Intrusion detection systems are used by an enterprise to detect and identify unauthorized or unwanted use (commonly called an attack) of the enterprise's computer network, which normally comprises a large number of nodes and network operations centers. In general, these enterprise intrusion detection systems detect events using sensors or other intrusion detection devices. The system then scans the incoming event data for malicious activity, applying rules designed to detect specific patterns in network traffic, audit trails, and other data sources. The event data is normally displayed on an event display interface that allows an operator to apply filters to modify the level of data displayed. The event data interface, however, does not allow the operator to create new rules for correlating events. The creation of new rules must typically be done at a separate interface, the correlation rule design interface. This second interface requires the operator to first design the rule and then test the rule against a replay of old data. This trial-and-error method of rule building typically requires the operator to have a technical understanding of the underlying rule structure.