Title Modeling user working time using authentication events within an enterprise network
Abstract Methods, apparatus and articles of manufacture for modeling user working time using authentication events within an enterprise network are provided herein. A method includes collecting multiple instances of activity within an enterprise network over a specified period of time, wherein said multiple instances of activity are attributed to a given device; creating a model based on said collected instances of activity, wherein said model comprises a temporal pattern of activity within the enterprise network associated with the given device; and generating an alert upon detecting an instance of activity within the enterprise network associated with the given device that is (i) inconsistent with the temporal pattern of the model and (ii) in violation of one or more security parameters.
Publication number US9338187(B1) Publication date 2016.05.10
Application number US201314139019 Filing date 2013.12.23
Applicant EMC Corporation Inventors Oprea Alina;Yen Ting-Fang
Classification H04L29/06;G06F21/31 Main classification H04L29/06
Agency Ryan, Mason & Lewis, LLP Agent Ryan, Mason & Lewis, LLP
Main claim 1. A method comprising: processing multiple items of log data derived from one or more data sources associated with an enterprise network, wherein said multiple items of log data pertain to multiple instances of activity within the enterprise network over a specified period of time attributed to a given device, and wherein said processing comprises normalizing said multiple items of log data by normalizing a timestamp associated with each respective one of the multiple items of log data to a common time zone via application of a correction function to the timestamp associated with each respective one of the multiple items of log data; creating a model based on said multiple items of processed log data, wherein said model comprises a temporal pattern of activity within the enterprise network associated with the given device; generating an alert upon detecting an instance of activity within the enterprise network associated with the given device that is (i) inconsistent with the temporal pattern of the model and (ii) in violation of one or more security parameters; assigning a risk score to the alert based on one or more risk factors, wherein each respective one of the one or more risk factors has a discrete weight applied thereto; prioritizing the alert over one or more additional alerts based on the risk score; and outputting the alert and the one or more additional alerts sequentially in an order matching said prioritizing; wherein said processing, said creating, said generating, said assigning, said prioritizing, and said outputting are carried out by at least one computing device.
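The claimed pipeline end to end, as an added example that is not from the patent or from EMC: constructed authentication log lines carrying local-time offsets are normalised to UTC (the claim's correction function), a per-device set of UTC hours and source addresses forms the model, an alert fires only when an event is both outside the temporal pattern and in violation of a security parameter (here: an unseen source address), and alerts are scored with discrete weights and output highest risk first. The log lines, device names, weights and the choice of "unseen source" as the security parameter are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone
# Constructed sample logs: "<timestamp with local offset> <device> src=<ip>".
BASELINE_LOG = """\
2013-12-02T09:05:00-05:00 host-17 src=10.0.1.5
2013-12-03T10:00:00+01:00 host-42 src=10.0.2.9
2013-12-04T16:30:00+01:00 host-42 src=10.0.2.9
"""
NEW_LOG = """\
2013-12-07T14:00:00+01:00 host-42 src=203.0.113.7
2013-12-09T03:10:00-05:00 host-17 src=203.0.113.7
2013-12-09T09:30:00-05:00 host-17 src=203.0.113.7
2013-12-10T02:00:00+01:00 host-42 src=203.0.113.7
2013-12-10T02:30:00+01:00 host-42 src=10.0.2.9
"""
WEIGHTS = {"hour_gap": 1.0, "unknown_source": 5.0, "weekend": 2.0}  # assumed weights

def parse(line):
    """Split a log line and normalise its timestamp to UTC (the 'correction function')."""
    ts, device, src = line.split()
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return {"when": when, "device": device, "src": src[4:]}

def build_model(log):
    """Per device: the set of UTC hours seen (temporal pattern) and the sources seen."""
    model = defaultdict(lambda: {"hours": set(), "sources": set()})
    for ev in map(parse, log.splitlines()):
        model[ev["device"]]["hours"].add(ev["when"].hour)
        model[ev["device"]]["sources"].add(ev["src"])
    return model

def hour_gap(hour, hours):
    """Circular distance in hours to the nearest hour in the pattern (12 = no baseline)."""
    return min((min(abs(hour - h), 24 - abs(hour - h)) for h in hours), default=12)

def score_events(model, log):
    """Alert only when an event is (i) outside the device's temporal pattern AND
    (ii) from an unseen source; weight the risk factors; return highest score first."""
    alerts = []
    for line in log.splitlines():
        ev = parse(line)
        profile = model[ev["device"]]
        gap = hour_gap(ev["when"].hour, profile["hours"])
        unknown_src = ev["src"] not in profile["sources"]
        if gap == 0 or not unknown_src:
            continue  # one condition alone is not enough under the claim
        score = (WEIGHTS["hour_gap"] * gap + WEIGHTS["unknown_source"]
                 + WEIGHTS["weekend"] * (ev["when"].weekday() >= 5))
        alerts.append((score, line))
    return sorted(alerts, reverse=True)
```

Of the five new events only three alert: the two that happen in working hours or from a known source fail one of the two conditions, which is the claim's conjunction rather than a simple off-hours rule.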
Address Hopkinton MA US