Detection components in a security system analyze networks and hosts to detect machines that have been compromised by malicious activity or that are vulnerable to such compromise. Such detections are expressed as alerts about the security state of machines, user accounts, or other system assets.
A security system may raise false alerts, which may lead to costly manual investigation. Such alerts may occur because the system incorrectly analyzed data, because various components of the system are too sensitive, because the system is not adapted for its particular environment, or for other reasons. Manual investigation and adjustment of the detection components may involve considerable time and effort.
The subject matter claimed herein is not limited to embodiments that solve any disadvantages or that operate only in environments such as those described above. Rather, this background is only provided to illustrate one exemplary technology area where some embodiments described herein may be practiced.