Incident chains and processes
At the next level, the system looks at multiple incidents that together tell a story. Chain-like cases are sequences of incidents from the same source, as illustrated in fig. 2:
This sequence of incidents constitutes a case that can be characterized as a chain. The context provided by the previous incidents highlights the intention behind the subsequent incidents, in this case a data theft attempt.
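One way to assemble chain-like cases, as an added example that is not the product's own logic: incidents from the same source are ordered by time and linked while the gap between neighbours stays under a threshold. The incident fields, the sample records, `max_gap` and `min_len` are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample incidents (not from the page): (timestamp, source, channel, detail)
INCIDENTS = [
    ("2024-03-04 09:12", "alice", "email", "customer list sent to personal webmail"),
    ("2024-03-04 09:40", "bob",   "web",   "source file uploaded to paste site"),
    ("2024-03-04 10:05", "alice", "usb",   "customer list copied to removable drive"),
    ("2024-03-04 11:30", "alice", "web",   "customer list uploaded to file share"),
    ("2024-03-09 16:00", "alice", "print", "price sheet printed"),
]

def build_chains(incidents, max_gap=timedelta(hours=4), min_len=2):
    """Group incidents into chain-like cases: same source, ordered by time,
    each incident at most max_gap after the previous one.
    max_gap and min_len are assumed tuning knobs, not values from the page."""
    by_source = defaultdict(list)
    for ts, source, channel, detail in incidents:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_source[source].append((when, channel, detail))

    cases = []
    for source, events in by_source.items():
        events.sort(key=lambda e: e[0])
        chain = [events[0]]
        for event in events[1:]:
            if event[0] - chain[-1][0] <= max_gap:
                chain.append(event)       # earlier incidents give context to this one
            else:
                if len(chain) >= min_len:
                    cases.append((source, chain))
                chain = [event]           # gap too long: start a new candidate chain
        if len(chain) >= min_len:
            cases.append((source, chain))
    return cases

def describe(case):
    """One-line summary of a case for an analyst queue."""
    source, chain = case
    steps = " -> ".join(channel for _, channel, _ in chain)
    span = chain[-1][0] - chain[0][0]
    return f"{source}: {len(chain)} incidents over {span} ({steps})"

if __name__ == "__main__":
    for case in build_chains(INCIDENTS):
        print(describe(case))
```

Isolated incidents (bob's upload, alice's print job five days later) stay as single incidents; only the three linked events are promoted to a case.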
Other cases involve incidents that were created as part of a process, such as a sequence of events generated by an individual, a group of users or a machine in order to achieve a certain goal or related to a certain theme, legitimate or illegitimate. Notable examples of such processes are business processes, in particular broken business processes where sensitive data is left unprotected, and deliberate data theft activity.