Abstract: Malicious service provider activity detection is enabled. A first log is obtained. The first log comprises a record of a first control plane operation executed on behalf of a first entity. A service provider associated with the execution of the first control plane operation is identified. The service provider has privileges to execute control plane operations on behalf of the first entity. A first malicious activity score is determined based at least on the service provider. The first malicious activity score is indicative of a degree to which the first control plane operation is anomalous with respect to the first entity. A determination that the first control plane operation potentially corresponds to malicious activity is made based at least on the determined first malicious activity score. Responsive to determining that the first control plane operation potentially corresponds to malicious activity, a security alert is generated.

Abstract: Malicious activity detection is enabled for cloud computing platforms. A first log comprising a record of a first control plane operation executed by a cloud application associated with an entity is obtained. A plurality of second logs, each comprising a record of a respective second control plane operation executed in association with the entity, is obtained. A first property set is generated based on the first log and a second property set is generated based on the plurality of second logs. A malicious activity score indicative of a degree to which the first control plane operation is anomalous with respect to the entity is determined based on the first property set and the second property set. A determination that the first control plane operation potentially corresponds to malicious activity is made based on the malicious activity score and a security alert is generated.

Abstract: Methods, systems, and computer storage media for providing security incident management using a latent-context alert correlation engine in a security management system. Security incident management is provided using the latent-context alert correlation engine that is operationally integrated into the security management system. In operation, first security data of a first alert and second security data of a second alert are accessed. The first alert and the second alert do not share a common entity identifiable in a security graph. Using the first security data and the second security data, a determination is made that the first alert is connected to the second alert based on a latent-context connection. The latent-context connection is a known attack path connection that indirectly connects alerts. Based on determining that the first alert is connected to the second alert, a security incident is generated for the alert. A notification comprising the security incident is communicated.

Abstract: Systems and techniques for reduction of security detection false positives are described herein. Suspicious activity data is obtained for an operation. Operation data is obtained for the operation. It is determined that the operation is related to a parent operation that has not triggered an alert. The operation is cleared from the suspicious activity data.

Abstract: A recovery instruction pertaining to a resource is detected. The recovery instruction is matched with a delete instruction that caused the resource to enter a soft-deleted. A mismatch between a first user account associated with the recovery instruction and a second user account associated with the delete instruction is determined. A mitigation action is performed based on determining the mismatch between the first user account and the second user account.