Title: USER ACTIVITY MONITORING
Abstract: Systems and methods are disclosed for associating an entity with a risk score that may indicate a security threat associated with the entity's activity. An exemplary method may involve monitoring the activity of a subset of the set of entities (e.g., entities included in a watch list) by executing a search query against events indicating the activity of the subset of entities. The events may be associated with timestamps and may include machine data. Executing the search query may produce search results that pertain to activity of a particular entity from the subset. The search results may be evaluated based on a triggering condition corresponding to the statistical baseline. When the triggering condition is met, a risk score for the particular entity may be updated. The updated risk score may be displayed to a user via a graphical user interface (GUI).
Publication number: US2016306965(A1) Publication date: 2016.10.20
Application number: US201514691535 Filing date: 2015.04.20
Applicant: Splunk Inc. Inventors: Iyer Ravi; Badhani Devendra; Chauhan Vijay
Classification: G06F21/55; G06F17/30 Main classification: G06F21/55
Agency: (not listed) Agent: (not listed)
Main claim: 1. A method comprising: identifying, from a set of entities to be monitored, a subset of the set of entities for additional monitoring; performing the additional monitoring by accessing a scoring rule that defines a search query and a risk modifier, the risk modifier indicative of an amount by which to adjust a risk score of a particular entity when a triggering condition is satisfied; after said accessing the scoring rule, executing the search query against a plurality of events associated with the activity of the subset of the set of entities, wherein the search query produces a search result pertaining to activity of the particular entity, wherein each event of the plurality of events is associated with a timestamp and includes machine data; determining whether the search result meets the triggering condition; and responsive to determining that the search result meets the triggering condition, updating the risk score for the particular entity based on the risk modifier in the scoring rule, the risk score indicating a security threat associated with activity of the particular entity; and causing at least one of: display of an indication of the updated risk score, transmission of an indication of the updated risk score, or remedial action based on the updated risk score.
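The scoring loop that claim 1 describes, as an added illustration in Python; this is not code from the patent or from Splunk. It models a scoring rule as a search predicate plus a triggering condition and a risk modifier, runs each rule only over events of watch-listed entities, and adds the modifier to an entity's risk score when the condition is met. The `Event` fields, the count threshold standing in for the baseline-derived triggering condition, and the log lines are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Event:
    """One event: a timestamp plus the raw machine data it was derived from."""
    timestamp: datetime
    entity: str   # the user the event is attributed to (hypothetical field)
    raw: str      # machine data, e.g. an auth log line


@dataclass
class ScoringRule:
    """A scoring rule: a search query, a triggering condition and a risk modifier."""
    name: str
    search: Callable[[Event], bool]  # the "search query", modelled as a predicate
    threshold: int                   # triggering condition: at least this many hits
    risk_modifier: int               # amount added to the entity's risk score


def execute_search(events: List[Event], watch_list: Set[str],
                   rule: ScoringRule) -> Dict[str, List[Event]]:
    """Run one rule's search over events of watch-listed entities only.

    Returns the matching events grouped by entity (the 'search result').
    """
    hits: Dict[str, List[Event]] = {}
    for ev in events:
        if ev.entity in watch_list and rule.search(ev):
            hits.setdefault(ev.entity, []).append(ev)
    return hits


def apply_rules(events: List[Event], watch_list: Set[str], rules: List[ScoringRule],
                scores: Dict[str, int]) -> Tuple[Dict[str, int], List[Tuple[str, str, int]]]:
    """Evaluate every rule; when its triggering condition is met, update the risk score.

    Returns the updated scores and a list of (rule, entity, hit count) for each
    trigger, which is what a GUI or alert transmission would be fed.
    """
    scores = dict(scores)  # do not mutate the caller's copy
    triggered: List[Tuple[str, str, int]] = []
    for rule in rules:
        for entity, matches in execute_search(events, watch_list, rule).items():
            if len(matches) >= rule.threshold:
                scores[entity] = scores.get(entity, 0) + rule.risk_modifier
                triggered.append((rule.name, entity, len(matches)))
    return scores, triggered


def _ts(hhmm: str) -> datetime:
    return datetime.strptime(f"2015-04-20 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed sample machine data (not from the patent). 'bob' is not on the
# watch list, so his events are never searched or scored.
SAMPLE_EVENTS = [
    Event(_ts("02:10"), "alice", "sshd[411]: Failed password for alice from 10.0.0.5 port 51022 ssh2"),
    Event(_ts("02:11"), "alice", "sshd[412]: Failed password for alice from 10.0.0.5 port 51023 ssh2"),
    Event(_ts("02:12"), "alice", "sshd[413]: Failed password for alice from 10.0.0.5 port 51024 ssh2"),
    Event(_ts("02:15"), "alice", "sshd[414]: Accepted password for alice from 10.0.0.5 port 51025 ssh2"),
    Event(_ts("09:00"), "mallory", "sshd[520]: Failed password for mallory from 10.0.0.9 port 40001 ssh2"),
    Event(_ts("09:01"), "mallory", "sshd[521]: Failed password for mallory from 10.0.0.9 port 40002 ssh2"),
    Event(_ts("14:00"), "bob", "sshd[630]: Failed password for bob from 10.0.0.7 port 33001 ssh2"),
    Event(_ts("14:01"), "bob", "sshd[631]: Failed password for bob from 10.0.0.7 port 33002 ssh2"),
    Event(_ts("14:02"), "bob", "sshd[632]: Failed password for bob from 10.0.0.7 port 33003 ssh2"),
]

WATCH_LIST = {"alice", "mallory"}

RULES = [
    # Three or more failed logins in the window: +20.
    ScoringRule("failed_logins", lambda e: "Failed password" in e.raw,
                threshold=3, risk_modifier=20),
    # Any successful login outside 08:00-18:00: +10.
    ScoringRule("off_hours_login",
                lambda e: "Accepted password" in e.raw and not 8 <= e.timestamp.hour < 18,
                threshold=1, risk_modifier=10),
]


def run_demo() -> Tuple[Dict[str, int], List[Tuple[str, str, int]]]:
    """Score the sample events; every watch-listed entity starts at 0."""
    initial = {name: 0 for name in WATCH_LIST}
    return apply_rules(SAMPLE_EVENTS, WATCH_LIST, RULES, initial)


if __name__ == "__main__":
    final_scores, fired = run_demo()
    for rule_name, entity, count in fired:
        print(f"{rule_name}: {entity} matched {count} event(s)")
    print(final_scores)
```

Running the block scores alice at 30 (both rules fire), leaves mallory at 0 (two failures is below the threshold), and never creates a score for bob, which is the point of restricting the search to the watch-listed subset.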
Address: San Francisco CA US