
Information Processing Device And Information Processing Method And Program

Abstract: A candidate event deriving unit (101) derives as a candidate event an event which is a candidate for monitoring being an event which it is predicted will be generated in an information system (200) containing a plurality of system constituent elements (300). An attribute identifying unit (102) derives as a candidate system constituent element a system constituent element (300) which is involved in the generation of the candidate event from among the plurality of system constituent elements (300) and identifies an attribute of the candidate system constituent element. A monitored target determining unit (103) analyses the attribute of the candidate system constituent element identified by the attribute identifying unit (102) and determines whether or not the candidate event is to be monitored.


Patent Information

Application #
Filing Date
28 April 2017
Publication Number
19/2017
Publication Type
INA
Invention Field
COMPUTER SCIENCE
Status
Email
Parent Application

Applicants

MITSUBISHI ELECTRIC CORPORATION
7-3, Marunouchi 2-chome, Chiyoda-ku, Tokyo 100-8310, Japan.

Inventors

1. IJIRO Hideaki
c/o Mitsubishi Electric Corporation, 7-3, Marunouchi 2-chome, Chiyoda-ku, Tokyo 100-8310.
2. SAKURAI Shoji
c/o Mitsubishi Electric Corporation, 7-3, Marunouchi 2-chome, Chiyoda-ku, Tokyo 100-8310.
3. KAWAUCHI Kiyoto
c/o Mitsubishi Electric Corporation, 7-3, Marunouchi 2-chome, Chiyoda-ku, Tokyo 100-8310.

Specification

[Claim 1] An information processing apparatus comprising:
a candidate event derivation unit to derive, as a candidate event, an event predicted to occur in an information system including a plurality of system components, the event being a candidate for a monitoring target;
an attribute identification unit to derive, as a candidate system component, a system component involved in occurrence of the candidate event from among the plurality of system components, and identify an attribute of the candidate system component; and
a monitoring target decision unit to analyze the attribute of the candidate system component identified by the attribute identification unit, and decide whether or not the candidate event is to be the monitoring target.
[Claim 2] The information processing apparatus according to claim 1,
wherein the candidate event derivation unit derives, as the candidate event, an event predicted to occur in the information system when the information system is attacked.
[Claim 3] The information processing apparatus according to claim 2,
wherein the candidate event derivation unit derives, as the candidate event, an event predicted to occur in the information system subsequent to the attack symptom event when an attack symptom event being a symptom of the attack on the information system occurs.
[Claim 4] The information processing apparatus according to claim 1,
wherein the monitoring target decision unit acquires an exclusion rule in which a condition for an event which is to be excluded from the monitoring target is defined using the attribute of the system component,
compares the attribute of the candidate system component identified by the attribute identification unit with the attribute of the system component defined in the exclusion rule, and when the attribute of the candidate system component coincides with the attribute of the system component defined in the exclusion rule, excludes the candidate event from the monitoring target.
[Claim 5] The information processing apparatus according to claim 4,
wherein, when the attribute of the candidate system component does not coincide with the attribute of the system component defined in the exclusion rule, the monitoring target decision unit sets the candidate event to be the monitoring target.
[Claim 6] The information processing apparatus according to claim 4,
wherein, when the exclusion rule is invalidated after excluding the candidate event from the monitoring target, the monitoring target decision unit sets the candidate event to be the monitoring target.
[Claim 7] The information processing apparatus according to claim 4, further comprising
a rule editing tool that edits the exclusion rule.
[Claim 8] An information processing apparatus comprising:
a candidate event derivation unit to derive, as a candidate event, an event predicted to occur in an information system when the information system is attacked, and derive a candidate progress state being a progress state of the attack on the information system when the candidate event occurs;
an information storage unit to store candidate event definition information in which contents of the candidate event are indicated and candidate progress state information in which the candidate progress state is indicated;
a progress state detection unit to detect the progress state of the attack on the information system; and
an information management unit to determine, when determination timing arrives, whether or not the candidate progress state indicated in the candidate progress state information coincides with a detected progress state which has been detected until the determination timing by the progress state detection unit, and when the candidate progress state coincides with the detected progress state, delete the candidate event definition information and the candidate progress state information from the information storage unit.
[Claim 9] The information processing apparatus according to claim 8,
wherein, when an attack symptom event being a symptom of the attack on the information system occurs, the candidate event derivation unit derives, as the candidate event, the event predicted to occur in the information system subsequent to the attack symptom event.
[Claim 10] The information processing apparatus according to claim 9,
wherein the candidate event derivation unit derives, as the candidate event, an event predicted to occur in the information system when the information system including a plurality of system components is attacked, and
derives, as a candidate system component, a system component involved in occurrence of the candidate event from among the plurality of system components,
the information storage unit stores candidate system component information in which the candidate system component is indicated,
the progress state detection unit detects the progress state of the attack on the information system by relating it to any system component of the plurality of system components, and
the information management unit determines, when the determination timing arrives, whether or not the candidate progress state indicated in the candidate progress state information coincides with the detected progress state which has been detected until the detection timing by the progress state detection unit, and whether or not the candidate system component indicated in the candidate system component information coincides with a detected system component which has been detected until the determination timing by the progress state detection unit, and when the candidate progress state coincides with the detected progress state and the candidate system component coincides with the detected system component, deletes the candidate event definition information, the candidate progress state information, and the candidate system component information from the information storage unit.
[Claim 11] An information processing method comprising:
deriving by a computer, as a candidate event, an event predicted to occur in an information system including a plurality of system components, the event being a candidate for a monitoring target;
deriving by the computer, as a candidate system component, a system component involved in occurrence of the candidate event from among the plurality of system components, and identifying an attribute of the candidate system component; and
analyzing by the computer, the attribute of the candidate system component, and deciding whether or not the candidate event is to be the monitoring target.
[Claim 12] An information processing method comprising:
deriving by a computer, as a candidate event, an event predicted to occur in an information system when the information system is attacked, and deriving a candidate progress state being a progress state of the attack on the information system when the candidate event occurs;
storing to a storage apparatus by the computer, candidate event definition information in which contents of the candidate event are indicated and candidate progress state information in which the candidate progress state is indicated;
detecting by the computer, the progress state of the attack on the information system; and
determining by the computer, when determination timing arrives, whether or not the candidate progress state indicated in the candidate progress state information coincides with a detected progress state which has been detected until the determination timing, and when the candidate progress state coincides with the detected progress state, deleting the candidate event definition information and the candidate progress state information from the storage apparatus.
[Claim 13] A program to cause a computer to execute:
candidate event deriving processing to derive, as a candidate event, an event predicted to occur in an information system including a plurality of system components, the event being a candidate for a monitoring target;
attribute identification processing to derive, as a candidate system component, a system component involved in occurrence of the candidate event from among the plurality of system components, and identify an attribute of the candidate system component; and
monitoring target decision processing to analyze the attribute of the candidate system component identified by the attribute identification processing, and decide whether or not the candidate event is to be the monitoring target.
[Claim 14] A program to cause a computer to execute:
candidate event deriving processing to derive, as a candidate event, an event predicted to occur in an information system when the information system is attacked, and derive a candidate progress state being a progress state of the attack on the information system when the candidate event occurs;
information storage processing to store to a storage apparatus candidate event definition information in which contents of the candidate event are indicated and candidate progress state information in which the candidate progress state is indicated;
progress state detection processing to detect the progress state of the attack on the information system; and
information management processing to determine, when determination timing arrives, whether or not the candidate progress state indicated in the candidate progress state information coincides with a detected progress state which has been detected until the determination timing by the progress state detection processing, and when the candidate progress state coincides with the detected progress state, delete the candidate event definition information and the candidate progress state information from the storage apparatus.
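
The monitoring-target decision of claims 1 and 4 to 6, sketched as an added Python example that is not taken from the patent or from any Mitsubishi Electric implementation. The inventory, attribute keys, event names, the per-rule event name and the choice to keep monitoring events on unknown components are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed inventory: component name -> attributes (all values are assumptions).
COMPONENTS = {
    "web01": {"os": "linux", "zone": "dmz", "patched": True},
    "db01": {"os": "linux", "zone": "internal", "patched": False},
    "hmi01": {"os": "windows", "zone": "control", "patched": True},
}

@dataclass
class CandidateEvent:
    name: str        # event predicted to occur if the attack proceeds
    component: str   # candidate system component involved in its occurrence

@dataclass
class ExclusionRule:
    rule_id: str
    event: str           # event the rule applies to (assumed field)
    attrs: dict          # component attributes that make monitoring unnecessary
    valid: bool = True   # claim 6: a rule can be invalidated later

    def matches(self, ev, comp_attrs):
        return (self.valid and ev.name == self.event and
                all(comp_attrs.get(k) == v for k, v in self.attrs.items()))

def decide_targets(candidates, rules, inventory=COMPONENTS):
    """Return (monitored, excluded); excluded maps (event, component) -> rule id."""
    monitored, excluded = [], {}
    for ev in candidates:
        attrs = inventory.get(ev.component)
        if attrs is None:            # unknown component: keep monitoring it
            monitored.append(ev)
            continue
        hit = next((r for r in rules if r.matches(ev, attrs)), None)
        if hit:                      # claim 4: attributes coincide -> excluded
            excluded[(ev.name, ev.component)] = hit.rule_id
        else:                        # claim 5: no coincidence -> monitored
            monitored.append(ev)
    return monitored, excluded

def demo():
    candidates = [CandidateEvent("exploit_known_cve", "web01"),
                  CandidateEvent("exploit_known_cve", "db01"),
                  CandidateEvent("lateral_login", "ghost99")]
    rules = [ExclusionRule("R1", "exploit_known_cve", {"patched": True})]
    before = decide_targets(candidates, rules)
    rules[0].valid = False           # rule invalidated: event is monitored again
    after = decide_targets(candidates, rules)
    return before, after
```

Recording the rule id for each excluded event keeps every suppression traceable, so a reviewer can see which rule removed a detection and re-evaluate when that rule is edited or invalidated.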
