Abstract: Providing are incident response techniques useful for personas with a variety of experience levels are described. The incident response techniques include a graphical user interface (GUI) for providing a variety of different views for different personas. The graphical user interface may provide a landing page for providing a queue of risk-score prioritized incidents, an incident playbook for providing default or customizable instructions for resolving a particular incident to lesser-experienced personas, an explore container for facilitating efficient navigation of data associated with a particular incident by more-experienced personas, and an activity stream container for providing an overview of activities that have been performed with regard to a particular incident to more-experienced or supervising personas. The explore container may also be integrated with tools for performing actions with the data without leaving the graphical user interface.

Abstract: Systems and methods are disclosed for computing network operations. For example, methods may include receiving, at a computing device located within a private network, a message sent from a server located outside of the private network, the message including an observable; invoking, within the private network, a search of data associated with the private network to obtain a search result that includes data matching the observable; aggregating, within the private network, data from the search result that matches the observable to obtain a report that includes an indication of the observable, a count of occurrences of the observable, and identification of one or more components associated with the observable; and transmitting the report to the server.

Abstract: Systems and methods for automatically grouping vulnerabilities into vulnerability groups are provided. Vulnerabilities are received in the vulnerability response system and are automatically grouped into one or more vulnerability groups based upon grouping fields defined in a vulnerability group rule.

Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.

Abstract: Systems and methods are disclosed for obtaining network security threat information and mitigating threats to improve computing network operations. For example, methods may include receiving a message from a central instance; from outside of a private network, invoking a search of data associated with the private network, wherein the search is based on the message and the search is performed by an agent device within the private network; receiving a search result of the search from the agent device; transmitting the search result to the central instance, wherein the central instance is configured to generate network security threat information based in part on the search result and share the network security threat information with a plurality of customer instances that are associated with a group of customers; and receiving an alert message from the central instance, wherein the alert message includes information that identifies a network security threat.

Abstract: Systems and methods are disclosed for computing network operations. For example, methods may include receiving, at a computing device located within a private network, a message sent from a server located outside of the private network, the message including an observable; invoking, within the private network, a search of data associated with the private network to obtain a search result that includes data matching the observable; aggregating, within the private network, data from the search result that matches the observable to obtain a report that includes an indication of the observable, a count of occurrences of the observable, and identification of one or more components associated with the observable; and transmitting the report to the server.

Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.

Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.

Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.

Abstract: Systems and methods are disclosed for computer network threat assessment. For example, methods may include receiving from client networks respective threat data and storing the respective threat data in a security event database; maintaining affiliations for groups of the client networks; detecting correlation between a network threat and one of the groups; identifying an indicator associated with the network threat, and, dependent on the affiliation for the group, identifying a client network and generating a message, which conveys an alert to the client network, comprising the indicator; responsive to the message, receiving, from the client network, a report of detected correlation between the indicator and security event data maintained by the client network; and updating the security event database responsive to the report of detected correlation.

Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.