Taking Event Correlation with You
Event correlation problems appear everywhere in information security and forensics: log analysis ("I'm seeing a lot of 404 errors from one range of IP addresses"), behavior detection ("That account may be compromised, he logged in twice from two different locations"), record linkage ("Is Jones, Robert the same as Bob Jones?"), and expert systems ("I have a system running Windows 7 Japanese Locale, with these hotfixes, what's my biggest security risk?", or from the other side, "What attacks should I try first?").

Despite the usefulness of event correlation, many security practitioners either ignore it or use ad hoc tools. This talk presents Giles, a compiler that creates event correlation engines. Its most interesting feature is that the output of Giles is a schema for a normal SQL database, and databases created using this schema are fully-fledged event correlation engines. This allows users to put an event correlation engine anywhere they could put a database (which is everywhere), and access it using any programming language that can access databases (which is all of them).
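The "engine is just a schema" idea, as an added illustration that is not from the talk or from Giles itself: the two-locations login rule from the first paragraph written as a plain SQLite schema whose trigger does the correlating, so a client only ever inserts events and reads alerts. The rule, the one-hour window and the sample events are assumptions made for this example.

```python
import sqlite3

# The schema IS the correlation engine (assumed example rule, not Giles output):
# an account logging in from two different locations within 3600 s raises an alert.
SCHEMA = """
CREATE TABLE login (id INTEGER PRIMARY KEY, ts INTEGER NOT NULL,
                    account TEXT NOT NULL, location TEXT NOT NULL);
CREATE TABLE alert (id INTEGER PRIMARY KEY, account TEXT NOT NULL,
                    first_location TEXT, second_location TEXT, ts INTEGER);
CREATE TRIGGER login_two_locations AFTER INSERT ON login
BEGIN
  INSERT INTO alert (account, first_location, second_location, ts)
  SELECT DISTINCT NEW.account, l.location, NEW.location, NEW.ts
  FROM login l
  WHERE l.account = NEW.account
    AND l.location <> NEW.location
    AND NEW.ts - l.ts BETWEEN 0 AND 3600
    AND l.id <> NEW.id;
END;
"""

def new_engine():
    # Any SQL database would do; in-memory SQLite keeps the example self-contained.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def ingest(conn, events):
    # Clients need no correlation logic: inserting rows fires the rule.
    conn.executemany("INSERT INTO login (ts, account, location) VALUES (?, ?, ?)", events)
    conn.commit()

def alerts(conn):
    return conn.execute(
        "SELECT account, first_location, second_location, ts FROM alert ORDER BY id"
    ).fetchall()

# Constructed sample events (ts, account, location); not real log data.
EVENTS = [
    (1000, "rjones", "Tokyo"),
    (1500, "rjones", "Tokyo"),
    (2000, "rjones", "Berlin"),   # second location within the window -> alert
    (9000, "asmith", "Paris"),
    (9100, "asmith", "Paris"),    # same location twice -> no alert
]

def demo():
    conn = new_engine()
    ingest(conn, EVENTS)
    return alerts(conn)   # returns [("rjones", "Tokyo", "Berlin", 2000)]
```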