Patents by Inventor Yaakov Garyani

Yaakov Garyani has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240129323
    Abstract: Embodiments detect cyberattack campaigns against multiple cloud tenants by analyzing activity data to find sharing anomalies. Data that appears benign in a single tenant's activities may indicate an attack when the same or similar data is also found for additional tenants. Attack detection may depend on activity time frames, on how similar certain activities of different tenants are to one another, on how unusual it is for different tenants to share an activity, and on other factors. Sharing anomaly analysis may utilize hypergeometric probabilities or other statistical measures. Detection avoidance attempts using digital entity randomization are revealed and thwarted. Authorized vendors may be recognized, mooting anomalousness. Although data from multiple tenants is analyzed together for sharing anomalies while monitoring for attacks, tenant confidentiality and privacy are respected through technical and legal mechanisms. Mitigation is performed in response to an attack indication.
    Type: Application
    Filed: December 6, 2023
    Publication date: April 18, 2024
    Inventors: Yaakov GARYANI, Moshe ISRAEL, Hani Hana NEUVIRTH, Ely ABRAMOVITCH, Amir KEREN, Timothy William BURRELL
  • Patent number: 11888870
    Abstract: Embodiments detect cyberattack campaigns against multiple cloud tenants by analyzing activity data to find sharing anomalies. Data that appears benign in a single tenant's activities may indicate an attack when the same or similar data is also found for additional tenants. Attack detection may depend on activity time frames, on how similar certain activities of different tenants are to one another, on how unusual it is for different tenants to share an activity, and on other factors. Sharing anomaly analysis may utilize hypergeometric probabilities or other statistical measures. Detection avoidance attempts using entity randomization are revealed and thwarted. Authorized vendors may be recognized, mooting anomalousness. Although data from multiple tenants is analyzed together for sharing anomalies while monitoring for attacks, tenant confidentiality and privacy are respected through technical and legal mechanisms. Mitigation is performed in response to an attack indication.
    Type: Grant
    Filed: October 4, 2021
    Date of Patent: January 30, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Yaakov Garyani, Moshe Israel, Hani Hana Neuvirth, Ely Abramovitch, Amir Keren, Timothy William Burrell
  • Patent number: 11681710
    Abstract: Security Information and Event Management tools, log management tools, log analysis tools, and other event data management tools are enhanced. Enhancements harvest entity extraction rules from queries, query results, and other examples involving the extraction of field values from large amounts of data, and help perform entity extraction efficiently. Entity extraction operations locate IP addresses, usernames, and other field values that are embedded in logs or data streams, for example, and populate object properties with extracted values. Previously used extraction rules are applied in new contexts with different users, different data sources, or both. An entity extraction rules database serves as a model that contains rules specifying parsing mechanisms. Parsing mechanisms may include regular expressions, separation character definitions, and may process particular file formats or object notation formats or markup language formats.
    Type: Grant
    Filed: December 23, 2018
    Date of Patent: June 20, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Moshe Israel, Yaakov Garyani, Or Cohen
  • Publication number: 20230107335
    Abstract: Embodiments detect cyberattack campaigns against multiple cloud tenants by analyzing activity data to find sharing anomalies. Data that appears benign in a single tenant's activities may indicate an attack when the same or similar data is also found for additional tenants. Attack detection may depend on activity time frames, on how similar certain activities of different tenants are to one another, on how unusual it is for different tenants to share an activity, and on other factors. Sharing anomaly analysis may utilize hypergeometric probabilities or other statistical measures. Detection avoidance attempts using entity randomization are revealed and thwarted. Authorized vendors may be recognized, mooting anomalousness. Although data from multiple tenants is analyzed together for sharing anomalies while monitoring for attacks, tenant confidentiality and privacy are respected through technical and legal mechanisms. Mitigation is performed in response to an attack indication.
    Type: Application
    Filed: October 4, 2021
    Publication date: April 6, 2023
    Inventors: Yaakov GARYANI, Moshe ISRAEL, Hani Hana NEUVIRTH, Ely ABRAMOVITCH, Amir KEREN, Timothy William BURRELL
  • Publication number: 20210326744
    Abstract: Technology automatically groups security alerts into incidents using data about earlier groupings. A machine learning model is trained with select data about past alert-incident grouping actions. The trained model prioritizes new alerts and aids alert investigation by rapidly and accurately grouping alerts with incidents. The groupings are provided directly to an analyst or fed into a security information and event management tool. Training data may include entity identifiers, alert identifiers, incident identifiers, action indicators, action times, and optionally incident classifications. Investigative options presented to an analyst but not exercised may serve as training data. Incident updates produced by the trained model may add an alert to an incident, remove an alert, merge two incidents, divide an incident, or create an incident. Personalized incident updates may be based on a particular analyst's historic manual investigation actions.
    Type: Application
    Filed: April 17, 2020
    Publication date: October 21, 2021
    Inventors: Moshe ISRAEL, Yaakov GARYANI, Roy LEVIN
  • Patent number: 10943009
    Abstract: Techniques are provided to dynamically generate response actions that may be used to investigate and respond to a security alert. Different prediction models are initially trained using a corpus of training data. This training data is obtained by identifying previous security alerts and then grouping together alert clusters. An analysis is performed to identify which steps were used to respond to the alerts in each group. These steps are fed into a prediction model to train the model. After multiple models are trained and after a new security alert is received, one model is selected to operate on the new alert, where the model is selected because it is identified as being most compatible with the new alert. When the selected model is applied to the new alert, the model generates a set of recommended steps that may be followed to investigate and/or respond to the new alert.
    Type: Grant
    Filed: November 14, 2018
    Date of Patent: March 9, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Dotan Patrich, Yaakov Garyani, Moshe Israel, Yotam Livny
  • Publication number: 20200201856
    Abstract: Security Information and Event Management tools, log management tools, log analysis tools, and other event data management tools are enhanced. Enhancements harvest entity extraction rules from queries, query results, and other examples involving the extraction of field values from large amounts of data, and help perform entity extraction efficiently. Entity extraction operations locate IP addresses, usernames, and other field values that are embedded in logs or data streams, for example, and populate object properties with extracted values. Previously used extraction rules are applied in new contexts with different users, different data sources, or both. An entity extraction rules database serves as a model that contains rules specifying parsing mechanisms. Parsing mechanisms may include regular expressions, separation character definitions, and may process particular file formats or object notation formats or markup language formats.
    Type: Application
    Filed: December 23, 2018
    Publication date: June 25, 2020
    Inventors: Moshe ISRAEL, Yaakov GARYANI, Or COHEN
  • Publication number: 20200151326
    Abstract: Techniques are provided to dynamically generate response actions that may be used to investigate and respond to a security alert. Different prediction models are initially trained using a corpus of training data. This training data is obtained by identifying previous security alerts and then grouping together alert clusters. An analysis is performed to identify which steps were used to respond to the alerts in each group. These steps are fed into a prediction model to train the model. After multiple models are trained and after a new security alert is received, one model is selected to operate on the new alert, where the model is selected because it is identified as being most compatible with the new alert. When the selected model is applied to the new alert, the model generates a set of recommended steps that may be followed to investigate and/or respond to the new alert.
    Type: Application
    Filed: November 14, 2018
    Publication date: May 14, 2020
    Inventors: Dotan Patrich, Yaakov Garyani, Moshe Israel, Yotam Livny