Abstract: Persistent storage may be arranged to store sets of configuration data respectively corresponding to applications. One or more processors of a computational instance may be configured to: receive, from a data source, a set of configuration data corresponding to an application deployable on a network related to the computational instance, wherein the set of configuration data defines components, packages, and environments, wherein the packages include one or more of the components, and wherein the environments include one or more of the packages; write, to the persistent storage, a representation of the set of configuration data; look up one or more policies applicable to the set of configuration data; and validate, by a policy engine, the set of configuration data by applying the one or more policies to the set of configuration data.

Abstract: Systems and methods are disclosed for computing network operations. For example, methods may include receiving, at a computing device located within a private network, a message sent from a server located outside of the private network, the message including an observable; invoking, within the private network, a search of data associated with the private network to obtain a search result that includes data matching the observable; aggregating, within the private network, data from the search result that matches the observable to obtain a report that includes an indication of the observable, a count of occurrences of the observable, and identification of one or more components associated with the observable; and transmitting the report to the server.

Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.

Abstract: Systems and methods are disclosed for obtaining network security threat information and mitigating threats to improve computing network operations. For example, methods may include receiving a message from a central instance; from outside of a private network, invoking a search of data associated with the private network, wherein the search is based on the message and the search is performed by an agent device within the private network; receiving a search result of the search from the agent device; transmitting the search result to the central instance, wherein the central instance is configured to generate network security threat information based in part on the search result and share the network security threat information with a plurality of customer instances that are associated with a group of customers; and receiving an alert message from the central instance, wherein the alert message includes information that identifies a network security threat.

Abstract: Persistent storage may be arranged to store sets of configuration data respectively corresponding to applications. One or more processors of a computational instance may be configured to: receive, from a data source, a set of configuration data corresponding to an application deployable on a network related to the computational instance, wherein the set of configuration data defines components, packages, and environments, wherein the packages include one or more of the components, and wherein the environments include one or more of the packages; write, to the persistent storage, a representation of the set of configuration data; look up one or more policies applicable to the set of configuration data; and validate, by a policy engine, the set of configuration data by applying the one or more policies to the set of configuration data.

Abstract: Systems and methods are disclosed for computer network threat assessment. For example, methods may include receiving from client networks respective threat data and storing the respective threat data in a security event database; maintaining affiliations for groups of the client networks; detecting correlation between a network threat and one of the groups; identifying an indicator associated with the network threat, and, dependent on the affiliation for the group, identifying a client network and generating a message, which conveys an alert to the client network, comprising the indicator; responsive to the message, receiving, from the client network, a report of detected correlation between the indicator and security event data maintained by the client network; and updating the security event database responsive to the report of detected correlation.

Abstract: A system may include persistent storage containing representations of configuration items discovered in a managed network, where the configuration items include computing devices and software applications installed on the computing devices. One or more processors may be configured to: (i) obtain results of a vulnerability analysis performed on a software application, where the results indicate that the software application exhibits a vulnerability, (i) determine a count of computing devices on which the software application is installed, (iii) calculate a security threat score for the vulnerability, where the security threat score is based on a severity factor of the vulnerability and the count of computing devices, (iv) provide, to a first entity, a first indication of the software application and the vulnerability, and (v) provide, to a second entity, a second indication of the software application, the vulnerability, and the security threat score.

Abstract: A system may include persistent storage containing representations of configuration items discovered in a managed network, where the configuration items include computing devices and software applications installed on the computing devices. One or more processors may be configured to: (i) obtain results of a vulnerability analysis performed on a software application, where the results indicate that the software application exhibits a vulnerability, (i) determine a count of computing devices on which the software application is installed, (iii) calculate a security threat score for the vulnerability, where the security threat score is based on a severity factor of the vulnerability and the count of computing devices, (iv) provide, to a first entity, a first indication of the software application and the vulnerability, and (v) provide, to a second entity, a second indication of the software application, the vulnerability, and the security threat score.

Abstract: Systems and methods are disclosed for computing network operations. For example, methods may include receiving, at a computing device located within a private network, a message sent from a server located outside of the private network, the message including an observable; invoking, within the private network, a search of data associated with the private network to obtain a search result that includes data matching the observable; aggregating, within the private network, data from the search result that matches the observable to obtain a report that includes an indication of the observable, a count of occurrences of the observable, and identification of one or more components associated with the observable; and transmitting the report to the server.

Abstract: Systems and methods are disclosed for computing network operations. For example, methods may include receiving, at a computing device located within a private network, a message sent from a server located outside of the private network, the message including an observable; invoking, within the private network, a search of data associated with the private network to obtain a search result that includes data matching the observable; aggregating, within the private network, data from the search result that matches the observable to obtain a report that includes an indication of the observable, a count of occurrences of the observable, and identification of one or more components associated with the observable; and transmitting the report to the server.

Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.

Abstract: Systems and methods for automatically grouping vulnerabilities into vulnerability groups are provided. Vulnerabilities are received in the vulnerability response system and are automatically grouped into one or more vulnerability groups based upon grouping fields defined in a vulnerability group rule.

Abstract: A system may include persistent storage containing representations of configuration items discovered in a managed network, where the configuration items include computing devices and software applications installed on the computing devices. One or more processors may be configured to: (i) obtain results of a vulnerability analysis performed on a software application, where the results indicate that the software application exhibits a vulnerability, (i) determine a count of computing devices on which the software application is installed, (iii) calculate a security threat score for the vulnerability, where the security threat score is based on a severity factor of the vulnerability and the count of computing devices, (iv) provide, to a first entity, a first indication of the software application and the vulnerability, and (v) provide, to a second entity, a second indication of the software application, the vulnerability, and the security threat score.

Abstract: Providing are incident response techniques useful for personas with a variety of experience levels are described. The incident response techniques include a graphical user interface (GUI) for providing a variety of different views for different personas. The graphical user interface may provide a landing page for providing a queue of risk-score prioritized incidents, an incident playbook for providing default or customizable instructions for resolving a particular incident to lesser-experienced personas, an explore container for facilitating efficient navigation of data associated with a particular incident by more-experienced personas, and an activity stream container for providing an overview of activities that have been performed with regard to a particular incident to more-experienced or supervising personas. The explore container may also be integrated with tools for performing actions with the data without leaving the graphical user interface.

Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.

Abstract: Systems and methods are disclosed for computer network threat assessment. For example, methods may include receiving from client networks respective threat data and storing the respective threat data in a security event database; maintaining affiliations for groups of the client networks; detecting correlation between a network threat and one of the groups; identifying an indicator associated with the network threat, and, dependent on the affiliation for the group, identifying a client network and generating a message, which conveys an alert to the client network, comprising the indicator; responsive to the message, receiving, from the client network, a report of detected correlation between the indicator and security event data maintained by the client network; and updating the security event database responsive to the report of detected correlation.

Abstract: Systems and methods are disclosed for computer network threat assessment. For example, methods may include receiving from client networks respective threat data and storing the respective threat data in a security event database; maintaining affiliations for groups of the client networks; detecting correlation between a network threat and one of the groups; identifying an indicator associated with the network threat, and, dependent on the affiliation for the group, identifying a client network and generating a message, which conveys an alert to the client network, comprising the indicator; responsive to the message, receiving, from the client network, a report of detected correlation between the indicator and security event data maintained by the client network; and updating the security event database responsive to the report of detected correlation.

Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.

Abstract: Systems and methods are disclosed for obtaining network security threat information and mitigating threats to improve computing network operations. For example, methods may include receiving a message from a central instance; from outside of a private network, invoking a search of data associated with the private network, wherein the search is based on the message and the search is performed by an agent device within the private network; receiving a search result of the search from the agent device; transmitting the search result to the central instance, wherein the central instance is configured to generate network security threat information based in part on the search result and share the network security threat information with a plurality of customer instances that are associated with a group of customers; and receiving an alert message from the central instance, wherein the alert message includes information that identifies a network security threat.

Abstract: Systems and methods are disclosed for computing network operations. For example, methods may include receiving, at a computing device located within a private network, a message sent from a server located outside of the private network, the message including an observable; invoking, within the private network, a search of data associated with the private network to obtain a search result that includes data matching the observable; aggregating, within the private network, data from the search result that matches the observable to obtain a report that includes an indication of the observable, a count of occurrences of the observable, and identification of one or more components associated with the observable; and transmitting the report to the server.