Method and device for real-time network event processing
Abstract:
A method of real-time processing of network events, wherein an event comprises a plurality of attributes. The method comprises maintaining counters, including counters indicating numbers of occurrences and co-occurrences of instances of specific attributes of received network events, maintaining a record of instances of specific attributes of recent events, receiving a first event, and increasing respective counters based on the instances of attributes of the first event. The method further comprises calculating relation measure scores between a first instance of the first attribute of the first event and instances of the first attribute of events recently received. The relation measure score depends on a number of co-occurrences in which the first instance of the first attribute and a second instance of the first attribute were received within the measurement window, the total number of occurrences of the first instance and the total number of occurrences of the second instance. The method also comprises identifying a group of events as related based on their relation measure scores and creating incident information based on the identified group of events.
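The counter-based correlation described in the abstract, as an added Python example (not code from the patent). The abstract does not give the scoring formula, so the ratio used here (co-occurrences divided by the summed occurrences of both instances), the attribute name `sig`, the 60-second window, the 0.4 threshold and the sample events are all assumptions made for illustration.

```python
from collections import Counter, deque

class Correlator:
    """Counter-based event correlation on one attribute (assumed name: 'sig')."""

    def __init__(self, attr="sig", window=60.0, threshold=0.4):
        self.attr, self.window, self.threshold = attr, window, threshold
        self.occ = Counter()     # occurrences of each attribute instance
        self.cooc = Counter()    # co-occurrences of each unordered pair of instances
        self.recent = deque()    # (timestamp, event) records inside the window

    def score(self, a, b):
        # Assumed relation measure: co-occurrences over total occurrences of both.
        total = self.occ[a] + self.occ[b]
        return self.cooc[frozenset((a, b))] / total if total else 0.0

    def process(self, ts, event):
        """Update counters for one event; return incident info or None."""
        a = event[self.attr]
        while self.recent and ts - self.recent[0][0] > self.window:
            self.recent.popleft()                      # expire old records
        self.occ[a] += 1
        for b in {e[self.attr] for _, e in self.recent} - {a}:
            self.cooc[frozenset((a, b))] += 1          # one count per distinct peer
        related = [e for _, e in self.recent
                   if e[self.attr] != a
                   and self.score(a, e[self.attr]) >= self.threshold]
        self.recent.append((ts, event))
        return {"time": ts, "events": related + [event]} if related else None

# Constructed sample stream: (timestamp in seconds, event attributes).
EVENTS = [
    (0,    {"sig": "port_scan",      "host": "h1"}),
    (10,   {"sig": "ssh_bruteforce", "host": "h1"}),
    (200,  {"sig": "dns_timeout",    "host": "h2"}),
    (400,  {"sig": "port_scan",      "host": "h3"}),
    (420,  {"sig": "ssh_bruteforce", "host": "h3"}),
    (800,  {"sig": "dns_timeout",    "host": "h2"}),
    (1000, {"sig": "port_scan",      "host": "h4"}),
    (1005, {"sig": "dns_timeout",    "host": "h2"}),
    (1030, {"sig": "ssh_bruteforce", "host": "h4"}),
]

def run(events):
    c = Correlator()
    return [inc for ts, ev in events if (inc := c.process(ts, ev))]

if __name__ == "__main__":
    for inc in run(EVENTS):
        print(inc["time"], [e["sig"] for e in inc["events"]])
```

In the last incident the `dns_timeout` event sits inside the same window but is left out of the group, because its many solitary occurrences keep its score against the other signatures below the threshold.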