Abstract: An indication of a security alert and a context for the security alert is received. The context includes one or more entities related to the context and a timestamp for the security alert. Data sources for the one or more entities are searched during a time window around the timestamp. One or more anomaly detection models are executed to identify anomalies that are related to the security alert based on the context. Identified anomalies for investigation of the security alert are output.

Abstract: The automated creation of a dataflow graph of a standing query. Once the standing query dataflow graph is created, events may be flowed into the dataflow graph to execute the standing query. In execution, a store query is accessed. The store query is structured in accordance with a store query language. A syntax graph (such as an abstract syntax tree) of the store query may then be generated. Then, using the syntax graph and a set of rules of the store query language, the dataflow graph is automatically generated. This significant speeds up and makes more easy and efficient the conversion of a store query into a standing query.

Abstract: The automated creation of a dataflow graph of a standing query. Once the standing query dataflow graph is created, events may be flowed into the dataflow graph to execute the standing query. In execution, a store query is accessed. The store query is structured in accordance with a store query language. A syntax graph (such as an abstract syntax tree) of the store query may then be generated. Then, using the syntax graph and a set of rules of the store query language, the dataflow graph is automatically generated. This significant speeds up and makes more easy and efficient the conversion of a store query into a standing query.

Abstract: An indication of a security alert and a context for the security alert is received. The context includes one or more entities related to the context and a timestamp for the security alert. Data sources for the one or more entities are searched during a time window around the timestamp. One or more anomaly detection models are executed to identify anomalies that are related to the security alert based on the context. Identified anomalies for investigation of the security alert are output.

Abstract: Methods, systems, apparatuses, and computer program products are provided for evaluating security detections. A detection instance obtainer obtains detection instances from a pool, such as a security detections pool. The detection instances may be obtained for detections that meet a predetermined criterion, such as detections that have not been onboarded or rejected, or detections that have generated detection instances for a threshold time period. The detection may be onboarded or rejected automatically based on a volume thresholder and/or a detection performance evaluator. For instance, the volume thresholder may be configured to automatically onboard the detection if the volume of the detection instances is below a first threshold, and reject the detection if the volume is above a second threshold. The detection performance evaluator may be configured to onboard or reject the detection based on an efficacy of the detection (e.g., based on a true positive rate of the detection instances).

Abstract: Methods, systems, apparatuses, and computer program products are provided for evaluating security detections. A detection instance obtainer obtains detection instances from a pool, such as a security detections pool. The detection instances may be obtained for detections that meet a predetermined criterion, such as detections that have not been onboarded or rejected, or detections that have generated detection instances for a threshold time period. The detection may be onboarded or rejected automatically based on a volume thresholder and/or a detection performance evaluator. For instance, the volume thresholder may be configured to automatically onboard the detection if the volume of the detection instances is below a first threshold, and reject the detection if the volume is above a second threshold. The detection performance evaluator may be configured to onboard or reject the detection based on an efficacy of the detection (e.g., based on a true positive rate of the detection instances).

Abstract: The automated creation of a dataflow graph of a standing query. Once the standing query dataflow graph is created, events may be flowed into the dataflow graph to execute the standing query. In execution, a store query is accessed. The store query is structured in accordance with a store query language. A syntax graph (such as an abstract syntax tree) of the store query may then be generated. Then, using the syntax graph and a set of rules of the store query language, the dataflow graph is automatically generated. This significant speeds up and makes more easy and efficient the conversion of a store query into a standing query.