Monitoring security events is an essential but challenging task. Enterprises run large numbers of applications on a variety of platforms. Some applications are monolithic and run on isolated machines such as mainframes. Others are highly distributed systems that rely on a complex web of services invoking each other in difficult to anticipate patterns. These applications generate substantial amounts of log data that are often difficult to integrate. For example, a relatively benign event, like an administrator login on an application server, may not warrant attention; however, if that event is quickly followed by calls to a data access APIs on a application outside that admin’s responsibility, then that should trigger an alarm. Balancing the need for comprehensive alerting and the obvious desire to minimize false positives (a.k.a. false alarms) is difficult.