Abstract: Embodiments of various systems and methods described herein provide an identity security database analytics system which is configured to provide security alerts to a user. The security alerts can include for personalized metrics related to potential identity theft incidents. The personalized metrics can include user specific information on security breaches of the user's personal information as well as depersonalized statistics generated based on information of other users having one or more similar characteristics of the user.

Abstract: Requests are received for handling by a cloud computing environment which are then executed by the cloud computing environment. While each request is executing, performance metrics associated with the request are monitored. A vector is subsequently generated that encapsulates information associated with the request including the text within the request and the corresponding monitored performance metrics. Each request is then assigned (after it has been executed) to either a normal request cluster or an abnormal request cluster based on which cluster has a nearest mean relative to the corresponding vector. In addition, data can be provided that characterizes requests assigned to the abnormal request cluster. Related apparatus, systems, techniques and articles are also described.

Abstract: In an embodiment, a computer-implemented method for causing funds to be transferred between a first user and a second user of a payment transfer system includes receiving, from an application executing on a user device of the first user, a user input for a payment transfer. The user input includes an identifier associated with the second user and a payment amount. The method includes configuring a resource associated with the payment transfer system and accessible via an interactive interface element activatable at a user device of the second user. The resource is configured to initiate transfer of the payment amount. The method includes causing an electronic message associated with the payment transfer and the interactive interface element to be transmitted to the user device of the second user. The method includes, upon receiving an indication of an intent to effectuate the payment transfer, initiating a transfer of the payment amount.

Abstract: A system and method for fast-detection and mitigation of emerging network fraud attacks includes sourcing digital event data samples associated with one or more online services; executing graph-rendering computer instructions that automatically construct a backbone graph using a subset of features extracted from the sourced digital event data samples, wherein the constructing includes: identifying, as graphical nodes, a first plurality of distinct features of the subset of features; identifying, as graphical edges, a second plurality of distinct features of the subset of features; generating a graphical edge between distinct pairs of graphical nodes comprising a same type of feature of the subset of features based on feature values associated with at least one distinct feature of the second plurality of distinct features; and mitigating, via a digital threat mitigation action, if one or more emerging network fraud attacks is identified based on an assessment of a cluster of networked nodes.

Abstract: A network security computing system includes a steganographic communications analysis engine monitoring incoming and outgoing messages on a secure computing network. The steganographic communications analysis engine identifies a pattern of file transfers between a first computing device on the secure computing network and an internal or external message recipient. When a pattern is identified, the steganographic communications analysis engine quarantines an associated computing device from the secure network. The steganographic communications analysis engine analyzes files transferred between the computing device and the recipient for indications of steganographic information and causes display, based on an identified indication of steganography, an indication that the computing device had been compromised by command and control malware.

Abstract: Systems and methods of blocking phishing attempts in a computer network, including receiving a list of assets of the computer network, wherein each asset is associated with at least one computer network address, generating at least one address permutation on the at least one computer network address of each asset of the computer network, wherein the generated at least one address permutation is different from the address associated with each asset of the computer network, receiving a communication request at a gateway server of the computer network, determining a destination address of the communication request, comparing the determined destination address with the at least one address permutation, and when the determined destination address is the same as at least one address permutation, blocking the communication request at the gateway server.

Abstract: One or more computing devices, systems, and/or methods are provided. Event information associated with a plurality of events may be identified. The plurality of events may be associated with first entities corresponding to a first entity type and second entities associated with a second entity type. A first network profile associated with the first entities and the second entities may be generated based upon the event information. An iterative process may be performed to identify a coalition network associated with fraudulent activity. The iterative process may include analyzing the first network profile to identify a first set of entities, of the first entities, that are related to an entity of the second entities, and/or analyzing the first network profile to identify a second set of entities, of the second entities, that are related to the first set of entities. Multiple iterations may be performed to identify the coalition network.

Abstract: The present application provides a device for providing control plane (CP) and/or user plane (UP) analytics. The device is configured to obtain information related to a resource and/or a change of a resource related to a CP and/or a UP; perform an analysis based on the obtained information; and generate data based on the analysis. This application also provides a management plane entity, for example, an operation, administration and management (OAM). The management plane entity is configured to provide information related to a resource, wherein the resource is related to a CP and/or a UP to the device for providing analytics.

Abstract: Systems and methods are provided for the classification of identified security vulnerabilities in software applications, and their automated triage based on machine learning. The disclosed system may generate a report listing detected potential vulnerability issues, and extract features from the report for each potential vulnerability issue. The system may receive policy data and business rules, and compare the extracted features relative to such data and rules. The system may determine a token based on the source code of a potential vulnerability issue, and a vector based on the extracted features of a potential vulnerability issue and based on the token. The system may select a machine learning modelling method and/or an automated triaging method based on the vector, and determine a vulnerability accuracy score based on the vector using the selected method.

Abstract: Systems and methods are described for resource-efficient memory deduplication and write-protection. In an example, a method includes receiving, by a computing device having a processor, a request to assess deduplication for a plurality of candidate files. The computing device may perform one or more iterative steps for deduplication. The iterative steps may include: receiving, from the plurality of candidate files, a candidate file that is not write-protected; determining, based on a predetermined Bernoulli distribution, a decision to write-protect the candidate file; rendering the candidate file as a write-protected candidate file; determining, based on a review of other candidate files from the plurality of candidate files, that the write-protected candidate file can be deduplicated; and deduplicating the write-protected candidate file.

Abstract: Described is a system for detection of network activities using transitive tensor analysis. The system divides a tensor into multiple subtensors, where the tensor represents communications on a communications network of streaming network data. Each subtensor is decomposed, separately and independently, into subtensor mode factors. Using transitive mode factor matching, orderings of the subtensor mode factors are determined. A set of subtensor factor coefficients is determined for the subtensor mode factors, and the subtensor factor coefficients are used to determine the relative weighting of the subtensor mode factors, and activity patterns represented by the subtensor mode factors are detected. Based on the detection, an alert of an anomaly is generated, indicating a in the communications network and a time of occurrence.

Abstract: Systems, methods, apparatuses, and computer program products for dynamically updating routing identifiers (IDs) are provided. One method may include deciding, at a network node, to update a routing identifier for at least one user equipment. The method may then include obtaining or generating a new routing identifier to be assigned to the at least one user equipment along with authentication vectors, and transmitting the new routing identifier to an authentication entity.

Abstract: Disclosed herein are systems and method for inspecting archived slices for malware using empty spare files. In one exemplary aspect, the method comprises generating a backup slice and a virtual volume comprising a list of files in the backup slice and associated file information. The method comprises mounting the virtual volume to a disk. The method comprises creating, in the virtual volume, empty sparse files that are placeholders of the files reference in the list of files. The method comprises detecting a change between a respective empty sparse file and a corresponding file in a previous backup slice and accordingly storing the actual content of the file in the virtual volume in place of the respective empty sparse file. The method comprises scanning the virtual volume for malicious software and generating a cured slice that replaces the backup slice in the backup archive upon detection.

Abstract: A method includes processing a user input for generating a non-deterministic finite automata tree (NFAT) correlation policy. The user input indicates one or more of a static condition or a dynamic condition for inclusion in the NFAT correlation policy. The static condition includes a comparison between a defined entity and a first fixed parameter. The dynamic condition includes a comparison between the defined entity and a variable parameter. An applicable NFAT element is generated that includes at least one of the NFAT correlation policy generated based on a determination that the user input indicates the static condition or a NFAT template generated based on a determination that the user input indicates the dynamic condition. Event data received from a network device is processed to detect a status of a network entity associated with a communication network based on the applicable NFAT element.

Abstract: Example implementations relate to method and system for securing a workload from a security vulnerability based on management of critical patches for the workload. The method includes obtaining information of existing patches for each of a plurality of infrastructure resources that are required to execute the workload, where the infrastructure resources are segregated as multiple layers. The method further includes determining dependency of the infrastructure resources across the multiple layers and identifying the security vulnerability related to the infrastructure resources. The method further includes evaluating perceived criticalities of first and second new patches for the security vulnerability based a workload weightage, a resource age of the infrastructure resources, and an actual criticality of the first and second new patches.

Abstract: Disclosed is a cyber-security system that is configured to aggregate and unify data from multiple components and platforms on a network. The system allows security administrators can to design and implement a workflow of device-actions taken by security individuals in response to a security incident. Based on the nature of a particular threat, the cyber-security system may initiate an action plan that is tailored to the security operations center and their operating procedures to protect potentially impacted components and network resources.

Abstract: Embodiments of the invention are directed to systems, methods, and computer program products for generation of dynamic authentication tokens for use in system-to-system transaction authorization and user identity verification. The system utilizes user historical data to generate unique authentication tokens which are customized to a particular user. Furthermore, the system rotates not only the encryption algorithms used, but also the datasets being encrypted in order to provide a high level of security such that even if a user's historical data was compromised, it would be highly unlikely that an attacker would be able to recreate the authentication token stemming from said historical data at any given point in time. The system eliminates the need for user-provided authentication credentials and provides a more secure and more efficient method of authenticating data exchange between multiple systems or applications.

Abstract: A trust reality service brokering apparatus located on an edge cloud receives a context rule, analyzes event data of at least one physical entity connected to the edge cloud based on the context rule, and transmits an action command to a physical entity or virtual entity corresponding to the event when it is determined that an event has occurred according to an analysis result.

Abstract: Methods, apparatus, and processor-readable storage media for evaluating cyber attacker behavior using machine learning to identify anomalies are provided herein. An example method includes obtaining, based on events associated with changes in one or more of a registry and a computer process, baseline models comprising a user context representing normal behavior for a first subset of features associated with the events with respect to a given user, an inverse context that represents normal behavior for at least one feature with respect to a particular value of one or more features in the first subset, and a global context representing a behavior of the features across the plurality of users; detecting a new event attributable to the given user; calculating a score for the new event using one or more of the baseline models; and determining that the new event is an anomaly in response to the score satisfying a threshold.

Abstract: A cyber security protection system includes a plurality of threat information updating devices; and a proactive suspicious domain alert system, which including: a domain information monitoring device; a domain information storage device; and a security threat analysis device, arranged to operably communicate data with the plurality of threat information updating devices through a network. If the domain information monitoring device detects that a domain mapping of a suspect domain is changed and the new domain mapping of the suspect domain points to a predetermined local address, the domain information monitoring device would further monitor a domain mapping variation frequency of the suspect domain. If the domain mapping variation frequency of the suspect domain exceeds a predetermined value, the security threat analysis device adds the suspect domain into an alert list to render the plurality of threat information updating devices to block their member devices from accessing the suspect domain.

Abstract: Herein disclosed is a method for automatically extracting signatures for malware. The method takes advantage of a fundamental economic requirement of malware authors: they must reuse code to manage the time investment. The method disclosed finds shared code between malware and generates signatures from the code. A method is also disclosed for separating code that is found predominantly, if not exceptionally, in malware from code that may be found in benign program.

Abstract: Analytics processing circuitry can include a data scavenger and a data analyzer coupled to receive the data from the data scavenger. The data scavenger collects data from at least one element of interest of a plurality of elements of interest of an IC. The data analyzer identifies patterns in the data from the data scavenger over a time frame or for a snapshot of time based on a predefined metric. The analytics processing circuitry can further include a moderator and a risk predictor. The risk predictor generates a risk assessment regarding whether the data collected by the data scavenger is indicative of normal behavior or abnormal behavior based at least on the output of the data analyzer and a behavioral model for the IC, which can be device and application specific. A threat response can be performed based on the risk assessment.

Abstract: A determination apparatus includes a keyword extraction unit that extracts keywords characterizing a vulnerability from known vulnerability information, and a 0-day attack determination unit that compares the keywords characterizing the vulnerability and keywords included in a request used for an attack, and when a value of a score indicating a degree of inclusion of same keywords as the keywords characterizing the vulnerability in the request is smaller than a predetermined threshold, determines that the request is a 0-day attack that is neither a known attack nor an attack similar to the known attack.

Abstract: A computing system for securely managing access to resources of a computing device receives an input at a secure login of a user interface. The computing system compares the input to a plurality of stored security measures and activates one of an operating system or a configuration of a false desktop system. A user interface of the false desktop system shares characteristics with a user interface of an operating system and restricts access to specified files, data stores, applications, networking functions, and/or ports associated with the computing system. When configured, the false desktop system or the operating system is enabled based on the location of the computing system. When configured, the false desktop system deletes files, data stores, and applications of the operating system.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: A charging cable has a current sensor, a charging state indicator and logic circuitry to operate the indicator based on detected levels of current flow to a chargeable device. If the sensor detects current is below a low threshold, the logic circuitry operates the indicator to indicate that the cable is not connected to any chargeable device. If the sensor detects current at or above a higher threshold, the logic circuitry operates the indicator to provide a perceptible output indicating that the cable is connected to the chargeable device and the current is charging the battery. If the sensor detects current at or above the low threshold but below the high threshold, the logic circuitry operates the indicator to provide a perceptible output indicating that the cable is connected to a chargeable device but is not charging the battery of the device, e.g. when the battery is, or is nearly, fully charged.

Abstract: The main objective of Certificate Transparency (CT) is to detect mis-issued certificates or rouge certificate authorities. It has been observed that phishing sites have been increasingly acquiring certificates to look more legitimate and reach more victims, thus providing an opportunity to predict phishing domains early. The present disclosure provides systems and methods for early detection of phishing and benign domain traces in CT logs. The provided system may predict phishing domains early even before content is available via time-, issuer-, and certificate-based characteristics that are used to identify sets of CT-based inexpensive and novel features. The CT-features are augmented with other features including passive DNS (pDNS) and domain-based lexical features.

Abstract: In an embodiment, process for providing a secure remote workspace includes accessing, via a first client application, a remote desktop application. The process includes activating, within the remote desktop, a second client application to provide access to a task. The process includes obtaining user input in connection with executing the task, and transmitting user input information associated with the execution of the task to a server.

Abstract: Mechanisms for identifying a pattern of computing resource activity of interest, in activity data characterizing activities of computer system elements, are provided. A temporal graph of the activity data is generated and a filter is applied to the temporal graph to generate one or more first vector representations, each characterizing nodes and edges within a moving window defined by the filter. The filter is applied to a pattern graph representing a pattern of entities and events indicative of the pattern of interest, to generate a second vector representation. The second vector representation is compared to the one or more first vector representations to identify one or more nearby vectors, and one or more corresponding subgraph instances are output to an intelligence console computing system as inexact matches of the temporal graph.

Abstract: Systems and methods are provided for monitoring information-security coverage to identify a vulnerability or risk in the information-security coverage. An information-security system can include computing systems, databases, a security server, etc. that can communicate data via a network. The server can be used to obtain data indicating a process for managing or monitoring information-security in the system and data indicating activity on the network, computing systems, server, or databases. The server then determines a metric based on the obtained data and the metric can indicate a risk or vulnerability in information-security coverage in the system. The server can then aggregate the data and transmit the aggregated data to a computing device. The computing device can generate an interface for outputting data for monitoring information-security coverage or identifying a vulnerability or risk in information-security coverage, which can improve the security of the information-security system.

Abstract: A multimode system for receiving data in a retail environment includes: a secure input module for receiving high security input and low security input from a customer, the high security input to be communicated by the secure input module in cipher text, and the low security input to be communicated by the secure input module in plaintext. The multimode system is adapted to operate in a high security mode and a low security mode. The multimode system is adapted to enter the low security mode upon detection by the multimode system of a security breach condition. In the high security mode, the secure input module accepts low security input and high security input. In the low security mode, the secure input module accepts the low security input and does not accept the high security input.

Abstract: Methods, systems, and apparatus for a threat detection system. The threat detection system includes a threat forensics platform. The threat forensics platform includes a memory. The memory is configured to store a baseline model of controller area network (CAN) data. The threat forensics platform includes a processor coupled to the memory. The processor is configured to obtain CAN data including multiple messages. The processor is configured to compare the CAN data including the multiple messages with the baseline model. The processor is configured to determine a threat score for the CAN data based on the comparison and determine that there is a threat within the CAN data based on the threat score. The processor is configured to provide an indication that there is the threat to a driver of a vehicle or to a service provider.

Abstract: A data storage device providing secure data storage for a software application executed by an operating system in a computer system including a file system operation interceptor that detects requests for file system operations in respect of data for the application; a file system operation analyzer that is responsive to the interceptor and that analyses an intercepted file system operation request to identify attributes associated with the file system operation; a comparator that compares the attributes with a predefined security policy definition; a cryptographic unit that encrypts and/or decrypts data using one or more cryptographic functions; wherein the cryptographic unit is operable in response to the comparator to perform an encryption or decryption operation on the data and effect the performance of the requested file system operation by the operating system.

Abstract: A method for reprogramming data of a software function executed by an execution core and a security core, the data being present in two physically separate non-volatile memories, each managed by one of the execution or security cores, including the following steps: upon receiving a reprogramming request, a second value is stored in a first Boolean, determining whether the first Boolean is equal to the second value and if a second Boolean is equal to a first value, and if affirmative; an execution core is made to emit at a reinitialization request via a bidirectional communication channel towards a security core and a request to initialize a portion of the first non-volatile memory towards the set of functions for managing the non-volatile memory by an execution core; a second value is stored in the second Boolean; it is determined whether a predetermined reprogramming event has taken place, and if affirmative, the first value is stored in the first Boolean, while keeping the second value in the second Boolean

Abstract: An orchestration system is described that is configured to receive a request to monitor compliance of an enterprise infrastructure and generate an infrastructure change that is associated with the compliance of the enterprise infrastructure, based at least in part on a set of predetermined criteria. In doing so, the orchestration system may further generate one or more infrastructure change events based at least in part on instances of the infrastructure change within the enterprise infrastructure. The orchestration system may further generate a verification report for the enterprise infrastructure, based at least in part on the one or more infrastructure change events, and transmit the verification report to a registered user associated with the request.

Abstract: An integrated-circuit device comprises a bus system connected to a processor, a plurality of peripherals, each connected to the bus system, hardware filter logic; and a peripheral interconnect system, separate from the bus system and connected to the peripherals. For each peripheral, the hardware filter logic stores a respective value determining whether the peripheral is in a secure state. The peripheral interconnect system provides a set of one or more channels for signalling events between peripherals. At least one channel is a secure channel or is configurable to be a secure channel. The peripheral interconnect system is configured to allow an event signal from a peripheral in the secure state to be sent over a secure channel and to prevent an event signal from a peripheral that is not in the secure state from being sent over the secure channel.

Abstract: A method for searching for abnormal sessions, the method may include (a) obtaining session metadata for each of session of a group of sessions; wherein a session metadata of a session is indicative of at least one session feature that represents activities of the session; (b) forming multiple chunks, whereas each chunk comprises session metadata regarding a portion of the group of sessions; (c) for each chunk, generating chunk-based clusters by applying an iterative clustering process on data points that represent session metadata of the chunk; (d) generating group-based clusters, based on the chunk-based clusters; (e) determining, based at least on the group-based clusters, user profiles and abnormal sessions.

Abstract: Described herein are systems, methods, and non-transitory computer readable media for automating the transfer/syncing of datasets or other artifacts from one security domain (e.g., a low security side environment) to another security domain (e.g., a high security side environment) in a seamless manner that complies with requirements of a data transfer mechanism used to transfer data between the two security domains while ensuring data integrity and consistency between the two security domains.

Abstract: An example method includes detecting, using sensors, packets throughout a datacenter. The sensors can then send packet logs to various collectors which can then identify and summarize data flows in the datacenter. The collectors can then send flow logs to an analytics module which can identify the status of the datacenter and detect an attack.

Abstract: A computer-implemented method, computer program product and computing system for: obtaining first system-defined platform information concerning a first security-relevant subsystem within a computing platform; obtaining at least a second system-defined platform information concerning at least a second security-relevant subsystem within the computing platform; combining the first system-defined platform information and the at least a second system-defined platform information to form system-defined consolidated platform information; and generating a security profile based, at least in part, upon the system-defined consolidated platform information.

Abstract: Methods allow a predicting and detecting potential anomalies at a service infrastructure. A strings table having entries that define character strings and corresponding anomaly probabilities is accessed. A log entry related to an event occurring in the service infrastructure is generated in a database. The log entry includes a character string designating a name of a file or an IP address and a domain name hosted by the service infrastructure. A search is made for the character string in the strings table. The domain name is marked as suspect if the character string is found in the strings table and if an anomaly probability for the character string exceeds a predetermined threshold. The anomaly probabilities may be calculated using a Bayesian filter that accounts for a number of domains hosted by the service infrastructure on which the character string has recently appeared.

Abstract: This disclosure provides systems, methods, and apparatus, including computer programs encoded on computer-readable media, for a user equipment (UE) to select a data connection based on which applications are active in a foreground process of an application processor. The UE may activate a dedicated data subscription (DDS) based on a list of active applications. In some aspects, the UE may programmatically initiate a DDS switch based on which applications are active. The UE may determine which data connection to activate as the DDS based on the application configuration information and which applications are active. Application configuration information may indicate preferences regarding different data connections to use for each application. The application configuration information may indicate a preferred radio access technology (RAT), a preferred communication network, a preferred subscription, or any combination thereof.

Abstract: Computer-implemented method of detecting potential cybersecurity threats from collected data pertaining to a monitored network, the collected data comprising network data and/or endpoint data. The method comprises structuring the collected data as at least one data matrix, each row of the data matrix being a datapoint and each column corresponding to a feature. The method also comprises identifying one or more datapoints as anomalous, thereby detecting a potential cybersecurity threat. The method also comprises extracting causal information about the anomalous datapoint based on an angular relationship between a second-pass coordinate vector of the anomalous datapoint and a second-pass coordinate vector of one or more features. The second-pass coordinate vectors are determined by applying a second-pass singular value decomposition (SVD) to a residuals matrix.

Abstract: A computer-implemented method for revoking access permissions to computing resources, the method including retrieving certification rules for a computing resource; receiving information related to a user associated with an access permission for the computing resource; comparing the information with the certification rules to determine compliance with the certification rules; and responsive to determining that compliance with the certification rules fails, revoking the access permission.

Abstract: An integrated circuit device has a processor, a software-trace message handling system, a software-trace message sink peripheral, and a hardware interconnect system. The interconnect system is capable of directing software-trace messages from the processor to the software-trace message handling system, and of directing software-trace messages from the processor to the software-trace message sink peripheral. The software-trace message sink peripheral can present an interconnect delay to the processor, when receiving a software-trace message from the processor, that is equal to or substantially equal to an interconnect delay that the software-trace message handling system would have presented to the processor if the software-trace message handling system were to have received the software-trace message.

Abstract: Systems and methods for creating and handling workspace indicators of compromise (IOC) based upon configuration drift are described. In some embodiments, a memory storage device may have program instructions stored thereon that, upon execution by one or more processors of an Information Handling System (IHS) of a workspace orchestration service, cause the IHS to: receive configuration information from a client IHS at a workspace orchestration service, where the configuration information represents a change in a configuration of a workspace executed by the client IHS, and where the workspace is instantiated based upon a workspace definition provided by the workspace orchestration service; determine, by the workspace orchestration service, that the configuration information matches an IOC; and transmit, from the workspace orchestration service to the client IHS, an instruction to perform an action responsive to the IOC.

Abstract: A transceiver for sending and receiving data from a controller area network (CAN) bus is disclosed. The transceiver includes a microcontroller port, a transmitter and a receiver. The transceiver is configured to receive a data frame from a microcontroller via the microcontroller port and to determine if the microcontroller is authorized to send the data frame or part of it based on a message identifier in the data frame and the outcome of the arbitration process. If the microcontroller is unauthorized to send the data, the transceiver is configured to invalidate the data frame and disconnect the microcontroller from the CAN bus for a predetermined period.

Abstract: A computer system is provided. The computer system includes a memory and at least one processor coupled to the memory. The processor is configured to identify a message to a plug and play (PnP) manager of an operating system, the message comprising an identifier of a device to be configured by the PnP manager, determine whether the device is targeted for device identifier translation at least in part by determining whether the device satisfies one or more target device criteria, and replace the identifier of the device with a reference identifier different from the identifier of the device in response to a determination that the device is targeted for device identifier translation, the reference identifier being usable by the PnP manager to install or configure the device.

Abstract: Techniques are described for an IT and security operations application to automatically generate aggregate (or “bulk,” “group,” or “composite”) notable events by identifying notable events sharing common characteristics and aggregating the related notable events into a single aggregate notable event entity that can be displayed and operated upon. The IT and security operations application identifies related notable events based on notable events generated by a common correlation search, notable events having common event attributes, based on user-specified relatedness criteria, or other such criteria. Once identified, in some embodiments, the IT and security operations application displays, in notable event lists and other interfaces, a singular aggregate notable event to users representing each of the identified related notable events.

Abstract: A first cloud extension agent that facilitates internet-based management of a first set of local computing resources of a network is provided by a remote network management platform. A first connection is established to the first cloud extension agent. A second cloud extension agent that facilitates internet-based management of a second set of local computing resources of a network is provided by the remote network management platform. A second connection is established to the second cloud extension agent. A first set of instructions is provided to the first cloud extension via the first connection and a second set of instructions is provided to the second cloud extension via the second connection.