Post-mortem analysis, also known as root-cause analysis, is the process by which an administrator or a security analyst reconstructs the sequence of events that led to a security breach in an enterprise. The goal is to understand the incident so that similar incidents can be detected and prevented in the future. This type of analysis requires access to detailed data relevant to the incident under investigation. However, it is often infeasible to collect all available data at all times, so today's enterprise security products typically collect only a subset of the data generated in the enterprise. Such products generally collect data according to a static policy defined by the administrator or analyst. Consequently, the level of detail that is collected is determined by the capacity of the collection system rather than by the relevance of the data or of its source. In many cases, therefore, the security analyst ends up with a very large volume of data, most of which is irrelevant to the incident being investigated.
This Background is provided to introduce a brief context for the Summary and Detailed Description that follows. This Background is not intended to be an aid in determining the scope of the claimed subject matter nor be viewed as limiting the claimed subject matter to implementations that solve any or all of the disadvantages or problems presented above.