Abstract: Adapting automatic software update behavior for virtual desktop infrastructure deployed endpoints includes detecting a request for services of a threat management facility for an enterprise network that originates from a compute instance embodied as a virtual machine instantiated from a versioned software template, and updating software on the compute instance based on a determination of availability of updated software for the compute instance and an update pause parameter indicating that updating software for virtual machines instantiated from the versioned software template is permitted for the compute instance.

Abstract: A threat management facility receives data from a variety of sources such as compute instances within an enterprise network, cloud service providers supporting the enterprise network, and third-party data providers such as geolocation services. In order to facilitate prompt notification of potential risks, the threat management facility may incrementally update data for use in threat assessments as the data becomes available from these different sources, and create suitable alerts or notifications whenever the currently accumulated data provides an indication of threat meeting a predetermined threshold.

Abstract: An asynchronous stream of security events is added to a data lake for enterprise security by identifying groups of related events related to a security threat, and creating rules to fold these related events into a single security event along with metadata. The folding rules may then be applied to security events in the event stream to compress data in the data lake and improve detection efficiency.

Abstract: A platform for threat investigation in an enterprise network receives threat data from managed endpoints, and is augmented with data from cloud computing platforms and other third-party resources. The resulting merged data set can be incrementally updated and used to automatically launch investigations at appropriate times.

Abstract: A threat management facility receives data from a variety of sources such as compute instances within an enterprise network, cloud service providers supporting the enterprise network, and third-party data providers such as geolocation services. In order to facilitate prompt notification of potential risks, the threat management facility may incrementally update data for use in threat assessments as the data becomes available from these different sources, and create suitable alerts or notifications whenever the currently accumulated data provides an indication of threat meeting a predetermined threshold.

Abstract: A threat management system stores an attack matrix characterizing tactics and techniques, and provides threat detection based on patterns of traversal of the attack matrix. Where the threat management system provides a data lake of security events and a query interface for using the data lake to investigate security issues, useful inferences may also be drawn by comparing query activity in the query interface with the patterns of traversal of the attack matrix, such as by using a malicious pattern of traversal to identify a concurrent chain of queries indicative of a threat, or by presenting separate threat scores to an analyst based on query activity and patterns of traversal.

Abstract: An asynchronous stream of security events is added to a data lake for enterprise security by identifying groups of related events related to a security threat, and creating rules to fold these related events into a single security event along with metadata. The folding rules may then be applied to security events in the event stream to compress data in the data lake and improve detection efficiency.

Abstract: A threat management facility receives data from a variety of sources such as compute instances within an enterprise network, cloud service providers supporting the enterprise network, and third-party data providers such as geolocation services. In order to facilitate prompt notification of potential risks, the threat management facility may incrementally update data for use in threat assessments as the data becomes available from these different sources, and create suitable alerts or notifications whenever the currently accumulated data provides an indication of threat meeting a predetermined threshold.

Abstract: Adapting automatic software update behavior for virtual desktop infrastructure deployed endpoints includes detecting a request for services of a threat management facility for an enterprise network that originates from a compute instance embodied as a virtual machine instantiated from a versioned software template, and updating software on the compute instance based on a determination of availability of updated software for the compute instance and an update pause parameter indicating that updating software for virtual machines instantiated from the versioned software template is permitted for the compute instance.

Abstract: A threat management facility for an enterprise provides security services to a number of virtual compute instances executing on a remote cloud computing platform. In order to prevent or reduce an accumulation of records for abandoned compute instances, each new virtual compute instance is explicitly identified by a user (and optionally a template), and then compared to existing records to identify possible redundancies, which can be deleted or otherwise managed.

Abstract: An asynchronous stream of security events is added to a data lake for enterprise security by identifying groups of related events related to a security threat, and creating rules to fold these related events into a single security event along with metadata. The folding rules may then be applied to security events in the event stream to compress data in the data lake and improve detection efficiency.

Abstract: A platform for managing threat data integrates threat data from a variety of sources including internal threat data from instrumented compute instances associated with an enterprise network and threat data from one or more independent, external resources. Threat assessments are incrementally revised as this threat data is asynchronously received from various sources, and a threat intervention container is automatically created and presented to an investigator when a composite threat score for one or more of the compute instances meets a predetermined threshold.

Abstract: A threat management system stores an attack matrix characterizing tactics and techniques, and provides threat detection based on patterns of traversal of the attack matrix. Where the threat management system provides a data lake of security events and a query interface for using the data lake to investigate security issues, useful inferences may also be drawn by comparing query activity in the query interface with the patterns of traversal of the attack matrix, such as by using a malicious pattern of traversal to identify a concurrent chain of queries indicative of a threat, or by presenting separate threat scores to an analyst based on query activity and patterns of traversal.

Abstract: A threat management facility receives data from a variety of sources such as compute instances within an enterprise network, cloud service providers supporting the enterprise network, and third-party data providers such as geolocation services. In order to facilitate prompt notification of potential risks, the threat management facility may incrementally update data for use in threat assessments as the data becomes available from these different sources, and create suitable alerts or notifications whenever the currently accumulated data provides an indication of threat meeting a predetermined threshold.

Abstract: A platform for threat investigation in an enterprise network receives threat data from managed endpoints, and is augmented with data from cloud computing platforms and other third-party resources. The resulting merged data set can be incrementally updated and used to automatically launch investigations at appropriate times.

Abstract: Material is incrementally deposited using material directed toward a deposition zone. The scan path of the directed material is controlled according to a path plan derived to reduce derivation from an ideal uniform temperature profile for the deposition during the deposition process. A path plan having angled scan passes that intersect (or overcross one another), for example in a mirrorbox path plan, is preferred.

Abstract: Material is incrementally deposited using material directed toward a deposition zone. The scan path of the directed material is controlled according to a path plan derived to minimise or reduce derivation from an ideal uniform temperature profile for the deposit during the deposition process. A path plan having an angled scan passes intersecting or over-crossing (for example in a mirrorbox path plan) is preferred.