Patents by Inventor Gueorgui Bonov Chkodrov

Gueorgui Bonov Chkodrov has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230350900
    Abstract: Methods, systems, and computer storage media for providing observation stream data of security incidents using an observation stream engine in a security management system. An observation stream framework supports continuously generating and presenting observation stream data that facilitates developing a working hypothesis of an active security incident. The observation stream framework can also include observation stream query-types that can be selected for running queries against a plurality of security data sources. In operation, an observation stream query is accessed. The observation stream query is a user-generated observation stream query associated with an observation stream query-type. The observation stream query-type comprises parameters for querying a plurality of security data sources and dynamic tracking of a security incident. The observation stream query is executed and observation stream data is generated.
    Type: Application
    Filed: April 29, 2022
    Publication date: November 2, 2023
    Inventors: Gueorgui Bonov CHKODROV, Ryan John LITTLEFIELD, Jeffrey Scott SHAW, Zane Alexander COPPEDGE, Ying QIAN, Dan Alexandru NICOLESCU, Anitta M MILLER, Khoi HONG, Justin Matthew POWELL
  • Publication number: 20230236875
    Abstract: The handling of protocol exceptions for deterministic code that communicates with external component(s). A protocol exception host updates an execution state object associated with the deterministic code as the execution of the deterministic code proceeds. The component also detects whether a protocol exception has occurred that was caused by the deterministic code communicating using the protocol with an external component. If the component detects that such a protocol exception has occurred, the component handles the protocol exception. The component also determines whether the handled protocol exception has been successfully handled. If the exception is not successfully handled, the component stops the execution of the deterministic code such that the execution state object includes execution state of the deterministic code up to the stop. Accordingly, the execution state of the deterministic code up to the stop may be later used to resume execution of the deterministic code.
    Type: Application
    Filed: January 26, 2022
    Publication date: July 27, 2023
    Inventors: Gueorgui Bonov CHKODROV, Dan Alexandru NICOLESCU, Khoi HONG, Anitta Maria MILLER, Jose Wilson MORRIS, Juan Miguel PAREDES, Justin Matthew POWELL
  • Patent number: 11290473
    Abstract: Using a set of anomalies indicative of a malicious pattern of behavior collected from data to determine new alerts for anomalies included in subsequently collected data. A set of anomalies found in data collected from data sources is accessed. The set of anomalies is determined by a prior analysis to be indicative of a malicious pattern of behavior by entities associated with the set of anomalies. Data that is subsequently collected from the data sources is searched to determine if any of the data includes the set of anomalies. Alerts are generated for any of the subsequently collected data that includes the set of anomalies.
    Type: Grant
    Filed: August 8, 2019
    Date of Patent: March 29, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hani Hana Neuvirth, Owen Joseph Davis, Scott Elliott Gorlick, Gueorgui Bonov Chkodrov, Yotam Livny, Dawn Antonette Burns, Zhipeng Zhao, Julian Federico Gonzalez
  • Patent number: 11283693
    Abstract: According to examples, an apparatus may include a processor and a computer readable medium on which is stored machine readable instructions that may cause the processor to receive a query, in which the query may define an event pertaining to the apparatus to be identified and summarization instructions. The processor may also implement the query on tracked events pertaining to the apparatus to identify event data pertaining to the apparatus that matches the event defined in the query and summarize the identified event data according to the summarization instructions to generate summarized event data responsive to the query. The processor may further output the summarized event data.
    Type: Grant
    Filed: August 12, 2019
    Date of Patent: March 22, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: William Kendall Hollis, Gueorgui Bonov Chkodrov, David Lloyd Fosth, Jose Wilson Morris, Russell E. Biles
  • Publication number: 20210051082
    Abstract: According to examples, an apparatus may include a processor and a computer readable medium on which is stored machine readable instructions that may cause the processor to receive a query, in which the query may define an event pertaining to the apparatus to be identified and summarization instructions. The processor may also implement the query on tracked events pertaining to the apparatus to identify event data pertaining to the apparatus that matches the event defined in the query and summarize the identified event data according to the summarization instructions to generate summarized event data responsive to the query. The processor may further output the summarized event data.
    Type: Application
    Filed: August 12, 2019
    Publication date: February 18, 2021
    Inventors: William Kendall HOLLIS, Gueorgui Bonov CHKODROV, David Lloyd FOSTH, Jose Wilson MORRIS, Russell E. BILES
  • Publication number: 20210044606
    Abstract: Using a set of anomalies indicative of a malicious pattern of behavior collected from data to determine new alerts for anomalies included in subsequently collected data. A set of anomalies found in data collected from data sources is accessed. The set of anomalies is determined by a prior analysis to be indicative of a malicious pattern of behavior by entities associated with the set of anomalies. Data that is subsequently collected from the data sources is searched to determine if any of the data includes the set of anomalies. Alerts are generated for any of the subsequently collected data that includes the set of anomalies.
    Type: Application
    Filed: August 8, 2019
    Publication date: February 11, 2021
    Inventors: Hani Hana Neuvirth, Owen Joseph Davis, Scott Elliott Gorlick, Gueorgui Bonov Chkodrov, Yotam Livny, Dawn Antonette Burns, Zhipeng Zhao, Julian Federico Gonzalez
  • Publication number: 20120323941
    Abstract: The subject disclosure is directed towards processing a query corresponding to event data in a foreign representation. In order to produce results for the query, an event structure is defined for each requested event type. Information is automatically generated for configuring adapters to identify attribute data associated with each requested event type and return the attribute data according to the event structure. These adapters search historical event data or real-time event data for the event-related data.
    Type: Application
    Filed: June 17, 2011
    Publication date: December 20, 2012
    Applicant: MICROSOFT CORPORATION
    Inventors: Gueorgui Bonov Chkodrov, Colin Joseph Meek, Tihomir Tsvetkov Tarnavski, Balan Sethu Raman, Beysim Sezgin
  • Patent number: 8315972
    Abstract: Challenges associated with maintaining information about multiple instances of an activity are addressed. Separate database tables are maintained for data corresponding to active instances of an organization's activities and for data corresponding to inactive instances of an organization's activities. Multiple database tables can be maintained for data corresponding to inactive instances of an activity. In another aspect, data from the active instances table and one or more inactive instances tables are processed to generate combined analysis data.
    Type: Grant
    Filed: September 26, 2003
    Date of Patent: November 20, 2012
    Assignee: Microsoft Corporation
    Inventors: Gueorgui Bonov Chkodrov, Richard Zachary Jason, Eric Anthony Reel
  • Patent number: 8230386
    Abstract: The present invention extends to methods, systems, and computer program products for monitoring distributed applications. Declarative application models are used. Operational data for a deployed application can be compared to an application intent expressed in a corresponding declarative application to provide more effective monitoring of application behavior. Application components can subscribe to an event fabric to receive configurations that indicate what events the application is to emit (i.e., publish into the event fabric) for monitoring. Thus, applications essentially subscribe to produce information (as opposed to subscribing to receive information). Monitoring can be dynamically adjusted in response to environment changes.
    Type: Grant
    Filed: August 23, 2007
    Date of Patent: July 24, 2012
    Assignee: Microsoft Corporation
    Inventors: Igor Sedukhin, Gueorgui Bonov Chkodrov, Amol Sudhakar Kulkarni, Mariusz Gerard Borsa, Haoran Andy Wu, Daniel Eshner, Gilles C. J. A. Zunino
  • Patent number: 7904757
    Abstract: To trace an activity through multiple components or applications that may be involved in the performance of the activity, an activity identifier can be generated and utilized by the various components or applications. Each can generate its own activity identifier to minimize changes to existing interfaces. When logging of events has been activated, each application or component can provide, to an event store, an indication of the activity identifier it is using for a given activity. If a preceding or subsequent component utilizes a different activity identifier for aspects of the same activity, a link between the two activity identifiers can be communicated to the event store. Subsequently, examination of the event store can filter out irrelevant entries based on the activity identifiers. A graph linking the various related activity identifiers can be created and only those events associated with activity identifiers not in the graph can be filtered out.
    Type: Grant
    Filed: June 5, 2008
    Date of Patent: March 8, 2011
    Assignee: Microsoft Corporation
    Inventors: Ari Pekka Niikkonen, Darene Brice Lewis, Anthony Goodrich Jones, Gueorgui Bonov Chkodrov, Tin Qian, Shuangtong Feng, Jwalin Buch
  • Publication number: 20100223446
    Abstract: A method of tracking execution of activities in a computing environment in which events in an activity are recorded along with an activity identifier uniquely identifying the activity and tying the events to the activity. To track interactions between activities, a correlation identifier may be generated and transferred between the interacting activities as part of the interaction. For each of the activities participating in the interaction, information on an event relating to the interaction is recorded along with the correlation identifier. The correlation identifier thus allows uniquely identifying each interaction which may be used to synchronize streams of events within the activities at points of their interaction. Activities may interact across any boundary, including a network.
    Type: Application
    Filed: February 27, 2009
    Publication date: September 2, 2010
    Applicant: Microsoft Corporation
    Inventors: Sanjeev Katariya, Jwalin Buch, Gueorgui Bonov Chkodrov
  • Patent number: 7693916
    Abstract: Instance data is transmitted for Payload/Milestone events and for Enable-Continuation events. Payload/Milestone event data contains information describing an instance and/or providing a time of one or more portions of the processing of an instance. Included in the Enable-Continuation event data is an identifier associated with an instance by a first application and an identifier associated with the same instance by another application. The identifiers are placed in a continuation data table which is used to index the appropriate record of an instance data table. Out-of-order data for an instance is hidden from view until sequentially prior data for the instance is received.
    Type: Grant
    Filed: January 5, 2004
    Date of Patent: April 6, 2010
    Assignee: Microsoft Corporation
    Inventors: Gueorgui Bonov Chkodrov, Richard Zachary Jason, Eric Anthony Reel
  • Publication number: 20090307533
    Abstract: To trace an activity through multiple components or applications that may be involved in the performance of the activity, an activity identifier can be generated and utilized by the various components or applications. Each can generate its own activity identifier to minimize changes to existing interfaces. When logging of events has been activated, each application or component can provide, to an event store, an indication of the activity identifier it is using for a given activity. If a preceding or subsequent component utilizes a different activity identifier for aspects of the same activity, a link between the two activity identifiers can be communicated to the event store. Subsequently, examination of the event store can filter out irrelevant entries based on the activity identifiers. A graph linking the various related activity identifiers can be created and only those events associated with activity identifiers not in the graph can be filtered out.
    Type: Application
    Filed: June 5, 2008
    Publication date: December 10, 2009
    Applicant: Microsoft Corporation
    Inventors: Ari Pekka Niikkonen, Darene Brice Lewis, Anthony Goodrich Jones, Gueorgui Bonov Chkodrov, Tin Qian, Shuangtong Feng, Jwalin Buch
  • Publication number: 20090055838
    Abstract: The present invention extends to methods, systems, and computer program products for monitoring distributed applications. Declarative application models are used. Operational data for a deployed application can be compared to an application intent expressed in a corresponding declarative application to provide more effective monitoring of application behavior. Application components can subscribe to an event fabric to receive configurations that indicate what events the application is to emit (i.e., publish into the event fabric) for monitoring. Thus, applications essentially subscribe to produce information (as opposed to subscribing to receive information). Monitoring can be dynamically adjusted in response to environment changes.
    Type: Application
    Filed: August 23, 2007
    Publication date: February 26, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Igor Sedukhin, Gueorgui Bonov Chkodrov, Amol Sudhakar Kulkarni, Mariusz Gerard Borsa, Haoran Andy Wu, Daniel Eshner, Gilles C.J.A. Zunino
  • Patent number: 7149736
    Abstract: Multiple aggregation groups, which can be multiple partitions in an aggregated data table, are formed. Each group includes multiple aggregation records; each aggregation record includes an aggregation of values contained by a different subset of multiple database records. While an aggregation group is accessed by a single program thread during an aggregation group update transaction, no other threads are allowed to access that group. The aggregation groups are combined into a single table of aggregation records. Each of the multiple database records may correspond to an instance of an organizational activity and include a field having a value indicating the corresponding instance to be in one of several process states. Each aggregation group may further include time-sorted aggregation records, each time-sorted aggregation record containing an aggregation value for instances in one of the several process states during a time period associated with the time-sorted aggregation record.
    Type: Grant
    Filed: September 26, 2003
    Date of Patent: December 12, 2006
    Assignee: Microsoft Corporation
    Inventors: Gueorgui Bonov Chkodrov, Richard Zachary Jason, Eric Anthony Reel, Chun Yu