Abstract: A first instance of an event management system monitors event data corresponding to a first group of users in a cloud computing system. Using a first machine learning (ML) algorithm, the first instance detects an anomalous event from the event data. The first ML algorithm is trained using historical event data. A second instance of the event management system is created and a copy of the first ML algorithm is added to the second instance. The second instance monitors second event data corresponding to a second group of users in the cloud computing system. Using the copy of the first ML algorithm, the second instance detects a second anomalous event from the second event data.

Abstract: Devices, systems, and methods are provided for cloud-based entity reputation scoring. A method may include determining, based on domain name service (DNS) data associated with entities of the cloud-based environment, a k-partite graph with nodes and edges, a node including a first elastic computing instance. The method may include generating features associated with the first elastic computing instance. The method may include determining, based on the features, a minimum value, a maximum value, and an average value, and generating a feature vector comprising the minimum value, the maximum value, and the average value. The method may include determining, based on the feature vector, a reputation score associated with the first elastic computing instance. The method may include communicating based on the reputation score.

Abstract: Techniques for threat scanning transplanted containers are described. A method of threat scanning transplanted containers may include generating a container map of running containers on a block storage volume mounted to a scanning instance of a threat scanning service, scanning the block storage volume by a scanning engine of the scanning instance, identifying at least one threat on the block storage volume, and identifying at least one container associated with the at least one threat using the container map.

Abstract: A system and method relating to multi-level data de-duplication operations relating to data records associated with multiple user systems. The system includes a first set of computing instances execute a first set of de-duplication operations to generate a set of locally de-duplicated files associated with a data stream comprising the data records associated with the user systems. The system includes a storage system to store the set of locally de-duplicated files. The system includes a second set of computing instances to receive, in accordance with a frequency type of multiple frequency types, the set of locally de-duplicated files from the storage system and execute a second set of de-duplication operations to generate a set of globally de-duplicated files associated with the data records.

Abstract: Devices and methods are provided for determining computer resource connectivity and providing computer resource protection. A computer system may identify a first indication of each network configuration between a computing resource and a data resource. The system may identify a second indication of a request for credentials associated with accessing at least one of the computing resource or the data resource. The system may determine an action including accessing the computing resource and the data resource using a network configuration and a credential. The system may determine that the action has occurred a number of times that is less than a threshold. The system may cancel a credential or network configuration associated with the action.

Abstract: Systems, methods, and computer-readable media are disclosed for systems and methods for identifying false positives in malicious domain data using network traffic data logs. Example methods may include determining a first domain name identifier in a set of domain name identifiers classified as malicious, determining a first IP address associated with the first domain name identifier, and determining first virtual private cloud (VPC) flow log data that corresponds to historical network traffic associated with the first IP address. Certain methods may include determining second VPC flow log data that corresponds to historical network traffic associated with a second IP address that is classified as non-malicious, determining, using the first VPC flow log data and the second VPC flow log data, that the first VPC flow log data is non-malicious, and determining that the first domain name identifier is to be classified as non-malicious.

Abstract: Systems for providing a multi-tenant threat intelligence service are provided. The system receives threat information from a user including IP addresses, and universal threat information including IP addresses. Modify an in-memory IP address tree using IP addresses received from the user and included in the universal threat information. Compare IP addresses from logs of network activity associated with the user to the in-memory IP address tree, and identify IP addresses included in the IP address tree. Cause matching IP addresses to be sent to the user as representing potentially malicious network activity.

Abstract: A processing device receives a request to create a second account in a cloud computing system having multiple web services. The request specifies an organization unit (OU) associated with a first account of the cloud computing system. A first instance of a threat detection service monitors activity data associated with the first account and detects anomalous activity by the first account using a first machine learning (ML) model. The processing device creates the second account and attaches the second account to the OU. The processing device generates a second ML model for the second account using at least a portion of the first ML model and monitors subsequent activity data associated with the second account using the second ML model to detect anomalous activity by the second account.

Abstract: Systems for providing a subscription-based multi-tenant threat intelligence service are provided. The systems receive first threat information associated with a first source of a first threat intelligence feed. Receive an indication that a first user associated with a first computing resource within a compute environment has subscribed to the first threat intelligence feed. Determine, based on the first threat information and the first user's subscription to the first threat intelligence feed, that a portion of activity associated with the first computing resource includes activity by an endpoint identified in the first threat information. In response to determining that the portion of the activity includes activity by an endpoint identified in the first threat information, perform an action.

Abstract: Systems are provided for collecting threat intelligence to use in monitoring network activity in computing environments for malicious activity. The systems load sensors into compute resources associated with particular users of a compute resource virtualization platform. The systems receive network activity information sent by first and second sensors, identify an IP address as being a suspected source of malicious computing activity using aggregated the first and second network activity, and generate threat information that includes the IP address as a suspected source of malicious computing activity.