Abstract: An example method includes accessing, by a data platform via a network, data from one or more cloud environments; identifying, by the data platform and in the data, first data associated with a first entity and a first data type and second data associated with a second entity and a second data type; mapping, by the data platform and based on the first entity and the first data type, the first data to a first data stream of a data streaming platform; mapping, by the data platform and based on the second entity and the second data type, the second data to a second data stream of the data streaming platform, the second data stream different from the first data stream of the data streaming platform; and generating, based on the first data stream, a graph representing activity associated with the first entity in the one or more cloud environments.

Abstract: Identifying encountered and unencountered conditions in software applications, including: collecting, for an executing application, information describing the usage of the application, including: receiving, from one or more tracepoints inserted into the application, a first portion of the information describing a state of the application during execution; identifying, based on the information, one or more unencountered conditions that the application is configured to handle; and presenting information describing the unencountered conditions that the application is configured to handle.

Abstract: Instruction-level threat assessment, including: identifying one or more probe insertion points in code of a package corresponding to one or more vulnerabilities of the package; inserting, into one or more instances of the package deployed in one or more hosts of a cloud deployment, one or more probes based on the one or more probe insertion points; and elevating a severity of a particular vulnerability in response to reaching a particular probe of the one or more probes.

Abstract: Integrating a natural language interface into an anomaly detection framework, including: detecting, by an anomaly detection framework, an occurrence of an event associated with one or more assets that are being monitored by an anomaly detection framework; generating, based on information associated with the detected event, one or more natural language inputs; and submitting, to a natural language interface, the one or more natural language inputs.

Abstract: Using static analysis for vulnerability detection, including: inspecting, using an underapproximate static code analysis, a non-executable representation of an application to identify one or more vulnerabilities in the application; and providing an indication of the one or more vulnerabilities, wherein the underapproximate static code analysis can include a taint analysis that is based on one or more of symbolic execution or incorrectness logic.

Abstract: An illustrative method includes determining that a first user login session and a second user login session have a parent-child relationship that indicates that a particular user is associated with both the first and second user login sessions and linking first user login activity performed during the first user login session and second user login activity performed during the second user login session to the user.

Abstract: An illustrative method includes generating a logical graph by performing a clustering operation with respect to log data associated with one or more machines, the clustering operation performed using a first clustering criteria and causing the logical graph to initially include a first set of nodes generated in accordance with relationship requirements of an underlying model and a first set of edges representing communication between nodes included in the first set of nodes; and reclustering, using a second clustering criteria, the logical graph to include, in place of the first set of nodes, a second set of nodes generated while maintaining the relationship requirements of the underlying model and a second set of edges representing communication between nodes included in the second set of nodes.

Abstract: An illustrative method includes accessing data representative of a first role associated with a set of permissions with respect to resources within the compute environment and specifying a group of identities assigned to the first role, determining that a first subgroup of one or more identities included the group of identities only uses a first subset of permissions included in the set of permissions to access the resources within the compute environment without using a second subset of permissions, and performing, based on the determining that the first subgroup of one or more identities only uses the first subset of permissions, an operation to reduce permissions usable by the one or more identities.

Abstract: Detecting anomalous behavior of a device, including: generating, using information describing historical activity associated with a user device, a trained model for detecting normal activity for the user device; gathering information describing current activity associated with the user device; and determining, by using the information describing current activity associated with the user device as input to the trained model, whether the user device has deviated from normal activity.

Abstract: Elastic privileges in a secure access service edge, including: identifying, based on one or more access policies, an application accessible to a user; determining, for the user, an access pattern of the application; and restricting, without modifying the one or more access policies, access to the application by the user based on the access pattern.

Abstract: A natural language interface for an anomaly detection framework, including: receiving a natural language input associated with a cloud deployment; generating a query corresponding to the natural language input by disambiguating at least a portion of the natural language input based on data describing activity associated with an anomaly detection framework monitoring the cloud deployment; and providing, based on a response to the query, a response to the natural language input.

Abstract: A logical graph is generated using at least a portion of log data received from a set of agents executing on one or more nodes in one or more data centers. The logical graph is augmented using data obtained from one or more agents executing in containerized environments, including by representing communications between pods within the logical graph. The augmented logical graph is used to detect an anomaly.

Abstract: Generating user-specific polygraphs for network activity, including: gathering information describing network activity associated with a user and generating, based on the information, a user-specific polygraph that includes one or more destinations associated with the network activity.

Abstract: Detecting deviations from typical user behavior, including: identifying a geographic location of a device that is associated with a user; determining device activity associated with the user; and detecting, based on a profile associated with the user, that the device activity associated with the user deviates from normal activity for the user.

Abstract: Detecting anomalous behavior of a device, including: generating, using information describing historical activity associated with a user device, a trained model for detecting normal activity for the user device; gathering information describing current activity associated with the user device; and determining, by using the information describing current activity associated with the user device as input to the trained model, whether the user device has deviated from normal activity.

Abstract: Configuring cloud deployments based on learnings obtained by monitoring other cloud deployments, including: determining normal behavior for one or more components in a first cloud deployment; determining normal behavior for one or more components in one or more other cloud deployments; and recommending, based on the normal behavior for one or more components in one or more other cloud deployments, a change to the first cloud deployment.

Abstract: In some embodiments, a data platform receives information associated with activities within a network environment, generates a logical graph based on the information, stores data representative of the logical graph in a database, receives, in response to a user interaction with an interface of the data platform, a request to filter the information, in response to the request generates a query using a graph-based schema, and performs the generated query against the database.

Abstract: Using real-time monitoring to inform static analysis, including: inspecting, using one or more static code analysis techniques, one or more components of a cloud deployment; detecting, using data gathered during the execution of the component in the cloud deployment, a condition; and modifying, based on the detected condition, the one or more static code analysis techniques.

Abstract: A data platform receives data associated with activities in an environment, generates a logical graph using at least a portion of the received data, at least in part by clustering multiple nodes into a node of the logical graph based at least in part on behaviors in the network environment, and provides data representing a portion of the logical graph to a computer, the data representing the portion of the logical graph configured to be processed by the computer to display a visualization of the portion of the logical graph. The data platform may provide the data to the computer in response to receiving a query from the computer. The data platform may use the logical graph to detect an anomaly in the environment.

Abstract: Providing a data lake-enabled security platform, including: storing security data associated with a customer in a data lake comprising a plurality of storage environments implemented in different cloud environments of a plurality of cloud environments; generating, based on a plurality of records in the security data, an abstracted security record describing one or more derived insights of the security data; and providing access to the abstracted security record to one or more users associated with the customer.