Security Information and Event Management (SIEM) systems support only static analysis based on predefined event rules. Instead, a flexible, user-programmable information triage approach is needed that can process the volume, variety and velocity of all relevant internal and external data. Bonsai will give security managers the ability to quickly craft data triage workflows using natural language expressions. Bonsai will:

+ Guide the user to alternate between two broad categories of short natural language queries: ones that narrow the collection and ones that expand it. Alternating narrowing and expanding queries are naturally composable and produce expressive sequences.

+ Translate each natural language query in the sequence into Language Integrated Query (LIQ). LIQ was developed from strong mathematical foundations that guarantee composability, and can be translated into most major database, streaming-data and unstructured-data query frameworks.

We will demonstrate the value of Bonsai in a relevant scenario such as a potential phishing attack. Bonsai will combine and triage textual sources (such as emails or web pages), structured sources (such as network logs) and semi-structured sources (such as new threat information). To enhance commercialization potential, Bonsai will operate on the data in situ and will integrate its components using the HTTP protocol and RESTful interfaces.
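The following is an added example, not Bonsai's code and not a Language Integrated Query translator: it shows what an alternating narrow/expand triage sequence looks like when run over the three kinds of sources the phishing scenario names. The emails, network log records, threat feed entries and the host-to-owner mapping are constructed sample data, and the phrase table that stands in for a natural language front end is an assumption made for illustration. Each step is a pure function on a working set, so the steps compose left to right, and the planner refuses two consecutive steps of the same kind to mirror the guided alternation described above.

```python
"""Added example: a composable narrow/expand triage pipeline for a phishing scenario.

All data below is constructed for illustration; the phrase table is a stand-in,
not Bonsai's natural language front end or its LIQ translation.
"""
from __future__ import annotations

from typing import Callable
from urllib.parse import urlparse

# --- Constructed sample sources (not real data) ------------------------------
EMAILS = [  # textual source
    {"id": "m1", "to": "alice@example.com", "subject": "Password reset required",
     "urls": ["http://corp-login.example/reset"]},
    {"id": "m2", "to": "alice@example.com", "subject": "Lunch?", "urls": []},
    {"id": "m3", "to": "carol@example.com", "subject": "Invoice attached",
     "urls": ["http://vendor.example/inv/42"]},
]
NETLOGS = [  # structured source: which workstation contacted which domain
    {"host": "ws-alice", "dst": "corp-login.example", "ts": 100},
    {"host": "ws-alice", "dst": "intranet.example.com", "ts": 101},
    {"host": "ws-dave", "dst": "corp-login.example", "ts": 105},
    {"host": "ws-dave", "dst": "files.corp-login.example", "ts": 106},
    {"host": "ws-carol", "dst": "vendor.example", "ts": 110},
]
THREAT_INTEL = [  # semi-structured source: feed entries with free-form tags
    {"indicator": "corp-login.example", "tags": ["phishing"]},
    {"indicator": "evil.example", "tags": ["malware"]},
]
HOST_OWNER = {  # assumed asset inventory linking hosts to mailbox owners
    "ws-alice": "alice@example.com",
    "ws-dave": "dave@example.com",
    "ws-carol": "carol@example.com",
}

State = dict  # entity kind -> set of ids, e.g. {"email": {"m1"}, "host": {...}}
Op = Callable[[State], State]


def phishing_emails(s: State) -> State:
    """narrow: emails whose links point at a domain tagged 'phishing' in the feed."""
    bad = {t["indicator"] for t in THREAT_INTEL if "phishing" in t["tags"]}
    hits = {e["id"] for e in EMAILS
            if any(urlparse(u).hostname in bad for u in e["urls"])}
    return {**s, "email": hits}


def hosts_contacting_linked_domains(s: State) -> State:
    """expand: hosts in the network logs that reached a domain linked from the selected emails."""
    domains = {urlparse(u).hostname
               for e in EMAILS if e["id"] in s["email"] for u in e["urls"]}
    hosts = {r["host"] for r in NETLOGS if r["dst"] in domains}
    return {**s, "domain": domains, "host": hosts}


def hosts_whose_user_got_no_email(s: State) -> State:
    """narrow: keep hosts whose owner was not a recipient of the selected emails
    (they reached the phishing site by some other path, so they need a closer look)."""
    recipients = {e["to"] for e in EMAILS if e["id"] in s["email"]}
    kept = {h for h in s["host"] if HOST_OWNER.get(h) not in recipients}
    return {**s, "host": kept}


def other_destinations(s: State) -> State:
    """expand: every other domain those hosts contacted, i.e. candidate new indicators."""
    extra = {r["dst"] for r in NETLOGS if r["host"] in s["host"]} - s["domain"]
    return {**s, "candidate_domain": extra}


# Toy phrase table standing in for a natural language front end (assumption).
QUERIES: dict[str, tuple[str, Op]] = {
    "emails linking to known phishing domains": ("narrow", phishing_emails),
    "hosts that contacted the domains in those emails": ("expand", hosts_contacting_linked_domains),
    "only hosts whose user did not receive one of those emails": ("narrow", hosts_whose_user_got_no_email),
    "every other domain those hosts contacted": ("expand", other_destinations),
}


def plan(phrases: list[str]) -> list[Op]:
    """Resolve phrases to operators and enforce narrow/expand alternation."""
    ops: list[Op] = []
    last = None
    for p in phrases:
        kind, fn = QUERIES[p]  # KeyError for a phrase the table does not know
        if kind == last:
            raise ValueError(f"two consecutive {kind} steps: {p!r}")
        ops.append(fn)
        last = kind
    return ops


def run(phrases: list[str], state: State | None = None) -> State:
    """Compose the planned steps left to right; each output feeds the next step."""
    s = dict(state or {})
    for op in plan(phrases):
        s = op(s)
    return s


if __name__ == "__main__":
    for kind, value in run(list(QUERIES)).items():
        print(f"{kind}: {sorted(value)}")
```

On the constructed data the full sequence ends with `host == {"ws-dave"}` (dave's workstation reached the phishing domain although no phishing email was delivered to dave) and `candidate_domain == {"files.corp-login.example"}`, a domain the threat feed does not yet list. A sequence such as narrow, narrow is rejected by `plan` before anything runs.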
Keywords: Dynamic Network Monitoring, Natural Language Query, Language Integrated Query