Abstract: Methods, storage systems and computer program products implement embodiments of the present invention that include identifying a first autonomous system number (ASN) for a service hosted by a networked entity, and retrieving, from a log file, an entry corresponding to an access by a networked entity to the service and including an Internet Protocol (IP) address of the networked entity and an access token authorizing access to the service. A second ASN for the IP address is identified, and the second ASN is compared to the first ASN. Finally, an alert is generated for the access upon detecting the first ASN differing from the second ASN.

Abstract: A method, including receiving, from multiple sources, respective sets of incidents, and respective suspiciousness labels for the incidents. A set of rules are applied so as to assign training labels to respective incidents in a subset of the incidents in the received sets. For each given incident in the subset, the respective training label is compared to the respective suspiciousness label so as to compute a respective quality score for each given source. Any sources having respective label quality scores meeting a predefined criterion are identified, and a model for computing predicted labels is fit to the incidents received from the identified sources and the respective suspiciousness labels of the incidents. The model is applied to an additional incident received from one of the sources to compute a predicted label for the additional incident, and a notification of the additional incident is prioritized in response to the predicted label.

Abstract: A method, including collecting, by a security server, reports from multiple computing devices of events belonging to a set of specified event types occurring in execution of software processes on the devices, and collating the reports in the server to extract context information with respect to each of the events. Upon detecting an event occurring in execution of a process on a given device and matching one of the types, a software agent executing on the given device extracts, one or more features from the detected event, and conveys a query with respect to the detected event from the agent to the server. Upon receiving, from the server in response to the query, the context information with respect to the detected event, the agent decides to initiate a protective action on the given device based on the received context information and the one or more features extracted by the agent.

Abstract: A method, including receiving, from multiple sources, respective sets of incidents, and respective suspiciousness labels for the incidents. A set of rules are applied so as to assign training labels to respective incidents in a subset of the incidents in the received sets. For each given incident in the subset, the respective training label is compared to the respective suspiciousness label so as to compute a respective quality score for each given source. Any sources having respective label quality scores meeting a predefined criterion are identified, and a model for computing predicted labels is fit to the incidents received from the identified sources and the respective suspiciousness labels of the incidents. The model is applied to an additional incident received from one of the sources to compute a predicted label for the additional incident, and a notification of the additional incident is prioritized in response to the predicted label.