Abstract: Techniques are described herein that are capable of detecting malicious obfuscation in a SQL statement based at least in part on an effect and/or processed version of the SQL statement. In a first example, a raw version of a SQL statement is compared to a processed version of the SQL statement. A determination is made that a command in the processed version is not included in the raw version. The raw version is detected to be malicious based at least in part on the determination. In a second example, a SQL statement is bound to an event that results from execution of the SQL statement. Textual content of the SQL statement and an effect of the event are compared. The SQL statement is detected to be malicious based at least in part on the effect of the event not being indicated by the textual content.

Abstract: The detection and alerting on malicious queries that are directed towards a data store. The detection is done by using syntax metrics of the query. This can be done without evaluating (or at least without retaining) the unmasked query. In order to detect a potentially malicious query, syntax metric(s) of that query are accessed. The syntax metric(s) are then fed into a model that is configured to predict maliciousness of the query based on the one or more syntax metrics. The output of the model then represents a prediction of maliciousness of the query. Based on the output of the model representing the predicted maliciousness, a computing entity associated with the data store is then alerted.

Abstract: An indication is received of a security alert. The indication is generated based on a detected anomaly in one of a data plane or a control plane of a computing environment. When the detected anomaly is in the data plane, the control plane is monitored for a subsequent anomaly in the control plane, and otherwise the data plane is monitored for a subsequent anomaly in the data plane. A correlation between the detected anomalies is determined. A notification of the security alert is sent when the correlation exceeds a predetermined threshold.

Abstract: A computing system is configured to train a machine-learning model for detecting suspicious network activities based on a training dataset. The training of the machine-learning model may be supervised or unsupervised training. The training dataset includes multiple strings. For each of the multiple strings, the computing system extracts one or more N-grams substrings, where N is a natural number that is equal to or greater than 2. The computing system then determines a probability of each N-grams substring that may occur in a string. When the machine-learning model is executed, it is configured to classify whether a given string contained in network communication is a random string. In response to classifying that the given string is a random string, an alert is generated at a particular computing system to which the network communication is directed.

Abstract: Disclosed herein is a system that implements a model for automatic discovery and identification of a person who is most relevant to handle a notification generated for a resource based on a triggered event. The model accesses an activity log for the resource to identify operations that are relevant to a type of the event. The operations are performed by different users (e.g., owners of the shared resource). The model then calculates an operation relevance score for each of the operations and a user relevance score for each of the different users. The user relevance scores are used to identify a most relevant person from the different users. Contact information for the most relevant person (e.g., name, email address, phone number) is added to the notification so that a person that first views the notification can efficiently forward the notification to the person best positioned to deal with the event.

Abstract: Disclosed herein is a system that implements a model for automatic discovery and identification of a person who is most relevant to handle a notification generated for a resource based on a triggered event. The model accesses an activity log for the resource to identify operations that are relevant to a type of the event. The operations are performed by different users (e.g., owners of the shared resource). The model then calculates an operation relevance score for each of the operations and a user relevance score for each of the different users. The user relevance scores are used to identify a most relevant person from the different users. Contact information for the most relevant person (e.g., name, email address, phone number) is added to the notification so that a person that first views the notification can efficiently forward the notification to the person best positioned to deal with the event.

Abstract: A firewall rule evaluation service scores firewall rules based on characteristics of logical objects that fall within ranges of Internet Protocol (IP) addresses corresponding to the firewall rules. Firewall rule scoring criteria may cause scores to be assigned to individual firewall rules based on an inverse relationship to quantities of discrete Autonomous Systems as well as aggregate numbers of and/or severity scores for threat intelligence flagged IP addresses granted access by individual firewall rules. The firewall rule evaluation service may further determine firewall rule recommendations for replacing firewall rules spanning multiple IP prefixes for different Autonomous Systems with more narrowly defined firewall rules that precisely encompass IP prefixes corresponding to single autonomous systems or multiple related Autonomous Systems (e.g., Autonomous Systems operated by a single trustworthy entity).

Abstract: A firewall rule evaluation service scores firewall rules based on characteristics of logical objects that fall within ranges of Internet Protocol (IP) addresses corresponding to the firewall rules. Firewall rule scoring criteria may cause scores to be assigned to individual firewall rules based on an inverse relationship to quantities of discrete Autonomous Systems as well as aggregate numbers of and/or severity scores for threat intelligence flagged IP addresses granted access by individual firewall rules. The firewall rule evaluation service may further determine firewall rule recommendations for replacing firewall rules spanning multiple IP prefixes for different Autonomous Systems with more narrowly defined firewall rules that precisely encompass IP prefixes corresponding to single autonomous systems or multiple related Autonomous Systems (e.g., Autonomous Systems operated by a single trustworthy entity).

Abstract: An indication is received of a security alert. The indication is generated based on a detected anomaly in one of a data plane or a control plane of a computing environment. When the detected anomaly is in the data plane, the control plane is monitored for a subsequent anomaly in the control plane, and otherwise the data plane is monitored for a subsequent anomaly in the data plane. A correlation between the detected anomalies is determined. A notification of the security alert is sent when the correlation exceeds a predetermined threshold.

Abstract: Disclosed herein is a system that implements a model for automatic discovery and identification of a person who is most relevant to handle a notification generated for a resource based on a triggered event. The model accesses an activity log for the resource to identify operations that are relevant to a type of the event. The operations are performed by different users (e.g., owners of the shared resource). The model then calculates an operation relevance score for each of the operations and a user relevance score for each of the different users. The user relevance scores are used to identify a most relevant person from the different users. Contact information for the most relevant person (e.g., name, email address, phone number) is added to the notification so that a person that first views the notification can efficiently forward the notification to the person best positioned to deal with the event.