Abstract: Detecting compromised devices and user accounts within an online service via multi-signal analysis allows for fewer false positives and thus a more accurate allocation of computing resources and human analyst resources. Individual scopes of analysis, related to devices, accounts, or processes are specified and multiple behaviors over a period of time are analyzed to detect persistent (and slow acting) threats as well as brute force (and fast acting) threats. Analysts are alerted to individually affected scopes suspected of being compromised and may address them accordingly.

Abstract: Systems, devices, and methods of an automatic attack testing framework for the security testing of an operational service are disclosed. In an example, such systems, devices, and methods may include operations that: deploy command instructions and a payload for a bot process to a computing device located within a target infrastructure, with the command instructions being selected based on criteria to test a security feature in the target infrastructure with an automated attack action in the bot process, and with the bot process being executed on the computing device and being started with use of the command instructions and the payload; communicate with the computing device to control the automated attack action within the target infrastructure, such that the automated attack action is performed within the bot process; and obtain results of the automated attack action performed within the bot process from the computing device.

Abstract: Detecting compromised devices and user accounts within an online service via multi-signal analysis allows for fewer false positives and thus a more accurate allocation of computing resources and human analyst resources. Individual scopes of analysis, related to devices, accounts, or processes are specified and multiple behaviors over a period of time are analyzed to detect persistent (and slow acting) threats as well as brute force (and fast acting) threats. Analysts are alerted to individually affected scopes suspected of being compromised and may address them accordingly.

Abstract: Detecting compromised devices and user accounts within an online service via multi-signal analysis allows for fewer false positives and thus a more accurate allocation of computing resources and human analyst resources. Individual scopes of analysis, related to devices, accounts, or processes are specified and multiple behaviors over a period of time are analyzed to detect persistent (and slow acting) threats as well as brute force (and fast acting) threats. Analysts are alerted to individually affected scopes suspected of being compromised and may address them accordingly.

Abstract: Outage detection in a cloud based service is provided using usage data based error signals. Usage data is collected from component of the cloud based service or client devices of the cloud based service based on customer actions on the cloud based service. The usage data is aggregated and normalized to generate an error signal from errors generated from a component of the cloud based service. An outage is detected from the error signal. An alert that includes information associated with the outage and one or more customers impacted by the outage is generated.

Abstract: Systems, devices, and methods of an automatic attack testing framework for the security testing of an operational service are disclosed. In an example, such systems, devices, and methods may include operations that: deploy command instructions and a payload for a bot process to a computing device located within a target infrastructure, with the command instructions being selected based on criteria to test a security feature in the target infrastructure with an automated attack action in the bot process, and with the bot process being executed on the computing device and being started with use of the command instructions and the payload; communicate with the computing device to control the automated attack action within the target infrastructure, such that the automated attack action is performed within the bot process; and obtain results of the automated attack action performed within the bot process from the computing device.

Abstract: Detecting compromised devices and user accounts within an online service via multi-signal analysis allows for fewer false positives and thus a more accurate allocation of computing resources and human analyst resources. Individual scopes of analysis, related to devices, accounts, or processes are specified and multiple behaviors over a period of time are analyzed to detect persistent (and slow acting) threats as well as brute force (and fast acting) threats. Analysts are alerted to individually affected scopes suspected of being compromised and may address them accordingly.

Abstract: Data is validated as it travels through the different nodes of a data pipeline. Instead of having to wait to validate the data when the data reaches an end of the data pipeline, each node in the pipeline may validate the data. Different methods may be used to validate the data. For example, each node may determine metadata about the received data and/or the transformed data. This metadata may be used to determine if the node is receiving the same amount of data as it usually receives, whether the data is in a same format, and the like. A timing of the data through one or more of the nodes may also be used in determining when the data is valid. When a problem is detected at any of the nodes in the pipeline, a report may be sent to one or more users.

Abstract: A failure analysis of a cloud based service is provided using synthetic measurements of the cloud based service. The synthetic measurements associated with a customer experience is executed on the cloud based service to determine a health of the cloud based service. The synthetic measurements simulate the customer experience which includes a use scenario of a customer of the cloud based service. Failures associated with the health of the cloud based service are aggregated, where the failures are detected from the synthetic measurements. A distribution is generated from the failures. The distribution is presented to a stakeholder.

Abstract: Visual tools are provided for failure analysis in distributed systems. Errors from synthetic measurements and usage data associated with a cloud based service are aggregated by a management application. The errors are processed to create a distribution that segments the errors based on components of the cloud based service. A failed component that generates a subset of the errors associated with a failure is highlighted. The failed component is one of the components of the cloud based service. The distribution is provided in a visualization to identify the failure by emphasizing the failed component with a failure information in proximity to the failed component.

Abstract: Outage detection in a cloud based service is provided using synthetic measurements and anonymized usage data of the cloud based service. Synthetic measurements and usage data are processed through a shared aggregator to generate aggregated data. The synthetic measurements and the usage data are analyzed through a decision tree to correlate an outage based on the synthetic measurements and the usage data. A confidence value is assigned to the outage. An alert is generated that includes information associated with the outage and the confidence value.

Abstract: Usability of a cloud based service is recovered from a system failure. A customer transaction associated with the customer experience is executed to simulate the customer experience in the cloud based service. A failure associated with a subsystem the cloud based service is detected from an output of the customer transaction. A recovery action is determined to be associated with the failure. The recovery action is executed on the subsystem and monitored to determine a success status.

Abstract: Anomalous activity is detected using event information that is received from accounts from within an online service. Generally, anomalous activity is detected by comparing a baseline profile that includes past event information for accounts of the online service with a recent profile that includes recent event information for the accounts. Anomalous activity is detected when the recent profile shows that one or more events are occurring more frequently as compared to the occurrence of the event the associated baseline profile. The events that are recorded and used in the anomaly detection may include all or a portion of events that are monitored by the online service. One or more reports may also be automatically generated and provided to one or more users to show activity that may be considered anomalous activity.

Abstract: Outage detection in a cloud based service is provided using usage data based error signals. Usage data is collected from component of the cloud based service or client devices of the cloud based service based on customer actions on the cloud based service. The usage data is aggregated and normalized to generate an error signal from errors generated from a component of the cloud based service. An outage is detected from the error signal. An alert that includes information associated with the outage and one or more customers impacted by the outage is generated.

Abstract: Visual tools are provided for failure analysis in distributed systems. Errors from synthetic measurements and usage data associated with a cloud based service are aggregated by a management application. The errors are processed to create a distribution that segments the errors based on components of the cloud based service. A failed component that generates a subset of the errors associated with a failure is highlighted. The failed component is one of the components of the cloud based service. The distribution is provided in a visualization to identify the failure by emphasizing the failed component with a failure information in proximity to the failed component.

Abstract: A failure analysis of a cloud based service is provided using synthetic measurements of the cloud based service. The synthetic measurements associated with a customer experience is executed on the cloud based service to determine a health of the cloud based service. The synthetic measurements simulate the customer experience which includes a use scenario of a customer of the cloud based service. Failures associated with the health of the cloud based service are aggregated, where the failures are detected from the synthetic measurements. A distribution is generated from the failures. The distribution is presented to a stakeholder.

Abstract: Outage detection in a cloud based service is provided using synthetic measurements and anonymized usage data of the cloud based service. Synthetic measurements and usage data are processed through a shared aggregator to generate aggregated data. The synthetic measurements and the usage data are analyzed through a decision tree to correlate an outage based on the synthetic measurements and the usage data. A confidence value is assigned to the outage. An alert is generated that includes information associated with the outage and the confidence value.

Abstract: Usability of a cloud based service is recovered from a system failure. A customer transaction associated with the customer experience is executed to simulate the customer experience in the cloud based service. A failure associated with a subsystem the cloud based service is detected from an output of the customer transaction. A recovery action is determined to be associated with the failure. The recovery action is executed on the subsystem and monitored to determine a success status.

Abstract: Anomalous activity is detected using event information that is received from accounts from within an online service. Generally, anomalous activity is detected by comparing a baseline profile that includes past event information for accounts of the online service with a recent profile that includes recent event information for the accounts. Anomalous activity is detected when the recent profile shows that one or more events are occurring more frequently as compared to the occurrence of the event the associated baseline profile. The events that are recorded and used in the anomaly detection may include all or a portion of events that are monitored by the online service. One or more reports may also be automatically generated and provided to one or more users to show activity that may be considered anomalous activity.

Abstract: Data is validated as it travels through the different nodes of a data pipeline. Instead of having to wait to validate the data when the data reaches an end of the data pipeline, each node in the pipeline may validate the data. Different methods may be used to validate the data. For example, each node may determine metadata about the received data and/or the transformed data. This metadata may be used to determine if the node is receiving the same amount of data as it usually receives, whether the data is in a same format, and the like. A timing of the data through one or more of the nodes may also be used in determining when the data is valid. When a problem is detected at any of the nodes in the pipeline, a report may be sent to one or more users.