Abstract: A methodology and related system operable to store a plurality of complex event processing (CEP) rules, the CEP rules being based on a plurality of events that are to be monitored. The CEP rules are pre-processed by, e.g., generating and storing a de-duplicated list of events from the plurality of events that are to be monitored. A received event from a received event stream is compared to events in the de-duplicated list of events and when a match between the received event (e.g., an event instance) and any one of the events in the de-duplicated list of events is detected, the received event (the event instance) is stored in an input repository. The plurality of CEP rules are then applied to the received event in the input repository, and any other previously stored events in the input repository.

Abstract: An improved technique involves providing a tool that connects standardized content bundles in order to carry out an arbitrarily complex investigation. An investigation server makes content bundles, which perform a standardized set of investigative actions based on a set of inputs, available to an investigation analyst. The investigation analyst selects particular content bundles based on a specified set of input parameters and a desired set of output parameters defining the investigation. The investigation analyst then connects the particular content bundles to form a single, complex workflow configured to produce the desired set of output parameters from the specified set of input parameters as a result of the investigation.

Abstract: There is disclosed techniques for generating alerts in an event management system which comprises event management device and risk assessment device. In one example, a method comprises the following steps. There is received data in an event management device related to events associated with an asset in a network environment. The received data is filtered in order to provide an input to risk assessment device. The filtered data is forwarded to risk assessment device. A score indicative of risk based on filtered data is determined in risk assessment device. The score is forwarded to event management device and received in event management device. A score chart is generated in the event management device. The score chart includes the score and enables the prioritization of threats based on their respective scores.

Abstract: A method is used in managing analysis of activity data. Activity data is analyzed for a security investigation by using a content bundle. The content bundle specifies a set of actions. The set of actions are performed based on a set of inputs provided to the content bundle. Results of analysis of the activity data is provided in a format based on a set of outputs configured for the content bundle.