associated with each investigation timeline of the plurality of investigation timelines.
  - 27. The method of claim 1, wherein the plurality of interface elements representing the plurality of investigation timelines are sorted based on one or more tags associated with each investigation timeline of the plurality of investigation timelines.

28. One or more non-transitory computer-readable storage media, storing instructions, which when executed by one or more processors cause performance of:
- causing display of a graphical user interface including a plurality of interface elements representing a plurality of investigation timelines, each investigation timeline of the plurality of investigation timelines associated with both first data representing one or more computer network security events, and second data representing one or more occurrences of user interactions with a network security application;
  
  wherein each interface element of the plurality of interface elements displays an indication of one or more users assigned to a respective investigation timeline;
  
  receiving a selection of a particular interface element of the plurality of interface elements, the particular interface element representing a particular investigation timeline; and
  
  in response to receiving the selection of the particular interface element, causing display of the particular investigation timeline.

29. An apparatus, comprising:
- an interface display subsystem, implemented at least partially in hardware, that causes display of a graphical user interface including a plurality of interface elements representing a plurality of investigation timelines, each investigation timeline of the plurality of investigation timelines associated with both first data representing one or more computer network security events, and second data representing one or more occurrences of user interactions with a network security application;
  
  wherein each interface element of the plurality of interface elements displays an indication of one or more users assigned to a respective investigation timeline;
  
  an interface element selection subsystem, implemented at least partially in hardware, that receives a selection of a particular interface element of the plurality of interface elements, the particular interface element representing a particular investigation timeline; and
  
  wherein the interface display subsystem further causes, in response to receiving the selection of the particular interface element, display of the particular investigation timeline.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Chauhan, Vijay, Noel, Cary, Yu, Wenhui
Primary Examiner(s)
Shiau, Shen

Application Number

US14/815,983
Time in Patent Office

311 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/2477   Temporal data queries

G06F 16/951   Indexing; Web crawling tech...

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/62   Protecting access to data v...

G06F 3/0484   for the control of specific...

G06F 3/04842   Selection of displayed obje...

H04L 41/22   comprising specially adapte...

H04L 43/045   for graphical visualisation...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Management console for network security investigations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Management console for network security investigations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links