Network security threat intelligence sharing

US11575703B2 · US · B2

Patent metadata
Field               Value
Publication number  US-11575703-B2
Application number  US-201916555975-A
Country             US
Kind code           B2
Filing date         Aug 29, 2019
Priority date       May 5, 2017
Publication date    Feb 7, 2023
Grant date          Feb 7, 2023

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Systems and methods are disclosed for obtaining network security threat information and mitigating threats to improve computing network operations. For example, methods may include receiving a message from a central instance; from outside of a private network, invoking a search of data associated with the private network, wherein the search is based on the message and the search is performed by an agent device within the private network; receiving a search result of the search from the agent device; transmitting the search result to the central instance, wherein the central instance is configured to generate network security threat information based in part on the search result and share the network security threat information with a plurality of customer instances that are associated with a group of customers; and receiving an alert message from the central instance, wherein the alert message includes information that identifies a network security threat.

First claim

Opening claim text (preview).

What is claimed is:

1. A system, comprising: a memory; and one or more processors, wherein the memory includes instructions that, when executed, are configured to cause the one or more processors to: implement a plurality of customer instances within a datacenter, wherein each customer instance of the plurality of customer instances is associated with a respective customer network of a plurality of customer networks outside of the datacenter; implement a central instance within the datacenter, wherein the central instance is communicatively coupled to the plurality of customer instances; receive, at a first customer instance of the plurality of customer instances, an alert from a first customer network of the plurality of customer networks, wherein the alert is associated with a network security threat; generate, at the central instance, a search query based on one or more observables associated with the alert; invoke, at a second customer instance of the plurality of customer instances, a search of data of a second customer network associated with the second customer instance based on the search query; receive, at the second customer instance, a search result based on the search of data of the second customer network, wherein the search result reflects occurrences of the one or more observables in the second customer network; conduct, at the central instance, incident analysis comprising: identifying a kill chain based on the search result, wherein the kill chain comprises a combination of related security vulnerabilities that leads to possible network security compromise; and determining a risk score associated with the network security threat based on the occurrences of the one or more observables associated with the search result; conduct, at the plurality of customer instances, incident enrichment comprising determining running processes and network statistics associated with the plurality of customer networks; conduct, at the central instance, threat association comprising identifying a network security threat actor associated with the alert based at least in part on the kill chain and the search result that reflects the occurrences of the one or more observables in the second customer network; determine, at the plurality of customer instances, security threat remediation by selecting a remediation measure to break the kill chain; implement the remediation measure to block communication with the network security threat actor based at least in part on the incident analysis, the incident enrichment, and the threat association; and transmit a recommendation to the second customer instance based on the security threat remediation.

2. The system of claim 1, wherein invoking the search of data comprises communicating with an agent device to conduct a search within the second customer network.

3. The system of claim 1, wherein invoking the search of data comprises querying a security information and event management database of the second customer network.

4. The system of claim 1, wherein the instructions, when executed, are configured to cause the one or more processors to: input, via the second customer instance, data pertaining to the occurrences of the one or more observables to a neural network or a support vector machine; and determine the risk score based on a resulting output of the neural network or the support vector machine.

5. The system of claim 1, wherein conducting incident enrichment comprises updating a white list, a black list, a firewall rule, or any combination thereof.

6. The system of claim 1, wherein the instructions, when executed, are configured to cause the one or more processors to cause the central instance to relay a message comprising the search query to the second customer instance based on the alert.

7. A method, comprising: receiving, at a first customer instance of a plurality of customer instances, an alert from a first customer network of a plurality of customer networks, wherein the alert is associated with a network security threat; generating, at a central instance communicatively coupled to the first customer instance, a search query based on one or more observables associated with the alert; invoking, at a second customer instance of the plurality of customer instances, a search of data of a second customer network associated with the second customer instance based on the search query; receiving, at the second customer instance, a search result based on the search of data of the second customer network, wherein the search result reflects occurrences of the one or more observables in the second customer network; performing, at the central instance, incident analysis comprising: identifying a kill chain based on the search result, wherein the kill chain comprises a combination of related security vulnerabilities that leads to possible network security compromise; and determining network security threat information comprising a risk score associated with the network security threat based on the occurrences of the one or more observables associated with the search result; performing, at the plurality of customer instances, incident enrichment comprising determining running processes and network statistics associated with the plurality of customer networks; conducting, at the central instance, threat association comprising identifying a network security threat actor associated with the alert based at least in part on the kill chain and the search result that reflects the occurrences of the one or more observables in the second customer network; determining, at the plurality of customer instances, security threat remediation by selecting a remediation measure to break the kill chain; implementing the remediation measure to block communication with the network security threat actor based at least in part on the incident analysis, the incident enrichment, and the threat association; and transmitting a recommendation to the second customer instance based on the security threat remediation.

8. The method of claim 7, comprising: invoking, at a third customer instance of the plurality of customer instances, an additional search of data of a third customer network associated with the second customer instance based on the search query; and receiving, at the third customer instance, an additional search result based on the additional search of data of the third customer network, wherein the additional search result reflects the occurrences of the one or more observables in the third customer network.

9. The method of claim 8, wherein performing the incident analysis comprises determining the risk score associated with the network security threat based on the occurrences of the one or more observables associated with the search result and the additional search result.

10. The method of claim 7, comprising invoking a threat mitigation measure using a framework configured to interface to a plurality of network security products provided by a plurality of software publishers, wherein determining the security threat remediation is based on the threat mitigation measure.

11. The method of claim 7, comprising transmitting, via the central instance, an alert message to a third customer instance of the plurality of customer instances, wherein the alert message comprises the network security threat information.

12. The method of claim 7, wherein invoking the search of data comprises communicating with an agent device of the second customer network to query a security information and event management database of the second customer network.

13. A system, comprising: a memory; and one or more pr

Assignees

Servicenow Inc

Inventors

Classifications

  • G06N20/00 (primary): Machine learning · CPC title

  • Vulnerability analysis · CPC title

  • Indexing; Web crawling techniques · CPC title

  • for detecting or protecting against malicious traffic · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11575703B2 cover?
Systems and methods are disclosed for obtaining network security threat information and mitigating threats to improve computing network operations. For example, methods may include receiving a message from a central instance; from outside of a private network, invoking a search of data associated with the private network, wherein the search is based on the message and the search is performed by…
Who is the assignee on this patent?
Servicenow Inc
What technology area does this patent fall under?
Primary CPC classification G06N20/00. Mapped technology areas include Physics.
When was this patent published?
Publication date Feb 7, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).