US12225045B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12225045-B2 |
| Application number | US-202318213123-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 22, 2023 |
| Priority date | Feb 20, 2018 |
| Publication date | Feb 11, 2025 |
| Grant date | Feb 11, 2025 |
Official abstract text for this publication.
A cyber threat defense system can incorporate data from a Software-as-a-Service (SaaS) application hosted by a third-party operator platform to identify cyber threats related to that SaaS application. The cyber threat defense module can have a SaaS module to collect third-party event data from the third-party operator platform. The cyber threat defense system can have a comparison module to compare third-party event data for a network entity to at least one machine-learning model of a network entity using a normal behavior benchmark to spot behavior deviating from normal benign behavior. The comparison module can identify whether the network entity is in a breach state. The cyber threat defense system can have a cyber threat module to identify whether the breach state and a chain of relevant behavioral parameters correspond to a cyber threat. An autonomous response module can execute an autonomous response in response to the cyber threat.
Opening claim text (preview).
What is claimed is:

1. A method for a cyber threat defense system incorporating data from a Software-as-a-Service (SaaS) application hosted by a third-party operator platform to identify cyber threats related to the SaaS application, comprising: collecting, with a SaaS module from one or more connectors deployed to a network entity representing at least one of a user and a network device that utilizes the SaaS application, third-party event data describing an administrative event of the SaaS application hosted by the third-party operator platform; comparing the third-party event data, received from the one or more connectors, to one or more machine-learning models trained on a normal benign behavior of that network entity using a normal behavior benchmark describing parameters corresponding to a normal pattern of activity for that network entity to spot behavior on the network deviating from the normal benign behavior; identifying whether the network entity that utilized the SaaS application is in a breach state of the normal behavior benchmark; causing the SaaS module to cooperate with i) the one or more connectors to supply the event data describing the administrative event once it is observed from the SaaS application hosted by the third-party operator platform; ii) the third-party operator platform hosting the SaaS application to keep a connection open until an event is observed and the event data describing the administrative event is returned to the SaaS module, and iii) any combination of these two; and executing an autonomous response in response to the cyber threat using an autonomous response module to mitigate the identified cyber threat.

2. The method for the cyber threat defense system of claim 1, further comprising: directing the one or more connectors to send a Hypertext Transfer Protocol Secure event request to the third-party SaaS application to request the administrative event from an audit log of the third-party SaaS application.

3. The method for the cyber threat defense system of claim 1, further comprising: identifying whether the breach state and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to a cyber threat.

4. The method for the cyber threat defense system of claim 1, further comprising: using the autonomous response module to tag a specific user to have a lower threshold for the autonomous response, depending on circumstances of the cyber threat.

5. The method for the cyber threat defense system of claim 1, further comprising: using the autonomous response module to tag a specific user so that no more SaaS activities successfully occurs for that specific user until a human has verified that unusual behavior that deviated from the normal benign behavior is allowed or blocked indefinitely.

6. A non-transitory computer readable medium comprising computer readable code operable, when executed by one or more processing apparatuses in a cyber threat defense system to instruct a computing device to perform a method for a cyber threat defense system incorporating data from a Software-as-a-Service (SaaS) application hosted by a third-party operator platform to identify cyber threats related to that SaaS application, comprising: collecting, with a SaaS module from one or more connectors deployed to a network entity representing at least one of a user and a network device that utilizes the SaaS application, third-party event data describing an administrative event of the SaaS application hosted by the third-party operator platform; comparing the third-party event data, received from the one or more connectors, to one or more machine-learning models trained on a normal benign behavior of that network entity using a normal behavior benchmark describing parameters corresponding to a normal pattern of activity for that network entity to spot behavior on the network deviating from the normal benign behavior; identifying whether the network entity that utilized the SaaS application is in a breach state of the normal behavior benchmark; causing the SaaS module to cooperate with i) the one or more connectors to supply the event data describing the administrative event once it is observed from the SaaS application hosted by the third-party operator platform; ii) the third-party operator platform hosting the SaaS application to keep a connection open until an event is observed and the event data describing the administrative event is returned to the SaaS module, and iii) any combination of these two; and executing an autonomous response in response to the cyber threat using an autonomous response module to mitigate the identified cyber threat.

7. The method for the cyber threat defense system of claim 6, further comprising: where the executing of the autonomous response module to take the autonomous response to the cyber threat includes one or more of executing at least one of alerting an internal system administrator of the cyber threat and a suggested action to counter the cyber threat, alerting the third-party operator platform of the cyber threat and a suggested action to counter the cyber threat, autonomously reducing permissions of the network entity in the breach state of the normal behavior benchmark, and autonomously disabling a user account of the network entity in the breach state of the normal behavior benchmark, based on a threat risk parameter corresponding to aspects of the cyber threat.

8. The method for the cyber threat defense system of claim 6, further comprising: harvesting metadata from a data rich description and then using the metadata in the comparison of the normal behavior benchmark describing parameters corresponding to the normal pattern of activity for that network entity to spot behavior on a network deviating from the normal benign behavior; and directing the one or more connectors to request the third-party operator platform to delete an event report.

9. The method for the cyber threat defense system of claim 6, further comprising: collecting network traffic in addition to the collected data from the SaaS application used by the network entity in order to analyze both to contextualize and understand the breach state and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity in order to accurately correspond to the breach state and the chain of relevant behavioral parameters to the cyber threat.

10. The method for the cyber threat defense system of claim 6, further comprising: collecting, from one or more probes deployed to the network entity, probe data describing network-administrated activity, external to the SaaS application, by the network entity to analyze the probe data and the third-party event data in context to accurately associate the breach state and a chain of relevant behavioral parameters with the cyber threat.

11. An apparatus for a cyber threat defense system, comprising: one or more input ports configured to connect to one or more connectors deployed to a network entity representing at least one of a user and a network device that utilizes a software-as-a-service (SaaS) application hosted by a third-party operator platform; a SaaS module configured to collect from the one or more connectors deployed to the network entity that utilizes the SaaS application, third-party event data describing an administrative event of the SaaS application; a comparison module configured to execute a comparison the third-party event data, received from the one or more connectors, to one or more machine-learning models trained on a normal benign behavior of that network entity using a normal behavior benchmark descri
service impersonation, e.g. phishing, pharming or web spoofing (detection of rogue wireless access points H04W12/12) · CPC title
Access control lists [ACL] · CPC title
wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title
Architectural arrangements, e.g. perimeter networks or demilitarized zones · CPC title
comprising specially adapted graphical user interfaces [GUI] · CPC title