Abstract: A threat management facility receives data from a variety of sources such as compute instances within an enterprise network, cloud service providers supporting the enterprise network, and third-party data providers such as geolocation services. In order to facilitate prompt notification of potential risks, the threat management facility may incrementally update data for use in threat assessments as the data becomes available from these different sources, and create suitable alerts or notifications whenever the currently accumulated data provides an indication of threat meeting a predetermined threshold.

Abstract: A platform for threat investigation in an enterprise network receives threat data from managed endpoints, and is augmented with data from cloud computing platforms and other third-party resources. The resulting merged data set can be incrementally updated and used to automatically launch investigations at appropriate times.

Abstract: A threat management system stores an attack matrix characterizing tactics and techniques, and provides threat detection based on patterns of traversal of the attack matrix. Where the threat management system provides a data lake of security events and a query interface for using the data lake to investigate security issues, useful inferences may also be drawn by comparing query activity in the query interface with the patterns of traversal of the attack matrix, such as by using a malicious pattern of traversal to identify a concurrent chain of queries indicative of a threat, or by presenting separate threat scores to an analyst based on query activity and patterns of traversal.

Abstract: A platform for managing threat data integrates threat data from a variety of sources including internal threat data from instrumented compute instances associated with an enterprise network and threat data from one or more independent, external resources. Threat assessments are incrementally revised as this threat data is asynchronously received from various sources, and a threat intervention container is automatically created and presented to an investigator when a composite threat score for one or more of the compute instances meets a predetermined threshold.

Abstract: An asynchronous stream of security events is added to a data lake for enterprise security by identifying groups of related events related to a security threat, and creating rules to fold these related events into a single security event along with metadata. The folding rules may then be applied to security events in the event stream to compress data in the data lake and improve detection efficiency.