Abstract: Systems and methods are disclosed for computing network operations. For example, methods may include receiving, at a computing device located within a private network, a message sent from a server located outside of the private network, the message including an observable; invoking, within the private network, a search of data associated with the private network to obtain a search result that includes data matching the observable; aggregating, within the private network, data from the search result that matches the observable to obtain a report that includes an indication of the observable, a count of occurrences of the observable, and identification of one or more components associated with the observable; and transmitting the report to the server.

Abstract: Systems and methods are disclosed for obtaining network security threat information and mitigating threats to improve computing network operations. For example, methods may include receiving a message from a central instance; from outside of a private network, invoking a search of data associated with the private network, wherein the search is based on the message and the search is performed by an agent device within the private network; receiving a search result of the search from the agent device; transmitting the search result to the central instance, wherein the central instance is configured to generate network security threat information based in part on the search result and share the network security threat information with a plurality of customer instances that are associated with a group of customers; and receiving an alert message from the central instance, wherein the alert message includes information that identifies a network security threat.

Abstract: A plurality of flow logs associated with a plurality of computing units are aggregated. For each flow event included in the plurality of flow logs a corresponding namespace with which the flow event is associated is determined including by determining a corresponding intermediary associated with the flow event. A network traffic map that visualizes network traffic between a plurality of namespaces is generated based in part on the determined intermediaries associated with the flow events.

Abstract: Systems and methods are disclosed for computing network operations. For example, methods may include receiving, at a computing device located within a private network, a message sent from a server located outside of the private network, the message including an observable; invoking, within the private network, a search of data associated with the private network to obtain a search result that includes data matching the observable; aggregating, within the private network, data from the search result that matches the observable to obtain a report that includes an indication of the observable, a count of occurrences of the observable, and identification of one or more components associated with the observable; and transmitting the report to the server.

Abstract: Systems and methods are disclosed for computing network operations. For example, methods may include receiving, at a computing device located within a private network, a message sent from a server located outside of the private network, the message including an observable; invoking, within the private network, a search of data associated with the private network to obtain a search result that includes data matching the observable; aggregating, within the private network, data from the search result that matches the observable to obtain a report that includes an indication of the observable, a count of occurrences of the observable, and identification of one or more components associated with the observable; and transmitting the report to the server.

Abstract: Systems and methods for automatically grouping vulnerabilities into vulnerability groups are provided. Vulnerabilities are received in the vulnerability response system and are automatically grouped into one or more vulnerability groups based upon grouping fields defined in a vulnerability group rule.

Abstract: An example embodiment may include a security enforcement point device disposed within a managed network and a security decision point device disposed within a computational instance of a remote network management platform. The security decision point device may be configured to: receive a message by way of the managed network; parse the message to identify observable indicators of one or more of the security threats, where the observable indicators include at least one of a network addresses, a hyperlink, or a representation of an attached file; remotely query a security threat database for the observable indicators; receive, from the security threat database, an indication that the observable indicators are associated with a particular security threat, and transmit, to the security enforcement point device, a command to update its associated security policy such that the particular security threat is mitigated.

Abstract: Systems and methods are disclosed for obtaining network security threat information and mitigating threats to improve computing network operations. For example, methods may include receiving a message from a central instance; from outside of a private network, invoking a search of data associated with the private network, wherein the search is based on the message and the search is performed by an agent device within the private network; receiving a search result of the search from the agent device; transmitting the search result to the central instance, wherein the central instance is configured to generate network security threat information based in part on the search result and share the network security threat information with a plurality of customer instances that are associated with a group of customers; and receiving an alert message from the central instance, wherein the alert message includes information that identifies a network security threat.

Abstract: An example embodiment may include a security enforcement point device disposed within a managed network and a security decision point device disposed within a computational instance of a remote network management platform. The security decision point device may be configured to: receive a message by way of the managed network; parse the message to identify observable indicators of one or more of the security threats, where the observable indicators include at least one of a network addresses, a hyperlink, or a representation of an attached file; remotely query a security threat database for the observable indicators; receive, from the security threat database, an indication that the observable indicators are associated with a particular security threat, and transmit, to the security enforcement point device, a command to update its associated security policy such that the particular security threat is mitigated.

Abstract: Systems and methods are disclosed for computing network operations. For example, methods may include receiving, at a computing device located within a private network, a message sent from a server located outside of the private network, the message including an observable; invoking, within the private network, a search of data associated with the private network to obtain a search result that includes data matching the observable; aggregating, within the private network, data from the search result that matches the observable to obtain a report that includes an indication of the observable, a count of occurrences of the observable, and identification of one or more components associated with the observable; and transmitting the report to the server.

Abstract: Systems and methods are disclosed for computing network operations. For example, methods may include receiving, at a computing device located within a private network, a message sent from a server located outside of the private network, the message including an observable; invoking, within the private network, a search of data associated with the private network to obtain a search result that includes data matching the observable; aggregating, within the private network, data from the search result that matches the observable to obtain a report that includes an indication of the observable, a count of occurrences of the observable, and identification of one or more components associated with the observable; and transmitting the report to the server.

Abstract: An example embodiment may include a security enforcement point device disposed within a managed network and a security decision point device disposed within a computational instance of a remote network management platform. The security decision point device may be configured to: receive a message by way of the managed network; parse the message to identify observable indicators of one or more of the security threats, where the observable indicators include at least one of a network addresses, a hyperlink, or a representation of an attached file; remotely query a security threat database for the observable indicators; receive, from the security threat database, an indication that the observable indicators are associated with a particular security threat, and transmit, to the security enforcement point device, a command to update its associated security policy such that the particular security threat is mitigated.

Abstract: An example embodiment may include a security enforcement point device disposed within a managed network and a security decision point device disposed within a computational instance of a remote network management platform. The security decision point device may be configured to: receive a message by way of the managed network; parse the message to identify observable indicators of one or more of the security threats, where the observable indicators include at least one of a network addresses, a hyperlink, or a representation of an attached file; remotely query a security threat database for the observable indicators; receive, from the security threat database, an indication that the observable indicators are associated with a particular security threat, and transmit, to the security enforcement point device, a command to update its associated security policy such that the particular security threat is mitigated.

Abstract: An example embodiment may include a security enforcement point device disposed within a managed network and a security decision point device disposed within a computational instance of a remote network management platform. The security decision point device may be configured to: receive a message by way of the managed network; parse the message to identify observable indicators of one or more of the security threats, where the observable indicators include at least one of a network addresses, a hyperlink, or a representation of an attached file; remotely query a security threat database for the observable indicators; receive, from the security threat database, an indication that the observable indicators are associated with a particular security threat, and transmit, to the security enforcement point device, a command to update its associated security policy such that the particular security threat is mitigated.

Abstract: Systems and methods are disclosed for obtaining network security threat information and mitigating threats to improve computing network operations. For example, methods may include receiving a message from a central instance; from outside of a private network, invoking a search of data associated with the private network, wherein the search is based on the message and the search is performed by an agent device within the private network; receiving a search result of the search from the agent device; transmitting the search result to the central instance, wherein the central instance is configured to generate network security threat information based in part on the search result and share the network security threat information with a plurality of customer instances that are associated with a group of customers; and receiving an alert message from the central instance, wherein the alert message includes information that identifies a network security threat.

Abstract: Systems and methods are disclosed for computing network operations. For example, methods may include receiving, at a computing device located within a private network, a message sent from a server located outside of the private network, the message including an observable; invoking, within the private network, a search of data associated with the private network to obtain a search result that includes data matching the observable; aggregating, within the private network, data from the search result that matches the observable to obtain a report that includes an indication of the observable, a count of occurrences of the observable, and identification of one or more components associated with the observable; and transmitting the report to the server.

Abstract: A computing device receives a training data set that includes a plurality of positive examples of sensitive data and a plurality of negative examples of sensitive data. The computing device analyzes the training data set using machine learning to generate a machine learning-based detection (MLD) profile that can be used to classify new data as sensitive data or as non-sensitive data. The computing device computes a quality metric for the MLD profile.

Abstract: A computer-implemented method for classifying documents for data loss prevention may include 1) identifying training documents for a machine learning classifier configured for data loss prevention, 2) performing a semantic analysis on training documents to identify topics within the set training documents, 3) applying a similarity metric to the topics to identify at least one unrelated topic with a similarity to the other topics within the plurality of topics, as determined by the similarity metric, that falls below a similarity threshold, 4) identifying, based on the semantic analysis, at least one irrelevant training document within the set of training documents in which a predominance of the unrelated topic is above a predominance threshold, and 5) excluding the irrelevant training document from the set of training documents based on the predominance of the unrelated topic within the irrelevant training document. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computing device receives a training data set that comprises a plurality of sensitive documents and a plurality of non-sensitive documents. The computing device determines a quality of the training data set. The quality may be determined using k-fold cross validation and/or latent semantic indexing. In response to determining that the training data set has a satisfactory quality, the computing device then analyzes the training data set using machine learning to train a machine learning-based detection (MLD) profile, the MLD profile to be used by a data loss prevention (DLP) system to classify new documents as sensitive documents or as non-sensitive documents.

Abstract: A method and apparatus for identity consolidation for a plurality of electronic identities is described. In one embodiment, the method includes receiving user identification data extracted from an electronic communication, the user identification data corresponding to an unknown identity of a sender of the electronic communication. The method further includes determining a known identity for the sender using the user identification data extracted from the electronic communication and associating the known identity with the unknown identity of the sender of the electronic communication. In one embodiment, an association between the known identity and the unknown identity is maintained to determine whether parties of subsequent information transfers are authorized to participate in the information transfers.