Abstract: Methods, systems, and computer programs are presented for stitching a meta session with an underlying trail fragmented across multiple distributed sessions. One method includes receiving telemetry signals from entities in a session environment that includes at least one identity of a user engaged with applications via respective meta sessions. An underlying trail for each meta session is determined, where the underlying trail is fragmented across two or more sessions with two or more entities. For a first meta session with a first application for the identity of the user, several operations are performed, including correlating a signal hierarchy based on the telemetry signals; constructing, based on the correlated signal hierarchy, a session hierarchy underlying the first meta session distributed across the one or more entities; determining a posture of the first meta session based on the constructed session hierarchy; and enforcing a security policy based on the determined posture.
Abstract: Techniques are presented for detecting and remediating security events. One method includes ingesting signals and telemetry from various tools like Software as a Service (SaaS), Endpoint Detection and Response (EDR), Mobile Device Management (MDM), and Secure Access Service Edge (SASE). Live session graphs are created for users, mapping all application token sessions. The system collects data from multiple sources to construct detailed graphs that represent user sessions, application usage, device employment, and third-party application tokens. This helps identify both legitimate and suspicious sessions, reducing false positives and enhancing effectiveness. Session graphs are analyzed to detect security threats, identify suspicious activities, and determine appropriate responses. Further, remediation tools are provided to address security events manually or automatically through established policies.