Abstract: In some embodiments, a request to filter information associated with activities within a network environment is received in response to a user interaction with a graph that comprises a plurality of nodes. At least one node included in the graph is associated with an activity within a network environment. As one example, the request to filter is triggered by a user interaction with a visual representation of at least a portion of the graph. As another example, the request to filter is triggered by a user interaction with a query field. In response to receiving the filter request, a query is generated based on a join using a query service.

Abstract: Detecting anomalous behavior of a device, including: generating, using information describing historical activity associated with a user device, a trained model for detecting normal activity for the user device; gathering information describing current activity associated with the user device; and determining, by using the information describing current activity associated with the user device as input to the trained model, whether the user device has deviated from normal activity.

Abstract: Generating user-specific polygraphs for network activity, including: gathering information describing network activity associated with a user and generating, based on the information, a user-specific polygraph that includes one or more destinations associated with the network activity.

Abstract: A database server stores compressed units in data blocks of a database. A table (or data from a plurality of rows thereof) is first compressed into a “compression unit” using any of a wide variety of compression techniques. The compression unit is then stored in one or more data block rows across one or more data blocks. As a result, a single data block row may comprise compressed data for a plurality of table rows, as encoded within the compression unit. Storage of compression units in data blocks maintains compatibility with existing data block-based databases, thus allowing the use of compression units in preexisting databases without modification to the underlying format of the database. The compression units may, for example, co-exist with uncompressed tables. Various techniques allow a database server to optimize access to data in the compression unit, so that the compression is virtually transparent to the user.

Abstract: Log data associated with an environment that includes containers is received. An example of such an environment is one managed by Kubernetes. A logical graph is generated using at least a portion of the received log data. The logical graph is used to detect an anomaly. In response to the anomaly being detected, the anomaly is recorded.

Abstract: An agent executes in user space on a machine and monitors for network connections. In response to detecting an initiation of a network connection, data associated with a process associated with the network connection is collected, e.g., by the agent. At least a portion of the collected process data is reported to an external node. The reported information can be used to detect anomalies in a network environment.

Abstract: Detecting deviations from typical user behavior, including: identifying a geographic location of a device that is associated with a user; determining device activity associated with the user; and detecting, based on a profile associated with the user, that the device activity associated with the user deviates from normal activity for the user.

Abstract: Detecting anomalous behavior of a device, including: generating, using information describing historical activity associated with a user device, a trained model for detecting normal activity for the user device; gathering information describing current activity associated with the user device; and determining, by using the information describing current activity associated with the user device as input to the trained model, whether the user device has deviated from normal activity.

Abstract: Establishing a location profile for a user device, including: gathering information associated with the location of a user device; determining, based on the information associated with the location of a user device, whether the user device is being accessed at a known location; responsive to determining that the user device is being accessed at a known location: determining a characterization of the known location; and determining, based on the characterization of the known location, whether device utilization is anomalous; and responsive to determining that the user device is not being accessed at a known location: determining a characterization of the unknown location; and determining, based on the characterization of the unknown location, whether device utilization is anomalous.

Abstract: A logical graph is generated using at least a portion of log data received from a set of agents executing on one or more nodes in one or more data centers. The logical graph is generated at least in part by clustering a first set of nodes using a first clustering criteria. The logical graph is augmented at least in part by performing a reclustering operation using a second clustering criteria.

Abstract: A frame is received at an agent. The frame is analyzed to determine that the frame is associated with a first known pod. IP information is reported to a backend process. The backend process is configured to stitch the IP information with other IP information reported by one or more additional agents to identify a second pod.

Abstract: A logical graph is generated using at least a portion of log data received from a set of agents executing on one or more nodes in one or more data centers. The logical graph is augmented using data obtained from one or more agents executing in containerized environments, including by representing communications between pods within the logical graph. The augmented logical graph is used to detect an anomaly.

Abstract: A request to filter information associated with activities within a network environment is received in response to a user interaction with a graph that comprises a plurality of nodes. At least one node included in the graph is associated with an activity within a network environment. As one example, the request to filter is triggered by a user interaction with a visual representation of at least a portion of the graph. As another example, the request to filter is triggered by a user interaction with a query field. In response to receiving the filter request, a query is generated based on an implicit join using a query service.

Abstract: Activities within a network environment are monitored (e.g., using agents). At least a portion of the monitored activities are used to generate a logical graph model. The generated logical graph model is used to determine an anomaly. The detected anomaly is recorded and can be used to generate an alert.

Abstract: First information associated with a first user login activity is received, as is second information associated with a second user login activity. A determination is made, using the received first and second information, that the first user login activity and second user login activity have a parent-child relationship. The first user login activity and the second user login activity are linked to at least one user and a process.

Abstract: Approaches for composing the display of a virtualized web browser. Upon a host module, executing in a host operating system, of a virtualized web browser being instructed to display a new web page, policy data is consulted to determine if one or more trigger conditions are satisfied. Upon determining that at least one of the one or more trigger conditions is satisfied, the virtualized web browser, transparently to a user, retrieving and rendering the new web page in a location different than where the previous web page was retrieved and rendered by the virtualized web browser. After the new web page has been retrieved and rendered at the location specified by the policy data, the host module displays the new web page. The policy data may operate to specify the behavior of individual tabs of the virtualized web browser.

Abstract: Log data associated with at least one user session in a network environment associated with an original user is received. A logical graph is generated using at least a portion of the received log data. One example of such a logical graph is a privilege change graph that models privilege changes between processes. Another example of such a logical graph is a user login graph that models machines with which the original user interacts. Another example of such a logical graph is a machine-server graph that clusters machines into nodes based on resources executing on the machine. The generated logical graph is used to detect an anomaly.

Abstract: An agent executes in user space on a machine and monitors for network connections. In response to detecting an initiation of a network connection, data associated with a process associated with the network connection is collected, e.g., by the agent. At least a portion of the collected process data is reported to an external node. The reported information is used to detect anomalies in a network environment.

Abstract: Log data associated with an environment that includes containers is received. An example of such an environment is one managed by Kubernetes. A logical graph is generated using at least a portion of the received log data. The logical graph is used to detect an anomaly. In response to the anomaly being detected, the anomaly is recorded.

Abstract: Embodiments of the invention enable any request to download data to a computer system to be performed such that the requested data is stored in a dedicated virtual machine. A request to transfer data from an external location to the computer system is received. The request may originate from a process in a virtual machine or a host operating system. A connection with the external location using parameters identified in the request. The request is performed by transferring the data from the external location to a dedicated virtual machine which does not have access to the file system and cannot persistently store data on the computer system. One or more dedicated virtual machines may be instantiated as needed. A single dedicated virtual machine may accommodate multiple downloads concurrently.