US2019394227A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2019394227-A1 |
| Application number | US-201916555975-A |
| Country | US |
| Kind code | A1 |
| Filing date | Aug 29, 2019 |
| Priority date | May 5, 2017 |
| Publication date | Dec 26, 2019 |
| Grant date | — |
Official abstract text for this publication.
Systems and methods are disclosed for obtaining network security threat information and mitigating threats to improve computing network operations. For example, methods may include receiving a message from a central instance; from outside of a private network, invoking a search of data associated with the private network, wherein the search is based on the message and the search is performed by an agent device within the private network; receiving a search result of the search from the agent device; transmitting the search result to the central instance, wherein the central instance is configured to generate network security threat information based in part on the search result and share the network security threat information with a plurality of customer instances that are associated with a group of customers; and receiving an alert message from the central instance, wherein the alert message includes information that identifies a network security threat.
Opening claim text (preview).
What is claimed is:

1. A system, comprising: a memory; and one or more processors, wherein the memory includes instructions that, when executed, are configured to cause the one or more processors to: implement a plurality of customer instances within a datacenter, wherein each customer instance of the plurality of customer instances is associated with a respective customer network of a plurality of customer networks outside of the datacenter; implement a central instance within the datacenter, wherein the central instance is communicatively coupled to the plurality of customer instances; receive, at a first customer instance of the plurality of customer instances, an alert from a first customer network of the plurality of customer networks, wherein the alert is associated with a network security threat; generate, at the central instance, a search query based on one or more observables associated with the alert; invoke, at a second customer instance of the plurality of customer instances, a search of data of a second customer network associated with the second customer instance based on the search query; receive, at the second customer instance, a search result based on the search of data of the second customer network; conduct, at the central instance, incident analysis comprising determining a risk score associated with the network security threat based on occurrences of the one or more observables associated with the search result; conduct, at the plurality of customer instances, incident enrichment comprising determining running processes and network statistics associated with the plurality of customer networks; conduct, at the central instance, threat association comprising identifying a network security threat actor associated with the alert; and determine, at the plurality of customer instances, security threat remediation based at least in part on the incident analysis, the incident enrichment, and the threat association.

2. The system of claim 1, wherein invoking the search of data comprises communicating with an agent device to conduct a search within the second customer network.

3. The system of claim 1, wherein invoking the search of data comprises querying a security information and event management database of the second customer network.

4. The system of claim 1, wherein the instructions, when executed, are configured to cause the one or more processors to: input, via the second customer instance, data pertaining to occurrences of the one or more observables to a neural network or a support vector machine; and determine the risk score based on a resulting output of the neural network or a support vector machine.

5. The system of claim 1, wherein conducting incident enrichment comprises updating a white list, a black list, a firewall rule, or any combination thereof.

6. The system of claim 1, wherein conducting incident analysis comprises identifying a kill chain based on the search result, wherein the kill chain comprises a combination of related security vulnerabilities that leads to possible network security compromise, and wherein the security threat remediation is based at least in part on the risk score and the kill chain associated with the incident analysis.

7. The system of claim 1, wherein the instructions, when executed, are configured to cause the one or more processors to cause the central instance to relay a message comprising the search query to the second customer instance based on the alert.

8. The system of claim 1, wherein the instructions, when executed, are configured to cause the one or more processors to transmit a recommendation to the second customer instance based on the security threat remediation.

9. A method, comprising: receiving, at a first customer instance of a plurality of customer instances, an alert from a first customer network of a plurality of customer networks, wherein the alert is associated with a network security threat; generating, at a central instance communicatively coupled to the first customer instance, a search query based on one or more observables associated with the alert; invoking, at a second customer instance of the plurality of customer instances, a search of data of a second customer network associated with the second customer instance based on the search query; receiving, at the second customer instance, a search result based on the search of data of the second customer network; performing, at the central instance, incident analysis to determine network security threat information comprising a risk score associated with the network security threat based on occurrences of the one or more observables associated with the search result; performing, at the plurality of customer instances, incident enrichment comprising determining running processes and network statistics associated with the plurality of customer networks; conducting, at the central instance, threat association comprising identifying a network security threat actor associated with the alert; and determining, at the plurality of customer instances, security threat remediation based at least in part on the incident analysis, the incident enrichment, and the threat association.

10. The method of claim 9, comprising: invoking, at a third customer instance of the plurality of customer instances, an additional search of data of a third customer network associated with the second customer instance based on the search query; and receiving, at the third customer instance, an additional search result based on the search of data of the third customer network.

11. The method of claim 10, wherein performing the incident analysis comprises determining the risk score associated with the network security threat based on occurrences of the one or more observables associated with the search result and the additional search result.

12. The method of claim 9, comprising invoking a threat mitigation measure using a framework configured to interface to a plurality of network security products provided by a plurality of software publishers, wherein determining the security threat remediation is based on the threat mitigation measure.

13. The method of claim 9, comprising transmitting, via the central instance, an alert message to a third customer instance of the plurality of customer instances, wherein the alert message comprises the network security threat information.

14. The method of claim 9, wherein invoking the search of data comprises communicating with an agent device of the second customer network to query a security information and event management database of the second customer network.

15. A system, comprising: a memory; and one or more processors, wherein the memory includes instructions that, when executed, are configured to cause the one or more processors to: implement a plurality of customer instances within a network, wherein the plurality of customer instances is associated with respective private networks of a plurality of private networks that are outside of the network; implement a central instance within the network, wherein the central instance is communicatively coupled to the plurality of customer instances; receive, at a first customer instance of the plurality of customer instances, an alert from a first private network of the plurality of private networks, wherein the alert is associated with a network security threat; generate, at the central instance, a search query based on one or more observables associated with the alert; invoke, at a second customer instance of the plurality of custom
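The flow in claims 1, 9 and 13 (alert arrives at one tenant, the central instance turns its observables into a query, other tenants search their own data through an in-network agent, the central instance scores the cross-tenant occurrences and shares the result) as an added, runnable model. This is illustrative code written for this page, not code from the patent or from any product; the class names, the scoring rule (share of other tenants where an observable recurs), the private-address filter and the log lines are all assumptions. The point worth checking in any real implementation of this design is visible in `AgentDevice`: raw records are read only inside the customer network, and the central instance ever sees per-observable counts.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample records standing in for each customer's SIEM data.
CUSTOMER_LOGS: Dict[str, List[str]] = {
    "acme": [
        "2019-08-29T10:01:02 src=10.0.0.5 dst=203.0.113.7 sha256=abc123 proc=dropper.exe",
        "2019-08-29T10:01:09 src=10.0.0.5 dst=198.51.100.9 proc=chrome.exe",
    ],
    "globex": [
        "2019-08-29T11:15:00 src=10.1.0.8 dst=203.0.113.7 proc=svchost.exe",
    ],
    "initech": [
        "2019-08-29T12:00:00 src=10.2.0.3 dst=192.0.2.44 proc=outlook.exe",
    ],
}


@dataclass
class Alert:
    source_customer: str
    observables: Set[str]  # IPs, hashes, etc. pulled from the triggering event


@dataclass
class SearchResult:
    customer: str
    hits: Dict[str, int]  # observable -> count of matching records


class AgentDevice:
    """Runs inside the customer network; the only component that reads raw records."""

    def __init__(self, customer: str, records: List[str]):
        self.customer = customer
        self.records = records

    def search(self, observables: Set[str]) -> SearchResult:
        hits = {o: sum(1 for r in self.records if o in r) for o in observables}
        return SearchResult(self.customer, hits)


class CustomerInstance:
    """Tenant in the shared datacenter: relays the query in and only counts out."""

    def __init__(self, customer: str, agent: AgentDevice):
        self.customer = customer
        self.agent = agent
        self.inbox: List[dict] = []  # alert messages received from the central instance

    def invoke_search(self, observables: Set[str]) -> SearchResult:
        return self.agent.search(observables)


class CentralInstance:
    """Builds the query, scores cross-tenant occurrences, shares the resulting alert."""

    def __init__(self, tenants: Dict[str, CustomerInstance]):
        self.tenants = tenants

    @staticmethod
    def build_query(alert: Alert) -> Set[str]:
        # Assumed filter: drop internal 10/8 addresses. They mean nothing in another
        # customer's network and would only produce false cross-tenant hits.
        return {o for o in alert.observables if not o.startswith("10.")}

    def handle_alert(self, alert: Alert) -> dict:
        query = self.build_query(alert)
        others = [t for name, t in self.tenants.items() if name != alert.source_customer]
        results = [t.invoke_search(query) for t in others]
        affected = sorted(r.customer for r in results if any(r.hits.values()))
        seen = sorted({o for r in results for o, n in r.hits.items() if n})
        # Assumed scoring rule: fraction of other tenants where any observable recurs.
        risk = len(affected) / len(results) if results else 0.0
        message = {"observables": seen, "risk_score": risk, "affected": affected}
        for t in others:  # shared with every other tenant, hit or not (claim 13)
            t.inbox.append(message)
        return {"query": query, **message}


def build_environment() -> CentralInstance:
    tenants = {
        name: CustomerInstance(name, AgentDevice(name, logs))
        for name, logs in CUSTOMER_LOGS.items()
    }
    return CentralInstance(tenants)


if __name__ == "__main__":
    central = build_environment()
    print(central.handle_alert(Alert("acme", {"203.0.113.7", "abc123", "10.0.0.5"})))
```

Running it with the constructed data yields a query of two observables (the internal source address is dropped), one hit at globex on the destination address, a risk score of 0.5, and an alert message in both other tenants' inboxes while acme, the reporting tenant, receives none.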
Event detection, e.g. attack signature detection · CPC title
Machine learning · CPC title
Vulnerability analysis · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
for detecting or protecting against malicious traffic · CPC title