Patents by Inventor Idan Yehoshua Hen
Idan Yehoshua Hen has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240380785
Abstract: Methods, systems, and computer storage media for providing security incident management using a security graph layering engine in a security management system. Security incident management is provided using the security graph layering engine that includes a multi-layer security graph that supports querying a security graph using a multi-layer representation of data associated with the security graph. In operation, a security graph associated with a plurality of security resources in a cloud environment is accessed. Based on accessing the security graph, a multi-layer security graph is generated. The multi-layer security graph is a multi-layer representation of the security. The multi-layer security graph is deployed. A security query associated with the multi-layer security graph is accessed. The security query is executed based on the multi-layer security graph; executing the security query generates a query result.
Type: Application
Filed: May 9, 2023
Publication date: November 14, 2024
Inventors: Chen LAHAV, Idan Yehoshua HEN
-
Patent number: 12126637
Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that when executed by the processor, may cause the processor to determine that an entity was granted an anomalous role assignment to a managed environment. The processor may also, based on the determination that the role assignment of the entity is anomalous, identify at least one indicator associated with the role assignment, determine an indicator value corresponding to the identified at least one indicator, and determine whether the indicator value exceeds a predefined threshold value. The processor may, based on a determination that the indicator value exceeds the predefined threshold value, output an alert indicating that the role assignment is suspicious.
Type: Grant
Filed: May 12, 2021
Date of Patent: October 22, 2024
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Idan Yehoshua Hen, Ilay Grossman, Avichai Ben David
-
Patent number: 12095792
Abstract: Multiple variate anomaly detection against multiple scopes of the requested resource. Even if one of the variates patterns is sensitive to physical location of the requestor and/or the resource, not all of the variates of the access pattern will be. Furthermore, even if one of the scopes of the resource is sensitive to physical location of the resource, not all scopes will be. Thus, the use of multiple variates of the access pattern and multiple scopes of the anomaly detection allows for better estimates of anomaly detection to be made, even when the source of the access request is virtualized and/or the location of the resource is virtualized.
Type: Grant
Filed: January 31, 2022
Date of Patent: September 17, 2024
Assignee: Microsoft Technology Licensing, LLC
Inventors: Andrey Karpovsky, Idan Yehoshua Hen
-
Patent number: 11811807
Abstract: Conditionally initiating a security measure in response to an estimated increase in risk imposed related to a particular user of a computing network. The risk is determined using a rolling time window. Accordingly, sudden increases in risk are quickly detected, allowing security measures to be taken quickly within that computing network. Thus, improper infiltration into a computing network is less likely to escalate or move laterally to other users or resources within the computing network. Furthermore, the security measure may be automatically initiated using settings pre-configured by the entity. Thus, the security measures go no further than what the entity instructed, thereby minimizing risk of overreaching with the security measure.
Type: Grant
Filed: May 27, 2021
Date of Patent: November 7, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Itay Argoety, Michael Shlomo Navat, Idan Yehoshua Hen, Efrat Reef Guttman
-
Publication number: 20230300156
Abstract: Multiple variate anomaly detection against multiple scopes of the requested resource. Even if one of the variates patterns is sensitive to physical location of the requestor and/or the resource, not all of the variates of the access pattern will be. Furthermore, even if one of the scopes of the resource is sensitive to physical location of the resource, not all scopes will be. Thus, the use of multiple variates of the access pattern and multiple scopes of the anomaly detection allows for better estimates of anomaly detection to be made, even when the source of the access request is virtualized and/or the location of the resource is virtualized.
Type: Application
Filed: January 31, 2022
Publication date: September 21, 2023
Inventors: Andrey KARPOVSKY, Idan Yehoshua HEN
-
Publication number: 20230231859
Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that when executed by the processor, may cause the processor to determine baseline behaviors from collected data. The processor may also detect that an anomalous event has occurred and may determine at least one feature of the anomalous event that caused the event to be determined to be anomalous. The processor may further identify, from the determined baseline behaviors, a set of baseline behaviors corresponding to the determined at least one feature. The processor may still further generate a message to include an indication that the anomalous event has been detected and the identified set of baseline behaviors and may output the generated message.
Type: Application
Filed: January 18, 2022
Publication date: July 20, 2023
Applicant: Microsoft Technology Licensing, LLC
Inventors: Idan Yehoshua HEN, Andrey KARPOVSKY
-
Publication number: 20230205746
Abstract: According to examples, an apparatus may include a processor and a memory on which are stored machine-readable instructions that, when executed by the processor, may cause the processor to receive tabular data of a data source and extract a characteristic of a column based on the received tabular data. The processor may determine, through application of modeling, a recommended column type from a predefined table format based on the extracted characteristic of the column. The recommended column type may have at least a predetermined level of match to the extracted characteristic of the column. The processor may assign the recommended column type as a type of the column in the received tabular data to normalize the received tabular data to the predefined table format.
Type: Application
Filed: December 23, 2021
Publication date: June 29, 2023
Applicant: Microsoft Technology Licensing, LLC
Inventors: Idan Yehoshua Hen, Idan Belaiev
-
Publication number: 20220400127
Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that when executed by the processor, may cause the processor to identify a timing at which a user activity occurred and may apply an anomaly detection model on the identified timing at which the user activity occurred, in which the anomaly detection model is to output a risk score corresponding to a deviation of the timing at which the user activity occurred from timings at which the user normally performs user activities. The processor may also determine whether the timing at which the user activity occurred is anomalous based on the risk score and, based on a determination that the timing at which the user activity occurred is anomalous, may output an alert regarding the anomalous timing of the user activity occurrence.
Type: Application
Filed: June 9, 2021
Publication date: December 15, 2022
Applicant: Microsoft Technology Licensing, LLC
Inventors: Idan Yehoshua HEN, Itay ARGOETY, Idan BELAIEV
-
Publication number: 20220385681
Abstract: Conditionally initiating a security measure in response to an estimated increase in risk imposed related to a particular user of a computing network. The risk is determined using a rolling time window. Accordingly, sudden increases in risk are quickly detected, allowing security measures to be taken quickly within that computing network. Thus, improper infiltration into a computing network is less likely to escalate or move laterally to other users or resources within the computing network. Furthermore, the security measure may be automatically initiated using settings pre-configured by the entity. Thus, the security measures go no further than what the entity instructed, thereby minimizing risk of overreaching with the security measure.
Type: Application
Filed: May 27, 2021
Publication date: December 1, 2022
Inventors: Itay ARGOETY, Michael Shlomo NAVAT, Idan Yehoshua HEN, Efrat Reef GUTTMAN
-
Publication number: 20220366039
Abstract: A system to detect an abnormally permissive role definition, which can include an abnormally permissive custom role definition, and take action is described. The system receives a role definition for a security principal over a scope of resources in which the role definition includes a built-in role and a custom role. Permissions of the role definition and a creation event of the role definition are analyzed. A security score based on the role definition and creation event for the scope of resources is determined. An action is taken based on the security score and the creation event analysis.
Type: Application
Filed: May 13, 2021
Publication date: November 17, 2022
Applicant: Microsoft Technology Licensing, LLC
Inventors: Idan Yehoshua Hen, Ilay Grossman, Avichai Ben David
-
Publication number: 20220368712
Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that when executed by the processor, may cause the processor to determine that an entity was granted an anomalous role assignment to a managed environment. The processor may also, based on the determination that the role assignment of the entity is anomalous, identify at least one indicator associated with the role assignment, determine an indicator value corresponding to the identified at least one indicator, and determine whether the indicator value exceeds a predefined threshold value. The processor may, based on a determination that the indicator value exceeds the predefined threshold value, output an alert indicating that the role assignment is suspicious.
Type: Application
Filed: May 12, 2021
Publication date: November 17, 2022
Applicant: Microsoft Technology Licensing, LLC
Inventors: Idan Yehoshua HEN, Ilay GROSSMAN, Avichai BEN DAVID