Independent claim
1. A method, comprising:
    accessing, by one or more processing devices, a set of events, wherein each event in the set of events is associated with a time stamp and includes a portion of machine data indicative of performance or operation of an information technology environment;
    accessing an object-scoring rule that (i) includes a search query that determines when events meet a triggering condition; (ii) identifies an object representing a component of the information technology environment, an application running in the information technology environment, or a person using a component in the information technology environment; and (iii) specifies a numerical contribution to a score for the object, the numerical contribution to be applied to the score based at least in part on a determination that the triggering condition is met;
    executing the search query of the object-scoring rule against the set of events to determine if the triggering condition of the object-scoring rule is met;
    based on determining that the triggering condition is met, generating a record of the numerical contribution specified in the object-scoring rule, the record associating the numerical contribution with a time indicator and indicating the object whose score should be affected by the contribution;
    identifying, using one or more records of numerical contributions, a set of numerical contributions having associated time indicators falling within a defined time period; and
    calculating the score for the object based on the set of numerical contributions, wherein the score indicates at least one of: an indication of a security risk posed by the component or person that the object represents, an indication of performance of the component of the information technology environment that the object represents, or an indication of performance of the application that the object represents.
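The claim describes a risk-scoring pipeline: rules with a search query fire on events, each hit produces a dated contribution record naming an object, and the object's score is the sum of contributions inside a time window. The following Python is an added illustration of that pipeline, not code from the patent or its assignee. The query syntax (whitespace-separated key=value terms that must all match), the field names, the rule names and the sample events are all constructed assumptions made for the example.

```python
"""Added worked example of the claimed scoring method; not the patent holder's code.
Query syntax, field names, rules and events below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime            # time stamp associated with the event
    data: Dict[str, str]    # fields extracted from the event's machine data


@dataclass(frozen=True)
class ScoringRule:
    name: str
    query: str              # search query: key=value terms, all of which must match (assumed syntax)
    object_field: str       # event field that names the object to be scored
    object_type: str        # kind of object: "user" (person), "host" (component) or "app"
    contribution: float     # numerical contribution applied when the triggering condition is met


@dataclass(frozen=True)
class ContributionRecord:
    rule: str
    object_type: str
    object_id: str
    contribution: float
    time_indicator: datetime  # here the matching event's time stamp is used as the time indicator


def matches(query: str, event: Event) -> bool:
    """Evaluate a rule's search query (conjunction of key=value terms) against one event."""
    for term in query.split():
        key, _, value = term.partition("=")
        if event.data.get(key) != value:
            return False
    return True


def build_records(rules: List[ScoringRule], events: List[Event]) -> List[ContributionRecord]:
    """Execute every rule's query over the event set; each hit yields one contribution record."""
    records: List[ContributionRecord] = []
    for rule in rules:
        for ev in events:
            if not matches(rule.query, ev):
                continue
            obj = ev.data.get(rule.object_field)
            if obj is None:   # condition met, but the event names no object of this kind
                continue
            records.append(ContributionRecord(rule.name, rule.object_type, obj, rule.contribution, ev.ts))
    return records


def calculate_score(records: List[ContributionRecord], object_type: str, object_id: str,
                    window_end: datetime, window: timedelta) -> float:
    """Sum contributions for one object whose time indicators fall within (window_end - window, window_end]."""
    start = window_end - window
    return sum(r.contribution for r in records
               if r.object_type == object_type and r.object_id == object_id
               and start < r.time_indicator <= window_end)


def risk_scores(rules: List[ScoringRule], events: List[Event],
                window_end: datetime, window: timedelta) -> Dict[Tuple[str, str], float]:
    """Score every object that any rule has ever produced a record for, over the given window."""
    records = build_records(rules, events)
    objects = {(r.object_type, r.object_id) for r in records}
    return {obj: calculate_score(records, obj[0], obj[1], window_end, window) for obj in objects}


# Constructed sample data: a user with repeated external login failures, then a success,
# then a malware alert on the host she reached; a second user with an internal failure only.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
WINDOW_24H = timedelta(hours=24)
WINDOW_48H = timedelta(hours=48)
EVENTS = [
    Event(NOW - timedelta(hours=30), {"action": "login_failure", "src_zone": "external", "user": "alice", "host": "web01"}),
    Event(NOW - timedelta(hours=2),  {"action": "login_failure", "src_zone": "external", "user": "alice", "host": "web01"}),
    Event(NOW - timedelta(hours=1),  {"action": "login_failure", "src_zone": "external", "user": "alice", "host": "web01"}),
    Event(NOW - timedelta(minutes=50), {"action": "login_success", "src_zone": "external", "user": "alice", "host": "web01"}),
    Event(NOW - timedelta(minutes=40), {"action": "malware_alert", "severity": "high", "host": "web01"}),
    Event(NOW - timedelta(hours=10), {"action": "login_failure", "src_zone": "internal", "user": "bob", "host": "db02"}),
]
RULES = [
    ScoringRule("external_login_failure", "action=login_failure src_zone=external", "user", "user", 10.0),
    ScoringRule("external_login_success", "action=login_success src_zone=external", "user", "user", 5.0),
    ScoringRule("malware_alert", "action=malware_alert", "host", "host", 40.0),
]

if __name__ == "__main__":
    for obj, s in sorted(risk_scores(RULES, EVENTS, NOW, WINDOW_24H).items()):
        print(f"{obj[0]}={obj[1]}: score {s} over 24h")
```

Widening the window changes the score without re-running any rule, because the records already carry their time indicators: alice's 30-hour-old failure is excluded at 24 hours and included at 48 hours. The same records feed all three kinds of score the claim lists; only the rule's `object_type` and `contribution` decide whether a hit reads as security risk, component performance or application performance.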