Abstract: Example systems and methods monitor a cloud compute environment. An example method includes an agent obtaining a data packet from an interface in the cloud compute environment, the data packet including a source address and a non-endpoint destination address; determining, based on the non-endpoint destination address and routing information for the data packet, an endpoint destination address associated with the non-endpoint destination address of the data packet; modifying the data packet by replacing the non-endpoint destination address with the endpoint destination address; and providing, based on the modified data packet, monitoring data to a data platform.

Abstract: Learning from similar cloud deployments, including: identifying, for at least a portion of a first cloud deployment, one or more additional cloud deployments to utilize for cross-customer learning; receiving information describing configurations associated with the additional cloud deployments; and identifying, based on the configurations, one or more configurations to adopt for the first cloud deployment.

Abstract: A frame is received at an agent. The frame is analyzed to determine that the frame is associated with a first known pod. IP information is reported to a backend process. The backend process is configured to stitch the IP information with other IP information reported by one or more additional agents to identify a second pod.

Abstract: A guided anomaly detection framework, including: gathering data describing activity associated with an anomaly detection framework monitoring a cloud deployment; generating, based on the data, a prompt describing one or more natural language inputs for a security workflow, wherein each of the one or more natural language inputs corresponds to a query for information related to the cloud deployment; and providing a selected natural language input to a natural language interface.

Abstract: Improving developer efficiency and application quality, including: collecting, for an executing application, information describing the usage of the application; identifying one or more unencountered conditions that the application is configured to handle; identifying one or more encountered conditions that the application is not configured to handle; and presenting information describing the unencountered conditions that the application is configured to handle and the encountered conditions that the application is not configured to handle.

Abstract: Dynamically generating monitoring tools for software applications, including: inspecting, using static code analysis, a non-executable representation of the application to identify one or more points in an application for monitoring; and for each of the one or more points in the application: generating a monitoring program; and inserting, into an executable representation of the application, the monitoring program at a location in the executable representation of the application that corresponds to the identified point in the application.

Abstract: Log data associated with at least one user session in a network environment associated with an original user is received. A logical graph is generated using at least a portion of the received log data. One example of such a logical graph is a privilege change graph that models privilege changes between processes. Another example of such a logical graph is a user login graph that models machines with which the original user interacts. Another example of such a logical graph is a machine-server graph that clusters machines into nodes based on resources executing on the machine. The generated logical graph is used to detect an anomaly.

Abstract: Activities within a network environment are monitored (e.g., using agents). At least a portion of the monitored activities are used to generate a logical graph model. The generated logical graph model is used to determine an anomaly. The detected anomaly is recorded and can be used to generate an alert.

Abstract: In some embodiments, a request to filter information associated with activities within a network environment is received in response to a user interaction with a graph that comprises a plurality of nodes. At least one node included in the graph is associated with an activity within a network environment. As one example, the request to filter is triggered by a user interaction with a visual representation of at least a portion of the graph. As another example, the request to filter is triggered by a user interaction with a query field. In response to receiving the filter request, a query is generated based on a join using a query service.

Abstract: Log data associated with an environment that includes containers is received. An example of such an environment is one managed by Kubernetes. A logical graph is generated using at least a portion of the received log data. The logical graph is used to detect an anomaly. In response to the anomaly being detected, the anomaly is recorded.

Abstract: An agent executes in user space on a machine and monitors for network connections. In response to detecting an initiation of a network connection, data associated with a process associated with the network connection is collected, e.g., by the agent. At least a portion of the collected process data is reported to an external node. The reported information can be used to detect anomalies in a network environment.

Abstract: Detecting deviations from typical user behavior, including: identifying a geographic location of a device that is associated with a user; determining device activity associated with the user; and detecting, based on a profile associated with the user, that the device activity associated with the user deviates from normal activity for the user.

Abstract: Configuring cloud deployments based on learnings obtained by monitoring other cloud deployments, including: determining normal behavior for one or more components in a first cloud deployment; determining normal behavior for one or more components in one or more other cloud deployments; and recommending, based on the normal behavior for one or more components in one or more other cloud deployments, a change to the first cloud deployment.

Abstract: A logical graph is generated using at least a portion of log data received from a set of agents executing on one or more nodes in one or more data centers. The logical graph is generated at least in part by clustering a first set of nodes using a first clustering criteria. The logical graph is augmented at least in part by performing a reclustering operation using a second clustering criteria.

Abstract: A frame is received at an agent. The frame is analyzed to determine that the frame is associated with a first known pod. IP information is reported to a backend process. The backend process is configured to stitch the IP information with other IP information reported by one or more additional agents to identify a second pod.

Abstract: A logical graph is generated using at least a portion of log data received from a set of agents executing on one or more nodes in one or more data centers. The logical graph is augmented using data obtained from one or more agents executing in containerized environments, including by representing communications between pods within the logical graph. The augmented logical graph is used to detect an anomaly.

Abstract: A request to filter information associated with activities within a network environment is received in response to a user interaction with a graph that comprises a plurality of nodes. At least one node included in the graph is associated with an activity within a network environment. As one example, the request to filter is triggered by a user interaction with a visual representation of at least a portion of the graph. As another example, the request to filter is triggered by a user interaction with a query field. In response to receiving the filter request, a query is generated based on an implicit join using a query service.

Abstract: Activities within a network environment are monitored (e.g., using agents). At least a portion of the monitored activities are used to generate a logical graph model. The generated logical graph model is used to determine an anomaly. The detected anomaly is recorded and can be used to generate an alert.

Abstract: First information associated with a first user login activity is received, as is second information associated with a second user login activity. A determination is made, using the received first and second information, that the first user login activity and second user login activity have a parent-child relationship. The first user login activity and the second user login activity are linked to at least one user and a process.

Abstract: An agent executes in user space on a machine and monitors for network connections. In response to detecting an initiation of a network connection, data associated with a process associated with the network connection is collected, e.g., by the agent. At least a portion of the collected process data is reported to an external node. The reported information is used to detect anomalies in a network environment.