Abstract: A computer-implemented method according to one embodiment includes causing a search to be performed for data on at least one security endpoint and organizing information about the performed search into steps and variables. Security analytics are run on a dataset provided from the performed search, and based on results of the analytics, a response is invoked to protect a system that interacts with the analyzed dataset. A computer program product according to another embodiment includes a computer readable storage medium having program instructions embodied therewith. The program instructions are readable and/or executable by a computer to cause the computer to perform the foregoing method. A system according to another embodiment includes a processor, and logic integrated with the processor, executable by the processor, or integrated with and executable by the processor. The logic is configured to perform the foregoing method.

Abstract: A computer-implemented method includes receiving CTI from a data source during a search of a system, and capturing the CTI in a STIX bundle. The method includes invoking an analytic pipeline on the STIX bundle that includes applying a classification model on the STIX bundle to classify features from the CTI and applying a clustering model on the STIX bundle to identify a cluster of features from the CTI. The output of the analytic pipeline is analyzed to identify suspicious features that include a combination of the classified features and the cluster of features. The suspicious features are annotated thereby highlighting risk and threat, and attack techniques are identified using existing domain expertise encoded as heuristics to provide additional machine learning features.

Abstract: A computer implemented method detects suspicious domains. A computer system determines a homographic similarity between a target domain and a known domain. The compute system compares first registration information for the target domain and second registration information for the known domain to form a registration comparison in response the homographic similarity being sufficiently similar to be potentially suspicious. The computer system compares a set of first landing page images for the target domain and a set of second landing page images for the known domain to form an image comparison in response to a match between the first ownership information for the target domain and the second ownership information for the known domain being absent. The computer system determines a threat level for the target domain based on the image comparison.

Abstract: A computer-implemented method according to one embodiment includes causing a search to be performed for data on at least one security endpoint and organizing information about the performed search into steps and variables. Security analytics are run on a dataset provided from the performed search, and based on results of the analytics, a response is invoked to protect a system that interacts with the analyzed dataset. A computer program product according to another embodiment includes a computer readable storage medium having program instructions embodied therewith. The program instructions are readable and/or executable by a computer to cause the computer to perform the foregoing method. A system according to another embodiment includes a processor, and logic integrated with the processor, executable by the processor, or integrated with and executable by the processor. The logic is configured to perform the foregoing method.

Abstract: A method, system, and computer-usable medium for analyzing security data formatted in STIX™ format. Data related to actions performed by one or more users is captured. Individual tasks, such as analytics or extract, transform, load (ETL) tasks related to the captured data is created. Individual tasks are registered to a workflow for executing particular security threat or incident analysis. The workflow is executed and visualized to perform the security threat or incident analysis.

Abstract: For providing computing resources to a user a liaison service initializes communication for first and second computing resources for the user. The liaison services communicate between the user and the computing resources. The communicating authenticates respective requests by the user for the respective first and second computing resources. Initializing the first and second computing resource services for the user by the liaison service includes providing, to the user via the liaison service, respective first and second account identifiers for the respective first and second computing resource services and includes storing in association with the first and second account identifiers, by the liaison service in a user password vault, respective first and second computing resource key identifiers.

Abstract: Aspects of the present invention provide for methods that index geographic locations with comparative indicators that are determined from a sentiment analysis of opinion data, wherein the comparative indicators may include sums of different indices that are each determined from sentiment analysis of opinion data.

Abstract: A framework system is present that provides an end-to-end solution for user on-boarding, storing, securing, configuring, authenticating of the target person (grantee user), and transmittal of digitized documents assets. The framework system is preferably a multi-tenant cloud based system, although other systems may be used. The system processes multiple inputs to cognitively determine implementation (cognitive decision making) of digitized assets to a grantee user or target user without human intervention.

Abstract: Identifying cyber adversary behavior on a computer network is provided. Individual security events are received from multiple threat intelligence data sources. A security incident corresponding to an attack on at least one element of the computer network, the security incident being described by the individual security events received from the multiple threat intelligence data sources, is matched to a defined cyber adversary objective in a structured framework of a plurality of defined cyber adversary objectives and a related technique associated with the defined cyber adversary objective used by a cyber adversary in the attack. A set of mitigation actions is performed on the computer network based on matching the security incident corresponding to the attack on the computer network to the defined cyber adversary objective and the related technique.

Abstract: A method, system, and computer-usable medium for analyzing security data formatted in STIX™ format. Data related to actions performed by one or more users is captured. Individual tasks, such as analytics or extract, transform, load (ETL) tasks related to the captured data is created. Individual tasks are registered to a workflow for executing particular security threat or incident analysis. The workflow is executed and visualized to perform the security threat or incident analysis.

Abstract: Data item transfer between mobile devices is provided. Network association and proximity of a plurality of mobile devices of a requested data item by a requesting mobile device are determined using a shared ledger of mobile device inventory data, mobile device network connection data, and mobile device geolocation data. A target mobile device that contains the requested data item, is connected to a same local network as the requesting mobile device, and is geographically located proximate with a threshold to the requesting mobile device is identified based on the determined network association and proximity of the plurality of mobile devices and data in the shared ledger. A transfer of the requested data item from the target mobile device to the requesting mobile device is initiated via the same local network based on mobile device management policies.

Abstract: Optimizing ingestion of security structured data into a graph database for security analytics is provided. A plurality of streams of information is received from a plurality of security information sources. Respective subsets of information are ingested from each of the plurality of security information sources to generate small subgraphs of security information. Each of the small subgraphs comply to a schema used by a master knowledge graph. A batch process is performed to ingest a plurality of small subgraphs into the master knowledge graph.

Abstract: Prioritizing security incidents for analysis is provided. A set of security information and event management data corresponding to each of a set of security incidents is retrieved. A source weight of a security incident and a magnitude of the security incident are used to determine a priority of the security incident within the set of security incidents. A local analysis of the security incident is performed based on the retrieved set of security information and event management data corresponding to the security incident and the determined priority of the security incident.

Abstract: For providing computing resources to a user a liaison service initializes communication for first and second computing resources for the user. The liaison services communicate between the user and the computing resources. The communicating authenticates respective requests by the user for the respective first and second computing resources. Initializing the first and second computing resource services for the user by the liaison service includes providing, to the user via the liaison service, respective first and second account identifiers for the respective first and second computing resource services and includes storing in association with the first and second account identifiers, by the liaison service in a user password vault, respective first and second computing resource key identifiers.

Abstract: Aspects of the present invention provide devices that index geographic locations with comparative indicators that are determined from a sentiment analysis of opinion data, wherein the comparative indicators may include sums of different indices that are each determined from sentiment analysis of opinion data.

Abstract: Identifying cyber adversary behavior on a computer network is provided. Individual security events are received from multiple threat intelligence data sources. A security incident corresponding to an attack on at least one element of the computer network, the security incident being described by the individual security events received from the multiple threat intelligence data sources, is matched to a defined cyber adversary objective in a structured framework of a plurality of defined cyber adversary objectives and a related technique associated with the defined cyber adversary objective used by a cyber adversary in the attack. A set of mitigation actions is performed on the computer network based on matching the security incident corresponding to the attack on the computer network to the defined cyber adversary objective and the related technique.

Abstract: Data item transfer between mobile devices is provided. Network association and proximity of a plurality of mobile devices of a requested data item by a requesting mobile device are determined using a shared ledger of mobile device inventory data, mobile device network connection data, and mobile device geolocation data. A target mobile device that contains the requested data item, is connected to a same local network as the requesting mobile device, and is geographically located proximate with a threshold to the requesting mobile device is identified based on the determined network association and proximity of the plurality of mobile devices and data in the shared ledger. A transfer of the requested data item from the target mobile device to the requesting mobile device is initiated via the same local network based on mobile device management policies.

Abstract: In response to an attempt to install an instance of a container in a production environment, a set of security criteria associated with the container and features of the production environment are compared. Based on the comparison, a determination is made as to whether the features of the production environment satisfy the set of security criteria.

Abstract: Prioritizing security incidents for analysis is provided. A set of security information and event management data corresponding to each of a set of security incidents is retrieved. A source weight of a security incident and a magnitude of the security incident are used to determine a priority of the security incident within the set of security incidents. A local analysis of the security incident is performed based on the retrieved set of security information and event management data corresponding to the security incident and the determined priority of the security incident.

Abstract: Optimizing ingestion of security structured data into a graph database for security analytics is provided. A plurality of streams of information is received from a plurality of security information sources. Respective subsets of information are ingested from each of the plurality of security information sources to generate small subgraphs of security information. Each of the small subgraphs comply to a schema used by a master knowledge graph. A batch process is performed to ingest a plurality of small subgraphs into the master knowledge graph.