Timeline displays of network security investigation events

US 9,516,052 B1
Filed: 08/01/2015
Issued: 12/06/2016
Est. Priority Date: 08/01/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a selection of one or more first events stored by a data intake and query system for inclusion in a timeline view, each first event of the one or more first events corresponding to a computer network security event;

receiving a selection of one or more second events stored by the data intake and query system for inclusion in the timeline view, each second event of the one or more second events corresponding to one or more actions taken by a user to investigate a network security incident;

generating the timeline view including a plurality of event identifiers, the plurality of event identifiers including (a) at least one first event identifier corresponding to an event from the first events, and (b) at least one second event identifier corresponding to an event from the second events;

wherein each event identifier of the plurality of event identifiers is configured for display at a location on the timeline view based on a timestamp associated with a respective event; and

causing display of the timeline view.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.

120 Citations

View as Search Results

30 Claims

1. A method comprising:
- receiving a selection of one or more first events stored by a data intake and query system for inclusion in a timeline view, each first event of the one or more first events corresponding to a computer network security event;
  
  receiving a selection of one or more second events stored by the data intake and query system for inclusion in the timeline view, each second event of the one or more second events corresponding to one or more actions taken by a user to investigate a network security incident;
  
  generating the timeline view including a plurality of event identifiers, the plurality of event identifiers including (a) at least one first event identifier corresponding to an event from the first events, and (b) at least one second event identifier corresponding to an event from the second events;
  
  wherein each event identifier of the plurality of event identifiers is configured for display at a location on the timeline view based on a timestamp associated with a respective event; and
  
  causing display of the timeline view.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein each second event of the one or more second events corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces.
  - 3. The method of claim 1, further comprising:
    - wherein each second event of the one or more second events corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces;
      
      causing display of a workflow log view displaying information describing one or more log entries of the plurality of log entries.
  - 4. The method of claim 1, wherein at least one event identifier of the plurality of event identifiers corresponds to a plurality of events from a set including the one or more first events and the one or more second events.
  - 5. The method of claim 1, further comprising:
    - receiving input to add a note to the timeline view; and
      
      in response to receiving the input to add the note to the timeline view, causing display of an identifier of the note at a particular location on the timeline view.
  - 6. The method of claim 1, further comprising:
    - receiving input to add a screenshot to the timeline view; and
      
      in response to receiving the input to add the screenshot to the timeline view, causing display of an identifier of the screenshot at a particular location on the timeline view.
  - 7. The method of claim 1, further comprising:
    - wherein access to the timeline view is granted to a first user;
      
      receiving input from the first user to grant a second user access to the timeline view; and
      
      granting the second user access to the timeline view.
  - 8. The method of claim 1, further comprising, in response to receiving input selecting a priority level, associating the priority level with the timeline view.
  - 9. The method of claim 1, further comprising:
    - receiving an indication of one or more actions taken by a user to investigate the network security incident associated with the timeline view; and
      
      in response to receiving the indication of the one or more actions, storing one or more log entries describing the one or more actions in a workflow log.
  - 10. The method of claim 1, further comprising:
    - receiving input selecting a particular event identifier from the plurality of event identifiers, the particular event identifier corresponding to a particular event from a set of events including the one or more first events and the one or more second events; and
      
      in response to receiving the selection of the particular event identifier, causing display of a detail view of the particular event.
  - 11. The method of claim 1, further comprising:
    - causing display of a detail view of a particular event, the detail view of the particular event including an identifier of a particular timeline view with which the particular event is associated;
      
      receiving input selecting the identifier of the particular timeline view; and
      
      in response to receiving the input selecting the indication of the timeline view, causing display of the particular timeline view, the particular timeline view displaying an event identifier of at least the particular event.
  - 12. The method of claim 1, wherein causing display of the timeline view includes overlaying the timeline view on a graphical user interface.
  - 13. The method of claim 1, further comprising:
    - wherein causing display of the timeline view includes causing displaying of a first graphical user interface including the timeline view;
      
      receiving input requesting display of a second graphical user interface that is different from the first graphical user interface; and
      
      causing display of the second graphical user interface including the same timeline view.
  - 14. The method of claim 1, further comprising creating a portable representation of the timeline view, the portable representation including instructions for displaying the timeline view.
  - 15. The method of claim 1, wherein the one or more first events and the one or more second events are selected by the user investigating the network security incident.
  - 16. The method of claim 1, wherein a first event of the one or more first events corresponds to a detected malware infection, a security access violation, or network traffic.

17. One or more non-transitory computer-readable storage media, storing instructions, which when executed by one or more processors cause performance of:
- receiving a selection of one or more first events stored by a data intake and query system for inclusion in a timeline view, each first event of the one or more first events corresponding to a computer network security event;
  
  receiving a selection of one or more second events stored by the data intake and query system for inclusion in the timeline view, each second event of the one or more second events corresponding to one or more actions taken by a user to investigate a network security incident;
  
  generating the timeline view including a plurality of event identifiers, the plurality of event identifiers including (a) at least one first event identifier corresponding to an event from the first events, and (b) at least one second event identifier corresponding to an event from the second events;
  
  wherein each event identifier of the plurality of event identifiers is configured for display at a location on the timeline view based on a timestamp associated with a respective event; and
  
  causing display of the timeline view.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 18. The one or more non-transitory storage media of claim 17, wherein each second event of the one or more second events corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces.
  - 19. The one or more non-transitory storage media of claim 17, wherein the instructions which, when executed by the one or more computing devices, further cause:
    - wherein each second event of the one or more second events corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces;
      
      causing display of a workflow log view displaying information describing one or more log entries of the plurality of log entries.
  - 20. The one or more non-transitory storage media of claim 17, wherein at least one event identifier of the plurality of event identifiers corresponds to a plurality of events from a set including the one or more first events and the one or more second events.
  - 21. The one or more non-transitory storage media of claim 17, wherein the instructions which, when executed by the one or more computing devices, further cause:
    - receiving input to add a note to the timeline view; and
      
      in response to receiving the input to add the note to the timeline view, causing display of an identifier of the note at a particular location on the timeline view.
  - 22. The one or more non-transitory storage media of claim 17, wherein the instructions which, when executed by the one or more computing devices, further cause:
    - receiving input to add a screenshot to the timeline view; and
      
      in response to receiving the input to add the screenshot to the timeline view, causing display of an identifier of the screenshot at a particular location on the timeline view.
  - 23. The one or more non-transitory storage media of claim 17, wherein the instructions which, when executed by the one or more computing devices, further cause:
    - wherein access to the timeline view is granted to a first user;
      
      receiving input from the first user to grant a second user access to the timeline view; and
      
      granting the second user access to the timeline view.
  - 24. The one or more non-transitory storage media of claim 17, wherein the instructions which, when executed by the one or more computing devices, further cause:
    - receiving an indication of one or more actions taken by a user to investigate a network security incident associated with the timeline view; and
      
      in response to receiving the indication of the one or more actions, storing one or more log entries describing the one or more actions in a workflow log.
  - 25. The one or more non-transitory storage media of claim 17, wherein the instructions which, when executed by the one or more computing devices, further cause:
    - receiving input selecting a particular event identifier from the plurality of event identifiers, the particular event identifier corresponding to a particular event from a set of events including the one or more first events and the one or more second events; and
      
      in response to receiving the selection of the particular event identifier, causing display of a detail view of the particular event.
  - 26. The one or more non-transitory storage media of claim 17, wherein a first event of the one or more first events corresponds to a detected malware infection, a security access violation, or network traffic.

27. An apparatus, comprising:
- an event identification subsystem, implemented at least partially in hardware, that receives a selection of one or more first events stored by a data intake and query system for inclusion in a timeline view, each first event of the one or more first events corresponding to a computer network security event;
  
  wherein the event identification subsystem further receives a selection of one or more second events stored by the data intake and query system for inclusion in the timeline view, each second event of the one or more second events corresponding to one or more actions taken by a user to investigate a network security incident;
  
  a timeline view generation subsystem, implemented at least partially in hardware, that generates the timeline view including a plurality of event identifiers, the plurality of event identifiers including (a) at least one first event identifier corresponding to an event from the first events, and (b) at least one second event identifier corresponding to an event from the second events;
  
  wherein each event identifier of the plurality of event identifiers is configured for display at a location on the timeline view based on a timestamp associated with a respective event; and
  
  a display subsystem, implemented at least partially in hardware, that causes display of the timeline view.
- View Dependent Claims (28, 29, 30)
- - 28. The apparatus of claim 27, wherein each second event of the one or more second events corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces.
  - 29. The apparatus of claim 27, wherein causing display of the timeline view includes overlaying the timeline view on a graphical user interface.
  - 30. The apparatus of claim 27, wherein a first event of the one or more first events corresponds to a detected malware infection, a security access violation, or network traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Chauhan, Vijay, Noel, Cary, Yu, Wenhui, Murphey, Luke, Raitz, Alexander, Hazekamp, David
Primary Examiner(s)
McNally, Michael S

Application Number

US14/815,981
Time in Patent Office

493 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 16/2477   Temporal data queries

G06F 16/248   Presentation of query results

G06F 16/25   Integrating or interfacing ...

G06F 21/629   to features or functions of...

G06F 2221/2151   Time stamp

G06F 3/0484   for the control of specific...

G06F 40/169   Annotation, e.g. comment da...

H04L 43/026   using flow identification

H04L 43/06   Generation of reports

H04L 63/1425   Traffic logging, e.g. anoma...

Timeline displays of network security investigation events

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

120 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Timeline displays of network security investigation events

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

120 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links