Fingerprinting entities based on activity in an information technology environment

The invention claimed is: 1. A computer implemented method comprising: accessing a set of events associated with activity by a plurality of entities in an information technology (IT) environment, wherein each event in the set of events includes a portion of raw machine data that reflects activity in the IT environment and that is produced by a component of the IT environment, wherein each event is associated with a timestamp extracted from the raw machine data; attributing an identity of a particular entity to at least some of the accessed set of events; determining a topology of the IT environment by processing at least some of the accessed set of events; generating a behavioral profile of the particular entity by processing at least some of the accessed set of events attributable to the particular entity; generating an entity relationship graph, the entity relationship graph indicative of relationships created based on activity between the particular entity and at least one other entity of the plurality of entities, wherein the entity relationship graph is generated based at least on the topology of the IT environment and the behavioral profile of the particular entity; wherein the entity relationship graph includes: a plurality of nodes representing the plurality of entities in the IT environment; and edges connecting the plurality of nodes, the edges representing relationships and activity between the plurality of nodes; wherein each edge includes a directionality that indicates a normal flow of communication between the entities represented by the nodes connected to the edge; and monitoring the entity relationship graph to detect an anomaly. 2. The method of claim 1 , wherein the anomaly is detected in response to detecting a change in the entity relationship graph. 3. The method of claim 1 , wherein the anomaly is detected in response to detecting a shift in the directionality of an edge in the entity relationship graph. 4. The method of claim 1 , wherein the anomaly is indicative of anomalous communication between the particular entity and the at least one other entity of the plurality of entities. 5. The method of claim 1 , wherein the anomaly is indicative of a web shell attack. 6. The method of claim 1 , further comprising: outputting, via a user interface, an indication of the detected anomaly to a user. 7. The method of claim 1 , wherein the anomaly is detected based on detecting that the directionality has changed in at least one edge. 8. The method of claim 1 , wherein the anomaly is detected in response to identifying a communication between entities that does not conform with a directionality of an edge connecting nodes associated with the entities. 9. The method of claim 1 , further comprising: updating the entity relationship graph as additional events are accessed and processed. 10. The method of claim 1 , wherein attributing the identity of the particular entity to at least some of the accessed set of events includes: associating an identifier to the particular entity, the identifier extracted from at least some of the set events; wherein the identifier includes any one or more of: a domain name, a uniform resource locater (URL), uniform resource identifier (URI), a unique identifier (UID), an Internet Protocol (IP) address, a Media Access Control (MAC) address, a device identification, or a user identification. 11. The method of claim 1 , wherein attributing the identity of the particular entity to at least some of the accessed set of events includes: extracting a plurality of identifiers from at least some of the accessed set of events; and associating the plurality of identifiers to the particular entity. 12. The method of claim 1 , wherein attributing the identity of the particular entity to at least some of the accessed set of events includes: updating an identity resolution state table in real time as the set of events are accessed, the identity resolution state table associating a plurality of identifiers to the particular entity, the plurality of identifiers extracted from at least some of the accessed set of events. 13. The method of claim 1 , wherein determining the topology of the IT environment by processing at least some of the accessed set of events includes: inferring logical relationships between the plurality of entities based on the activity by the plurality of entities. 14. The method of claim 1 , wherein determining the topology of the IT environment by processing at least some of the accessed set of events includes: determining a plurality entity classes based on the activity by the plurality of entities. 15. The method of claim 1 , wherein determining the topology of the IT environment by processing at least some of the accessed set of events includes: inferring a logical location of the particular entity in the IT environment based on activity by the particular entity; wherein the logical location of the particular entity is any one of the logical locations form a set of logical locations including: local area network (LAN); demilitarized zone (DMZ); wide area network (WAN); or external. 16. The method of claim 1 , wherein determining the topology of the IT environment by processing at least some of the accessed set of events includes: applying a topology label to an identifier referencing the particular entity, the topology label indicative of the location of the particular entity in the IT environment; wherein the logical location of the particular entity is any one of: local area network (LAN); demilitarized zone (DMZ); wide area network (WAN); or external. 17. The method of claim 1 , further comprising: updating the topology of the IT environment as additional events are accessed and processed. 18. The method of claim 1 , further comprising: outputting, via a user interface, information associated with the topology of the IT environment to a user. 19. The method of claim 1 , wherein generating the behavioral profile of the particular entity by processing at least some of the accessed set of events includes: associating the particular entity with one of a plurality of entity classes. 20. The method of claim 1 , wherein generating the behavioral profile of the particular entity by processing at least some of the accessed set of events includes: associating the particular entity with one of a plurality of entity classes; wherein the plurality of entity classes are predefined, user-defined, or defined based on processing of at least some of the events using supervised and/or unsupervised machine learning classification models. 21. The method of claim 1 , wherein generating the behavioral profile of the particular entity by processing at least some of the accessed set of events includes: generating an histogram based on activity by the particular entity; and comparing the histogram based on activity by the particular entity with a histogram based on activity by a plurality of entities associated with a particular class of entity; and associating the particular entity with the particular class of entities if, based on the comparison, a matching criterion is satisfied. 22. The method of claim 1 , wherein generating the behavioral profile of the particular entity by processing at least some of the accessed set of events includes: determining if the particular entity is operating as a client or a server relative to at least one other entity of the plurality of entities.