Managed security services (MSS) are able to provide a number of client machines with network security solutions based on the needs of the organization or network. To help manage client machines, an MSS provider may collect data on security events and analyze these events to understand how they correspond to a security incident. For example, multiple security-related events that happen on a machine within a single day may point to a malware infection on that machine.
Traditionally, MSS providers may group events into sets in order to identify specific incidents that require monitoring or remediation. However, there may be an overabundance of security-related data, which may be difficult for a client to understand. For example, an organization with a large number of devices may have many security incidents, and presenting information about each incident could cause information overload for users without providing useful context about the state of security for the organization. Furthermore, incidents are often categorized using predetermined metrics, as in a rule-based approach. In some cases, new security issues may not fall under these existing categories, and incidents may not be accurately classified. Therefore, a better method of examining security events is needed in order to understand the security behaviors of client systems. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for managing computer security of client computing machines.