System and method associated with expedient detection and reconstruction of cyber events in a compact scenario representation using provenance tags and customizable policy

What is claimed is: 1. A system for detecting a cyber-attack and reconstructing events associated with a cyber-attack campaign in a victim system environment, the system comprising: a memory configured to store instructions; and a processing device coupled to the memory, the processing device executing a real-time attack scenario reconstruction application with the instructions stored in memory, wherein the application is configured to: receive an audit data stream associated with cyber events; identify trustworthiness values in a portion of data associated with the cyber events; assign provenance tags to the portion of the data based on the identified trustworthiness values; generate an initial visual representation based on the assigned provenance tags to the portion of the data; condense the initial visual representation based on a backward traversal of the initial visual representation in identifying a shortest path from a suspect process and/or file to an entry point process and/or file; and generate a scenario visual representation that specifies processes and/or files in the victim system environment having a higher likelihood, compared to other processes and/or files in the victim system environment, of contributing to the cyber events associated with the cyber-attack based on the identified shortest path. 2. The system as recited in claim 1 , wherein the system is further configured to condense the initial visual representation based on a forward traversal of the initial visual representation in identifying the shortest path from the suspect process and/or file to the entry point process and/or file. 3. The system as recited in claim 1 , wherein the system is further configured to generate a scenario visual representation that specifies processes and/or files in the victim system environment having a higher likelihood, compared to other processes and/or files in the victim system environment, of contributing to the cyber events associated with the cyber-attack based on multiple identified shortest paths. 4. The system as recited in claim 1 , wherein the provenance tags further comprise trustworthiness tags. 5. The system as recited in claim 1 , wherein the provenance tags further comprise confidentiality tags assigned to the portion of the data based on identified confidentiality values. 6. The system as recited in claim 1 , wherein the portion of the data comprises one or more of objects and subjects. 7. The system as recited in claim 6 , wherein the objects are referenced within events using an index into a per-subject table of object identifiers. 8. The system as recited in claim 1 , wherein the provenance tags are further assigned to the portion of the data based on identified sensitivity values. 9. A method for detecting a cyber-attack and reconstructing events associated with a cyber-attack campaign in a victim system environment, the method comprising: a processing device coupled to a memory that stores instructions, the processing device executing a real-time attack scenario reconstruction application with the instructions stored in memory, wherein the application is configured to perform the following operations: receiving an audit data stream associated with cyber events; identifying trustworthiness values in a portion of data associated with the cyber events; assigning provenance tags to the portion of the data based on the identified trustworthiness values; generating an initial visual representation based on the assigned provenance tags to the portion of the data; condensing the initial visual representation based on a backward traversal of the initial visual representation in identifying a shortest path from a suspect process and/or file to an entry point process and/or file; and generating a scenario visual representation that specifies processes and/or files in the victim system environment having a higher likelihood, compared to other processes and/or files in the victim system environment, of contributing to the cyber events associated with the cyber-attack based on the identified shortest path. 10. The method as recited in claim 9 , wherein the method further comprises condensing the initial visual representation based on a forward traversal of the initial visual representation in identifying the shortest path from the suspect process and/or file to the entry point process and/or file. 11. The method as recited in claim 9 , wherein the method further comprises generating a scenario visual representation that specifies processes and/or files in the victim system environment having a higher likelihood, compared to other processes and/or files in the victim system environment, of contributing to the cyber events associated with the cyber-attack based on multiple identified shortest paths. 12. The method as recited in claim 9 , wherein the provenance tags further comprise trustworthiness tags. 13. The method as recited in claim 9 , wherein the provenance tags further comprise confidentiality tags assigned to the portion of the data based on identified confidentiality values. 14. The method as recited in claim 9 , wherein the portion of the data comprises one or more of objects and subjects. 15. The method as recited in claim 14 , wherein the objects are referenced within events using an index into a per-subject table of object identifiers. 16. The method as recited in claim 9 , wherein the provenance tags are further assigned to the portion of the data based on identified sensitivity values. 17. A non-transitory computer-readable medium storing instructions that, when executed by a real-time attack scenario reconstruction processing device, performs operations that include: receiving an audit data stream associated with cyber events associated with a cyber-attack in a victim system environment; identifying trustworthiness values in a portion of data associated with the cyber events; assigning provenance tags to the portion of the data based on the identified trustworthiness values; generating an initial visual representation based on the assigned provenance tags to the portion of the data; condensing the initial visual representation based on a backward traversal of the initial visual representation in identifying a shortest path from a suspect process and/or file to an entry point process and/or file; and generating a scenario visual representation that specifies processes and/or files in the victim system environment having a higher likelihood, compared to other processes and/or files in the victim system environment, of contributing to the cyber events associated with the cyber-attack based on the identified shortest path. 18. The computer readable medium as recited in claim 17 , wherein the operations further comprise condensing the initial visual representation based on a forward traversal of the initial visual representation in identifying the shortest path from the suspect process and/or file to the entry point process and/or file. 19. The computer readable medium as recited in claim 17 , wherein the operations further comprise generating a scenario visual representation that specifies processes and/or files in the victim system environment having a higher likelihood, compared to other processes and/or files in the victim system environment, of contributing to the cyber events associated with the cyber-attack based on multiple identified shortest paths. 20. The computer readable medium as recited in claim 17 , wherein the provenance tags further comprise trustworthines