Abstract: Methods, systems, and computer storage media for providing observation stream data of security incidents using an observation stream engine in a security management system. An observation stream framework supports continuously generating and presenting observation stream data that facilitates developing a working hypothesis of an active security incident. The observation stream framework can also include observation stream query-types that can be selected for running queries against a plurality of security data sources. In operation, an observation stream query is accessed. The observation stream query is a user-generated observation stream query associated with an observation stream query-type. The observation stream query-type comprises parameters for querying a plurality of security data sources and dynamic tracking of a security incident. The observation stream query is executed and observation stream data is generated.

Abstract: Disclosed herein is a system for facilitating fast and intuitive investigations of security incidents by responding to physical gestures performed by security analysts within a virtual scene. A query triggers an alert for detecting security incidents that occur with respect to computing resources. Following the alert, the security analyst dons a Near-Eye-Display (NED) device and is presented with a virtual scene having control elements representing various data sets and/or data analysis operations relevant to a security incident. The security analyst investigates the security incident by performing hand motions to “grab-and-drag” control elements representing data sets. The security analyst may also perform hand motions to “tap on” control elements that represents a data analysis operation. Responsive to the hand motions, the system performs data analysis operations and displays a result within the virtual scene.

Abstract: Disclosed herein is a system for facilitating fast and intuitive investigations of security incidents by responding to physical gestures performed by security analysts within a virtual scene. A query triggers an alert for detecting security incidents that occur with respect to computing resources. Following the alert, the security analyst dons a Near-Eye-Display (NED) device and is presented with a virtual scene having control elements representing various data sets and/or data analysis operations relevant to a security incident. The security analyst investigates the security incident by performing hand motions to “grab-and-drag” control elements representing data sets. The security analyst may also perform hand motions to “tap on” control elements that represents a data analysis operation. Responsive to the hand motions, the system performs data analysis operations and displays a result within the virtual scene.

Abstract: The storage of events of multiple types in a queriable table. The queriable table has at least one common column that corresponds to a field that is common across events regardless of event type. The queriable table also has at least one field-varying column that corresponds to a type-dependent field that depends on event type. The queriable table is populated using multiple events. For instance, the event could be at least some log events that are received from multiple computing systems. The population occurs by assigning each event to a row of the queriable table. The common column is populated with values taken the same common field across event types. On the other hand, the field-varying column is populated with values of different fields from those events depending on the event type.

Abstract: The storage of events of multiple types in a queriable table. The queriable table has at least one common column that corresponds to a field that is common across events regardless of event type. The queriable table also has at least one field-varying column that corresponds to a type-dependent field that depends on event type. The queriable table is populated using multiple events. For instance, the event could be at least some log events that are received from multiple computing systems. The population occurs by assigning each event to a row of the queriable table. The common column is populated with values taken the same common field across event types. On the other hand, the field-varying column is populated with values of different fields from those events depending on the event type.