Abstract: Event-triggered forensics capture technologies balance security incident data availability against data processing and storage costs. A forensic correlation engine receives basic status data of a monitored computing system. A forensic computing system detects a trigger event in the basic status data, and starts capturing extended status data per a corresponding capture specification. Captured data is submitted to a forensic analysis tool. Different trigger events may cause different data captures. A query specifying which data to capture from a live stream or from virtual machines may operate as a capture trigger start event. Extended status data capture activity may be stopped by a change in the basic status data being received, by a timeout, or by forensic analysis that finds no vulnerability or threat based on captured data. Data transfers and storage may be restricted to comply with privacy regulations or policies.

Abstract: Disclosed herein is a system for generating and displaying information useful to help a security analyst understand a scale and a root cause of a potential security issue associated with a resource. The resource can include a server, a storage device, a user device (e.g., a personal computer, a tablet computer, a smartphone, etc.), a virtual machine, networking equipment, etc. The resource may be one that is under control of an entity operating a security operations center. Additionally or alternatively, the resource may be one that is configured to be monitored by the security operations center. The information provides the security analyst with a broader context of the potential security issue based on relationships between the potential security issues and other security issues. Consequently, the information enables the security analyst to implement more efficient and effective actions to handle the potential security issue.

Abstract: Disclosed herein is a system for generating and displaying information useful to help a security analyst understand a scale and a root cause of a potential security issue associated with a resource. The resource can include a server, a storage device, a user device (e.g., a personal computer, a tablet computer, a smartphone, etc.), a virtual machine, networking equipment, etc. The resource may be one that is under control of an entity operating a security operations center. Additionally or alternatively, the resource may be one that is configured to be monitored by the security operations center. The information provides the security analyst with a broader context of the potential security issue based on relationships between the potential security issues and other security issues. Consequently, the information enables the security analyst to implement more efficient and effective actions to handle the potential security issue.