Cybersecurity analysts detect malicious activities using rules that process and correlate events from log files. Not every detection necessarily points to malicious activity; rather, a detection can prompt a cybersecurity analyst to drill down into the underlying events to determine if the detection indicates a true attack. The drilling-down of detections is difficult due to the large size of log files, large numbers of detection rules, and the large number of events per detection. This disclosure describes techniques to determine and to display all the events from all detections from any rule in near real-time. A first stage translates cybersecurity rules to parallelized database queries, finds detections, and finds references to a subset of the event samples. A second stage dereferences the event identifier and returns actual event samples. In a third stage, the cybersecurity analyst can execute a query to get all event samples associated with a given detection.

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.