Currently, there is no easy way to view and inspect the network data surrounding a suspicious network event. Typically, analysts must correlate findings across multiple services to capture network data indicative of security threats, a time-consuming task that can delay response. This disclosure describes techniques that enable rapid response to network threats: a real-time window of network traffic is mirror-captured; in-line or out-of-band analysis is used to detect network events; and, once an event is detected, a packet-capture (pcap) file is generated from the mirrored data so that network events can be correlated with the pcap file. Visibility into the captured traffic is provided by placing, within the logging service, a pointer to the pcap file and by describing potential threats visually in terms of severity, time, category, direction, protocol, port, etc. This reduces the time and effort needed to cross-reference network logs against threat-hunting systems and databases when evaluating adversarial packets.
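The following is an added illustration of the described flow, not code from the disclosure: a rolling window of mirrored packets is kept in memory, a detector runs on each packet, and on a hit the window is frozen into a libpcap file and a log entry carrying severity, time, category, direction, protocol, port and a pointer to that pcap is emitted. The packet records, the watch-list detection rule and the `pcap://` reference scheme are constructed assumptions for this example.

```python
import struct
from collections import deque, namedtuple

# Constructed packet record: a mirrored packet plus the metadata the
# detector needs (all values in this example are made up).
Packet = namedtuple("Packet", "ts direction proto src_port dst_port payload")

PCAP_MAGIC = 0xA1B2C3D4     # classic libpcap magic, microsecond timestamps
LINKTYPE_RAW = 101          # raw IP payloads, no link-layer header

def build_pcap(packets, snaplen=65535):
    """Serialise a window of mirrored packets as a libpcap file (bytes)."""
    # Global header: magic, major 2, minor 4, tz offset, sigfigs, snaplen, linktype
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_RAW)]
    for p in packets:
        sec, usec = int(p.ts), int((p.ts - int(p.ts)) * 1_000_000)
        data = p.payload[:snaplen]
        # Record header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack("<IIII", sec, usec, len(data), len(p.payload)))
        out.append(data)
    return b"".join(out)

# Assumed detection rule (constructed): inbound traffic to a watched port.
WATCHED_PORTS = {23: "telnet-exposure", 4444: "c2-beacon"}

def detect(pkt):
    """Return (category, severity) for a suspicious packet, else None."""
    if pkt.direction == "inbound" and pkt.dst_port in WATCHED_PORTS:
        return WATCHED_PORTS[pkt.dst_port], "high"
    return None

class MirrorCapture:
    """Keeps a rolling window of mirrored packets; on a detected event it
    freezes the window into a pcap and emits a log entry pointing at it."""
    def __init__(self, window=64, store=None):
        self.window = deque(maxlen=window)            # real-time capture window
        self.store = store if store is not None else {}  # pcap_ref -> bytes
        self.events = []                              # emitted log entries

    def ingest(self, pkt):
        self.window.append(pkt)
        hit = detect(pkt)
        if hit is None:
            return None
        category, severity = hit
        ref = f"pcap://events/{len(self.events):04d}-{category}.pcap"
        self.store[ref] = build_pcap(list(self.window))
        entry = {"severity": severity, "time": pkt.ts, "category": category,
                 "direction": pkt.direction, "protocol": pkt.proto,
                 "port": pkt.dst_port, "pcap_ref": ref}
        self.events.append(entry)
        return entry
```

In a real deployment `self.store` would be an object store and the entry would be shipped to the logging service, where the `pcap_ref` field is what lets an analyst jump straight from the event to the captured window.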

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.