Abstract: In some implementations, a method includes obtaining an unlabeled computer security data log and processing the unlabeled computer security data log using a machine learning model to generate a probability distribution that includes a respective probability for each of a plurality of possible log types. Each of the plurality of possible log types is associated with a corresponding parser that parses logs of the possible log type to extract structured computer security data. The method further includes selecting the possible log type having the highest probability and parsing the unlabeled computer security data log using the parser corresponding to the selected possible log type.

Abstract: The subject matter of this specification generally relates to computer security. In some implementations, a method includes maintaining a first data structure that stores arrays of identifier tuples. Each identifier tuple corresponds to a respective computer security event and includes one or more identifiers for a computing element associated with the computer security event. Each array of identifier tuples corresponds to a respective identifier and only includes identifier tuples that include the corresponding identifier. A second data structure that stores arrays of computer security data is maintained. Each array of computer security data corresponds to a respective identifier tuple stored in the first data structure and only includes computer security data associated with each identifier in the corresponding identifier tuple. A query that specifies a first identifier for a first computing element is received.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for surfacing anomalous network activity on a user interface. An example method provides, for presentation on a user device, a user interface for analyzing network traffic from a customer network. The user interface is populated with network traffic data from the customer network for display to the user. An interactive first filter that is configurable for filtering network traffic based on prevalence of the destination domains of the network traffic is displayed to the user. A first user input configuring the first filter to a first prevalence value is received. In response, the network traffic data is filtered in the user interface to only include network traffic data that has a destination domain that is less prevalent than the first prevalence value.

Abstract: In some implementations, a method includes obtaining an unlabeled computer security data log and processing the unlabeled computer security data log using a machine learning model to generate a probability distribution that includes a respective probability for each of a plurality of possible log types. Each of the plurality of possible log types is associated with a corresponding parser that parses logs of the possible log type to extract structured computer security data. The method further includes selecting the possible log type having the highest probability and parsing the unlabeled computer security data log using the parser corresponding to the selected possible log type.

Abstract: The subject matter of this specification generally relates to computer security. In some implementations, a method includes receiving indicators of compromise from multiple security data providers. Each indicator of compromise can include data specifying one or more characteristics of one or more computer security threats. Each indicator of compromise can be configured to, when processed by a computer, cause the computer to detect the presence of the specified one or more characteristics of the one or more computer security threats. Telemetry data for computing systems of users can be received. The telemetry data can include data describing at least one event detected at the computing system. A determination is made that the telemetry data for a given user includes the one or more characteristics specified by a given indicator of compromise.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for surfacing anomalous network activity on a user interface. An example method provides, for presentation on a user device, a user interface for analyzing network traffic from a customer network. The user interface is populated with network traffic data from the customer network for display to the user. An interactive first filter that is configurable for filtering network traffic based on prevalence of the destination domains of the network traffic is displayed to the user. A first user input configuring the first filter to a first prevalence value is received. In response, the network traffic data is filtered in the user interface to only include network traffic data that has a destination domain that is less prevalent than the first prevalence value.

Abstract: The subject matter of this specification generally relates to computer security. In some implementations, a method includes receiving indicators of compromise from multiple security data providers. Each indicator of compromise can include data specifying one or more characteristics of one or more computer security threats. Each indicator of compromise can be configured to, when processed by a computer, cause the computer to detect the presence of the specified one or more characteristics of the one or more computer security threats. Telemetry data for computing systems of users can be received. The telemetry data can include data describing at least one event detected at the computing system. A determination is made that the telemetry data for a given user includes the one or more characteristics specified by a given indicator of compromise.