Abstract: Systems and methods for detecting threats in a network are provided. A network security monitor obtains records for entities that access a network. The records include attributes associated with the entities. The network security monitor generates a plurality of clusters from the records using a matching process. The network security monitor classifies a first cluster as a threat cluster. The network security monitor receives, subsequent to generating the plurality of clusters, a record from an entity that accesses the network. The network security monitor assigns the record to the first cluster using the matching process. The network security monitor detects, responsive to assigning the record to the first cluster, a threat associated with the entity.
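The following is an added illustration of the clustering workflow described in this abstract; it is not code from the patent or its assignee. The attribute names (`user_agent`, `asn`, `auth_method`), the rule that a cluster is a threat cluster when it contains a known-bad entity, and the sample records are all assumptions made for the example; the abstract names no specific attributes or classification criterion.

```python
"""Cluster entity access records by a matching process over their attributes,
label one cluster as a threat cluster, then assign a later record with the
same matching process and flag it if it lands in the threat cluster.
Added example, not the patent's own implementation."""
from dataclasses import dataclass, field

# Hypothetical attributes used by the matching process (assumption: the
# abstract does not say which attributes records carry).
MATCH_KEYS = ("user_agent", "asn", "auth_method")

# Constructed sample records for entities that accessed the network.
RECORDS = [
    {"entity": "u1", "user_agent": "curl/8.0", "asn": 64500, "auth_method": "password"},
    {"entity": "u2", "user_agent": "curl/8.0", "asn": 64500, "auth_method": "password"},
    {"entity": "u3", "user_agent": "Mozilla/5.0", "asn": 64501, "auth_method": "sso"},
]
# Constructed: entities already known to be malicious from a prior incident.
KNOWN_BAD = {"u2"}


@dataclass
class Cluster:
    key: tuple
    entities: set = field(default_factory=set)
    is_threat: bool = False


def cluster_key(record):
    """Matching process: two records match when all MATCH_KEYS attributes agree."""
    return tuple(record.get(k) for k in MATCH_KEYS)


def build_clusters(records):
    """Generate clusters from the records: one cluster per distinct match key."""
    clusters = {}
    for rec in records:
        key = cluster_key(rec)
        clusters.setdefault(key, Cluster(key)).entities.add(rec["entity"])
    return clusters


def classify_threat_clusters(clusters, known_bad):
    """Hypothetical classification rule: a cluster that contains a known-bad
    entity is labelled a threat cluster."""
    for cluster in clusters.values():
        if cluster.entities & known_bad:
            cluster.is_threat = True
    return clusters


def assign_and_detect(clusters, record):
    """Assign a record received after clustering using the same matching
    process; a threat is detected when the matched cluster is a threat cluster.
    Returns True when a threat is detected."""
    key = cluster_key(record)
    cluster = clusters.get(key)
    if cluster is None:
        # No existing cluster matches: start a new, unclassified one.
        cluster = clusters[key] = Cluster(key)
    cluster.entities.add(record["entity"])
    return cluster.is_threat


def run_demo():
    """Build and classify clusters, then evaluate two new records.
    Returns (threat_flag_for_matching_record, threat_flag_for_benign_record)."""
    clusters = classify_threat_clusters(build_clusters(RECORDS), KNOWN_BAD)
    # Constructed later records: one shares every attribute with the threat
    # cluster, the other matches the benign cluster.
    suspicious = {"entity": "u9", "user_agent": "curl/8.0", "asn": 64500, "auth_method": "password"}
    benign = {"entity": "u10", "user_agent": "Mozilla/5.0", "asn": 64501, "auth_method": "sso"}
    return assign_and_detect(clusters, suspicious), assign_and_detect(clusters, benign)


if __name__ == "__main__":
    print(run_demo())
```

Note that the detection step never inspects the new entity itself; it relies entirely on attribute agreement with the threat cluster, so the choice of `MATCH_KEYS` decides both coverage and false-positive rate.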
Abstract: Systems and methods of the present disclosure are directed to a network security monitor. The monitor can receive logs of a second computer network indicative of a status of the second computer network determined by a monitoring agent executing on the second computer network. The monitor can generate indexed logs from the logs based on log format. The monitor can retrieve a list of threat indicators from a database based on a schema from a plurality of threat indicators received from a plurality of heterogeneous repositories via the first computer network. The monitor can compare the list of threat indicators with the indexed logs. The monitor can generate a report based on the comparison to identify a threat.
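The following is an added illustration of the index-and-compare pipeline this abstract describes; it is not code from the patent or its assignee. The two log formats (JSON DNS events and syslog-style sshd lines), the indicator schema `(type, value, source)`, and all sample lines and indicator values are constructed for the example using documentation addresses and `.example` names.

```python
"""Parse logs of two formats into a field index, take a threat-indicator list
already normalized to one schema, compare the two, and emit a report.
Added example, not the patent's own implementation."""
import json
import re
from collections import defaultdict

# Constructed sample logs as a monitoring agent might forward them:
# JSON-formatted DNS events and syslog-style sshd lines.
SAMPLE_LOGS = [
    '{"ts": "2024-05-01T10:00:00Z", "event": "dns", "qname": "updates.example", "client": "10.0.0.5"}',
    '{"ts": "2024-05-01T10:00:03Z", "event": "dns", "qname": "C2.bad.example", "client": "10.0.0.9"}',
    "May  1 10:00:07 host1 sshd[4242]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "May  1 10:00:09 host1 sshd[4243]: Accepted publickey for alice from 198.51.100.2 port 51240 ssh2",
]

# Constructed indicators from two heterogeneous feeds, already mapped onto
# one schema (type, value, source) as the abstract's database step implies.
THREAT_INDICATORS = [
    {"type": "ip", "value": "203.0.113.7", "source": "feed-a"},
    {"type": "domain", "value": "c2.bad.example", "source": "feed-b"},
    {"type": "ip", "value": "192.0.2.44", "source": "feed-b"},
]

SYSLOG_IP_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line):
    """Select a parser by log format and return the (type, value) pairs found.
    Values are lower-cased so that comparison is case-insensitive."""
    if line.lstrip().startswith("{"):
        rec = json.loads(line)
        pairs = []
        if "qname" in rec:
            pairs.append(("domain", rec["qname"].lower()))
        if "client" in rec:
            pairs.append(("ip", rec["client"]))
        return pairs
    match = SYSLOG_IP_RE.search(line)
    return [("ip", match.group("ip"))] if match else []


def index_logs(lines):
    """Indexed logs: (type, value) -> list of 1-based line numbers."""
    index = defaultdict(list)
    for number, line in enumerate(lines, 1):
        for key in parse_line(line):
            index[key].append(number)
    return index


def compare_indicators(index, indicators):
    """Compare the indicator list with the index; return one entry per hit."""
    matches = []
    for indicator in indicators:
        key = (indicator["type"], indicator["value"].lower())
        if key in index:
            matches.append({"indicator": indicator, "lines": index[key]})
    return matches


def generate_report(lines, indicators):
    """Report identifying a threat when any indicator appears in the logs."""
    matches = compare_indicators(index_logs(lines), indicators)
    return {
        "threat_detected": bool(matches),
        "match_count": len(matches),
        "matches": matches,
    }


if __name__ == "__main__":
    print(json.dumps(generate_report(SAMPLE_LOGS, THREAT_INDICATORS), indent=2))
```

Normalizing both sides to the same schema before comparison is what makes the index useful: the indicator feed and the log parser disagree on case and field names, and the comparison only works because both are reduced to `(type, value)` keys.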