Abstract: Example methods disclosed herein to determine whether a first monitored device is compromised include determining a first entropy value for the first monitored device based on a first number of unique event identifiers included in log entries obtained for the first monitored device, the log entries associated with a first time window. Disclosed example methods also include determining a second entropy value for the first monitored device based on numbers of unique event identifiers included in corresponding groups of log entries obtained for respective ones of a plurality of monitored devices including the first monitored device, the groups of log entries associated with the first time window. Disclosed example methods further include determining whether the first monitored device is compromised based on the first entropy value and the second entropy value, and performing an action in response to a determination that the first monitored device is compromised.

Abstract: There is disclosed a system and method of detecting security threats for an enterprise, including: filtering a first set of endpoint metadata records to identify a subset of metadata records, wherein filtering includes identifying endpoint security metadata records that are uncommon in context of the enterprise; and designating the subset of metadata records as indicating a potential security threat including designating the subset of metadata records for human analysis.

Abstract: A computing apparatus to provide endpoint detect and response (EDR) filtering to an enterprise, including: a processor and memory; a network interface; a network protocol to communicatively couple to a data source via the network interface; and instructions encoded within the memory to provide an EDR filtering pipeline to receive an unfiltered EDR stream via the network interface, extract an EDR record from the EDR stream, and apply a hash to the EDR record to determine that the EDR record is uncommon in context of the enterprise; and a decorator module to decorate the EDR record for in-depth analysis.

Abstract: Example methods disclosed herein to determine whether a first monitored device is compromised include determining a first entropy value for the first monitored device based on a first number of unique event identifiers included in log entries obtained for the first monitored device, the log entries associated with a first time window. Disclosed example methods also include determining a second entropy value for the first monitored device based on numbers of unique event identifiers included in corresponding groups of log entries obtained for respective ones of a plurality of monitored devices including the first monitored device, the groups of log entries associated with the first time window. Disclosed example methods further include determining whether the first monitored device is compromised based on the first entropy value and the second entropy value, and performing an action in response to a determination that the first monitored device is compromised.

Abstract: Example methods disclosed herein to determine whether a first monitored device is compromised include determining a first entropy value for the first monitored device based on a first number of unique event identifiers included in log entries obtained for the first monitored device, the log entries associated with a first time window. Disclosed example methods also include determining a second entropy value for the first monitored device based on numbers of unique event identifiers included in corresponding groups of log entries obtained for respective ones of a plurality of monitored devices including the first monitored device, the groups of log entries associated with the first time window. Disclosed example methods further include determining whether the first monitored device is compromised based on the first entropy value and the second entropy value, and performing an action in response to a determination that the first monitored device is compromised.

Abstract: A computing apparatus to provide endpoint detect and response (EDR) filtering to an enterprise, including: a processor and memory; a network interface; a network protocol to communicatively couple to a data source via the network interface; and instructions encoded within the memory to provide an EDR filtering pipeline to receive an unfiltered EDR stream via the network interface, extract an EDR record from the EDR stream, and apply a hash to the EDR record to determine that the EDR record is uncommon in context of the enterprise; and a decorator module to decorate the EDR record for in-depth analysis.

Abstract: Example methods disclosed herein to determine whether a first monitored device is compromised include determining a first entropy value for the first monitored device based on a first number of unique event identifiers included in log entries obtained for the first monitored device, the log entries associated with a first time window. Disclosed example methods also include determining a second entropy value for the first monitored device based on numbers of unique event identifiers included in corresponding groups of log entries obtained for respective ones of a plurality of monitored devices including the first monitored device, the groups of log entries associated with the first time window. Disclosed example methods further include determining whether the first monitored device is compromised based on the first entropy value and the second entropy value, and performing an action in response to a determination that the first monitored device is compromised.

Abstract: Detecting a malware attack includes monitoring an event log of a first device, wherein the event log identifies events indicating that the first device is likely compromised, determining an expected rate of log entries during a time window, identifying that an actual rate of log entries during the time window satisfies a threshold, determining, in response to the identifying, that the first device is a compromised device, and performing an action in response to determining that the first device is a compromised device.

Abstract: Detecting a malware attack includes monitoring an event log of a first device, wherein the event log identifies events indicating that the first device is likely compromised, determining an expected rate of log entries during a time window, identifying that an actual rate of log entries during the time window satisfies a threshold, determining, in response to the identifying, that the first device is a compromised device, and performing an action in response to determining that the first device is a compromised device.