Abstract: Automatically investigating security incidents and generating security incident reports using a Large Language Model (LLM). A computerized system receives an incoming Security Alert Message pertaining to a possible security-related incident. The system automatically feeds into the LLM at least: the content of the Security Alert Message; the metadata of the Security Alert Message; context information describing a security domain; and organization context information pertaining to users and machines of that organization. The system automatically prompts the LLM to automatically investigate the Security Alert Message and to automatically generate a detailed Incident Report pertaining to the Security Alert Message.

Abstract: Automatic detection and handling of security-related anomalies by utilizing machine learning and a large language model (LLM). A computerized method for detecting and handling security threats in an organizational network of an organization includes: (a) collecting event data that pertain to organizational users, organizational devices, and organizational resources of the organizational network; (b) constructing user profiles, device profiles, and resource profiles; (c) constructing Organizational Context information that pertains to organizational users, organizational devices, and organizational resources; (d) constructing a time-series of events, enriched with the Organizational Context information; (e) analyzing the time-series of events using a Machine Learning process that detects an anomalous event, and automatically generating an alert message pertaining to and describing the anomalous event.

Abstract: A threat intelligence system utilising language models to generate queries for external threat intelligence systems, receive and filter responses, and generate alerts and reports using further language models.

Abstract: A computing system is disclosed that utilises a large language to provide scalar indications of characteristics of a document, and a decision-making system to take decisions regarding handling of that document in view of the scalar indications. In one embodiment, one or more computer readable storage media storing program instructions and one or more processors which, in response to executing the program instructions, are configured to: receive a document; extract textual data from the document; request a large language model to provide a scalar indication for each of a plurality of features of the textual data; and utilise a decision system to produce an output based on at least the scalar indications.

Abstract: A computerized system receives an original prompt that a querying user sends to a Large Language Model (LLM) that is operably connected to organizational data sources of an organization. Instead of executing the original prompt by the LLM, the system obtains user-related organizational context that pertains to characteristics of the querying user, obtains data-related organizational context that pertains to data from which the LLM is expected to obtain information for responding to the original query, and obtains pre-defined organizational policy rules, that indicate which type of users are authorized to access which type of organizational data. Based on the obtained data, the system modifies the original prompt into an adapted prompt. The system sends the adapted prompt, and not the original prompt, to the LLM for processing. The system obtains LLM-generated output from the LLM in response to the adapted prompt, and provides that LLM-generated output to the querying user.

Abstract: Automated multi-phase investigation of security incident alerts using a Large Language Model (LLM) with converging dialogue. A computerized system receives a Security Alert Message pertaining to a possible security-related incident pertaining to an organization. The system automatically evaluates whether the Security Alert Message is either (I) a False Positive security alert message or (II) a True Positive security alert message, by performing an iterative multi-phase converging process in which the LLM evaluates at least: (i) the content of that Security Alert Message, and (ii) the meta-data of that Security Alert Message, and (iii) organizational context that is related to that Security Alert Message. An iterative process is performed by the LLM, which utilizes an Agent Module to fetch additional context information from organizational sources. The LLM re-updates the Risk Score and re-evaluates the Risk Score until convergence to a decision.

Abstract: A system and method for dynamically refining access rules for governing control of access by multiple users to data elements or services (DEOSs) stored in or accessed through at least one access controllable network element (ACONE), including collecting initial permissions to the DEOSs, receiving and periodically updating notifications of actual access events of the multiple users to the DEOSs, generating initial user groups for the multiple users, generating for each of the initial user groups, based at least partially on the notifications of actual access events, a list of users who have accessed at least one of the DEOSs, based at least partially on the lists, generating modified user groups, based at least partially on the modified user groups, generating modified permissions, and based on the modified permissions, updating the initial permissions to the DEOSs, thereby enabling only the users in particular modified user groups to access particular DEOSs.

Abstract: Disclosed is a system and method for discovering and security unknown devices in a computer network. Audit logs of hardware devices (e.g., servers and edge devices) within the computer network are mined for discovery of other unknown connecting devices that are not currently in a monitoring database associated with a security monitoring system. For each detected unknown device, the system determines a type of the unknown device, adds the unknown device to the monitoring database, and performs a data protection action selected for the type of the unknown device.

Abstract: A method for automatic management of user permissions in an organization including automatically grouping users into a plurality of user clusters based on at least one similarity between users in each user cluster, for each user cluster, automatically generating a set of cluster user permissions, the set of cluster user permissions including user permissions belonging to users in the cluster and actively used by at least one user in the cluster and for each user cluster, automatically modifying user permissions of each user in each cluster in accordance with the set of cluster user permissions.

Abstract: A threat intelligence system utilising language models to generate queries for external threat intelligence systems, receive and filter responses, and generate alerts and reports using further language models.

Abstract: A system for automatically monitoring efficacy of security controls in a computer network, including a probe engine configurable with at least one set of rules relating to access permissions to data in the computer network, at least one security probe forming part of the probe engine and operative to automatically place, at at least one storage location within the computer network and with access permissions that are non-compliant with the at least one set of rules, simulated data corresponding to the data in the computer network and attempt to access the simulated data following the placement thereof, using access privileges satisfying the non-compliant access permissions, and a security monitoring and reporting module operative to provide a user sensible output indicating at least whether the attempt to access the simulated data was successful and, if so, reporting mitigating activities by the security controls in response to the successful attempt.

Abstract: Automated multi-phase investigation of security incident alerts using a Large Language Model (LLM) with converging dialogue. A computerized system receives a Security Alert Message pertaining to a possible security-related incident pertaining to an organization. The system automatically evaluates whether the Security Alert Message is either (I) a False Positive security alert message or (II) a True Positive security alert message, by performing an iterative multi-phase converging process in which the LLM evaluates at least: (i) the content of that Security Alert Message, and (ii) the meta-data of that Security Alert Message, and (iii) organizational context that is related to that Security Alert Message. An iterative process is performed by the LLM, which utilizes an Agent Module to fetch additional context information from organizational sources. The LLM re-updates the Risk Score and re-evaluates the Risk Score until convergence to a decision.

Abstract: Automatically investigating security incidents and generating security incident reports using a Large Language Model (LLM). A computerized system receives an incoming Security Alert Message pertaining to a possible security-related incident. The system automatically feeds into the LLM at least: the content of the Security Alert Message; the metadata of the Security Alert Message; context information describing a security domain; and organization context information pertaining to users and machines of that organization. The system automatically prompts the LLM to automatically investigate the Security Alert Message and to automatically generate a detailed Incident Report pertaining to the Security Alert Message.

Abstract: Improved email security and prevention of phishing attacks using a Large Language Model (LLM) engine. A computerized method includes evaluating whether a digital message received at a Protected Entity is malicious or legitimate, by performing: (a) obtaining extracted data from documents and data repositories of the Protected Entity; feeding the extracted data into an LLM engine; and constructing an Organizational Context Index having vectors of LLM-generated embeddings that describe relations and roles of members and objects of the Protected Entity; (b) prompting the LLM to evaluate whether the digital message is malicious or legitimate, based on LLM analysis of a query envelope that includes at least: (i) content of the digital message, and (ii) meta-data of the digital message, and (iii) a set of LLM-based embeddings from the Organizational Context Index that pertain to that digital message.

Abstract: Device, system, and method for automatically detecting and classifying personally identifiable information (PII) in documents and files. A method includes performing a deterministic rule-based search, in a plurality of stored documents, for PII data-items. If the deterministic rule-based search indicates that a particular document is more likely than not to contain a PII data-items then the method includes: extracting a textual snippet from the particular document, wherein the textual snippets surrounds the PII data-item; adding the textual snippet and the particular document to one or more training datasets utilized for training a Large Language Model (LLM) configured to find PII data-items in documents for Named Entity Recognition (NER) in those documents.

Abstract: A system and method for dynamically refining access rules for governing control of access by multiple users to data elements or services (DEOSs) stored in or accessed through at least one access controllable network element (ACONE), including collecting initial permissions to the DEOSs, receiving and periodically updating notifications of actual access events of the multiple users to the DEOSs, generating initial user groups for the multiple users, generating for each of the initial user groups, based at least partially on the notifications of actual access events, a list of users who have accessed at least one of the DEOSs, based at least partially on the lists, generating modified user groups, based at least partially on the modified user groups, generating modified permissions, and based on the modified permissions, updating the initial permissions to the DEOSs, thereby enabling only the users in particular modified user groups to access particular DEOSs.

Abstract: A method for automatic management of user permissions in an organization including automatically grouping users into a plurality of user clusters based on at least one similarity between users in each user cluster, for each user cluster, automatically generating a set of cluster user permissions, the set of cluster user permissions including user permissions belonging to users in the cluster and actively used by at least one user in the cluster and for each user cluster, automatically modifying user permissions of each user in each cluster in accordance with the set of cluster user permissions.

Abstract: A system for automatically monitoring efficacy of security controls in a computer network, including a probe engine configurable with at least one set of rules relating to access permissions to data in the computer network, at least one security probe forming part of the probe engine and operative to automatically place, at at least one storage location within the computer network and with access permissions that are non-compliant with the at least one set of rules, simulated data corresponding to the data in the computer network and attempt to access the simulated data following the placement thereof, using access privileges satisfying the non-compliant access permissions, and a security monitoring and reporting module operative to provide a user sensible output indicating at least whether the attempt to access the simulated data was successful and, if so, reporting mitigating activities by the security controls in response to the successful attempt.

Abstract: Embodiments for disaster recovery (DR) configuration management. An orchestration mechanism is used to automate a deployment and/or a configuring of two or more storage clusters for DR by arranging, in one step, a mirroring session between the two or more storage clusters. The two or more storage clusters are existing clusters, and the orchestration mechanism locates each of the existing storage clusters and establishes the mirroring session between the two.

Abstract: A mechanism is provided in a data processing system comprising at least one processor and at least one memory, the at least one memory comprising instructions that are executed by the at least one processor and configure the at least one processor to implement a device context device driver for forced detaching of an application from mapped devices. The device context device driver receives a command to detach an application, wherein the command specifies a process descriptor associated with the application. The device context device driver identifies a plurality of matching device context entries in a list of open device contexts maintained by the device context device driver that match the process descriptor. The device context device driver marks the plurality of matching device context entries as detached. The device context device driver invalidates mapped memory areas associated with the plurality of matching device context entries.