CPC G06F 21/552 (2013.01) [G06F 21/577 (2013.01); G06F 2221/034 (2013.01)] | 14 Claims
1. A method, performed by one or more processors, comprising:
receiving a plurality of system event records;
processing the plurality of system event records using a set of event detectors to determine that a suspicious system event associated with a first system has occurred;
determining, for each of a plurality of properties associated with the suspicious system event, a corresponding plurality of property values, wherein the plurality of properties include one or more event properties associated with the suspicious system event, properties of the first system, or vulnerability properties associated with the first system;
sending, to a client device, the determined plurality of property values associated with the suspicious system event, wherein the plurality of property values are displayed on a user interface comprising a plurality of user interface elements corresponding to the plurality of properties;
receiving, from the client device, user input of one or more user interface elements indicating a selected one or more property values of the plurality of property values associated with the suspicious system event;
in response to receiving the one or more property values selected by user input, initiating generation of one or more new event detectors based on the one or more property values selected by user input; and
adding the one or more new event detectors to the set of event detectors.
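The detect, present, select, generate and extend loop that claim 1 describes, as an added Python example that is not part of the patent; the event records, the per-system inventory and vulnerability properties, the initial detector and the simulated user selection are all constructed here.

```python
from typing import Callable, Dict, List

# Constructed sample data (not from the patent): event records plus per-system
# inventory and vulnerability properties, keyed by system name.
EVENT_RECORDS: List[dict] = [
    {"id": 1, "system": "host-a", "type": "login", "user": "svc", "src_ip": "10.0.0.5", "hour": 3},
    {"id": 2, "system": "host-b", "type": "login", "user": "svc", "src_ip": "10.0.0.5", "hour": 14},
    {"id": 3, "system": "host-a", "type": "process", "user": "root", "name": "bash", "hour": 4},
]
SYSTEM_PROPERTIES = {"host-a": {"role": "db"}, "host-b": {"role": "web"}}
VULNERABILITY_PROPERTIES = {"host-a": {"unpatched_cve_count": 3}, "host-b": {"unpatched_cve_count": 0}}

Detector = Callable[[dict], bool]


def off_hours_login(rec: dict) -> bool:
    """Initial hand-written detector (assumed): logins between 00:00 and 05:59."""
    return rec.get("type") == "login" and rec.get("hour", 24) < 6


def run_detectors(records: List[dict], detectors: List[Detector]) -> List[dict]:
    """Processing step: flag every record that any detector in the set matches."""
    return [r for r in records if any(d(r) for d in detectors)]


def collect_properties(event: dict) -> Dict[str, object]:
    """Determining step: event properties plus properties of the affected system and its vulnerabilities."""
    props = {f"event.{k}": v for k, v in event.items() if k != "id"}
    props.update({f"system.{k}": v for k, v in SYSTEM_PROPERTIES.get(event["system"], {}).items()})
    props.update({f"vuln.{k}": v for k, v in VULNERABILITY_PROPERTIES.get(event["system"], {}).items()})
    return props


def build_detector(selected: Dict[str, object]) -> Detector:
    """Generation step: a new detector that fires when a record carries all selected property values."""
    def detector(rec: dict) -> bool:
        props = collect_properties(rec)
        return all(props.get(k) == v for k, v in selected.items())
    return detector


def detect_and_extend(records: List[dict], detectors: List[Detector], selected_keys: List[str]) -> List[int]:
    """One pass of the loop: detect, collect the properties the UI would display for the first hit,
    take the user's selection (simulated by selected_keys), generate a detector from it, add it to
    the set, and re-run. Returns the sorted ids of all flagged records."""
    suspicious = run_detectors(records, detectors)
    if not suspicious:
        return []
    props = collect_properties(suspicious[0])        # values shown on the UI elements
    selected = {k: props[k] for k in selected_keys}  # values the user selected
    detectors.append(build_detector(selected))       # adding step: extend the detector set
    return sorted(r["id"] for r in run_detectors(records, detectors))
```

Re-running over the same records shows the effect of the generated detector: record 2 is now flagged through the selected user and source address even though it is not an off-hours login, which is also why a selection of too few properties can over-match.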