Patents by Inventor Anurag Singla

Anurag Singla has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10013318
    Abstract: According to an example, a master node is to divide an event field in events into partitions including ordered contiguous blocks of values for the event field. Each partition may be assigned to a pair of cluster nodes. A partition map is determined from the partitions and may identify for each partition, the block of the event field values for the partition, a primary cluster node, and a failover cluster node for the primary cluster node.
    Type: Grant
    Filed: April 16, 2013
    Date of Patent: July 3, 2018
    Assignee: EntIT Software LLC
    Inventors: Robert Block, Anurag Singla
  • Patent number: 9830451
    Abstract: Example embodiments disclosed herein relate to distributed pattern discovery. A local frequent pattern tree or local frequent pattern trees can be merged. The merging can be based on activities or transactions associated with the local frequent pattern tree or trees.
    Type: Grant
    Filed: November 30, 2012
    Date of Patent: November 28, 2017
    Assignee: EntIT Software LLC
    Inventors: Anurag Singla, Zhipeng Zhao, Fei Gao
  • Patent number: 9824107
    Abstract: A session table includes one or more records, where each record represents a session. Session record information is stored in various fields, such as key fields, value fields, and timestamp fields. Session information is described as keys and values in order to support query/lookup operations. A session table is associated with a filter, which describes a set of keys that can be used for records in that table. A session table is populated using data contained in security information/events. Rules are created to identify events related to session information, extract the session information, and use the session information to modify a session table. A session table is partitioned so that the number of records in each session table partition is decreased. A session table is processed periodically so that active sessions are moved to the current partition.
    Type: Grant
    Filed: October 24, 2007
    Date of Patent: November 21, 2017
    Assignee: EntIT Software LLC
    Inventors: Anurag Singla, Kumar Saurabh, Kenny C. Tidwell
  • Publication number: 20170187730
    Abstract: According to an example, security indicator linkage determination may include parsing input data that is used to determine a plurality of sequences of steps that are involved in attacks. A linkage selected from temporal, spatial, and/or behavioral linkages may be applied to the parsed input data to determine the plurality of sequences of steps. A security indicator that is related to a potential attack may be received. The plurality of sequences of steps may be used to determine whether the security indicator matches a step in one of the plurality of sequences of steps. In response to a determination that the security indicator matches a step in one of the plurality of sequences of steps, linkage between the security indicator and another security indicator from the one of the plurality of sequences of steps that are involved in the attacks may be identified.
    Type: Application
    Filed: July 21, 2014
    Publication date: June 29, 2017
    Inventors: Anurag SINGLA, Edward ROSS, Brian Frederik Hosea Che HEIN
  • Publication number: 20170180405
    Abstract: According to an example, security indicator access determination may include determining a security indicator that is received from a first entity by a security indicator sharing platform for sharing with a second entity. A rule associated with identification of a third entity that has access to the security indicator may be analyzed. The third entity may be different from the second entity, and if the second entity belongs to a community, the third entity may not be in the community of the second entity. A determination may be made as to whether to identify the third entity based on the analysis of the rule. In response to a determination that the third entity is to be identified or not to be identified, the third entity may be identified to the first entity, or not identified to the first entity.
    Type: Application
    Filed: July 22, 2014
    Publication date: June 22, 2017
    Inventors: Anurag SINGLA, Amir KIBBAR, Tomas SANDER, Edward ROSS, Serhan SHBEITA
  • Publication number: 20170169240
    Abstract: According to an example, conditional security indicator sharing may include analyzing a security indicator that is received from a first entity by a security indicator sharing platform for sharing with a second entity. A determination may be made as to whether to share the security indicator with a third entity based on a condition. In response to a determination that the security indicator is to be shared or not to be shared with the third entity based on the condition, the security indicator may be respectively shared with the third entity, or not shared with the third entity.
    Type: Application
    Filed: July 22, 2014
    Publication date: June 15, 2017
    Inventors: Anurag SINGLA, Tomas SANDER
  • Publication number: 20170155683
    Abstract: Example embodiments disclosed herein relate to performing a remedial action based on the release of data. Threat information is received from multiple threat submitters. Data about the respective threat information is provided to a plurality of entities based on rules. It is determined that the data has been released outside of the entities. The remedial action is performed based on the release of the data.
    Type: Application
    Filed: July 21, 2014
    Publication date: June 1, 2017
    Inventor: Anurag SINGLA
  • Publication number: 20170142147
    Abstract: Example embodiments disclosed herein relate to updating a rating of threat submitters. Information is received of threat observables from threat submitters. Information about the threat observables is provided to one or more entities. Feedback about a threat observable is received from one of the entities. A rating of the threat submitter associated with the feedback is updated.
    Type: Application
    Filed: April 18, 2014
    Publication date: May 18, 2017
    Inventors: Anurag SINGLA, Thomas SANDER, Edward ROSS
  • Patent number: 9646155
    Abstract: Systems and methods for evaluation of events are provided. A user-specific reference baseline comprises a set of temporally-ordered sequences of events. An event of a sequence of events in a current session is received. A determination is made as to whether the event at least partially matches the reference baseline using an attribute of the event and a temporal position of the event within the sequence of events in the current session.
    Type: Grant
    Filed: October 20, 2011
    Date of Patent: May 9, 2017
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Anurag Singla, Robert Block
  • Publication number: 20170048261
    Abstract: In response to determining that an event matches a condition of a rule, a given one of a plurality of computing nodes is selected to send the event, based on one or both of an attribute of the event and an identifier of the rule. Information of the event is sent to the given computing node to perform correlation of the event with another event.
    Type: Application
    Filed: April 30, 2014
    Publication date: February 16, 2017
    Inventors: Daniel Juergen Gmach, Alvin AuYoung, Robert Block, Jayaram Kallapalayam Radhakrishnan, Suranjan Pramanik, Julian James Stephen, Anurag Singla
  • Patent number: 9571508
    Abstract: Systems and methods for distributed rule-based correlation of events are provided. A notification of a partial match of a distributed rule by an event of a first subset of events is received. The notification includes a set of properties of the event of the first subset of events. The distributed rule is evaluated using the set of properties of the event of the first subset of events and a set of properties of an event of a second subset of events. A complete match of the rule is determined based on the evaluation, and a correlation event is generated.
    Type: Grant
    Filed: July 29, 2011
    Date of Patent: February 14, 2017
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventor: Anurag Singla
  • Publication number: 20170032130
    Abstract: According to an example, pre-cognitive SIEM may include using trained classifiers to detect an anomaly in input events, and generating a predictive attack graph based on the detected anomaly in the input events. The predictive attack graph may provide an indication of different paths that can be taken from an asset that is related to the detected anomaly to compromise other selected assets in a network of the asset, and the other selected assets may be selected based on a ranking criterion and a complexity criterion. A rank list and a complexity list may be generated. The rank list, the complexity list, a depth of the predictive attack graph, and a weighted value may be used to generate a score that provides an indication of a number of assets that can be compromised and a difficulty of exploiting vulnerabilities related to services of the assets that can be compromised.
    Type: Application
    Filed: April 18, 2014
    Publication date: February 2, 2017
    Inventors: Satheesh Kumar JOSEPH DURAIRAJ, Anurag SINGLA
  • Publication number: 20160378978
    Abstract: Example embodiments disclosed herein relate to determining threat scores for threat observables. Information about multiple threat observables is received from providing entities. The information about the threat observables includes at least one attribute about a respective threat associated with the threat observable. Threat scores are determined for the respective threat observables for multiple entities. In one example, a first score of a first one of the threat observables is determined and is different than a second score of the first threat observable for a second entity based on a treatment of the attribute(s).
    Type: Application
    Filed: February 21, 2014
    Publication date: December 29, 2016
    Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Anurag Singla, Tomas Sander, Edward Ross
  • Patent number: 9531755
    Abstract: Fields are determined for pattern discovery in event data. Cardinality and repetitiveness statistics are determined for fields of event data. A set of the fields are selected based on the cardinality and repetitiveness for the fields. The fields may be included in a pattern discovery profile.
    Type: Grant
    Filed: May 30, 2012
    Date of Patent: December 27, 2016
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Anurag Singla, Zhipeng Zhao
  • Patent number: 9456001
    Abstract: Systems, methods, and machine-readable and executable instructions are provided for attack notification. Attack notification can include receiving security-related data from a number of computing devices that are associated with a number of entities through a communication link and analyzing a first portion of the security-related data that is associated with a first entity from the number of entities to determine whether the first entity has experienced an attack. Attack notification can include analyzing a second portion of the security-related data that is associated with a second entity from the number of entities and the first portion of the security-related data that is associated with the first entity to determine whether the second entity is experiencing the attack. Attack notification can include notifying, through the communication link, the second entity that the second entity is experiencing the attack if it is determined that the second entity is experiencing the attack.
    Type: Grant
    Filed: January 31, 2013
    Date of Patent: September 27, 2016
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Sandeep N. Bhatt, Tomas Sander, Anurag Singla
  • Publication number: 20160269431
    Abstract: A method and system for providing predictive analytics which include calculating forecast trend curves utilizing historical events, determining which of the forecast trend curves best fit the historical events to form a first best fit forecast trend curve, comparing predicted events from the first best fit forecast trend curve with real-time events, based on the real-time security events deviating from the first best fit forecast trend curve by a threshold amount, calculating additional forecast trend curves utilizing the real-time events, and determining which of the forecast trend curves and first best fit forecast trend curve best fits the real-time events to form a second best fit forecast trend curve.
    Type: Application
    Filed: January 29, 2014
    Publication date: September 15, 2016
    Inventor: Anurag Singla
  • Patent number: 9438616
    Abstract: A network asset information management system (101) may include an asset determination and event prioritization module (105) to generate real-time asset information based on network activity involving an asset (102). A rules module (109) may include a set of rules for monitoring the network activity involving the asset. An information analysis module (110) may evaluate the real-time asset information and the rules to generate a notification (111) related to the asset. The rules may include rules for determining vulnerabilities and risks associated with the asset based on comparison of a level of traffic identified to or from an IP address related to the asset to a predetermined threshold. The notification may include a level of risk associated with the asset.
    Type: Grant
    Filed: October 31, 2011
    Date of Patent: September 6, 2016
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Anurag Singla, Robert Block, Dhiraj Sharan, Dilraba Ibrahim
  • Publication number: 20160212158
    Abstract: Example embodiments disclosed herein relate to distributed pattern discovery. Single item itemsets are received. A new candidate item set is built for the respective single item itemsets if the respective single item itemsets are a new single item set or an item set size of a respective transaction set of the respective single item itemset is below a threshold. The new candidate item set and a respective transaction identifier are outputted to a set of nodes.
    Type: Application
    Filed: August 28, 2013
    Publication date: July 21, 2016
    Inventors: FEI GAO, Zhipeng Zhao, Anurag Singla
  • Publication number: 20160212165
    Abstract: A device for providing hierarchical threat intelligence includes a non-transitory machine-readable storage medium storing instructions that cause the device to receive a plurality of calculated threat scores for a plurality of threat management devices, wherein the threat scores are respectively associated with context information, determine a first threat score for a first entity based on a first subset of the calculated threat scores, determine a second threat score for a second entity based on a second subset of the calculated threat scores, receive update information of one of the calculated threat scores of the first subset from a listener of the threat management devices, and update the first threat score based on the update information.
    Type: Application
    Filed: September 30, 2013
    Publication date: July 21, 2016
    Inventors: Anurag Singla, Monica Jain
  • Publication number: 20160191352
    Abstract: A network asset information management system (101) may include an asset determination and event prioritization module (105) to generate real-time asset information based on network activity involving an asset (102). A rules module (109) may include a set of rules for monitoring the network activity involving the asset. An information analysis module (110) may evaluate the real-time asset information and the rules to generate a notification (111) related to the asset. The rules may include rules for determining vulnerabilities and risks associated with the asset based on comparison of a level of traffic identified to or from an IP address related to the asset to a predetermined threshold. The notification may include a level of risk associated with the asset.
    Type: Application
    Filed: September 4, 2015
    Publication date: June 30, 2016
    Inventors: Anurag Singla, Robert Block, Dhiraj Sharan, Dilraba Ibrahim