Snapshot of a forensic investigation for enterprise threat detection

US 10,673,879 B2
Filed: 09/23/2016
Issued: 06/02/2020
Est. Priority Date: 09/23/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

establishing an enterprise threat detection (ETD) forensic workspace according to a particular timeframe and permitting defining a selection of data types from available log data for an evaluation of events associated with one or more entities, wherein the forensic workspace is configured with functionality to define a filter path containing a series of filters to define a particular sub set of the available log data;

defining a chart illustrating a graphical distribution of a particular data type in the forensic workspace;

generating a snapshot associated with the chart, the snapshot saving a copy of all data necessary to re-create the chart into an associated snapshot object;

associating the snapshot with a snapshot page for containing the snapshot; and

saving the snapshot page within the ETD forensic workspace.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enterprise threat detection (ETD) forensic workspace is established according to a particular timeframe and permitting defining a selection of data types from available log data for an evaluation of events associated with one or more entities. A chart is defined illustrating a graphical distribution of a particular data type in the forensic workspace. A snapshot associated with the chart is generated, the snapshot saving a copy of all data necessary to re-create the chart into an associated snapshot object. The snapshot is associated with a snapshot page for containing the snapshot and the snapshot page is saved within the ETD forensic workspace.

197 Citations

20 Claims

1. A computer-implemented method, comprising:
- establishing an enterprise threat detection (ETD) forensic workspace according to a particular timeframe and permitting defining a selection of data types from available log data for an evaluation of events associated with one or more entities, wherein the forensic workspace is configured with functionality to define a filter path containing a series of filters to define a particular sub set of the available log data;
  
  defining a chart illustrating a graphical distribution of a particular data type in the forensic workspace;
  
  generating a snapshot associated with the chart, the snapshot saving a copy of all data necessary to re-create the chart into an associated snapshot object;
  
  associating the snapshot with a snapshot page for containing the snapshot; and
  
  saving the snapshot page within the ETD forensic workspace.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the chart includes a structured query language (SQL) SELECT statement for selecting events from the available log data and a user interface (UI) permitting interactive functionality with the chart.
  - 3. The computer-implemented method of claim 1, wherein the snapshot page is a data container that is persisted with a reference to the snapshot stored in a data store.
  - 4. The computer-implemented method of claim 1, wherein the data saved by the snapshot includes at least one of log data, environmental variables, environmental conditions, chart data, chart UI information, a selected path and filter data or functionality to search for the same configuration of the chart at a different timeframe.
  - 5. The computer-implemented method of claim 1, comprising configuring the snapshot object as immutable once the snapshot is generated.
  - 6. The computer-implemented method of claim 1, comprising:
    - loading the saved snapshot page within the ETD forensic workspace;
      
      retrieving data from the snapshot object of the snapshot associated with the saved snapshot page; and
      
      re-creating the chart on the snapshot page.
  - 7. The computer-implemented method of claim 1, comprising transferring the saved snapshot page to a third-party for collaborative analysis.

8. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations comprising:
- establishing an enterprise threat detection (ETD) forensic workspace according to a particular timeframe and permitting defining a selection of data types from available log data for an evaluation of events associated with one or more entities, wherein the forensic workspace is configured with functionality to define a filter path containing a series of filters to define a particular sub set of the available log data;
  
  defining a chart illustrating a graphical distribution of a particular data type in the forensic workspace;
  
  generating a snapshot associated with the chart, the snapshot saving a copy of all data necessary to re-create the chart into an associated snapshot object;
  
  associating the snapshot with a snapshot page for containing the snapshot; and
  
  saving the snapshot page within the ETD forensic workspace.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory, computer-readable medium of claim 8, wherein the chart includes a structured query language (SQL) SELECT statement for selecting events from the available log data and a user interface (UI) permitting interactive functionality with the chart.
  - 10. The non-transitory, computer-readable medium of claim 8, wherein the snapshot page is a data container that is persisted with a reference to the snapshot stored in a data store.
  - 11. The non-transitory, computer-readable medium of claim 8, wherein the data saved by the snapshot includes at least one of log data, environmental variables, environmental conditions, chart data, chart UI information, a selected path and filter data or functionality to search for the same configuration of the chart at a different timeframe.
  - 12. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to configure the snapshot object as immutable once the snapshot is generated.
  - 13. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to:
    - load the saved snapshot page within the ETD forensic workspace;
      
      retrieve data from the snapshot object of the snapshot associated with the saved snapshot page; and
      
      re-create the chart on the snapshot page.
  - 14. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to transfer the saved snapshot page to a third-party for collaborative analysis.

15. A computer-implemented system, comprising:
- a computer memory; and
  
  a hardware processor interoperably coupled with the computer memory and configured to perform operations comprising;
  
  establishing an enterprise threat detection (ETD) forensic workspace according to a particular timeframe and permitting defining a selection of data types from available log data for an evaluation of events associated with one or more entities, wherein the forensic workspace is configured with functionality to define a filter path containing a series of filters to define a particular subset of the available log data;
  
  defining a chart illustrating a graphical distribution of a particular data type in the forensic workspace;
  
  generating a snapshot associated with the chart, the snapshot saving a copy of all data necessary to re-create the chart into an associated snapshot object;
  
  associating the snapshot with a snapshot page for containing the snapshot; and
  
  saving the snapshot page within the ETD forensic workspace.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-implemented system of claim 15, wherein the chart includes a structured query language (SQL) SELECT statement for selecting events from the available log data and a user interface (UI) permitting interactive functionality with the chart.
  - 17. The computer-implemented system of claim 15, wherein the snapshot page is a data container that is persisted with a reference to the snapshot stored in a data store.
  - 18. The computer-implemented system of claim 15, wherein the data saved by the snapshot is configured as immutable once the snapshot is generated and wherein the snapshot includes at least one of log data, environmental variables, environmental conditions, chart data, chart UI information, a selected path and filter data or functionality to search for the same configuration of the chart at a different timeframe.
  - 19. The computer-implemented system of claim 15, further configured to:
    - load the saved snapshot page within the ETD forensic workspace;
      
      retrieve data from the snapshot object of the snapshot associated with the saved snapshot page; and
      
      re-create the chart on the snapshot page.
  - 20. The computer-implemented system of claim 15, further configured to transfer the saved snapshot page to a third-party for collaborative analysis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Chrosziel, Florian, Hassforther, Jona, Kunz, Thomas, Mehta, Harish, Merkel, Rita, Nos, Kathrin, Peng, Wei-Guo, Pritzkau, Eugen, Rodeck, Marco, Seifert, Hartwig, Zhang, Nan, Menke, Thorsten, Dinkova, Hristina, Luo, Lin
Primary Examiner(s)
Gergiso, Techane

Application Number

US15/274,569
Publication Number

US 20180091535A1
Time in Patent Office

1,348 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/30   Monitoring

G06F 11/302   where the computing system ...

G06F 11/3051   Monitoring arrangements for...

G06F 11/323   Visualisation of programs o...

G06F 16/128   Details of file system snap...

G06F 16/248   Presentation of query results

G06F 21/00   Security arrangements for p...

G06F 2201/865   Monitoring of software

G06Q 10/0635   Risk analysis of enterprise...

H04L 63/1425   Traffic logging, e.g. anoma...

Snapshot of a forensic investigation for enterprise threat detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

197 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Snapshot of a forensic investigation for enterprise threat detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

197 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links