Data investigation and visualization system

Inventors

FORSYTH, Kyle Nicolas • SANDERS, Mark Jason • KOROBOW, Adam Keith • MCCABE, Eric Richard • IVANCICH, Mychal William • Peters, David Michael • JENKINS, Cody Steven

Abstract

Data investigations are performed by querying a plurality of data sources. A system receives an investigation input and queries a plurality of data sources in accordance with the received input. The system receives, in response to the querying, response data from the plurality of data sources, and generates and stores a data structure representing relationships between the first investigation input and the first response data. The data structure may be in the form of a knowledge graph. The system may generate and display a visualization of the data structure. The system may generate and store a record of investigation steps used to generate the data structure, such that the investigation steps may be applied in future instances, for example using different inputs, to generate new data structures.

Core Innovation

The invention performs a data investigation by receiving, at a query controller of a first system, a first user input comprising a first investigation input with an indication of a first entity. The query controller automatically queries a first plurality of data sources in accordance with the first investigation input, receives first response data from the first plurality of data sources, and generates and stores a data investigation data structure representing relationships between the first investigation input and the first response data.

In the data investigation data structure, entities are represented as nodes and relationships between entities are represented as links between nodes. The generated data investigation data structure is transferred from the first system to a second system that is air-gapped from the first system and has a higher classification level.

The second system then queries a second plurality of data sources distinct from the first plurality of data sources in accordance with a second user input received at the second system. The second system receives second response data from the second plurality of data sources having the higher classification level than the first response data, and augments the data investigation data structure based on the second response data so that the data investigation data structure represents relationships between the second investigation input and the second response data having the higher classification level than the first response data.

Claims Coverage

The independent claims cover a multi-system, air-gapped workflow that automatically queries multiple data sources based on investigation inputs and builds/stores a relationship-based data investigation data structure that is later augmented after transfer to a higher-classification system. Across the independent claims, the main inventive features focus on automated query control, representing relationships as nodes and links in a stored data investigation data structure, transferring that structure to an air-gapped higher-classification second system, and augmenting the structure using additional, distinct higher-classification query results.

Together, the independent claims require generating and storing a relationship-representing data investigation data structure (entities as nodes and relationships as links), transferring it to an air-gapped higher-classification system, and then querying distinct data sources at that higher classification level to augment the same data investigation data structure with additional relationships.

Stated Advantages

Documented Applications

No documented applications found