Abstract: An illustrative method includes generating a logical graph by performing a clustering operation with respect to log data associated with one or more machines, the clustering operation performed using a first clustering criteria and causing the logical graph to initially include a first set of nodes generated in accordance with relationship requirements of an underlying model and a first set of edges representing communication between nodes included in the first set of nodes; and reclustering, using a second clustering criteria, the logical graph to include, in place of the first set of nodes, a second set of nodes generated while maintaining the relationship requirements of the underlying model and a second set of edges representing communication between nodes included in the second set of nodes.

Abstract: An illustrative method includes determining that a first user login session and a second user login session have a parent-child relationship that indicates that a particular user is associated with both the first and second user login sessions and linking first user login activity performed during the first user login session and second user login activity performed during the second user login session to the user.

Abstract: A logical graph is generated using at least a portion of log data received from a set of agents executing on one or more nodes in one or more data centers. The logical graph is augmented using data obtained from one or more agents executing in containerized environments, including by representing communications between pods within the logical graph. The augmented logical graph is used to detect an anomaly.

Abstract: In some embodiments, a data platform receives information associated with activities within a network environment, generates a logical graph based on the information, stores data representative of the logical graph in a database, receives, in response to a user interaction with an interface of the data platform, a request to filter the information, in response to the request generates a query using a graph-based schema, and performs the generated query against the database.

Abstract: A data platform receives data associated with activities in an environment, generates a logical graph using at least a portion of the received data, at least in part by clustering multiple nodes into a node of the logical graph based at least in part on behaviors in the network environment, and provides data representing a portion of the logical graph to a computer, the data representing the portion of the logical graph configured to be processed by the computer to display a visualization of the portion of the logical graph. The data platform may provide the data to the computer in response to receiving a query from the computer. The data platform may use the logical graph to detect an anomaly in the environment.

Abstract: A frame is received at an agent. The frame is analyzed to determine that the frame is associated with a first known pod. IP information is reported to a backend process. The backend process is configured to stitch the IP information with other IP information reported by one or more additional agents to identify a second pod.

Abstract: Log data associated with at least one user session in a network environment associated with an original user is received. A logical graph is generated using at least a portion of the received log data. One example of such a logical graph is a privilege change graph that models privilege changes between processes. Another example of such a logical graph is a user login graph that models machines with which the original user interacts. Another example of such a logical graph is a machine-server graph that clusters machines into nodes based on resources executing on the machine. The generated logical graph is used to detect an anomaly.

Abstract: Activities within a network environment are monitored (e.g., using agents). At least a portion of the monitored activities are used to generate a logical graph model. The generated logical graph model is used to determine an anomaly. The detected anomaly is recorded and can be used to generate an alert.

Abstract: In some embodiments, a request to filter information associated with activities within a network environment is received in response to a user interaction with a graph that comprises a plurality of nodes. At least one node included in the graph is associated with an activity within a network environment. As one example, the request to filter is triggered by a user interaction with a visual representation of at least a portion of the graph. As another example, the request to filter is triggered by a user interaction with a query field. In response to receiving the filter request, a query is generated based on a join using a query service.

Abstract: Log data associated with an environment that includes containers is received. An example of such an environment is one managed by Kubernetes. A logical graph is generated using at least a portion of the received log data. The logical graph is used to detect an anomaly. In response to the anomaly being detected, the anomaly is recorded.

Abstract: An agent executes in user space on a machine and monitors for network connections. In response to detecting an initiation of a network connection, data associated with a process associated with the network connection is collected, e.g., by the agent. At least a portion of the collected process data is reported to an external node. The reported information can be used to detect anomalies in a network environment.

Abstract: A logical graph is generated using at least a portion of log data received from a set of agents executing on one or more nodes in one or more data centers. The logical graph is generated at least in part by clustering a first set of nodes using a first clustering criteria. The logical graph is augmented at least in part by performing a reclustering operation using a second clustering criteria.

Abstract: A frame is received at an agent. The frame is analyzed to determine that the frame is associated with a first known pod. IP information is reported to a backend process. The backend process is configured to stitch the IP information with other IP information reported by one or more additional agents to identify a second pod.

Abstract: A logical graph is generated using at least a portion of log data received from a set of agents executing on one or more nodes in one or more data centers. The logical graph is augmented using data obtained from one or more agents executing in containerized environments, including by representing communications between pods within the logical graph. The augmented logical graph is used to detect an anomaly.

Abstract: A request to filter information associated with activities within a network environment is received in response to a user interaction with a graph that comprises a plurality of nodes. At least one node included in the graph is associated with an activity within a network environment. As one example, the request to filter is triggered by a user interaction with a visual representation of at least a portion of the graph. As another example, the request to filter is triggered by a user interaction with a query field. In response to receiving the filter request, a query is generated based on an implicit join using a query service.

Abstract: Activities within a network environment are monitored (e.g., using agents). At least a portion of the monitored activities are used to generate a logical graph model. The generated logical graph model is used to determine an anomaly. The detected anomaly is recorded and can be used to generate an alert.

Abstract: First information associated with a first user login activity is received, as is second information associated with a second user login activity. A determination is made, using the received first and second information, that the first user login activity and second user login activity have a parent-child relationship. The first user login activity and the second user login activity are linked to at least one user and a process.

Abstract: An agent executes in user space on a machine and monitors for network connections. In response to detecting an initiation of a network connection, data associated with a process associated with the network connection is collected, e.g., by the agent. At least a portion of the collected process data is reported to an external node. The reported information is used to detect anomalies in a network environment.

Abstract: Log data associated with at least one user session in a network environment associated with an original user is received. A logical graph is generated using at least a portion of the received log data. One example of such a logical graph is a privilege change graph that models privilege changes between processes. Another example of such a logical graph is a user login graph that models machines with which the original user interacts. Another example of such a logical graph is a machine-server graph that clusters machines into nodes based on resources executing on the machine. The generated logical graph is used to detect an anomaly.

Abstract: Log data associated with an environment that includes containers is received. An example of such an environment is one managed by Kubernetes. A logical graph is generated using at least a portion of the received log data. The logical graph is used to detect an anomaly. In response to the anomaly being detected, the anomaly is recorded.