Abstract: A computing system includes a processor and memory coupled to the processor and storing instructions that, when executed by the processor provide a user interface module. The user interface module is configured to generate a tracker definition user interface having a threat parameter selection user interface element configured to receive a selection of at least one threat parameter, the tracker definition user interface also having a threat value user interface element configured to receive input specifying a threat value to match for the specified at least one threat parameter. The processor is configured to save a tracker based on the selection of at least one threat parameter and the threat value, and wherein the processor is configured to access a threat data store and execute the tracker against the threat data store to provide a tracker result.

Abstract: A computing system includes a processor and memory coupled to the processor and storing instructions that, when executed by the processor provide a user interface module. The user interface module is configured to generate a tracker definition user interface having a threat parameter selection user interface element configured to receive a selection of at least one threat parameter, the tracker definition user interface also having a threat value user interface element configured to receive input specifying a threat value to match for the specified at least one threat parameter. The processor is configured to save a tracker based on the selection of at least one threat parameter and the threat value, and wherein the processor is configured to access a threat data store and execute the tracker against the threat data store to provide a tracker result.

Abstract: Malicious activity data is obtained, that is indicative of attempted attacks on a computing system. Clusters of targets are identified and it is determined whether the malicious activity preferentially targets one cluster of targets over other. Also, low prevalence attacks are identified and it is determined whether a low prevalence attack has a high concentration in one or more of the target clusters. If the malicious activity either preferentially targets a cluster, or a low prevalence attack has a high concentration in a cluster, then the attack is identified as a targeted attack, so that remediation steps can be taken.

Abstract: A computing system includes a processor and memory coupled to the processor and storing instructions that, when executed by the processor provide a user interface module. The user interface module is configured to generate a tracker definition user interface having a threat parameter selection user interface element configured to receive a selection of at least one threat parameter, the tracker definition user interface also having a threat value user interface element configured to receive input specifying a threat value to match for the specified at least one threat parameter. The processor is configured to save a tracker based on the selection of at least one threat parameter and the threat value, and wherein the processor is configured to access a threat data store and execute the tracker against the threat data store to provide a tracker result.

Abstract: Malicious activity data is obtained, that is indicative of attempted attacks on a computing system. Clusters of targets are identified and it is determined whether the malicious activity preferentially targets one cluster of targets over other. Also, low prevalence attacks are identified and it is determined whether a low prevalence attack has a high concentration in one or more of the target clusters. If the malicious activity either preferentially targets a cluster, or a low prevalence attack has a high concentration in a cluster, then the attack is identified as a targeted attack, so that remediation steps can be taken.

Abstract: Malicious activity data is obtained, that is indicative of attempted attacks on a computing system. Clusters of targets are identified and it is determined whether the malicious activity preferentially targets one cluster of targets over other. Also, low prevalence attacks are identified and it is determined whether a low prevalence attack has a high concentration in one or more of the target clusters. If the malicious activity either preferentially targets a cluster, or a low prevalence attack has a high concentration in a cluster, then the attack is identified as a targeted attack, so that remediation steps can be taken.

Abstract: Threat intelligence management is provided in a security and compliance environment. A threat explorer platform or module of a security and compliance service may detect, investigate, manage, and provide actionable insights for threats at an organizational level. Working with a data insights platform that collects different types of signals (metadata, documents, activities, etc.) and correlates in a multi-stage evaluation, the threat intelligence module may provide actionable visual information on potential threats, affected areas, and actionable insights derived from internal threat data and external information using contextual correlation of data within the data insight platform. User experience may be dynamically adjusted at multiple levels based on context and allow users to drill down arbitrarily deep.

Abstract: Malicious activity data is obtained, that is indicative of attempted attacks on a computing system. Clusters of targets are identified and it is determined whether the malicious activity preferentially targets one cluster of targets over other. Also, low prevalence attacks are identified and it is determined whether a low prevalence attack has a high concentration in one or more of the target clusters. If the malicious activity either preferentially targets a cluster, or a low prevalence attack has a high concentration in a cluster, then the attack is identified as a targeted attack, so that remediation steps can be taken.

Abstract: A computing system includes a processor and memory coupled to the processor and storing instructions that, when executed by the processor provide a user interface module. The user interface module is configured to generate a tracker definition user interface having a threat parameter selection user interface element configured to receive a selection of at least one threat parameter, the tracker definition user interface also having a threat value user interface element configured to receive input specifying a threat value to match for the specified at least one threat parameter. The processor is configured to save a tracker based on the selection of at least one threat parameter and the threat value, and wherein the processor is configured to access a threat data store and execute the tracker against the threat data store to provide a tracker result.

Abstract: Correlated signals associated with one or more of stored content, content metadata, and activities associated with the stored content of a tenant may be analyzed and alert(s) determined based on alert threshold(s) or broader “abnormal” pattern detection. Different recipients for different alerts or alert levels may be designated and the alert(s) transmitted to the designated recipients. Alerts may also be displayed through an alert management dashboard of a protection service. The alert(s) and the results of the analysis may also be provided to a policy engine for use in adjusting or creating rules within a policy, alert thresholds, and signal collection/analysis. Post-fact investigations may also be initiated upon alerts.

Abstract: Threat intelligence management is provided in a security and compliance environment. A threat explorer platform or module of a security and compliance service may detect, investigate, manage, and provide actionable insights for threats at an organizational level. Working with a data insights platform that collects different types of signals (metadata, documents, activities, etc.) and correlates in a multi-stage evaluation, the threat intelligence module may provide actionable visual information on potential threats, affected areas, and actionable insights derived from internal threat data and external information using contextual correlation of data within the data insight platform. User experience may be dynamically adjusted at multiple levels based on context and allow users to drill down arbitrarily deep.