Method and system for analysis of security events in a managed computer network

Abstract

An event retrieval and analysis system compares counts of event data for a device to stored profile counts to determine if alerts should be triggered. Event data can be retrieved by a sensor. Rules for analyzing the event data can be retrieved based on the device. The event data is analyzed based on the rules to determine recordable events. Recordable events are organized into categories representing a type or severity of attack. Current event counts are calculated by summing the recordable events for each category. A normal profile is retrieved for the device and compared to the current event count. A percentage change trigger can be retrieved from a threshold matrix based on the current event count. The percentage increase of the current event count over the normal profile is calculated and compared to the percentage change trigger to determine if an alert is triggered by the analysis system.
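As an added illustration (not code from the patent or its assignee), here is the per-category comparison the abstract describes, run over a constructed list of recordable events, a constructed normal profile and a constructed threshold matrix; the device names, category names, count bands and trigger percentages are all assumptions.

```python
from collections import Counter
import math

# Constructed sample input: recordable events as (device, category) pairs,
# i.e. sensor events that already matched the device's rules.
RECORDABLE_EVENTS = (
    [("fw-01", "recon")] * 35
    + [("fw-01", "dos")] * 12
    + [("fw-01", "malware")] * 3
)

# Constructed normal profile: expected per-category count for each device.
NORMAL_PROFILE = {"fw-01": {"recon": 20, "dos": 4, "malware": 0}}

# Constructed threshold matrix: (low, high, trigger_percent); a row applies
# when low <= current count < high. Low counts need a larger jump to fire so
# that 2 -> 4 events does not page anyone; high counts fire on a smaller one.
THRESHOLD_MATRIX = [(0, 10, 300.0), (10, 100, 100.0), (100, math.inf, 50.0)]


def percentage_change_trigger(count):
    """Look up the percentage change trigger for a current event count."""
    for low, high, trigger in THRESHOLD_MATRIX:
        if low <= count < high:
            return trigger
    raise ValueError(f"no threshold row covers count {count}")


def current_event_counts(events, device):
    """Sum recordable events per category for one device."""
    return Counter(cat for dev, cat in events if dev == device)


def percentage_increase(current, baseline):
    """Increase of current over baseline; a zero baseline with activity is unbounded."""
    if baseline == 0:
        return math.inf if current > 0 else 0.0
    return (current - baseline) / baseline * 100.0


def evaluate_device(device, events, profile):
    """Compare each category's current count to the profile; alert at or above the trigger."""
    counts = current_event_counts(events, device)
    baseline = profile.get(device, {})  # unknown device: baseline zero, so any activity alerts
    results = {}
    for category in set(counts) | set(baseline):
        current, normal = counts.get(category, 0), baseline.get(category, 0)
        trigger = percentage_change_trigger(current)
        increase = percentage_increase(current, normal)
        results[category] = {"current": current, "normal": normal, "trigger": trigger,
                             "increase": increase, "alert": increase >= trigger}
    return results
```

With the constructed data, "recon" rises 75% against a 100% trigger and stays quiet, while "dos" (200% over profile) and "malware" (activity against a zero baseline) both alert.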