Interface having selectable, interactive views for evaluating potential network compromise
First Claim
1. A computerized method comprising:
- receiving event data associated with network activities by entities, wherein entities include devices, applications, and network users;
- identifying instances of potential network compromise by applying machine learning models to the event data, wherein instances include threats and/or anomalies;
- causing display, in a graphical user interface, of a user-selectable toggle to switch between a plurality of views, including at least one instances view comprising a listing of instances of potential network compromise and at least one entities view comprising a listing of the entities that participated in network activities that triggered determinations of potential network compromise, wherein each listed instance and entity is linked to a corresponding detailed view;
- upon receiving, via the graphical user interface, a user's selection of an instance, causing the graphical user interface to generate a detailed view comprising (i) additional data about the selected instance, including data identifying each entity associated with the selected instance, (ii) a prompt to take an action in response to the instance, and a prompt to tag the selected instance for future tracking;
- upon receiving, via the graphical user interface and in response to the prompt, a user's indication to take an action, providing feedback to a model training process thread to update the machine learning models for identifying future instances of potential network compromise; and
- upon receiving a selection by a user of a tag, associating the tag with the selected instance such that the tag is included (i) in response to subsequent requests to generate the detailed view of the selected instance and (ii) in response to requests to generate the detailed view of a selected entity associated with the selected instance.
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is "big data" driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat and to take action promptly.
26 Claims

1. A computerized method comprising:
(independent claim; the claim text is given in full under First Claim above)
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)

16. A non-transitory, computer-readable storage medium storing instructions, an execution of which in a computer system causes the computer system to perform operations comprising:
- receiving event data associated with network activities by entities, wherein entities include devices, applications, and network users;
- identifying instances of potential network compromise by applying machine learning models to the event data, wherein instances include threats and/or anomalies;
- causing display, in a graphical user interface, of a user-selectable toggle to switch between a plurality of views, including at least one instances view comprising a listing of instances of potential network compromise and at least one entities view comprising a listing of the entities that participated in network activities that triggered determinations of potential network compromise, wherein each listed instance and entity is linked to a corresponding detailed view;
- upon receiving, via the graphical user interface, a user's selection of an instance, causing the graphical user interface to generate a detailed view comprising (i) additional data about the selected instance, including data identifying each entity associated with the selected instance, (ii) a prompt to take an action in response to the instance, and a prompt to tag the selected instance for future tracking;
- upon receiving, via the graphical user interface and in response to the prompt, a user's indication to take an action, providing feedback to a model training process thread to update the machine learning models for identifying future instances of potential network compromise; and
- upon receiving a selection by a user of a tag, associating the tag with the selected instance such that the tag is included (i) in response to subsequent requests to generate the detailed view of the selected instance and (ii) in response to requests to generate the detailed view of a selected entity associated with the selected instance.
View Dependent Claims (17, 18, 19, 20, 21)

22. A computer system comprising:
- computer memory for storing machine data; and
- a processor for:
  - receiving event data associated with network activities by entities, wherein entities include devices, applications, and/or network users;
  - identifying instances of potential network compromise by applying machine learning models to the event data, wherein instances include threats and/or anomalies;
  - causing display, in a graphical user interface, of a user-selectable toggle to switch between a plurality of views, including at least one instances view comprising a listing of instances of potential network compromise and at least one entities view comprising a listing of the entities that participated in network activities that triggered determinations of potential network compromise, wherein each listed instance and entity is linked to a corresponding detailed view;
  - upon receiving, via the graphical user interface, a user's selection of an instance, causing the graphical user interface to generate a detailed view comprising (i) additional data about the selected instance, including data identifying each entity associated with the selected instance, (ii) a prompt to take an action in response to the instance, and a prompt to tag the selected instance for future tracking;
  - upon receiving, via the graphical user interface and in response to the prompt, a user's indication to take an action, providing feedback to a model training process thread to update the machine learning models for identifying future instances of potential network compromise; and
  - upon receiving a selection by a user of a tag, associating the tag with the selected instance such that the tag is included (i) in response to subsequent requests to generate the detailed view of the selected instance and (ii) in response to requests to generate the detailed view of a selected entity associated with the selected instance.
View Dependent Claims (23, 24, 25, 26)
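The independent claims describe one data model: scored events produce instances linked to the entities involved, a toggle switches between an instances listing and an entities listing, each id opens a detail view with an action prompt and a tag prompt, the action feeds a training thread, and a tag placed on an instance must surface both on that instance's detail view and on the detail view of every entity linked to it. The Python below is an added illustration of that model, not the patent's or any vendor's code. The event data, the median/MAD outlier score used in place of the claimed machine learning models, and the "dismiss" feedback rule that updates the model state are all constructed assumptions.

```python
"""Added example: in-memory model of the instance/entity views in the claims.
Not the patent's or any product's code; detector and feedback rule are stand-ins."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample event data: (entity, bytes sent in one session).
EVENTS_BATCH_1 = [("alice", 120), ("alice", 130), ("alice", 110), ("bob", 125),
                  ("bob", 115), ("svc-backup", 9000), ("alice", 4500)]
EVENTS_BATCH_2 = [("alice", 120), ("bob", 118), ("svc-backup", 8800), ("carol", 122)]


@dataclass
class Instance:
    """One instance of potential compromise and the entities it involves."""
    instance_id: str
    kind: str                          # "anomaly" or "threat"
    score: float
    value: float
    entities: Set[str] = field(default_factory=set)
    tags: Set[str] = field(default_factory=set)
    action: Optional[str] = None


class SecurityViews:
    def __init__(self, threshold: float = 3.5):
        self.threshold = threshold
        self.instances: Dict[str, Instance] = {}
        self.entity_index: Dict[str, Set[str]] = defaultdict(set)  # entity -> instance ids
        self.known_normal: Dict[str, float] = {}   # model state updated by feedback (assumed)
        self.feedback: List[Tuple[str, str]] = []  # queue consumed by the training thread
        self._next = 0

    def ingest(self, events: List[Tuple[str, float]]) -> None:
        """Score a batch with a modified z-score (median/MAD); assumed stand-in for ML scoring."""
        values = [v for _, v in events]
        med = median(values)
        mad = median(abs(v - med) for v in values)
        for entity, value in events:
            score = 0.6745 * (value - med) / mad if mad else 0.0
            # Values an analyst previously dismissed as normal for this entity are not re-flagged.
            if score > self.threshold and value > self.known_normal.get(entity, 0.0):
                inst = Instance(f"I{self._next}", "anomaly", round(score, 2), value, {entity})
                self._next += 1
                self.instances[inst.instance_id] = inst
                self.entity_index[entity].add(inst.instance_id)

    def toggle_view(self, mode: str) -> list:
        """The user-selectable toggle: 'instances' or 'entities'; each id links to a detail view."""
        if mode == "instances":
            return sorted((i.instance_id, i.kind, i.score) for i in self.instances.values())
        if mode == "entities":
            return sorted(self.entity_index)
        raise ValueError(mode)

    def instance_detail(self, instance_id: str) -> dict:
        inst = self.instances[instance_id]
        return {"entities": sorted(inst.entities), "tags": sorted(inst.tags),
                "action": inst.action, "prompts": ["take_action", "tag"]}

    def entity_detail(self, entity: str) -> dict:
        """Entity view collects tags from every instance the entity participated in."""
        ids = sorted(self.entity_index.get(entity, set()))
        tags = set().union(*(self.instances[i].tags for i in ids)) if ids else set()
        return {"instances": ids, "tags": sorted(tags)}

    def take_action(self, instance_id: str, action: str) -> None:
        """Record the analyst's action and queue it as feedback for the training thread."""
        self.instances[instance_id].action = action
        self.feedback.append((instance_id, action))

    def tag(self, instance_id: str, label: str) -> None:
        """Tag an instance; it then shows in its own detail and in each linked entity's detail."""
        self.instances[instance_id].tags.add(label)

    def retrain(self) -> int:
        """Stand-in for the training thread: drain the feedback queue into model state."""
        handled = 0
        while self.feedback:
            instance_id, action = self.feedback.pop(0)
            inst = self.instances[instance_id]
            if action == "dismiss":
                for entity in inst.entities:
                    self.known_normal[entity] = max(self.known_normal.get(entity, 0.0), inst.value)
            handled += 1
        return handled


def demo() -> SecurityViews:
    views = SecurityViews()
    views.ingest(EVENTS_BATCH_1)        # flags svc-backup (I0) and alice (I1)
    views.tag("I1", "watch-q3")         # tag appears on I1 and on alice's entity detail
    views.take_action("I0", "dismiss")  # analyst feedback goes to the training queue
    views.retrain()                     # 9000 bytes is now known normal for svc-backup
    views.ingest(EVENTS_BATCH_2)        # 8800 from svc-backup is no longer flagged
    return views


if __name__ == "__main__":
    v = demo()
    print(v.toggle_view("instances"), v.entity_detail("alice"))
```

The point a defender should take from the model is the second batch: without the feedback path the high-volume backup host would be re-flagged on every run, so the "take action" prompt is what keeps the listing from filling with repeats, and the tag propagating to the entity view is what lets an analyst opening "alice" see that one of her sessions is already under watch.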
Specification