US2017093902A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2017093902-A1 |
| Application number | US-201514871643-A |
| Country | US |
| Kind code | A1 |
| Filing date | Sep 30, 2015 |
| Priority date | Sep 30, 2015 |
| Publication date | Mar 30, 2017 |
| Grant date | — |
Official abstract text for this publication.
Techniques are disclosed for detecting security incidents based on low confidence security events. A security management server aggregates a collection of security events received from logs from one or more devices. The security management server evaluates the collection of security events based on a confidence score assigned to each distinct type of security event. Each confidence score indicates a likelihood that a security incident has occurred. The security management server determines, based on the confidence scores, at least one threshold for determining when to report an occurrence of a security incident from the collection of security events. Upon determining that at least one security event of the collection has crossed the at least one threshold, the security management server reports the occurrence of the security incident to an analyst.
Opening claim text (preview).
What is claimed is:

1. A method, comprising: aggregating a collection of security events received from logs from one or more devices; evaluating the collection of security events based on a confidence score assigned to each distinct type of security event, wherein the confidence for each distinct type of security event indicates a likelihood that a security incident has occurred; determining, based on the confidence scores, at least one threshold for determining when to report an occurrence of a security incident from the collection of security events; and upon determining that at least one security event of the collection has crossed the at least one threshold, reporting the occurrence of the security incident to an analyst.

2. The method of claim 1, wherein, upon determining that the at least one security event of the collection has crossed the at least one threshold, the method further comprising: identifying the at least one security event associated with the security incident; generating a set of evidence comprising a list of at least one another security event associated with the at least one security event to justify the reporting of the security incident to the analyst, wherein the another security event has been observed to co-occur with any of the at least one security event within a predefined time period; and reporting the at least one security event and the set of evidence to the analyst.

3. The method of claim 2, further comprising: determining information regarding one or more criteria used to generate the set of evidence, wherein the one or more criteria comprises at least one of the confidence scores or one or more metrics used to determine the thresholds; reporting the information of the one or more criteria to the analyst; and providing a mechanism that allows the analyst to expose the set of evidence for one or more of the confidence scores.

4. The method of claim 2, further comprising: upon receiving feedback from an analyst, modifying at least one of the thresholds or the set of evidence, based on a type of the analyst feedback, wherein the type of analyst feedback indicates at least one of no response from the analyst, an indication that the security incident is a false-positive, or at least one change in the set of evidence.

5. The method of claim 4, further comprising determining that no response from the analyst indicates that the security incident is marked false-positive, and wherein modifying at least one of the thresholds or the set of evidence comprises adjusting the set of threshold values.

6. The method of claim 4, wherein upon determining the type of analyst feedback indicates at least one change in the set of evidence: determining the at least one change is based on the one or more criteria used to generate the set of evidence, and wherein modifying at least one of the thresholds or the set of evidence comprises automatically re-computing the confidence scores based on the updated set of evidence.

7. The method of claim 3, wherein the mechanism allows the analyst to select at least one of the another security event to indicate the another security event does not belong in the set of evidence.

8. The method of claim 7, wherein upon receiving an indication that one of the another security events does not belong in the set of evidence, the method further comprising: analyzing an estimated effect of removing the indicated another security event on the reporting of security incidents to the analyst; and determining, based on the analysis, whether to remove the indicated another security event from the set of evidence.

9. The method of claim 8, further comprising removing the indicated another security event from the set of evidence if the analysis indicates at least one of a decrease in a number of false-positive security incidents reported to the analyst or an increase in a number of reported security incidents that are resolved by the analyst.

10. The method of claim 8, further comprising not removing the indicated another security event from the set of evidence if the analysis indicates at least one of an increase in a number of false positive security incidents reported to the analyst or a decrease in a number of reported security incidents that are resolved by the analyst.

11. The method of claim 2, wherein the list is sorted by decreasing frequency of the at least one another security event, wherein the list further describes each of the at least one another security event by name and describes a percentage of time the at least one another security event co-occurred with any of the security events within the time period relative to a total number of occurrences of the security event with any another security event.

12. The method of claim 2, wherein the another security event indicates at least one of an infection, vulnerability, or attack.

13. A computer-readable storage medium storing instructions, which, when executed on a processor, perform an operation, the operation comprising: aggregating a collection of security events received from logs from one or more devices; evaluating the collection of security events based on a confidence score assigned to each distinct type of security event, wherein the confidence for each distinct type of security event indicates a likelihood that a security incident has occurred; determining, based on the confidence scores, at least one threshold for determining when to report an occurrence of a security incident from the collection of security events; and upon determining that at least one security event of the collection has crossed the at least one threshold, reporting the occurrence of the security incident to an analyst.

14. The computer-readable storage medium of claim 13, wherein, upon determining that the at least one security event of the collection has crossed the at least one threshold, the operation further comprising: identifying the at least one security event associated with the security incident; generating a set of evidence comprising a list of at least one another security event associated with the at least one security event to justify the reporting of the security incident to the analyst, wherein the another security event has been observed to co-occur with any of the at least one security event within a predefined time period; and reporting the at least one security event and the set of evidence to the analyst.

15. The computer-readable storage medium of claim 14, further comprising: determining information regarding one or more criteria used to generate the set of evidence, wherein the one or more criteria comprises at least one of the confidence scores or one or more metrics used to determine the thresholds; reporting the information of the one or more criteria to the analyst; and providing a mechanism that allows the analyst to expose the set of evidence for one or more of the confidence scores.

16. The computer-readable storage medium of claim 15, wherein the mechanism allows the analyst to select at least one of the another security event to indicate the another security event does not belong in the set of evidence.

17. The computer-readable storage medium of claim 16, wherein upon receiving an indication that one of the another security events does not belong in the set of evidence, the method further comprising: analyzing an estimated effect of removing the indicated another security event on the reporting of security incidents to the analyst; and determining, based on the analysis, w
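One way to realise the scheme described in the abstract and in claims 1, 2, 4, 5 and 11, as an added example that is not code from the patent, its applicant or any product: events are aggregated from log lines, every distinct event type carries a confidence score, the reporting threshold is derived from those scores, per-device events inside a time window are combined into a single likelihood, and a reported incident is accompanied by the co-occurring event types sorted by decreasing frequency with their share of all co-occurrences. The event type names, confidence values, the ten-minute window, the noisy-OR combination rule, the "threshold equals the strongest single score" choice and the log lines are all constructed assumptions; the patent text prescribes none of them.

```python
"""Added example, not the patent's own code: a minimal implementation of the
detection scheme in the abstract and claims 1, 2, 4, 5 and 11.
Event type names, confidence scores, window size and log lines are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import prod

# Constructed confidence score per distinct event type (claim 1): the
# likelihood that one such event, on its own, indicates a real incident.
CONFIDENCE = {
    "av_signature_hit": 0.9,
    "outbound_beacon": 0.5,
    "new_admin_account": 0.5,
    "port_scan": 0.3,
    "failed_login": 0.2,
}

# Constructed log lines: "<ISO timestamp> <device> <event type>".
SAMPLE_LOG = """\
2015-09-30T08:00:00 ws-12 failed_login
2015-09-30T08:00:20 ws-12 failed_login
2015-09-30T08:00:45 ws-12 failed_login
2015-09-30T08:02:10 ws-12 new_admin_account
2015-09-30T08:03:00 ws-12 port_scan
2015-09-30T08:04:30 ws-12 outbound_beacon
2015-09-30T09:10:00 ws-07 failed_login
2015-09-30T09:10:30 ws-07 failed_login
2015-09-30T11:00:00 srv-01 av_signature_hit
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    device: str
    kind: str


def parse_log(text):
    """Aggregate the log into a time-ordered collection of events (claim 1)."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    events = [Event(datetime.fromisoformat(ts), dev, kind) for ts, dev, kind in rows]
    return sorted(events, key=lambda e: e.ts)


def derive_threshold(confidence):
    """Assumed rule for a threshold derived from the scores (claim 1): the weight of
    the single most trusted event type, so weaker types must accumulate to match it."""
    return max(confidence.values())


def window_score(events):
    """Combined likelihood that at least one event in the window is a true positive,
    treating the per-type scores as independent (noisy-OR); an assumed rule."""
    return 1.0 - prod(1.0 - CONFIDENCE[e.kind] for e in events)


def detect_incidents(events, threshold, window=timedelta(minutes=10)):
    """Per device, slide a time window over the events; the first window whose
    combined score crosses the threshold is reported as that device's incident."""
    incidents = {}
    for e in events:
        if e.device in incidents:
            continue
        recent = [x for x in events
                  if x.device == e.device and e.ts - window <= x.ts <= e.ts]
        score = window_score(recent)
        if score >= threshold:
            incidents[e.device] = {"score": round(score, 3), "events": recent}
    return incidents


def cooccurrence_evidence(events, kind, window=timedelta(minutes=10)):
    """Claims 2 and 11: for one event type, list the other event types seen on the
    same device within the window, by decreasing frequency, each with its share of
    all co-occurrences of that type. Returns (name, count, percent) tuples."""
    counts = Counter()
    for e in events:
        if e.kind != kind:
            continue
        for other in events:
            if (other.device == e.device and other.kind != kind
                    and abs(other.ts - e.ts) <= window):
                counts[other.kind] += 1
    total = sum(counts.values())
    return [(name, n, round(100.0 * n / total, 1)) for name, n in counts.most_common()]


def adjust_threshold(threshold, feedback, step=0.02):
    """Claims 4 and 5: a false-positive verdict, or no analyst response (treated as a
    false positive), raises the threshold; a confirmed incident leaves it unchanged."""
    if feedback in ("false_positive", "no_response"):
        return min(1.0, round(threshold + step, 4))
    return threshold


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    t = derive_threshold(CONFIDENCE)
    for device, inc in detect_incidents(evs, t).items():
        print(device, inc["score"], [e.kind for e in inc["events"]])
        for e in {x.kind for x in inc["events"]}:
            print("  evidence for", e, cooccurrence_evidence(evs, e))
```

With the constructed data, ws-12 is reported only when the sixth event arrives: three failed logins plus a new admin account and a port scan combine to 0.82, below the 0.9 threshold, and the outbound beacon pushes the window to 0.91. ws-07, with two failed logins, never crosses, while the single antivirus hit on srv-01 reports alone because its score equals the threshold. The evidence list for `outbound_beacon` shows `failed_login` at 60% of its co-occurrences, which is the kind of justification claim 11 asks to present alongside the incident.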
Event detection, e.g. attack signature detection · CPC title
Traffic logging, e.g. anomaly detection · CPC title
involving long-term monitoring or reporting · CPC title
Vulnerability analysis · CPC title
using filtering, e.g. reduction of information by using priority, element types, position or time · CPC title