Abstract: A method and system for determining abnormal configuration of network objects deployed in a cloud computing environment are provided. The method includes collecting network object data on a plurality of network objects deployed in the cloud computing environment; constructing a network graph based on the collected network object data, wherein the network graph includes a visual representation of network objects identified in the cloud computing environment; determining relationships between the identified network objects in the network graph, wherein the determined relationships between the identified network objects includes descriptions of connections between the identified network objects; and analyzing the network graph and the determined relationships to generate insights, wherein the generated insights include at least a list of abnormal connections between the identified network objects.

Abstract: A method and system for determining reachability of objects deployed in a cloud environment to an external network is presented. The method includes identifying a plurality of network paths in the cloud environment, wherein each network path includes at least two objects deployed in the cloud environment; statistically analyzing each object in each respective network path to determine its reachability properties; analyzing the reachability properties determined for each object to determine if the respective object is reachable through its respective network path from at least a network external to the cloud environment; and saving each object together with its respective network path and reachability properties in a database.

Abstract: A method and system for cataloging network objects in a cloud environment are presented. The system includes collecting at least network object data on a plurality of network objects operable in a cloud environment, wherein the plurality of network objects are operable at different layers of the cloud environment; identifying the plurality of network objects operable in the cloud environment; constructing at least a network graph based on the identified network objects; determining relationships between the identified network objects in the at least a network graph; generating at least an insight for least one of the identified network objects, wherein the insight is generated in response to the network graph and the determined relationships; and tagging each of the plurality of network objects for which an insight is generated.

Abstract: A method and system for determining reachability properties of security objects are provided. The method includes accessing a security graph, wherein the security graph lists all security objects and their connections in a cloud environment of an organization; identifying a plurality of network paths in the cloud environment, wherein each network path includes at least two security objects accessible in the cloud environment; for each of the plurality of identified network paths, iteratively analyzing each security object in a respective network path to determine its reachability properties, wherein the reachability properties of a security object as a minimal set of reachable properties of all other security objects in the respective network path; and populating the security graph with the determined reachability properties of each security object.

Abstract: According to examples, an apparatus may include a processor and a computer readable medium on which is stored machine readable instructions that may cause the processor to assign the activities in user activity data into a plurality of groups based on common user identifiers corresponding to the pairs of activities. The instructions may also cause the processor to determine a correlation between a user event and the plurality of groups, determine whether the user event is suspicious based on the determined correlation, and based on a determination that the user event is suspicious, output an indication that the user event is suspicious.

Abstract: According to examples, an apparatus may include a processor and a computer readable medium on which is stored machine readable instructions that may cause the processor to assign the activities in user activity data into a plurality of groups based on common user identifiers corresponding to the pairs of activities. The instructions may also cause the processor to determine a correlation between a user event and the plurality of groups, determine whether the user event is suspicious based on the determined correlation, and based on a determination that the user event is suspicious, output an indication that the user event is suspicious.

Abstract: When processing events associated with a group comprising multiple different sub-groups, a hash function can be applied to the sub-group identifier to map the events associated with the sub-group to different computational elements used to process the group's events. The hash value can be a number between 1 and n or 0 and n?1 where n is the number of computational elements available to the group. Data concerning the last time a particular value for a property was encountered in an event stream can be retained. On each computational element assigned to the group, the detection of a particular property value in an event of a sub-group can be collected, periodically aggregated and sent to each of the computational elements used by the group, thereby enabling the first detection of a new property value within a group of events to be determined.

Abstract: When processing events associated with a group comprising multiple different sub-groups, a hash function can be applied to the sub-group identifier to map the events associated with the sub-group to different computational elements used to process the group's events. The hash value can be a number between 1 and n or 0 and n?1 where n is the number of computational elements available to the group. Data concerning the last time a particular value for a property was encountered in an event stream can be retained. On each computational element assigned to the group, the detection of a particular property value in an event of a sub-group can be collected, periodically aggregated and sent to each of the computational elements used by the group, thereby enabling the first detection of a new property value within a group of events to be determined.