Abstract: Disclosed is a system for detecting security threats in a local network. A security analytics system collects data about entities in the local network. The raw data can be filtered to extract data fields from the raw data that are relevant to detecting security threats in the local network. The filtered data can be converted into structured data that formats the information in the filtered data. The structured data may be formatted based on a set of schema, and can be used to generate a set of features. The security analytics system can use the generated features to build machine-learned models of the behavior of entities in the local network. The security analytics system can use the machine-learned models to generate threat scores representing the likelihood a security threat is present. The security analytics system can provide an indication of the security threat to a user.

Abstract: Disclosed is a system for detecting security threats in a local network. A security analytics system collects data about entities in the local network. The security analytics system parses the raw data into data fields. The security analytics system identifies a subset of the data fields based on the relevance of the data fields to detecting security threats in the local network. The security analytics system generates filtered data containing the subset of data fields and generates structured data based on the filtered data. The security analytics system identifies relationships between the plurality of entities, generates a set of features based on the structured data and the identified relationships, and generates one or more threat scores based on the set of features. The security analytics system detects malicious behavior performed by an entity in the local network based on the generated threat scores.

Abstract: Disclosed is a system for detecting security threats in a local network. A security analytics system collects data about entities in the local network. The security analytics system identifies the entities in the raw data and determines a set of properties about each of the identified entities. The entity properties contain information about the entity and can be temporary or permanent properties about the entity. The security analytics system determines relationships between the identified entities and can be determined based on the entity properties for the identified properties. An entity graph is generated that describes the entity relationships, wherein the nodes of the entity graph represent entities and the edges of the entity graph represent entity relationships. The security analytics system provides a user interface to a user that contains the entity graph and the relationships described therein.

Abstract: Disclosed is a system for detecting security threats in a local network. A security analytics system collects data about entities in the local network. The raw data can be filtered to extract data fields from the raw data that are relevant to detecting security threats in the local network. The filtered data can be converted into structured data that formats the information in the filtered data. The structured data may be formatted based on a set of schema, and can be used to generate a set of features. The security analytics system can use the generated features to build machine-learned models of the behavior of entities in the local network. The security analytics system can use the machine-learned models to generate threat scores representing the likelihood a security threat is present. The security analytics system can provide an indication of the security threat to a user.

Abstract: Disclosed is a system for detecting security threats in a local network. A security analytics system collects data about entities in the local network. The security analytics system parses the raw data into data fields. The security analytics system identifies a subset of the data fields based on the relevance of the data fields to detecting security threats in the local network. The security analytics system generates filtered data containing the subset of data fields and generates structured data based on the filtered data. The security analytics system identifies relationships between the plurality of entities, generates a set of features based on the structured data and the identified relationships, and generates one or more threat scores based on the set of features. The security analytics system detects malicious behavior performed by an entity in the local network based on the generated threat scores.

Abstract: Disclosed is a system for detecting security threats in a local network. A security analytics system collects data about entities in the local network. The security analytics system identifies the entities in the raw data and determines a set of properties about each of the identified entities. The entity properties contain information about the entity and can be temporary or permanent properties about the entity. The security analytics system determines relationships between the identified entities and can be determined based on the entity properties for the identified properties. An entity graph is generated that describes the entity relationships, wherein the nodes of the entity graph represent entities and the edges of the entity graph represent entity relationships. The security analytics system provides a user interface to a user that contains the entity graph and the relationships described therein.

Abstract: The invention relates to a method for monitoring at least one message, each message being associated with an action generated by at least one element or user of an information system (1000), said message(s) being collected by at least one message collecting device of the IS. According to the invention, the method comprises the step of defining a plurality of reference event categories each associated with at least one reference action from an ontology based on an intention class that characterizes the purpose of each reference action, an activity type class that qualifies the nature of each reference action, a movement class that characterizes the means for implementing each reference action, a target class that characterizes the object of each reference action, and a gain class that characterizes the result of each reference action.

Abstract: The invention relates to a method for monitoring at least one message, each message being associated with an action generated by at least one element or user of an information system (1000), said message(s) being collected by at least one message collecting device of the IS. According to the invention, the method comprises the step of defining a plurality of reference event categories each associated with at least one reference action from an ontology based on an intention class that characterises the purpose of each reference action, an activity type class that qualifies the nature of each reference action, a movement class that characterises the means for implementing each reference action, a target class that characterises the object of each reference action, and a gain class that characterises the result of each reference action.