Patents Assigned to RAPID7, INC.
  • Publication number: 20240039779
    Abstract: Techniques for associating assets related to events detected in at least one computer network with respective assets in an asset catalog for the at least one computer network. The techniques comprising: obtaining information about an event related to a first asset, the information specifying computer network addressing information for the first asset; generating a signature of the first asset from the computer network addressing information using at least one trained machine learning model, wherein the signature comprises a numeric representation of the first asset; associating the first asset with at least one asset in the asset catalog using the signature and at least one signature of the at least one asset in the asset catalog, wherein the at least one signature was previously determined using the at least one trained machine learning model; and outputting information identifying the at least one asset with which the first asset was associated.
    Type: Application
    Filed: March 27, 2023
    Publication date: February 1, 2024
    Applicant: Rapid7, Inc.
    Inventors: Stuart Millar, Ralph McTeggart
  • Publication number: 20240039730
    Abstract: Techniques for associating assets related to events detected in at least one computer network with respective assets in an asset catalog for the at least one computer network. The techniques include: while monitoring activity on the at least one computer network, obtaining information about an event related to a first asset, the information specifying computer network addressing information for the first asset; generating a signature of the first asset from the computer network addressing information; generating a hashed signature of the first asset by applying a locality sensitive hashing (LSH) technique to the signature; associating the first asset with at least one asset in the asset catalog using the hashed signature of the first asset and at least one hashed signature of the at least one asset in the asset catalog; and outputting information identifying the at least one asset with which the first asset was associated.
    Type: Application
    Filed: March 27, 2023
    Publication date: February 1, 2024
    Applicant: Rapid7, Inc.
    Inventors: Stuart Millar, Ralph McTeggart
  • Publication number: 20240039911
    Abstract: Techniques for verifying correctness of associations between assets related to events detected in at least one computer network and assets in an asset catalog for the at least one computer network. The techniques include obtaining information specifying a first asset and a first set of assets with which the first asset was previously associated; generating a signature of the first asset from the computer network addressing information for the first asset; generating a hashed signature by applying a locality sensitive hashing (LSH) technique to the signature; associating the first asset with a second set of assets in the asset catalog using the hashed signature and at least one hashed signature of the at least one asset in the asset catalog; and when it is determined that the second set of assets includes the first set, outputting an indication that the first asset was correctly associated with the first set of assets.
    Type: Application
    Filed: March 27, 2023
    Publication date: February 1, 2024
    Applicant: Rapid7, Inc.
    Inventors: Stuart Millar, Ralph McTeggart
  • Patent number: 11886413
    Abstract: Systems and methods are disclosed to implement a bounded group by query system that computes approximate time-sliced statistics for groups of records in a dataset according to a group by query. In embodiments, a single pass scan of the dataset is performed to accumulate exact results for a maximum number of groups in a result grouping structure (RGS) and approximate results for additional groups in an approximate result grouping structure (ARGS). RGSs and ARGSs are accumulated by a set of accumulator nodes and provided to an aggregator node, which combines the received structures to generate exact or approximate statistical results for at least a subset of the groups in the dataset. Advantageously, the disclosed query system is able to produce approximate results for at least some of the groups in a single pass of the dataset using size-bounded data structures, without predetermining the actual number of groups in the dataset.
    Type: Grant
    Filed: July 22, 2020
    Date of Patent: January 30, 2024
    Assignee: Rapid7, Inc.
    Inventors: Miguel Angel Casanova, David Christopher Tracey
  • Publication number: 20240031407
    Abstract: Disclosed herein are methods, systems, and processes for probabilistically identifying anomalous levels of honeypot activity. A honeypot dataset associated with a honeypot network is received and a representative usage value is determined from the honeypot dataset. The representative usage value is identified as being associated with anomalous behavior if the representative usage value deviates from an expected probability distribution. A remediation operation is initiated in the honeypot network in response to the identification of the representative usage value as being associated with the anomalous behavior by virtue of the representative usage value deviating from the expected probability distribution.
    Type: Application
    Filed: October 2, 2023
    Publication date: January 25, 2024
    Applicant: Rapid7, Inc.
    Inventors: Wah-Kwan Lin, Curtis Barnard
  • Patent number: 11876834
    Abstract: A modification to an applied ruleset intended for consumption by intrusion detection systems (IDSs) is detected. A service event that is configured to push the applied ruleset to a set of test network sensors associated with the IDSs is triggered. A service subscribed to the service event updates the set of test network sensors with the applied ruleset and designates a configuration version to the applied ruleset. A notification is received from the set of test network sensors that the applied ruleset has been tested and is ready for deployment to other network sensors and a request is received to deploy the applied ruleset to a set of network sensors. A determination is made whether the request includes the configuration version designated to the applied ruleset by the service. If the request includes the configuration version designated to the applied ruleset, the request to deploy the applied ruleset to the set of network sensors is authorized.
    Type: Grant
    Filed: August 11, 2021
    Date of Patent: January 16, 2024
    Assignee: Rapid7, Inc.
    Inventors: Sarah Addis, Martin Hutchings, Ralph McTeggart, Niall Cochrane, Luis Lopes
  • Publication number: 20240012812
    Abstract: A SQL database system is disclosed for reading and writing a non-SQL document store using SQL. The database system includes a SQL query engine configured to use different types of dynamically loadable connectors adapted to communicate with the non-SQL document store via its data access interface. The connectors may include a first connector that treats data within an individual document in the document store as multiple table rows, and a second connector that treats individual documents as individual table rows. In some embodiments, both types of document access modes may be implemented by a single multi-modal connector. In some embodiments, the connector may enable a table to be stored across multiple documents and provide the document identifier of the documents as an attribute of the table. Advantageously, by allowing multiple rows to be stored in individual documents, a table can be stored using less storage space and accessed more efficiently.
    Type: Application
    Filed: September 19, 2023
    Publication date: January 11, 2024
    Applicant: Rapid7, Inc.
    Inventor: Austin Lee
  • Patent number: 11870806
    Abstract: Systems and methods for user training. The systems and methods involve deploying at least one static file on a computing resource controlled by an operator, transmitting a URL to a target user, receiving a request for the URL from the target user, transmitting the at least one static file to the target user for execution in a web browser of the user, and receiving data regarding the execution of the at least one static file.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: January 9, 2024
    Assignee: Rapid7, Inc.
    Inventors: Jin Qian, Brent Cook
  • Patent number: 11863577
    Abstract: Disclosed herein are methods, systems, and processes for generating, configuring, and implementing a data collection and analytics (DCA) pipeline to optimize the identification of anomalous or vulnerable computing assets and/or anomalous or vulnerable computing asset behavior in cybersecurity computing environments. Raw data from an agent executing on a computing asset is received. A baseline profile or a gold image associated with the computing asset is also received. A difference or delta between the raw data and the baseline profile or the gold image is identified, and an output providing context relating to the difference is generated. The difference relates to a keyed property that is common between the raw data and the base profile or the gold image, and the difference is further filtered to reduce noise in the output.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: January 2, 2024
    Assignee: Rapid7, Inc.
    Inventor: Paul-Andrew Joseph Miseiko
  • Patent number: 11856017
    Abstract: Approaches provide for securing an electronic environment. A threat analysis service can obtain data for devices, users, and threats from disparate sources and can correlate users to devices and threats to build an understanding of an electronic environment's operational, organizational, and security concerns in order to provide customized security strategies and remediations. Additionally, the threat analysis service can develop a model of an electronic environment's behavior by monitoring and analyzing various data from the data sources. The model can be updated such that the threat analysis service can tailor its orchestration to complement existing operational processes.
    Type: Grant
    Filed: February 17, 2022
    Date of Patent: December 26, 2023
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Kwan Lin, Vasudha Shivamoggi
  • Patent number: 11853415
    Abstract: Disclosed herein are methods, systems, and processes for context-based identification of anomalous log data. Log data with multiple original logs is received at an anomalous log data identification system. A context associated training dataset is generated by splitting a string in a log into multiple split strings, generating a context association between each split string and a unique key that corresponds to the log, and generating an input/output (I/O) string data batch that includes I/O string data for each split string in the log by training each split string against every other split string in the log. A context-based anomalous log data identification model is then trained according to a machine learning technique using the I/O string data batch that includes a list of unique strings in the context associated training dataset.
    Type: Grant
    Filed: December 9, 2020
    Date of Patent: December 26, 2023
    Assignee: Rapid7, Inc.
    Inventor: Douglas George Wainer
  • Patent number: 11853858
    Abstract: Systems and methods are disclosed to implement a chart recommendation system that recommends charts to users during a chart building process. In embodiments, when a new chart is being created, specified features of the chart are provided to a machine learned model such as a self-organizing map. The model will determine a previous chart that is the most similar to the new chart and recommend the previous chart to the user for recreation. In embodiments, newly created charts are added to a library and used to update the model. Charts that are highly popular or authored by expert users may be weighed more heavily during model updates, so that the model will be more influenced by these charts. Advantageously, the disclosed system allows novice users to easily find similar charts created by other users. Additionally, the disclosed system is able to automatically group similar charts without using human-defined classification rules.
    Type: Grant
    Filed: November 10, 2022
    Date of Patent: December 26, 2023
    Assignee: Rapid7, Inc.
    Inventor: Frank Mitchell
  • Patent number: 11855869
    Abstract: Disclosed herein are methods, systems, and processes for centralized containerized deployment of network traffic sensors to network sensor hosts for deep packet inspection (DPI) that supports various other cybersecurity operations. A network sensor package containing a pre-configured network sensor container is received by a network sensor host from a network sensor deployment server. Installation of the network sensor package on the network sensor host causes execution of the network sensor container that further causes deployment of an on-premise network sensor along with a network sensor management system, a DPI system, and an intrusion detection/prevention (IDS/IPS) system. The configurable on-premise network sensor is deployed on multiple operating system distributions of the network sensor host and generates actionable network metadata using DPI techniques for optimized log search and management and improved intrusion detection and response (IDR) operations.
    Type: Grant
    Filed: June 29, 2022
    Date of Patent: December 26, 2023
    Assignee: Rapid7, Inc.
    Inventors: John Brosnan, Jeff Myers, Andriy Lyubka, Darragh Delaney, Erran Carey, Martin Hutchings, Ralph McTeggart, Ryan Williams, Daniel Skelton, Luke Coughlan, Gianpaolo Tedesco, Luis Ramos Dos Santos Lopes, Lars-Kristian Svenoy, Dan-Adrian Moinescu, Niall Cochrane, Morgan Doyle, Sarah Addis
  • Patent number: 11853804
    Abstract: Routing log-based information between production servers and logging servers is disclosed. A log entry for a logging server is generated at a production server. A shard identifier is computed for a shard associated with the logging server based on application of a hashing algorithm to properties associated with the production server. The hashing algorithm and properties are selected to prevent or minimize the likelihood of computing of the same shard identifier by another production server for the same shard associated with the logging server. The log entry is transmitted to the shard associated with the logging server. A determination is made that the logging server has malfunctioned by detecting that the log entry transmitted to the shard is absent. In response, another shard identifier is computed for another shard of another logging server and a subsequent log entry from the production server is transmitted to the another shard of the another logging server. No load balancers are used by the routing system.
    Type: Grant
    Filed: May 24, 2022
    Date of Patent: December 26, 2023
    Assignee: Rapid7, Inc.
    Inventors: Frank Mitchell, Andrew Thompson
  • Patent number: 11853853
    Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric for each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learning models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.
    Type: Grant
    Filed: December 31, 2020
    Date of Patent: December 26, 2023
    Assignee: Rapid7, Inc.
    Inventors: Jocelyn Beauchesne, John Lim Oh, Vasudha Shivamoggi, Roy Donald Hodgman
  • Patent number: 11853432
    Abstract: Methods and systems for assessing a vulnerability of a network device. The systems and methods described herein combine data regarding locally discovered vulnerabilities and exposed services with data regarding what executables are provided by software installed on the network device.
    Type: Grant
    Filed: August 2, 2021
    Date of Patent: December 26, 2023
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Jonathan Hart
  • Patent number: 11836485
    Abstract: Methods and systems for reviewing software code. The methods involve detecting a change in source code associated with an application and determining an effect on the application of the detected change based at least in part on a context profile associated with the application.
    Type: Grant
    Filed: August 19, 2019
    Date of Patent: December 5, 2023
    Assignee: Rapid7, Inc.
    Inventors: James Cancilla, Ian Horbatiuk
  • Patent number: 11838195
    Abstract: Disclosed herein are methods, systems, and processes for centralized containerized deployment of network traffic sensors to network sensor hosts for deep packet inspection (DPI) that supports various other cybersecurity operations. A network sensor package containing a pre-configured network sensor container is received by a network sensor host from a network sensor deployment server. Installation of the network sensor package on the network sensor host causes execution of the network sensor container that further causes deployment of an on-premise network sensor along with a network sensor management system, a DPI system, and an intrusion detection/prevention (IDS/IPS) system. The configurable on-premise network sensor is deployed on multiple operating system distributions of the network sensor host and generates actionable network metadata using DPI techniques for optimized log search and management and improved intrusion detection and response (IDR) operations.
    Type: Grant
    Filed: June 29, 2022
    Date of Patent: December 5, 2023
    Assignee: Rapid7, Inc.
    Inventors: John Brosnan, Jeff Myers, Andriy Lyubka, Darragh Delaney, Erran Carey, Martin Hutchings, Ralph McTeggart, Ryan Williams, Daniel Skelton, Luke Coughlan, Gianpaolo Tedesco, Luis Ramos dos Santos Lopes, Lars-Kristian Svenoy, Dan-Adrian Moinescu, Niall Cochrane, Morgan Doyle, Sarah Addis
  • Patent number: 11838329
    Abstract: New intrusion detection system (IDS) rules to be deployed on an IDS that generates alerts based on an applied ruleset are accessed. A trial window that includes incorporating the new IDS rules into a candidate list to enable summarization and filtering of the alerts is started and the applied ruleset that includes existing IDS rules is supplemented with the candidate list that includes the new IDS rules. The applied ruleset is transmitted to a network sensor associated with the IDS upon the supplementation and alerts generated based on network events implicated by both the existing IDS rules and the new IDS rules in the applied ruleset are received from the IDS. Upon completion of the trial window, a set of alerts generated only by the new IDS rules in the applied ruleset are designated as suppressed alerts and a set of new IDS rules is eliminated from the applied ruleset upon determining that the set of new IDS rules generate a subset of alerts that exceed an alert threshold.
    Type: Grant
    Filed: August 11, 2021
    Date of Patent: December 5, 2023
    Assignee: Rapid7, Inc.
    Inventors: Luis Lopes, Sarah Addis, Martin Hutchings, Ralph McTeggart, Niall Cochrane
  • Patent number: 11824858
    Abstract: Disclosed herein are methods, systems, and processes to configure and facilitate selective and granular multi-customer support access in cloud-based cybersecurity computing environments. A request to authorize a multi-customer support account (MCSA) is received. Customer accounts that include an anchor tenant customer account and several secondary tenant customer accounts as well as a set of applications associated with the customer accounts are identified. The MCSA is configured to selectively access customer accounts and granularly access associated applications by being designated with a set of varying access limits for the anchor tenant customer account and another set of varying access limits for the secondary tenant customer accounts, each set of varying access limits being made applicable to various instances of applications associated with each of those customer accounts.
    Type: Grant
    Filed: July 9, 2020
    Date of Patent: November 21, 2023
    Assignee: Rapid7, Inc.
    Inventors: Mark McKinless, Ryan Edwards, Jun Qian, Ceara McCurdy, Christopher Dowey, Ralph McTeggart, Ashwin Anand