A security management system, such as a security information and event management (SIEM) system, provide a computing environment that enables real-time analysis of security-related events generated based computing activity. A SIEM system may also provide analytical tools having a range of functions including trend analysis, event identification, and alerting.
Despite having an implemented SIEM system, enterprises continue to battle a host of security vulnerabilities in their information technology (IT) systems as distributed computing systems are rapidly adopted and expanded by the enterprises. With an expansion of distributed computing systems comes additional security issues due to the addition of the new components and the communications between these components. Such changes may introduce new challenges for monitoring and analyzing security events based on activity occurring in the distributed computing systems.
Often, a user of a SIEM system may be presented with large amounts of data relating to security events occurring in the system. Left with a difficult task of sorting through the data to identify significant, or noteworthy events, the user faces an additional challenge of indicating or flagging events to be distinguished from each other. The user may desire to exclude events of little relevance or alternatively may wish to flag events of importance such as those relating to potential security threats. It may be useful for an analyst to be provided with a tool that, besides presenting information related to events, enables the analyst to filter such events to efficiently identify important events, such as those related to a security threat.