Techniques are disclosed for protecting a computer environment. The technique comprises providing an index; comparing a first event with the index; determining whether the first event is unusual; and determining whether a security incident associated with the first event has occurred.