
MECHANISM TO AUGMENT IPS/SIEM EVIDENCE INFORMATION WITH PROCESS HISTORY SNAPSHOT AND APPLICATION WINDOW CAPTURE HISTORY

  • US 20160277428A1
  • Filed: 05/20/2015
  • Published: 09/22/2016
  • Est. Priority Date: 03/19/2015
  • Status: Active Grant
First Claim

1. A method to augment a plurality of intrusion prevention software (IPS) or Security Information and Event Management software (SIEM) evidence information, the method comprising:

  • monitoring a plurality of processes associated with a computer system, wherein a length of time associated with the monitoring is determined according to an assigned weight associated with each process within the monitored plurality of processes, and wherein the assigned weight is pre-calculated and maintained in a table corresponding to a plurality of tracked processes;
  • detecting, by an intrusion prevention software (IPS) or a Security Information and Event Management software (SIEM), a plurality of processes within the monitored plurality of processes that have network activity;
  • in response to receiving an online notification of the detection of a plurality of processes within the monitored plurality of processes that have network activity by the IPS or SIEM, identifying the detected plurality of processes that have network activity;
  • capturing the identified plurality of processes that have network activity, wherein the capturing comprises routinely taking a system snapshot of the identified plurality of system processes, and collecting a plurality of sequenced screen capture images associated with the identified plurality of system processes to create a first video;
  • storing the identified captured plurality of processes that have network activity, wherein the storing the identified captured plurality of processes that have network activity comprises storing the captured plurality of system snapshots in a first cache;
  • monitoring a plurality of selected programs associated with an operating system of the computer system;
  • detecting, by the IPS or the SIEM, a plurality of selected programs within the monitored plurality of selected programs that have network activity;
  • in response to receiving an online notification of the detection of a plurality of selected programs within the monitored plurality of selected programs that have network activity by the IPS or SIEM, identifying the detected plurality of selected programs that have network activity;
  • capturing a plurality of screen capture images associated with the identified plurality of selected programs, wherein the capturing comprises collecting a plurality of sequenced screen capture images of processes associated with the identified plurality of selected programs to create a second video;
  • storing the captured plurality of system process activity, wherein the storing the captured plurality of system process activity comprises storing the captured plurality of screen capture images in a second cache;
  • in response to a request by the IPS or the SIEM, querying the first cache and the second cache, wherein the querying is based on a detected network attack;
  • retrieving the stored first video and the stored second video, wherein the retrieved stored first video and the retrieved stored second video contain a plurality of network activity captured immediately prior to the detected network attack;
  • attaching the retrieved first video and the retrieved second video together with a network packet capture dump and a plurality of IPS and SIEM events into a single Binary Large OBject (BLOB), wherein the single BLOB is a collection of binary data stored as a single entity in a database management system; and
  • sending an electronic notification of the single BLOB to a management console associated with the computer system.
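The claim above describes a weight-driven history cache per process, a query of that cache at attack time, and the bundling of the retrieved history with a packet capture and IPS/SIEM events into one BLOB. The following is an added illustration of that flow, not code from the patent; the weight table, the mapping of weight to retention seconds, and the JSON BLOB layout are assumptions.

```python
import json
from collections import deque

# Constructed weight table (assumption): weight * SECONDS_PER_WEIGHT is the number
# of seconds of history retained for that process; untracked processes get weight 1.
WEIGHT_TABLE = {"browser.exe": 3, "mailclient.exe": 2}
SECONDS_PER_WEIGHT = 60


class HistoryCache:
    """Per-process bounded history of (timestamp, frame) pairs. The retention
    window is derived from the pre-calculated weight, so higher-weight processes
    keep a longer run of snapshots or screen captures than lower-weight ones."""

    def __init__(self, weight_table=WEIGHT_TABLE):
        self.weights = weight_table
        self.frames = {}  # process name -> deque of (ts, frame)

    def window_seconds(self, proc):
        return self.weights.get(proc, 1) * SECONDS_PER_WEIGHT

    def record(self, proc, ts, frame):
        q = self.frames.setdefault(proc, deque())
        q.append((ts, frame))
        cutoff = ts - self.window_seconds(proc)
        while q and q[0][0] < cutoff:  # evict frames older than the window
            q.popleft()

    def history_before(self, proc, attack_ts):
        """Frames captured at or before the attack time, oldest first."""
        return [f for t, f in self.frames.get(proc, ()) if t <= attack_ts]


def assemble_evidence_blob(snapshots, screens, proc, attack_ts, pcap, events):
    """Join the snapshot history (first cache) and screen-capture history (second
    cache) with the packet capture and IPS/SIEM events into one binary object.
    JSON is used as the container here; the claim does not fix a format."""
    record = {
        "process": proc,
        "attack_ts": attack_ts,
        "snapshot_video": snapshots.history_before(proc, attack_ts),
        "screen_video": screens.history_before(proc, attack_ts),
        "pcap_hex": pcap.hex(),
        "events": events,
    }
    return json.dumps(record, sort_keys=True).encode()


def parse_evidence_blob(blob):
    """Decode a BLOB produced by assemble_evidence_blob back into a dict."""
    return json.loads(blob.decode())
```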
