Splunk Inc.
Enabling user definition of anomaly action rules in a network security system

Abstract:

The disclosed embodiments include a method performed by a computer system. The method includes receiving first user input defining a filter of an anomaly action rule, the filter defining at least one of an attribute of an anomaly or an attribute of a computer network entity. The method also includes receiving second user input defining an action of the anomaly action rule. The method further includes generating the anomaly action rule based on the first user input and the second user input, wherein the anomaly action rule causes performance of the action upon detecting an anomaly on the computer network that satisfies the anomaly action rule.

Status:

Grant

Type:

Utility

Filing date:

30 Apr 2017

Issue date:

14 Jul 2020