Abstract: Core entities are each defined as a subset of base entities that satisfy one or more core entity connection relationships. Base stories are each defined as a subset of core entities that satisfy one or more story connection relationships. A risk score of each core entity is calculated based on previously calculated risk scores of the base entities. A risk score of each base story is calculated based on the calculated risk score of each core entity of the base story. Selected base stories are extended with external content to generate corresponding extended stories.

Abstract: Core entities are each defined as a subset of base entities that satisfy one or more core entity connection relationships. Base stories are each defined as a subset of core entities that satisfy one or more story connection relationships. A risk score of each core entity is calculated based on previously calculated risk scores of the base entities. A risk score of each base story is calculated based on the calculated risk score of each core entity of the base story. Selected base stories are extended with external content to generate corresponding extended stories.

Abstract: A system and method is described for providing custom predictive models for detecting electronic security threats within an enterprise computer network. The custom models may be defined in a declarative language. The custom models, along with native models, may be combined together to provide custom machine learning (ML) use cases.

Abstract: A system and method are provided that store electronic data describing events that have occurred in a computing system, index the electronic data to create indexed data records; and store the indexed data records in computer memory as part of a flat data structure.

Abstract: The systems and methods described herein, given a population of entities each with associated information technology (IT) security risk scores, computes an aggregate risk score which quantifies the overall risk of the population. The method works for any arbitrary population of any size, and of any combination of different entity types and results in normalized risk scores for the arbitrary population (i.e. in the [0,1] range, regardless of population size or makeup). Since the risk scores are normalized, it affords comparison across different arbitrary entity populations having different combinations of entity types (e.g. users, servers, and printers). The aggregation technique allows for sensitivity to small numbers of high risk entities, which is a highly desirable characteristic for risk-based applications, and allows for sensitivity to different entity types or other relevant factors such as higher risk users, different threat types.

Abstract: Sensitive data may be anonymized for use in user interfaces by applying a cryptographic hash function to the data. The hashed value may be broken into hash tokens and the hash tokens converted to human readable tokens using a 1:1 conversion function. The human readable tokens can then be concatenated together to provide a human readable identifier of the sensitive data.

Abstract: A system and method is described for providing custom predictive models for detecting electronic security threats within an enterprise computer network. The custom models may be defined in a declarative language. The custom models, along with native models, may be combined together to provide custom machine learning (ML) use cases.

Abstract: The present invention provides a method of identifying aggregating and mathematically ranking security alert data having the steps of identifying a plurality of alerts, selecting a subset of the plurality alerts based on at least one preselected theme, applying a function to the subset of the plurality alerts to compute an aggregate risk score, the function based on at least one factor and prioritizing the aggregate risk score in a risk score list.

Abstract: The systems and methods described herein, given a population of entities each with associated information technology (IT) security risk scores, computes an aggregate risk score which quantifies the overall risk of the population. The method works for any arbitrary population of any size, and of any combination of different entity types and results in normalized risk scores for the arbitrary population (i.e. in the [0,1] range, regardless of population size or makeup). Since the risk scores are normalized, it affords comparison across different arbitrary entity populations having different combinations of entity types (e.g. users, servers, and printers). The aggregation technique allows for sensitivity to small numbers of high risk entities, which is a highly desirable characteristic for risk-based applications, and allows for sensitivity to different entity types or other relevant factors such as higher risk users, different threat types.

Abstract: Sensitive data may be anonymized for use in user interfaces by applying a cryptographic hash function to the data. The hashed value may be broken into hash tokens and the hash tokens converted to human readable tokens using a 1:1 conversion function. The human readable tokens can then be concatenated together to provide a human readable identifier of the sensitive data.

Abstract: The present invention provides a method of identifying aggregating and mathematically ranking security alert data having the steps of identifying a plurality of alerts, selecting a subset of the plurality alerts based on at least one preselected theme, applying a function to the subset of the plurality alerts to compute an aggregate risk score, the function based on at least one factor and prioritizing the aggregate risk score in a risk score list.