Timeline displays of network security investigation events
First Claim
1. A method comprising:
receiving a selection of one or more first events stored by a data intake and query system for inclusion in a timeline view, each first event of the one or more first events corresponding to a computer network security event;
receiving a selection of one or more second events stored by the data intake and query system for inclusion in the timeline view, each second event of the one or more second events corresponding to one or more actions taken by a user to investigate a network security incident;
generating the timeline view including a plurality of event identifiers, the plurality of event identifiers including (a) at least one first event identifier corresponding to an event from the first events, and (b) at least one second event identifier corresponding to an event from the second events;
wherein each event identifier of the plurality of event identifiers is configured for display at a location on the timeline view based on a timestamp associated with a respective event; and
causing display of the timeline view.
Abstract
Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.
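As an added illustration (not code from the patent or its assignee), the following Python sketches the claimed merge: stored security events (the "first events") and logged analyst actions (the "second events") are normalised to UTC, ordered by timestamp, and each given a position along the timeline axis. The record shape, the `_time` and `id` field names, and the sample records are constructed assumptions, not taken from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class TimelineEntry:
    event_id: str    # identifier rendered on the timeline
    kind: str        # "security" (first events) or "investigation" (second events)
    ts: datetime     # timestamp normalised to UTC
    position: float  # 0.0 .. 1.0 along the timeline axis, derived from ts

def _to_utc(raw: str) -> datetime:
    """Parse an ISO-8601 timestamp; a naive value is assumed to be UTC."""
    ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)

def build_timeline(security_events, analyst_actions):
    """Merge both record kinds into time-ordered entries; also return ids skipped for lacking a timestamp."""
    merged, skipped = [], []
    for kind, records in (("security", security_events), ("investigation", analyst_actions)):
        for rec in records:
            raw = rec.get("_time")  # hypothetical field name for the stored event time
            if not raw:
                skipped.append(rec.get("id", "<no id>"))
                continue
            merged.append((kind, rec["id"], _to_utc(raw)))
    if not merged:
        return [], skipped
    merged.sort(key=lambda m: m[2])
    start, end = merged[0][2], merged[-1][2]
    span = (end - start).total_seconds() or 1.0  # avoid division by zero for a single instant
    entries = [TimelineEntry(eid, kind, ts, (ts - start).total_seconds() / span)
               for kind, eid, ts in merged]
    return entries, skipped

# Constructed sample records (not real data). Mixed offsets show why normalisation matters.
SECURITY_EVENTS = [
    {"id": "notable-1", "_time": "2016-03-01T09:15:00Z", "rule": "Brute-force login"},
    {"id": "notable-2", "_time": "2016-03-01T04:10:00-05:00", "rule": "Beaconing host"},  # 09:10Z
    {"id": "notable-3", "_time": None, "rule": "Alert with no parsed time"},
]
ANALYST_ACTIONS = [
    {"id": "action-1", "_time": "2016-03-01T09:20:00Z", "action": "ran search on proxy logs for ws12"},
    {"id": "action-2", "_time": "2016-03-01T09:30:00Z", "action": "added notable-1 to timeline"},
]
if __name__ == "__main__":
    for e in build_timeline(SECURITY_EVENTS, ANALYST_ACTIONS)[0]:
        print(f"{e.position:4.2f} {e.kind:13} {e.event_id} {e.ts:%H:%M}Z")
```

The record with no timestamp is reported rather than silently dropped, since an analyst reviewing the timeline needs to know which stored events could not be placed on it.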
30 Claims
1. A method comprising:
receiving a selection of one or more first events stored by a data intake and query system for inclusion in a timeline view, each first event of the one or more first events corresponding to a computer network security event;
receiving a selection of one or more second events stored by the data intake and query system for inclusion in the timeline view, each second event of the one or more second events corresponding to one or more actions taken by a user to investigate a network security incident;
generating the timeline view including a plurality of event identifiers, the plurality of event identifiers including (a) at least one first event identifier corresponding to an event from the first events, and (b) at least one second event identifier corresponding to an event from the second events;
wherein each event identifier of the plurality of event identifiers is configured for display at a location on the timeline view based on a timestamp associated with a respective event; and
causing display of the timeline view.
Dependent claims: 2 to 16.

17. One or more non-transitory computer-readable storage media, storing instructions, which when executed by one or more processors cause performance of:
receiving a selection of one or more first events stored by a data intake and query system for inclusion in a timeline view, each first event of the one or more first events corresponding to a computer network security event;
receiving a selection of one or more second events stored by the data intake and query system for inclusion in the timeline view, each second event of the one or more second events corresponding to one or more actions taken by a user to investigate a network security incident;
generating the timeline view including a plurality of event identifiers, the plurality of event identifiers including (a) at least one first event identifier corresponding to an event from the first events, and (b) at least one second event identifier corresponding to an event from the second events;
wherein each event identifier of the plurality of event identifiers is configured for display at a location on the timeline view based on a timestamp associated with a respective event; and
causing display of the timeline view.
Dependent claims: 18 to 26.

27. An apparatus, comprising:
an event identification subsystem, implemented at least partially in hardware, that receives a selection of one or more first events stored by a data intake and query system for inclusion in a timeline view, each first event of the one or more first events corresponding to a computer network security event;
wherein the event identification subsystem further receives a selection of one or more second events stored by the data intake and query system for inclusion in the timeline view, each second event of the one or more second events corresponding to one or more actions taken by a user to investigate a network security incident;
a timeline view generation subsystem, implemented at least partially in hardware, that generates the timeline view including a plurality of event identifiers, the plurality of event identifiers including (a) at least one first event identifier corresponding to an event from the first events, and (b) at least one second event identifier corresponding to an event from the second events;
wherein each event identifier of the plurality of event identifiers is configured for display at a location on the timeline view based on a timestamp associated with a respective event; and
a display subsystem, implemented at least partially in hardware, that causes display of the timeline view.
Dependent claims: 28 to 30.