Abstract: An event can be analyzed for association with a security violation. Characters or other values of event data (e.g., command-line text) associated with the event can be provided sequentially to a trained representation mapping to determine respective representation vectors. Respective indicators can be determined by applying the vectors to a trained classifer. A token in the event data can be located based on the indicators. The event's can be determined to be associated with a security violation based on the token satisfying a token-security criterion. The representation mapping can be trained by adjusting model parameters so the trained representation predicts, based on a character of training command-line text, an immediately following character in the training command-line text. The classifier can be determined based on the trained representation mapping and classification training data indicating whether respective portions of training event data are associated with security violations.

Abstract: Event vectors can be determined for respective events based on respective command-line records and a trained representation mapping. Respective coordinate vectors can be determined, each having fewer elements than the respective event vector. Respective representations of at least some of the events can be presented via an electronic display at the respective coordinate vectors. A selection of a first representation can be received via a user interface. The events can be clustered based on the event vectors. A first cluster can be selected based on the selection. An indication of a tag can be received via the user interface. Each event of the first cluster can be associated with the tag. Some examples include transmitting a security command to cause a monitored computing device associated with an event in the first cluster to perform a mitigation action.

Abstract: An event can be associated with a monitored computing device and a command-line record. An event vector can be determined for each of a plurality of events based at least in part on at least a portion of the respective command-line record and on a trained representation mapping. A respective reduced event vector can be determined having fewer elements. The reduced event vectors can be clustered to determine cluster identifiers. A first event can be determined to be associated with a security violation based on a corresponding cluster identifier matching a cluster identifier of a second event that is associated with a security violation. In some examples, a cluster can include a relatively larger first group of events and a relatively smaller second group of events. That cluster can be determined to satisfy a criterion based on the numbers of events in at least one of the groups.

Abstract: An event can be analyzed for association with a security violation. Characters or other values of event data (e.g., command-line text) associated with the event can be provided sequentially to a trained representation mapping to determine respective representation vectors. Respective indicators can be determined by applying the vectors to a trained classifer. A token in the event data can be located based on the indicators. The event's can be determined to be associated with a security violation based on the token satisfying a token-security criterion. The representation mapping can be trained by adjusting model parameters so the trained representation predicts, based on a character of training command-line text, an immediately following character in the training command-line text. The classifier can be determined based on the trained representation mapping and classification training data indicating whether respective portions of training event data are associated with security violations.

Abstract: An event can be associated with a monitored computing device and a command-line record. An event vector can be determined for each of a plurality of events based at least in part on at least a portion of the respective command-line record and on a trained representation mapping. A respective reduced event vector can be determined having fewer elements. The reduced event vectors can be clustered to determine cluster identifiers. A first event can be determined to be associated with a security violation based on a corresponding cluster identifier matching a cluster identifier of a second event that is associated with a security violation. In some examples, a cluster can include a relatively larger first group of events and a relatively smaller second group of events. That cluster can be determined to satisfy a criterion based on the numbers of events in at least one of the groups.

Abstract: Event vectors can be determined for respective events based on respective command-line records and a trained representation mapping. Respective coordinate vectors can be determined, each having fewer elements than the respective event vector. Respective representations of at least some of the events can be presented via an electronic display at the respective coordinate vectors. A selection of a first representation can be received via a user interface. The events can be clustered based on the event vectors. A first cluster can be selected based on the selection. An indication of a tag can be received via the user interface. Each event of the first cluster can be associated with the tag. Some examples include transmitting a security command to cause a monitored computing device associated with an event in the first cluster to perform a mitigation action.