US 12,323,452 B1
Customizable threat rules in a computer network
George Tsironis, Santa Clara, CA (US)
Assigned to Cisco Technology, Inc., San Jose, CA (US)
Filed by Splunk LLC, San Francisco, CA (US)
Filed on May 10, 2021, as Appl. No. 17/316,560.
Application 17/316,560 is a continuation of application No. 15/582,739, filed on Apr. 30, 2017, granted, now 11,032,307.
Int. Cl. H04L 9/40 (2022.01); G06F 21/55 (2013.01); H04L 41/0681 (2022.01)
CPC H04L 63/1433 (2013.01) [G06F 21/554 (2013.01); H04L 41/0681 (2013.01); H04L 63/0263 (2013.01); H04L 63/1425 (2013.01); H04L 63/20 (2013.01); H04L 63/0218 (2013.01); H04L 63/145 (2013.01)] 18 Claims
 
1. A method, comprising:
causing display of a plurality of graphical controls on each of a plurality of displays that enable a user to define a plurality of attributes of a customizable threat rule, the plurality of graphical controls including:
an entity type graphical control usable to define a computer network entity attribute that specifies a type of a computer network entity of a computer network,
an anomaly pattern graphical control usable to define an anomaly pattern attribute,
a time period graphical control usable to define a time period for processing anomalies, and
an action graphical control usable to specify a remedial or mitigative action to perform in response to an anomaly that satisfies the plurality of attributes of the customizable threat rule;
wherein the user can navigate between respective displays of the plurality of displays;
generating the customizable threat rule based on the attributes defined by user selections on the plurality of displays, wherein generating the customizable threat rule includes:
customizing the computer network entity attribute that specifies the type of computer network entity in response to selection by the user of a type of computer network entity from among a displayed set of selectable types of computer network entities using the entity type graphical control, wherein the displayed set of selectable types of computer network entities includes a user entity type, a device entity type and a session entity type;
customizing the anomaly pattern attribute in response to an interaction by the user with the anomaly pattern graphical control, the anomaly pattern graphical control being selected based on the selection of the type of computer network entity, and the anomaly pattern attribute defining a detectable variation from an expected pattern of behavior associated with the type of computer network entity;
customizing the time period for processing anomalies in response to an interaction by the user with the time period graphical control; and
customizing the remedial or mitigative action in response to an interaction by the user with the action graphical control;
receiving, at a security platform, input indicating detection, based on an anomaly model, of a detected anomaly on the computer network;
in response to receiving the input, processing the detected anomaly by the security platform using the customizable threat rule; and
performing the customized remedial or mitigative action in response to the detected anomaly when the detected anomaly is associated with an entity that satisfies the customized computer network entity attribute of the customizable threat rule, the detected anomaly satisfies the customized anomaly pattern attribute of the customizable threat rule, and the detected anomaly is detected during the customized time period for processing anomalies of the customizable threat rule.
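As an added illustration (not code from the patent or from the assignee), the rule structure of claim 1 expressed as a small evaluator: a rule carries an entity-type attribute, an anomaly-pattern attribute, a time period and an action, and the action is returned only when a detected anomaly satisfies all three attributes. Class names, field names, the sample rule and the sample anomalies are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# The selectable entity types named in the claim.
ENTITY_TYPES = {"user", "device", "session"}


@dataclass(frozen=True)
class ThreatRule:
    entity_type: str        # computer network entity attribute
    anomaly_pattern: str    # anomaly pattern attribute
    window_start: datetime  # time period for processing anomalies
    window_end: datetime
    action: str             # remedial or mitigative action

    def __post_init__(self) -> None:
        if self.entity_type not in ENTITY_TYPES:
            raise ValueError(f"unknown entity type: {self.entity_type}")
        if self.window_end <= self.window_start:
            raise ValueError("time period must be non-empty")


@dataclass(frozen=True)
class Anomaly:
    entity_type: str   # type of the entity the anomaly is associated with
    entity_id: str
    pattern: str       # pattern reported by the anomaly model
    detected_at: datetime


def evaluate(rule: ThreatRule, anomaly: Anomaly) -> Optional[str]:
    """Return the rule's action only if entity type, pattern and time period all match."""
    if anomaly.entity_type != rule.entity_type:
        return None
    if anomaly.pattern != rule.anomaly_pattern:
        return None
    if not (rule.window_start <= anomaly.detected_at < rule.window_end):
        return None
    return rule.action


def process_anomalies(rule: ThreatRule, anomalies: List[Anomaly]) -> List[Tuple[str, str]]:
    """Apply the rule to each detected anomaly; collect (entity_id, action) pairs to perform."""
    results = []
    for anomaly in anomalies:
        action = evaluate(rule, anomaly)
        if action is not None:
            results.append((anomaly.entity_id, action))
    return results


# Constructed sample rule and anomalies (hypothetical values, not from the patent).
_UTC = timezone.utc
SAMPLE_RULE = ThreatRule("user", "unusual_login_hours",
                         datetime(2021, 5, 10, tzinfo=_UTC), datetime(2021, 5, 11, tzinfo=_UTC),
                         "notify_analyst")
SAMPLE_ANOMALIES = [
    Anomaly("user", "alice", "unusual_login_hours", datetime(2021, 5, 10, 3, tzinfo=_UTC)),   # all attributes match
    Anomaly("device", "host-7", "unusual_login_hours", datetime(2021, 5, 10, 3, tzinfo=_UTC)),  # wrong entity type
    Anomaly("user", "bob", "unusual_login_hours", datetime(2021, 5, 12, 3, tzinfo=_UTC)),      # outside time period
    Anomaly("user", "carol", "excessive_downloads", datetime(2021, 5, 10, 9, tzinfo=_UTC)),    # wrong pattern
]
```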