Abstract: Methods, systems, and devices for large language model (LLM) based security insights and/or recommendations at a data security system are described. A data security system may obtain event information associated with monitored computing assets and/or user accounts for a client or customer of the data security system. The data security system may filter the event information and associated computing asset and/or user account information in accordance with a security policy for the client and may generate a prompt for an LLM based on the filtered event and computing asset and/or user account information. The data security system may provide the prompt to the LLM, and the LLM may provide a natural language response to the prompt that provides a security action recommendation to resolve one or more events and/or insights such as a rationale for the security action recommendation and/or an explanation of threats associated with the event.

Abstract: Methods, systems, and devices for security data ingestion and processing at a data security system are described. The data security system may obtain data files from multiple security data sources which may have multiple input formats. The data security system may extract information from the obtained data files and may store the extracted information in one or more databases in format(s) compatible with the one or more databases. The data security system may output information retrieved from the one or more databases to a computing device for display at the computing device via an application programming interface (API). The data security system may convert the information from the storage format(s) associated with the one or more databases to a format compatible with the API (e.g., for display at the computing device). The data security system may perform data processing on the information stored at the one or more databases.

Abstract: Methods, systems, and devices for data security system computing asset and user identity management are described. For example, the data security system may obtain input records from multiple event information sources. The data security system may manage multiple assets for a client that may be associated with multiple user accounts. The multiple event information sources may provide computing asset identifiers (IDs) and/or user IDs in different formats. The data security system may determine linkages between different computing asset IDs between different user IDs in event records. For example, the data security system may use machine learning models to identify linkages between different computing asset IDs, between different user IDs in event logs, and/or between data records obtained from multiple event information sources. Accordingly, the data security system may provide a holistic view of events associated with the same computing asset and/or the same user account.

Abstract: Methods, systems, and devices for collecting risk information associated with common vulnerabilities and exposures (CVEs) from multiple CVE data sources and generating a combined CVE risk score are described. A data security system may monitor for and manage data security risks associated with one or more computing or assets. The data security system may collect CVE risk information from multiple CVE data sources. The data security system may detect the presence of a computing objects associated with a CVE on a monitored computing asset. The data security system may generate a combined risk score for the presence of the computing objects associated with the CVE on the computing asset based on the risk information collected from the multiple CVE data sources and based on contextual information associated with the computing asset.

Abstract: Methods, systems, and devices for generating and applying function-based and/or rule-based labels to data records for a data security system are described. Such labels may be used for querying of data records. A user of a data security system may define metadata criteria for triggering generation of a label. In some examples, the user may define a function that may transform the metadata that satisfies the triggering criteria for a data record into a label to apply to the data record. In some examples, the user may define a rule that indicates a label to apply to the data record(s) that satisfy the metadata criteria. A user may query the database for records based on the labels applied to the data records in a consistent format expected by the administrative user.

Abstract: Methods, systems, and devices for asset discovery, user discovery, data classification, risk evaluation, and data/device security are described. The method includes retrieving data stored at one or more remote locations, summarizing the retrieved data at the one or more remote locations, transferring the summarized data from the one or more remote locations to the at least one computing device, processing the transferred data by the at least one computing device, discovering assets in technology environments, classifying data that resides on each asset of the discovered assets into a respective confidentiality group of multiple confidentiality groups, calculating one or more risk scores for the discovered assets or users of the discovered assets, or both, and performing a security action to protect data that resides on an asset of the discovered assets.

Abstract: Methods, systems, and devices for asset discovery, user discovery, data classification, risk evaluation, and data/device security are described. The method includes retrieving data stored at one or more remote locations, summarizing the retrieved data at the one or more remote locations, transferring the summarized data from the one or more remote locations to the at least one computing device, processing the transferred data by the at least one computing device, discovering assets in technology environments, classifying data that resides on each asset of the discovered assets into a respective confidentiality group of multiple confidentiality groups, calculating one or more risk scores for the discovered assets or users of the discovered assets, or both, and performing a security action to protect data that resides on an asset of the discovered assets.

Abstract: The disclosed computer-implemented method for labeling automatically generated reports may include (i) identifying incident reports that describe incidents that each involve at least one computing system and that comprise automatically collected information about the incidents and a manually analyzed subset of incident reports that comprise manually generated information, (ii) assigning at least one label to at least one incident report in the manually analyzed subset based on applying a machine learning model to the manually generated information, (iii) deriving, from the automatically collected information, a set of features that describe incident reports, (iv) propagating at least one label from a labeled incident report to an incident report that is not in the manually analyzed subset and that comprises similar features with the labeled incident report, and (v) performing an action related to the label on the incident report. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for labeling automatically generated reports may include (i) identifying incident reports that describe incidents that each involve at least one computing system and that comprise automatically collected information about the incidents and a manually analyzed subset of incident reports that comprise manually generated information, (ii) assigning at least one label to at least one incident report in the manually analyzed subset based on applying a machine learning model to the manually generated information, (iii) deriving, from the automatically collected information, a set of features that describe incident reports, (iv) propagating at least one label from a labeled incident report to an incident report that is not in the manually analyzed subset and that comprises similar features with the labeled incident report, and (v) performing an action related to the label on the incident report. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Securing compromised network devices in a network. In one embodiment, a method may include (a) identifying a Positive Unlabeled (PU) machine learning classifier, (b) selecting labeled positive samples and unlabeled positive and negative samples as a bootstrap subset of training data from a set of training data, (c) training the PU machine learning classifier, (d) repeating (a)-(c) one or more times to create a set of trained PU machine learning classifiers, (e) predicting probabilities that a network device in a network has been compromised using each of the trained PU machine learning classifiers, (f) combining the probabilities predicted at (e) to generate a combined risk score for the network device, (g) repeating (e)-(f) one or more times to create a ranked list of combined risk scores, and (h) performing a security action on one or more of the network devices in the ranked list.