Title of invention: CORRELATING EVENT LOGS TO IDENTIFY A POTENTIAL SECURITY BREACH
Abstract: Systems and techniques for displaying timelines of event logs are described. A software application may identify event logs associated with an identifier, such as an IP address of a network element or a username. The software application may group the identified event logs based on specified criteria. The software application may determine multiple sessions in which an individual session includes a group of event logs arranged along a timeline. Sessions associated with a same network element may be displayed with a same magnitude. Sessions associated with different network elements may be displayed with different magnitudes. For example, a first timeline of event logs in a first session at a first network element may be displayed at a first height. A second timeline of event logs in a second session at a second network element may be displayed at a second height.
Publication number: US2017063884(A1) Publication date: 2017.03.02
Application number: US201514840739 Filing date: 2015.08.31
Applicant: Dell Products L.P. Inventor: Seigel Jake
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Main claim: 1. A computer-implemented method, comprising: identifying, in an event log database, a plurality of event logs associated with an identifier and having corresponding timestamps that are within a specified time interval; grouping, by auditing software executed by one or more processors of a central server, the plurality of event logs based at least in part on one or more criteria to create one or more groups of events; determining, by the auditing software, a first session based on a group of events from the one or more groups of events, the group of events starting with a specified type of event; and displaying the first session as a first timeline of events, the first session associated with a first network element.
Address: Round Rock TX US
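
The steps of the main claim (select by identifier and time interval, group, open a session at a specified event type, show one timeline per session) can be sketched as follows. This is an added example, not code from the patent or from Dell; the log tuple layout, the choice of network element as the grouping criterion, `login` as the session-start event, and the integer "height" per element are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample event logs (not from the patent): time, identifier, element, type.
SAMPLE_LOGS = [
    ("2015-08-31T09:00:00", "alice", "vpn-gw", "login"),
    ("2015-08-31T09:00:05", "bob", "vpn-gw", "login"),
    ("2015-08-31T09:02:10", "alice", "file-srv", "login"),
    ("2015-08-31T09:03:00", "alice", "file-srv", "file_read"),
    ("2015-08-31T09:05:00", "alice", "vpn-gw", "config_view"),
    ("2015-08-31T09:30:00", "alice", "file-srv", "login"),
    ("2015-08-31T09:31:00", "alice", "file-srv", "file_delete"),
    ("2015-08-31T23:00:00", "alice", "vpn-gw", "login"),
]

def build_sessions(logs, identifier, start, end, start_type="login"):
    """Return sessions for one identifier as dicts, ordered by element then time."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    # Step 1: select logs for the identifier whose timestamps fall in the interval.
    selected = sorted(
        (datetime.fromisoformat(ts), elem, etype)
        for ts, ident, elem, etype in logs
        if ident == identifier and lo <= datetime.fromisoformat(ts) <= hi
    )
    # Step 2: group by the assumed criterion, the network element.
    groups = defaultdict(list)
    for ts, elem, etype in selected:
        groups[elem].append((ts, etype))
    # Step 3: within a group, each start_type event opens a new session.
    sessions = []
    for height, elem in enumerate(sorted(groups), start=1):
        current = None
        for ts, etype in groups[elem]:
            if etype == start_type:
                current = {"element": elem, "height": height, "events": []}
                sessions.append(current)
            if current is not None:  # events before any start event are skipped
                current["events"].append((ts.isoformat(), etype))
    return sessions

def render(sessions):
    """Text timeline: one line per session, same height for the same element."""
    return [f"h={s['height']} {s['element']}: " + " -> ".join(e for _, e in s["events"])
            for s in sessions]

if __name__ == "__main__":
    print("\n".join(render(build_sessions(
        SAMPLE_LOGS, "alice", "2015-08-31T08:00:00", "2015-08-31T12:00:00"))))
```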