2.3.4 Post-Processing

During post-processing of detection results, Behavior Detection prepares the detection results for presentation to users. Preparation of the results depends upon the following processes:

• Match Scoring: Computes a ranking for scenario matches indicating a degree of risk associated with the detected event or behavior.
• Alert Creation: Packages the scenario matches as units of work (that is, events), potentially grouping similar matches together, for disposition by end users. This is applicable when multiple matches with distinct scores are grouped into a single event.
• Alert Scoring: Ranks the events (including each match within the events) to indicate the degree of risk associated with the detected event or behavior.
• Highlight Generation: Generates highlights for events that appear in the event list in the behavior detection subsystem and stores them in the database.
• Historical Data Copy: Identifies the records against which the current batch's scenario runs generated events and copies them to archive tables. This allows for the display of a snapshot of information as of the time the event behavior was detected.
• Alert Correlation: Uncovers relationships among events by correlating events to business entities and subsequently correlating events to each other based on these business entities. The relationships are discovered based on configurable correlation rule sets.