Abstract: A system and method for implementing user and entity behavioral analytics (UEBA) in a cybersecurity analytics platform. An example method includes receiving, by one or more processing devices of a security analytics platform, security data associated with a specified entity; generating, based on at least a subset of the security data, one or more security signals associated with the specified entity and occurring within a specified time window; computing, for each security signal of the one or more security signals, a respective risk score associated with the specified time window; computing, by aggregating risk scores associated with the one or more security signals, a risk score associated with the specified entity for the specified time window; and modifying, based on an attribute of a security watchlist associated with the specified entity, the risk score of the specified entity.

Abstract: An identify resolution system performs actions comprises a set-up process and an identity resolution process that executes asynchronously with respect to the set-up process. the set-up process includes accessing machine data including a plurality of event data objects, each event data object of the plurality of event data objects including timestamped raw machine-generated data indicative of performance or operation of one or more entities in a computer network environment. The identity resolution process ascertains the identity of an entity associated with the computer network environment, based on the association data in the data store, wherein the identity of the entity is not expressed directly in the association data in the data store.

Abstract: A method comprises acquiring anomaly data including a plurality of anomalies detected from streaming data, wherein each of the anomalies relates to an entity on or associated with a computer network. The method determines a risk score of each of the anomalies, and adjusts the risk score of an anomaly according to a set of factors. The method further determines, for each of a plurality of sliding time windows of different lengths, an entity score of the entity in relation to the sliding time window, based on an aggregation of risk scores of all anomalies related to the entity that were detected within the sliding time window, where the entity score corresponds to a risk level associated with the entity. An action to prevent the entity from performing an operation can be determined and caused to occur based on the entity score.

Abstract: Security related anomalies in the data related to network entities are identified, and a risk score is assigned to each entity based on the anomalies. Visualization data is generated for a color-coded interactive visualization. Generating the visualization data includes assigning each entity to a separate polygon to be displayed concurrently on a display screen; selecting a size of each polygon to indicate one of: a number of security related anomalies associated with the entity, or a risk level assigned to the entity, where the risk level is based on the risk score of the entity, and selecting a color of each polygon to indicate the other one of: the number of security related anomalies associated with the entity, or the risk level assigned to the entity; and causing, the color-coded interactive visualization to be displayed on a display device based on the visualization data.

Abstract: An identify resolution system performs actions comprises a set-up process and an identity resolution process that executes asynchronously with respect to the set-up process. the set-up process includes accessing machine data including a plurality of event data objects, each event data object of the plurality of event data objects including timestamped raw machine-generated data indicative of performance or operation of one or more entities in a computer network environment. The identity resolution process ascertains the identity of an entity associated with the computer network environment, based on the association data in the data store, wherein the identity of the entity is not expressed directly in the association data in the data store.

Abstract: Security related anomalies in the data related to network entities are identified, and a risk score is assigned to each entity based on the anomalies. Visualization data is generated for a color-coded interactive visualization. Generating the visualization data includes assigning each entity to a separate polygon to be displayed concurrently on a display screen; selecting a size of each polygon to indicate one of: a number of security related anomalies associated with the entity, or a risk level assigned to the entity, where the risk level is based on the risk score of the entity, and selecting a color of each polygon to indicate the other one of: the number of security related anomalies associated with the entity, or the risk level assigned to the entity; and causing, the color-coded interactive visualization to be displayed on a display device based on the visualization data.

Abstract: A method comprises acquiring anomaly data including a plurality of anomalies detected from streaming data, wherein each of the anomalies relates to an entity on or associated with a computer network. The method determines a risk score of each of the anomalies, and adjusts the risk score of an anomaly according to a set of factors. The method further determines, for each of a plurality of sliding time windows of different lengths, an entity score of the entity in relation to the sliding time window, based on an aggregation of risk scores of all anomalies related to the entity that were detected within the sliding time window, where the entity score corresponds to a risk level associated with the entity. An action to prevent the entity from performing an operation can be determined and caused to occur based on the entity score.