Patents by Inventor Shalom Shay SHAVIT

Shalom Shay SHAVIT has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240388505
    Abstract: A system for dynamically determining the legitimacy of a source internet protocol (IP) address requesting access to a target resource includes an address classifier, a resource similarity identifier, and a connection legitimacy prediction engine. The IP address classifier classifies the source IP address into a relevant address group selected from among a plurality of address groups. Each of the address groups consists of IP addresses that satisfy at least one address similarity criterion. The resource similarity identifier identifies a group of similar resources for the target resource based on commonalities in a first subset of the address groups that have previously accessed the target resource and subsets of the address groups that have accessed each of the similar resources.
    Type: Application
    Filed: May 17, 2023
    Publication date: November 21, 2024
    Inventors: Shay Chriba SAKAZI, Shalom Shay SHAVIT, Andrey KARPOVSKY
  • Publication number: 20240380767
    Abstract: Malicious service provider activity detection is enabled. A first log is obtained. The first log comprises a record of a first control plane operation executed on behalf of a first entity. A service provider associated with the execution of the first control plane operation is identified. The service provider has privileges to execute control plane operations on behalf of the first entity. A first malicious activity score is determined based at least on the service provider. The first malicious activity score is indicative of a degree to which the first control plane operation is anomalous with respect to the first entity. A determination that the first control plane operation potentially corresponds to malicious activity is made based at least on the determined first malicious activity score. Responsive to determining that the first control plane operation potentially corresponds to malicious activity, a security alert is generated.
    Type: Application
    Filed: May 8, 2023
    Publication date: November 14, 2024
    Inventors: Daniel DAVRAEV, Shalom Shay SHAVIT, Hagai Ran KESTENBERG
  • Publication number: 20240330445
    Abstract: Malicious activity detection is enabled for cloud computing platforms. A first log comprising a record of a first control plane operation executed by a cloud application associated with an entity is obtained. A plurality of second logs, each comprising a record of a respective second control plane operation executed in association with the entity, is obtained. A first property set is generated based on the first log and a second property set is generated based on the plurality of second logs. A malicious activity score indicative of a degree to which the first control plane operation is anomalous with respect to the entity is determined based on the first property set and the second property set. A determination that the first control plane operation potentially corresponds to malicious activity is made based on the malicious activity score and a security alert is generated.
    Type: Application
    Filed: June 9, 2023
    Publication date: October 3, 2024
    Inventors: Shalom Shay SHAVIT, Ram Haim PLISKIN, Daniel DAVRAEV
  • Publication number: 20240273189
    Abstract: Systems and techniques for reduction of security detection false positives are described herein. Suspicious activity data is obtained for an operation. Operation data is obtained for the operation. It is determined that the operation is related to a parent operation that has not triggered an alert. The operation is cleared from the suspicious activity data.
    Type: Application
    Filed: February 13, 2023
    Publication date: August 15, 2024
    Inventors: Shalom Shay SHAVIT, Ram Haim PLISKIN, Daniel DAVRAEV
  • Publication number: 20240070271
    Abstract: A recovery instruction pertaining to a resource is detected. The recovery instruction is matched with a delete instruction that caused the resource to enter a soft-deleted state. A mismatch between a first user account associated with the recovery instruction and a second user account associated with the delete instruction is determined. A mitigation action is performed based on determining the mismatch between the first user account and the second user account.
    Type: Application
    Filed: December 19, 2022
    Publication date: February 29, 2024
    Inventors: Daniel DAVRAEV, Shalom Shay SHAVIT, Ram Haim PLISKIN
  • Publication number: 20230379346
    Abstract: Systems and methods are described for threat detection for cloud applications. A log that includes a record of a control plane operation executed by a cloud application is received. A feature set is generated based on the record. Respective subsets of the feature set are provided to two or more anomaly detection models. Each anomaly detection model is configured to output a respective anomaly score indicative of a degree to which the execution of the control plane operation is anomalous with respect to a particular context (e.g., application, resource, subscription, tenant) based on the subset provided thereto. A determination that a security alert should be generated is made based at least on the anomaly scores output by the two or more anomaly detection models and an indication that the control plane operation is included in a list of impactful operations. Responsive to the determination, the security alert is generated.
    Type: Application
    Filed: May 18, 2022
    Publication date: November 23, 2023
    Inventors: Eran GOLDSTEIN, Idan HEN, Shalom Shay SHAVIT
  • Publication number: 20230216871
    Abstract: Compromised user accounts are identified by detecting anomalous cloud activities. Cloud activities are determined to be anomalous by comparing the behavior of a particular user with the previous behavior of that user as well as the previous behavior of other, related users. In some configurations, the related users are organized into one or more hierarchies, such as by geographic location or by a logical structure of a cloud service. The behavior of the related users is modeled at different levels in the hierarchy. Anomaly scores from different groups and levels of the hierarchy are compiled and filtered before being used to determine whether to send a security alert. In some configurations, the security alert indicates that the anomalous operation was detected, why the operation was determined to be anomalous, and in some cases, what harm the operation could lead to if the user is in fact compromised.
    Type: Application
    Filed: March 8, 2022
    Publication date: July 6, 2023
    Inventors: Eran GOLDSTEIN, Idan HEN, Shalom Shay SHAVIT