Patents by Inventor Daniel DAVRAEV

Daniel DAVRAEV has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12580944
    Abstract: The disclosure focuses on using a risk inheritance system to actively prevent unauthorized and compromising activity within a cloud computing system by causing user risk scores to be inherited across downstream cloud entities within the cloud computing system. The risk inheritance system ensures that users with risky user risk scores are unable to circumvent the security measures of the cloud computing system through propagation events. For instance, the risk inheritance system assigns user risk scores to be inherited from a cloud entity of a user to another cloud entity, including other users and service principals, based on detecting the user initiating a propagation event. This way, the risk inheritance system improves the efficiency of the cloud computing system by ensuring that cloud entities are assigned accurate user risk scores.
    Type: Grant
    Filed: September 19, 2023
    Date of Patent: March 17, 2026
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Daniel Davraev, Josef Weizman, Ram Haim Pliskin
  • Publication number: 20260073047
    Abstract: Malicious activity detection is enabled for cloud computing platforms. A first log comprising a record of a first control plane operation executed by a cloud application associated with an entity is obtained. A plurality of second logs, each comprising a record of a respective second control plane operation executed in association with the entity, is obtained. A first property set is generated based on the first log and a second property set is generated based on the plurality of second logs. A malicious activity score indicative of a degree to which the first control plane operation is anomalous with respect to the entity is determined based on the first property set and the second property set. A determination that the first control plane operation potentially corresponds to malicious activity is made based on the malicious activity score and a security alert is generated.
    Type: Application
    Filed: November 13, 2025
    Publication date: March 12, 2026
    Inventors: Shalom Shay SHAVIT, Ram Haim PLISKIN, Daniel DAVRAEV
  • Patent number: 12443708
    Abstract: Systems and techniques for reduction of security detection false positives are described herein. Suspicious activity data is obtained for an operation. Operation data is obtained for the operation. It is determined that the operation is related to a parent operation that has not triggered an alert. The operation is cleared from the suspicious activity data.
    Type: Grant
    Filed: February 13, 2023
    Date of Patent: October 14, 2025
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Shalom Shay Shavit, Ram Haim Pliskin, Daniel Davraev
  • Patent number: 12430427
    Abstract: A recovery instruction pertaining to a resource is detected. The recovery instruction is matched with a delete instruction that caused the resource to enter a soft-deleted state. A mismatch between a first user account associated with the recovery instruction and a second user account associated with the delete instruction is determined. A mitigation action is performed based on determining the mismatch between the first user account and the second user account.
    Type: Grant
    Filed: December 19, 2022
    Date of Patent: September 30, 2025
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Daniel Davraev, Shalom Shay Shavit, Ram Haim Pliskin
  • Publication number: 20250284797
    Abstract: Some embodiments provide attacker-focused granular disruption functionality to detect and defend against cyberattacks. An embodiment observes that a user account or a user session has executed one or more precursor events but has not executed an incrimination action. The incrimination action is more likely, by at least a specified amount, to be performed by an attacker-driven account or session than by a non-attacker-driven account or session. Performance of the incrimination action is preemptively blocked, without disabling the account or session. The block is focused on the incrimination action, and in some scenarios the embodiment also blocks performance of similar actions. After an attempt by the account or session to perform the blocked incrimination action, larger blocks on activity are enforced, up to and including disablement, because the attempt indicates strongly that the account or session is driven by an attacker.
    Type: Application
    Filed: March 6, 2024
    Publication date: September 11, 2025
    Inventors: Hani Hana NEUVIRTH, Jonatan ZUKERMAN, Tal Joseph MAOR, Pawel Marek PARTYKA, Daniel DAVRAEV, Eyal HAIK
  • Publication number: 20250097251
    Abstract: The disclosure focuses on using a risk inheritance system to actively prevent unauthorized and compromising activity within a cloud computing system by causing user risk scores to be inherited across downstream cloud entities within the cloud computing system. The risk inheritance system ensures that users with risky user risk scores are unable to circumvent the security measures of the cloud computing system through propagation events. For instance, the risk inheritance system assigns user risk scores to be inherited from a cloud entity of a user to another cloud entity, including other users and service principals, based on detecting the user initiating a propagation event. This way, the risk inheritance system improves the efficiency of the cloud computing system by ensuring that cloud entities are assigned accurate user risk scores.
    Type: Application
    Filed: September 19, 2023
    Publication date: March 20, 2025
    Inventors: Daniel DAVRAEV, Josef WEIZMAN, Ram Haim PLISKIN
  • Publication number: 20250088517
    Abstract: The disclosure focuses on using a context-based insight system to determine security incident reports that include security incident insights and remediation actions based on various combinations of security alerts in cloud computing systems. The context-based insight system uses a security alert generative language model (GLM) to generate security incident reports based on correlated security alerts within a security incident and the attack-type contexts of those security alerts. By using the security alert GLM guided by attack-type contexts to generate security incident reports, the context-based insight system provides understandable text narratives that provide clear and accurate insights into security incidents including remediation actions to address the security incidents as a whole rather than just reporting individual security alerts of the security incident.
    Type: Application
    Filed: September 13, 2023
    Publication date: March 13, 2025
    Inventors: Daniel DAVRAEV, Idan Yehoshua HEN, Tamer SALMAN
  • Publication number: 20240380767
    Abstract: Malicious service provider activity detection is enabled. A first log is obtained. The first log comprises a record of a first control plane operation executed on behalf of a first entity. A service provider associated with the execution of the first control plane operation is identified. The service provider has privileges to execute control plane operations on behalf of the first entity. A first malicious activity score is determined based at least on the service provider. The first malicious activity score is indicative of a degree to which the first control plane operation is anomalous with respect to the first entity. A determination that the first control plane operation potentially corresponds to malicious activity is made based at least on the determined first malicious activity score. Responsive to determining that the first control plane operation potentially corresponds to malicious activity, a security alert is generated.
    Type: Application
    Filed: May 8, 2023
    Publication date: November 14, 2024
    Inventors: Daniel DAVRAEV, Shalom Shay SHAVIT, Hagai Ran KESTENBERG
  • Publication number: 20240330445
    Abstract: Malicious activity detection is enabled for cloud computing platforms. A first log comprising a record of a first control plane operation executed by a cloud application associated with an entity is obtained. A plurality of second logs, each comprising a record of a respective second control plane operation executed in association with the entity, is obtained. A first property set is generated based on the first log and a second property set is generated based on the plurality of second logs. A malicious activity score indicative of a degree to which the first control plane operation is anomalous with respect to the entity is determined based on the first property set and the second property set. A determination that the first control plane operation potentially corresponds to malicious activity is made based on the malicious activity score and a security alert is generated.
    Type: Application
    Filed: June 9, 2023
    Publication date: October 3, 2024
    Inventors: Shalom Shay SHAVIT, Ram Haim PLISKIN, Daniel DAVRAEV
  • Publication number: 20240311483
    Abstract: Methods, systems, and computer storage media for providing security incident management using a latent-context alert correlation engine in a security management system. Security incident management is provided using the latent-context alert correlation engine that is operationally integrated into the security management system. In operation, first security data of a first alert and second security data of a second alert are accessed. The first alert and the second alert do not share a common entity identifiable in a security graph. Using the first security data and the second security data, a determination is made that the first alert is connected to the second alert based on a latent-context connection. The latent-context connection is a known attack path connection that indirectly connects alerts. Based on determining that the first alert is connected to the second alert, a security incident is generated for the alert. A notification comprising the security incident is communicated.
    Type: Application
    Filed: March 14, 2023
    Publication date: September 19, 2024
    Inventors: Daniel DAVRAEV, Tamer Salman, Ram Haim Pliskin
  • Publication number: 20240273189
    Abstract: Systems and techniques for reduction of security detection false positives are described herein. Suspicious activity data is obtained for an operation. Operation data is obtained for the operation. It is determined that the operation is related to a parent operation that has not triggered an alert. The operation is cleared from the suspicious activity data.
    Type: Application
    Filed: February 13, 2023
    Publication date: August 15, 2024
    Inventors: Shalom Shay Shavit, Ram Haim Pliskin, Daniel Davraev
  • Publication number: 20240070271
    Abstract: A recovery instruction pertaining to a resource is detected. The recovery instruction is matched with a delete instruction that caused the resource to enter a soft-deleted state. A mismatch between a first user account associated with the recovery instruction and a second user account associated with the delete instruction is determined. A mitigation action is performed based on determining the mismatch between the first user account and the second user account.
    Type: Application
    Filed: December 19, 2022
    Publication date: February 29, 2024
    Inventors: Daniel DAVRAEV, Shalom Shay SHAVIT, Ram Haim PLISKIN