Techniques are described for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity.

In an embodiment, a plurality of events reflecting activity by a plurality of entities in an IT environment are processed to resolve the identities of the entities, discover how the entities fit within a topology of the IT environment, and determine what the entities are. This information is then used to generate an entity relationship graph that includes nodes representing the entities in the IT environment and edges connecting the nodes representing interaction relationships between the entities. In some embodiments, baselines are established by monitoring the activity between entities. This baseline information can be represented in the entity relationship graph in the form of directionality applied to the edges. The entity relationship graph can then be monitored to detect anomalous activity.

1. A computer implemented method comprising: accessing a set of events associated with activity by a plurality of entities in an information technology (IT) environment, wherein each event in the set of events includes a portion of raw machine data that reflects activity in the IT environment and that is produced by a component of the IT environment, wherein each event is associated with a timestamp extracted from the raw machine data; determining a topology of the IT environment by processing at least some of the accessed set of events; generating an entity relationship graph based on the topology of the IT environment, wherein the entity relationship graph includes: a plurality of nodes representative of the plurality of entities in the IT environment and edges connecting the plurality of nodes, the edges representing relationships and activity between entities represented by the plurality of nodes, wherein each edge includes a directionality that indicates a normal flow of communication between the entities represented by the nodes connected to the edge; and monitoring the entity relationship graph to detect an anomaly.

2. The method of claim 1, wherein the anomaly is detected in response to detecting a change in the entity relationship graph.

3. The method of claim 1, wherein the anomaly is detected in response to detecting a shift in the directionality of an edge in the entity relationship graph.

4. The method of claim 1, wherein the anomaly is indicative of anomalous communication between a particular entity of the plurality of entities and the at least one other entity of the plurality of entities.

5. The method of claim 1, wherein the anomaly is indicative of a web shell attack.

6. The method of claim 1, wherein monitoring the entity relationship graph includes: focusing monitoring on a portion of the entity relationship graph associated with a particular logical location in the topology of the IT environment.

7. The method of claim 1, further comprising: outputting, via a user interface, an indication of the detected anomaly to a user.

8.
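The flow described above (timestamped events carrying raw machine data, a topology resolved from those events, a graph whose edges carry a baseline directionality, and monitoring for a directionality shift, a new edge, or activity in one logical location) as an added Python example. This is not the patent's or any product's code; the log record format, the IP addresses, the subnet-to-zone mapping and the "dominant observed flow is the normal direction" rule are all assumptions constructed for the example. The monitored records include a DMZ web server that begins dialling a former client, the kind of reversal one would expect from a web shell spawning an outbound connection, but that interpretation is the example's, not a claim of the page.

```python
"""Directed entity-relationship graph with baseline directionality.
Added example, not code from the patent. All records, addresses and
zone boundaries below are constructed for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed "raw machine data": one firewall-style connection record per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


@dataclass(frozen=True)
class Event:
    timestamp: datetime   # extracted from the raw record, per the claimed method
    src: str
    dst: str
    dport: int


def parse_event(raw: str) -> Event:
    """Extract the timestamp and the two communicating entities from a raw record."""
    m = LOG_RE.match(raw)
    if not m:
        raise ValueError(f"unparseable record: {raw!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["src"], m["dst"], int(m["dport"]))


# Assumed logical locations in the topology: subnets mapped to zone names.
ZONES = {"client": ip_network("10.0.0.0/24"),
         "dmz": ip_network("10.0.1.0/24"),
         "internal": ip_network("10.0.2.0/24")}


def zone_of(entity: str) -> str:
    addr = ip_address(entity)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def determine_topology(events: List[Event]) -> dict:
    """Resolve each entity's logical location and the ports it is seen serving on."""
    topo = {}
    for ev in events:
        for ent in (ev.src, ev.dst):
            topo.setdefault(ent, {"zone": zone_of(ent), "listens_on": set()})
        topo[ev.dst]["listens_on"].add(ev.dport)
    return topo


class EntityRelationshipGraph:
    def __init__(self) -> None:
        self.nodes: dict = {}
        self.flows = defaultdict(int)   # (src, dst) -> connections seen in baseline
        self.direction: dict = {}       # frozenset({a, b}) -> normal (src, dst), or None

    def baseline(self, events: List[Event]) -> None:
        """Build nodes from the topology and give every edge its normal direction."""
        self.nodes = determine_topology(events)
        for ev in events:
            self.flows[(ev.src, ev.dst)] += 1
        for (a, b), n in list(self.flows.items()):
            rev = self.flows.get((b, a), 0)
            key = frozenset((a, b))
            if n > rev:
                self.direction[key] = (a, b)      # dominant flow is the normal direction
            elif n == rev:
                self.direction[key] = None        # genuinely bidirectional: no normal direction

    def monitor(self, ev: Event, focus: Optional[str] = None) -> List[str]:
        """Check one new event against the graph; `focus` restricts monitoring to a zone."""
        if focus and focus not in (zone_of(ev.src), zone_of(ev.dst)):
            return []                             # outside the monitored portion of the graph
        key = frozenset((ev.src, ev.dst))
        if key not in self.direction:             # change in the graph: an edge that did not exist
            return [f"new edge {ev.src}->{ev.dst}:{ev.dport} at {ev.timestamp.isoformat()}"]
        normal = self.direction[key]
        if normal is not None and normal != (ev.src, ev.dst):   # directionality shift
            return [f"directionality shift: {ev.src}->{ev.dst}:{ev.dport} "
                    f"(baseline {normal[0]}->{normal[1]})"]
        return []


# Constructed baseline: clients reach the DMZ web server, which reaches the internal DB.
BASELINE_LOGS = [
    "2024-05-01T09:00:00Z conn src=10.0.0.5 dst=10.0.1.20 dport=443",
    "2024-05-01T09:00:05Z conn src=10.0.0.7 dst=10.0.1.20 dport=443",
    "2024-05-01T09:00:09Z conn src=10.0.0.7 dst=10.0.1.20 dport=443",
    "2024-05-01T09:00:10Z conn src=10.0.1.20 dst=10.0.2.30 dport=5432",
    "2024-05-01T09:00:11Z conn src=10.0.1.20 dst=10.0.2.30 dport=5432",
]
# Constructed monitoring window: one normal record, one reversed edge, one never-seen peer.
NEW_LOGS = [
    "2024-05-01T10:00:00Z conn src=10.0.0.5 dst=10.0.1.20 dport=443",
    "2024-05-01T10:00:01Z conn src=10.0.1.20 dst=10.0.0.7 dport=4444",
    "2024-05-01T10:00:02Z conn src=10.0.1.20 dst=203.0.113.9 dport=443",
]


def run(baseline_logs=BASELINE_LOGS, new_logs=NEW_LOGS, focus: Optional[str] = None):
    graph = EntityRelationshipGraph()
    graph.baseline([parse_event(line) for line in baseline_logs])
    findings: List[str] = []
    for raw in new_logs:
        findings.extend(graph.monitor(parse_event(raw), focus))
    return graph, findings


if __name__ == "__main__":
    _, found = run()
    for f in found:
        print(f)
```

With `focus=None` the run reports the reversed web-server-to-client edge and the new external edge; with `focus="internal"` both are suppressed because neither endpoint sits in that zone, which is what narrowing monitoring to one logical location buys (and costs). A production version would require a minimum ratio between the two flow counts before assigning a normal direction, rather than the bare majority used here.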