Abstract: Elastic privileges in a secure access service edge, including: identifying, based on one or more access policies, an application accessible to a user; determining, for the user, an access pattern of the application; and restricting, without modifying the one or more access policies, access to the application by the user based on the access pattern.

Abstract: A natural language interface for an anomaly detection framework, including: receiving a natural language input associated with a cloud deployment; generating a query corresponding to the natural language input by disambiguating at least a portion of the natural language input based on data describing activity associated with an anomaly detection framework monitoring the cloud deployment; and providing, based on a response to the query, a response to the natural language input.

Abstract: A logical graph is generated using at least a portion of log data received from a set of agents executing on one or more nodes in one or more data centers. The logical graph is augmented using data obtained from one or more agents executing in containerized environments, including by representing communications between pods within the logical graph. The augmented logical graph is used to detect an anomaly.

Abstract: Generating user-specific polygraphs for network activity, including: gathering information describing network activity associated with a user and generating, based on the information, a user-specific polygraph that includes one or more destinations associated with the network activity.

Abstract: Detecting deviations from typical user behavior, including: identifying a geographic location of a device that is associated with a user; determining device activity associated with the user; and detecting, based on a profile associated with the user, that the device activity associated with the user deviates from normal activity for the user.

Abstract: Detecting anomalous behavior of a device, including: generating, using information describing historical activity associated with a user device, a trained model for detecting normal activity for the user device; gathering information describing current activity associated with the user device; and determining, by using the information describing current activity associated with the user device as input to the trained model, whether the user device has deviated from normal activity.

Abstract: Configuring cloud deployments based on learnings obtained by monitoring other cloud deployments, including: determining normal behavior for one or more components in a first cloud deployment; determining normal behavior for one or more components in one or more other cloud deployments; and recommending, based on the normal behavior for one or more components in one or more other cloud deployments, a change to the first cloud deployment.

Abstract: In some embodiments, a data platform receives information associated with activities within a network environment, generates a logical graph based on the information, stores data representative of the logical graph in a database, receives, in response to a user interaction with an interface of the data platform, a request to filter the information, in response to the request generates a query using a graph-based schema, and performs the generated query against the database.

Abstract: Using real-time monitoring to inform static analysis, including: inspecting, using one or more static code analysis techniques, one or more components of a cloud deployment; detecting, using data gathered during the execution of the component in the cloud deployment, a condition; and modifying, based on the detected condition, the one or more static code analysis techniques.

Abstract: A data platform receives data associated with activities in an environment, generates a logical graph using at least a portion of the received data, at least in part by clustering multiple nodes into a node of the logical graph based at least in part on behaviors in the network environment, and provides data representing a portion of the logical graph to a computer, the data representing the portion of the logical graph configured to be processed by the computer to display a visualization of the portion of the logical graph. The data platform may provide the data to the computer in response to receiving a query from the computer. The data platform may use the logical graph to detect an anomaly in the environment.

Abstract: Providing a data lake-enabled security platform, including: storing security data associated with a customer in a data lake comprising a plurality of storage environments implemented in different cloud environments of a plurality of cloud environments; generating, based on a plurality of records in the security data, an abstracted security record describing one or more derived insights of the security data; and providing access to the abstracted security record to one or more users associated with the customer.

Abstract: Example systems and methods monitor a cloud compute environment. An example method includes an agent obtaining a data packet from an interface in the cloud compute environment, the data packet including a source address and a non-endpoint destination address; determining, based on the non-endpoint destination address and routing information for the data packet, an endpoint destination address associated with the non-endpoint destination address of the data packet; modifying the data packet by replacing the non-endpoint destination address with the endpoint destination address; and providing, based on the modified data packet, monitoring data to a data platform.

Abstract: Learning from similar cloud deployments, including: identifying, for at least a portion of a first cloud deployment, one or more additional cloud deployments to utilize for cross-customer learning; receiving information describing configurations associated with the additional cloud deployments; and identifying, based on the configurations, one or more configurations to adopt for the first cloud deployment.

Abstract: A frame is received at an agent. The frame is analyzed to determine that the frame is associated with a first known pod. IP information is reported to a backend process. The backend process is configured to stitch the IP information with other IP information reported by one or more additional agents to identify a second pod.

Abstract: A guided anomaly detection framework, including: gathering data describing activity associated with an anomaly detection framework monitoring a cloud deployment; generating, based on the data, a prompt describing one or more natural language inputs for a security workflow, wherein each of the one or more natural language inputs corresponds to a query for information related to the cloud deployment; and providing a selected natural language input to a natural language interface.

Abstract: Improving developer efficiency and application quality, including: collecting, for an executing application, information describing the usage of the application; identifying one or more unencountered conditions that the application is configured to handle; identifying one or more encountered conditions that the application is not configured to handle; and presenting information describing the unencountered conditions that the application is configured to handle and the encountered conditions that the application is not configured to handle.

Abstract: Dynamically generating monitoring tools for software applications, including: inspecting, using static code analysis, a non-executable representation of the application to identify one or more points in an application for monitoring; and for each of the one or more points in the application: generating a monitoring program; and inserting, into an executable representation of the application, the monitoring program at a location in the executable representation of the application that corresponds to the identified point in the application.

Abstract: Log data associated with at least one user session in a network environment associated with an original user is received. A logical graph is generated using at least a portion of the received log data. One example of such a logical graph is a privilege change graph that models privilege changes between processes. Another example of such a logical graph is a user login graph that models machines with which the original user interacts. Another example of such a logical graph is a machine-server graph that clusters machines into nodes based on resources executing on the machine. The generated logical graph is used to detect an anomaly.

Abstract: Activities within a network environment are monitored (e.g., using agents). At least a portion of the monitored activities are used to generate a logical graph model. The generated logical graph model is used to determine an anomaly. The detected anomaly is recorded and can be used to generate an alert.

Abstract: In some embodiments, a request to filter information associated with activities within a network environment is received in response to a user interaction with a graph that comprises a plurality of nodes. At least one node included in the graph is associated with an activity within a network environment. As one example, the request to filter is triggered by a user interaction with a visual representation of at least a portion of the graph. As another example, the request to filter is triggered by a user interaction with a query field. In response to receiving the filter request, a query is generated based on a join using a query service.