Patents by Inventor Anurag Singla
Anurag Singla has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240089293
Abstract: Aspects of the disclosure are directed to systems, method, and computer-readable mediums for reducing the number of false positive alerts generated by a SIEM system by adjusting the set of rules the SIEM system uses to analyze attributes of the network traffic and/or system activities based on feedback from a SOAR system. Alert feedback may be received for a set of alerts generated in response to attributes triggering one or more rules. The alert feedback may indicate, for each alert of the set of alerts, whether the alert was a true positive alert or false positive alert. One or more conditions of the at least one rule may be adjusted based on the feedback.
Type: Application
Filed: September 13, 2022
Publication date: March 14, 2024
Inventor: Anurag Singla
-
Patent number: 11681707
Abstract: Transmission handling of analytics query response includes a search head, in a data intake and query system, receiving a query from an analytics system. The search head distributes at least a portion of the query to at least one indexer for processing the query. The at least one indexer transmits, bypassing the search head, and to the analytics system, events matching the query. The search head receives from the at least one indexer, data regarding the events, and sends the data regarding the events to the analytics system.
Type: Grant
Filed: March 10, 2022
Date of Patent: June 20, 2023
Assignee: SPLUNK INC.
Inventors: Bo Lei, Ryan Lee Faircloth, Marios Iliofotou, Sathyanarayanan Kavacheri, Sadia R. Poddar, Anurag Singla
-
Publication number: 20230168935
Abstract: A method includes receiving a search request to search a portion of a data store and splitting the search request into a plurality of sub-searches. The method also includes selecting a first bucket from a plurality of buckets based on the plurality of sub-searches split from the search request. Each bucket of the plurality of buckets is associated with a respective amount of available resources capable of executing a corresponding maximum number of sub-searches in parallel. The method also includes allocating a first execution set of sub-searches selected from the plurality of sub-searches to the selected first bucket. The method also includes executing, in parallel, each sub-search in the first execution set of sub-searches using the respective amount of available resources associated with the selected first bucket.
Type: Application
Filed: November 29, 2021
Publication date: June 1, 2023
Applicant: Google LLC
Inventor: Anurag Singla
-
Publication number: 20230044470
Abstract: According to an example, an autonomous normal and novel behavior sharing apparatus may receive one or more novel behavior baseline models and one or more normal behavior baseline models from a first entity for sharing with a second entity and a subset of other entities; share the received models with the second entity and a subset of other entities; receive one or more novel behavior baseline models and one or more normal behavior baseline models from other entities for sharing with the first entity and a subset of other entities; share the received models with the first entity and subset of other entities; receive effectiveness factor of the shared models from the entities that received these models; score the models based on effectiveness factor received from a plurality of entities; prioritize sharing of the models based on their score.
Type: Application
Filed: August 9, 2021
Publication date: February 9, 2023
Inventor: Anurag Singla
-
Patent number: 11544123
Abstract: According to an example, an autonomous novel behavior detection apparatus may receive network, user, application and device events; partition the network, user, device and application behavior events to plurality of partitions; extract features from the events based on fieldnames, type of data and type of values stored in the corresponding fields in an unsupervised manner; transform the data in the events from all data types to numerical values; normalize the data in the events; utilize training neural networks to learn the network, user, device and application behavior from the events; evaluate network, user, device and application events for novel behavior events using evaluation models; learn the novel behaviors using a plurality of neural networks, filter out novel behavior events that are similar to learned novel behaviors, identify novel behaviors and summarize novel behaviors into meaningful aggregation of novel behaviors.
Type: Grant
Filed: June 28, 2021
Date of Patent: January 3, 2023
Inventor: Anurag Singla
-
Publication number: 20220413947
Abstract: According to an example, an autonomous novel behavior detection apparatus may receive network, user, application and device events; partition the network, user, device and application behavior events to plurality of partitions; extract features from the events based on fieldnames, type of data and type of values stored in the corresponding fields in an unsupervised manner; transform the data in the events from all data types to numerical values; normalize the data in the events; utilize training neural networks to learn the network, user, device and application behavior from the events; evaluate network, user, device and application events for novel behavior events using evaluation models; learn the novel behaviors using a plurality of neural networks, filter out novel behavior events that are similar to learned novel behaviors, identify novel behaviors and summarize novel behaviors into meaningful aggregation of novel behaviors.
Type: Application
Filed: June 28, 2021
Publication date: December 29, 2022
Inventor: Anurag Singla
-
Patent number: 11516069
Abstract: Techniques are described for an IT and security operations application to automatically generate aggregate (or “bulk,” “group,” or “composite”) notable events by identifying notable events sharing common characteristics and aggregating the related notable events into a single aggregate notable event entity that can be displayed and operated upon. The IT and security operations application identifies related notable events based on notable events generated by a common correlation search, notable events having common event attributes, based on user-specified relatedness criteria, or other such criteria. Once identified, in some embodiments, the IT and security operations application displays, in notable event lists and other interfaces, a singular aggregate notable event to users representing each of the identified related notable events.
Type: Grant
Filed: October 30, 2020
Date of Patent: November 29, 2022
Assignee: Splunk Inc.
Inventors: Sourabh Satish, Paul Agbabian, Anurag Singla
-
Patent number: 11301475
Abstract: Transmission handling of analytics query response includes a search head, in a data intake and query system, receiving a query from an analytics system. The search head distributes at least a portion of the query to at least one indexer for processing the query. The at least one indexer transmits, bypassing the search head, and to the analytics system, events matching the query. The search head receives from the at least one indexer, data regarding the events, and sends the data regarding the events to the analytics system.
Type: Grant
Filed: September 21, 2018
Date of Patent: April 12, 2022
Assignee: SPLUNK INC.
Inventors: Bo Lei, Ryan Lee Faircloth, Marios Iliofotou, Sathyanarayanan Kavacheri, Sadia R. Poddar, Anurag Singla
-
Patent number: 11188642
Abstract: A system and method for displaying a number of real-time security events comprises a number of client devices and an administrator device communicatively coupled to the client devices. The administrator device may comprise a preferences module and an event rate adapter module communicatively coupled to the preferences module. The preferences module receives input describing how to display a number of security events on the screen of a graphical user interface the event rate adapter module displays a number of real-time scrolling security events for a relatively longer period of time than other security events.
Type: Grant
Filed: January 28, 2013
Date of Patent: November 30, 2021
Assignee: Micro Focus LLC
Inventors: Anurag Singla, Adam Brody
-
Patent number: 10789367
Abstract: According to an example, pre-cognitive SIEM may include using trained classifiers to detect an anomaly in input events, and generating a predictive attack graph based on the detected anomaly in the input events. The predictive attack graph may provide an indication of different paths that can be taken from an asset that is related to the detected anomaly to compromise other selected assets in a network of the asset, and the other selected assets may be selected based on a ranking criterion and a complexity criterion. A rank list and a complexity list may be generated. The rank list, the complexity list, a depth of the predictive attack graph, and a weighted value may be used to generate a score that provides an indication of a number of assets that can be compromised and a difficulty of exploiting vulnerabilities related to services of the assets that can be compromised.
Type: Grant
Filed: April 18, 2014
Date of Patent: September 29, 2020
Assignee: MICRO FOCUS LLC
Inventors: Satheesh Kumar Joseph Durairaj, Anurag Singla
-
Patent number: 10693895
Abstract: According to an example, security indicator access determination may include determining a security indicator that is received from a first entity by a security indicator sharing platform for sharing with a second entity. A rule associated with identification of a third entity that has access to the security indicator may be analyzed. The third entity may be different from the second entity, and if the second entity belongs to a community, the third entity may not be in the community of the second entity. A determination may be made as to whether to identify the third entity based on the analysis of the rule. In response to a determination that the third entity is to be identified or not to be identified, the third entity may be identified to the first entity, or not identified to the first entity.
Type: Grant
Filed: July 22, 2014
Date of Patent: June 23, 2020
Assignee: Micro Focus LLC
Inventors: Anurag Singla, Amir Kibbar, Tomas Sander, Edward Ross, Serhan Shbeita
-
Patent number: 10635817
Abstract: Providing a targeted security alert can include collecting participant data from a plurality of participants within a threat exchange community, calculating, using a threat exchange server, a threat relevancy score of a participant among the plurality of participants within the threat exchange community using the collected participant data, and providing, from the threat exchange server to the participant, the targeted security alert based on the calculated threat relevancy score via a communication link within the threat exchange community.
Type: Grant
Filed: January 31, 2013
Date of Patent: April 28, 2020
Assignee: Micro Focus LLC
Inventors: William G Horne, Tomas Sander, Krishnamurthy Viswanathan, Anurag Singla, Siva Raj Rajagopalan
-
Patent number: 10419457
Abstract: In response to determining that an event matches a condition of a rule, a given one of a plurality of computing nodes is selected to send the event, based on one or both of an attribute of the event and an identifier of the rule. Information of the event is sent to the given computing node to perform correlation of the event with another event.
Type: Grant
Filed: April 30, 2014
Date of Patent: September 17, 2019
Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventors: Daniel Juergen Gmach, Alvin AuYoung, Robert Block, Jayaram Kallapalayam Radhakrishnan, Suranjan Pramanik, Julian James Stephen, Anurag Singla
-
Patent number: 10395049
Abstract: According to an example, conditional security indicator sharing may include analyzing a security indicator that is received from a first entity by a security indicator sharing platform for sharing with a second entity. A determination may be made as to whether to share the security indicator with a third entity based on a condition. In response to a determination that the security indicator is to be shared or not to be shared with the third entity based on the condition, the security indicator may be respectively shared with the third entity, or not shared with the third entity.
Type: Grant
Filed: July 22, 2014
Date of Patent: August 27, 2019
Assignee: ENTIT SOFTWARE LLC
Inventors: Anurag Singla, Tomas Sander
-
Patent number: 10356109
Abstract: According to an example, security indicator linkage determination may include parsing input data that is used to determine a plurality of sequences of steps that are involved in attacks. A linkage selected from temporal, spatial, and/or behavioral linkages may be applied to the parsed input data to determine the plurality of sequences of steps. A security indicator that is related to a potential attack may be received. The plurality of sequences of steps may be used to determine whether the security indicator matches a step in one of the plurality of sequences of steps. In response to a determination that the security indicator matches a step in one of the plurality of sequences of steps, linkage between the security indicator and another security indicator from the one of the plurality of sequences of steps that are involved in the attacks may be identified.
Type: Grant
Filed: July 21, 2014
Date of Patent: July 16, 2019
Assignee: ENTIT SOFTWARE LLC
Inventors: Anurag Singla, Edward Ross, Brian Frederik Hosea Che Hein
-
Patent number: 10296739
Abstract: According to an example, a confidence factor function may be applied to determine a confidence factor for a condition of a rule to correlate events. The confidence factor may be an approximation of whether an event or a set of events satisfies the condition in the rule. The confidence factor may be compared to a threshold to determine whether the condition is satisfied.
Type: Grant
Filed: March 11, 2013
Date of Patent: May 21, 2019
Assignee: ENTIT SOFTWARE LLC
Inventors: Anurag Singla, Robert Block, Suranjan Pramanik
-
Patent number: 10289838
Abstract: Example embodiments disclosed herein relate to determining threat scores for threat observables. Information about multiple threat observables are received from providing entities. The information about the threat observables include at least one attribute about a respective threat associated with the threat observable. Threat scores are determined for the respective threat observables for multiple entities. In one example, a first score of a first one of the threat observables is determined and is different than a second score of the first threat observable for a second entity based on a treatment of the attribute(s).
Type: Grant
Filed: February 21, 2014
Date of Patent: May 14, 2019
Assignee: ENTIT SOFTWARE LLC
Inventors: Anurag Singla, Tomas Sander, Edward Ross
-
Patent number: 10104109
Abstract: A device for providing hierarchical threat intelligence includes a non-transitory machine-readable storage medium storing instructions that cause the device to receive, a plurality of calculated threat scores for a plurality of threat management devices, wherein the threat scores are respectively associated with context information, determine a first threat scores for a first entity based on a first subset of the calculated threat scores, determine a second threat score for a second entity based on a second subset of the calculated threat scores, receive update information of one of the calculated threat scores of the first subset from a listener of the threat management devices, and update the first threat score based on the update information.
Type: Grant
Filed: September 30, 2013
Date of Patent: October 16, 2018
Assignee: ENTIT SOFTWARE LLC
Inventors: Anurag Singla, Monica Jain
-
Patent number: 10104112
Abstract: Example embodiments disclosed herein relate to update a rating of threat submitters. Information is received of threat observables from threat submitters. Information about the threat observables is provided to one or more entities. Feedback about a threat observable is received from one of the entities. A rating of the threat submitter associated with the feedback is updated.
Type: Grant
Filed: April 18, 2014
Date of Patent: October 16, 2018
Assignee: Entit Software, LLC
Inventors: Anurag Singla, Tomas Sander, Edward Ross
-
Patent number: 10027686
Abstract: Pattern discovery performed on event data may include selecting an initial set of parameters for the pattern discovery. The parameters may specify conditions for identifying a pattern in the event data. A pattern discovery run is executed on the event data based on the initial set of parameters, and a parameter may be adjusted based on the output of the pattern discovery run.
Type: Grant
Filed: May 30, 2012
Date of Patent: July 17, 2018
Assignee: ENTIT SOFTWARE LLC
Inventors: Zhipeng Zhao, Yanlin Wang, Anurag Singla