Nested courses of action to support incident response in an information technology environment

  • Publication Date:
    March 14, 2023
  • Additional information
    • Patent Number:
      11,604,877
    • Appl. No:
      16/119954
    • Application Filed:
      August 31, 2018
    • Abstract:
      Described herein are systems and methods for improving incident response in an information technology (IT) environment. In one implementation, an incident service initiates execution of a course of action and identifies a step in the first course of action that determines data in a first format. The incident service further determines a format requirement for a second step in the course of action and translates the data from the first format to the second format in accordance with the format requirement.
    • Inventors:
      Splunk Inc. (San Francisco, CA, US)
    • Assignees:
      Splunk Inc. (San Francisco, CA, US)
    • Claim:
      1. A method comprising: receiving, via a graphical user interface provided by an incident service, input defining a first course of action, wherein the first course of action includes a first plurality of steps to respond to incidents occurring in information technology (IT) environments, wherein the input defines a graphical diagram indicative of sequencing for the first plurality of steps, wherein a particular step of the first plurality of steps in the graphical diagram represents a call to a second course of action, and wherein the second course of action includes a second plurality of steps to obtain, from an external service, supplemental information about incidents occurring in IT environments; storing data defining the first course of action in a course of action database managed by the incident service, wherein the course of action database stores data defining a plurality of courses of action including the first course of action and the second course of action; initiating execution of the first course of action, wherein the first course of action is executed to respond to an incident occurring in an IT environment, and wherein the first course of action involves modifying a configuration of a component of the IT environment; during the execution of the first course of action: identifying the particular step in the first plurality of steps representing the call to the second course of action, obtaining the data defining the second course of action from the course of action database managed by the incident service, initiating execution of the second course of action, obtaining result data from the execution of the second course of action, identifying a first format of the result data, determining that a second step in the first plurality of steps uses as input result data in a second format that is different from the first format, and translating the result data from the first format to the second format; and in response to obtaining the result data, executing a second step in the first plurality of steps in the first course of action based on the result data in the second format to respond to the incident occurring in the IT environment.
    • Claim:
      2. The method of claim 1, wherein the result data comprises addressing data for the incident in the IT environment.
    • Claim:
      3. The method of claim 1, wherein the result data comprises geographic location information.
    • Claim:
      4. The method of claim 1, wherein the second step comprises a step to compare the result data with one or more criteria.
    • Claim:
      5. The method of claim 1, wherein the second step comprises a step to compare the result data with a threshold.
    • Claim:
      6. The method of claim 1: wherein the first course of action includes a plurality of operations each corresponding to a different data format; wherein translating the result data from the first format to the second format includes executing an operation of the plurality of operations associated with the first format.
    • Claim:
      7. The method of claim 1 further comprising: receiving, via the graphical user interface, input defining the second course of action; and storing data defining the second course of action in the course of action database.
    • Claim:
      8. The method of claim 1 further comprising: in response to identifying the particular step, pausing execution of the first course of action; and in response to obtaining the result data, resuming execution of the first course of action.
    • Claim:
      9. A computing apparatus comprising: one or more non-transitory computer readable storage media; a processing system operatively coupled to the one or more non-transitory computer readable storage media; and program instructions stored on the one or more non-transitory computer readable storage media that, when executed by the processing system, direct the processing system to: receive, via a graphical user interface provided by an incident service, input defining a first course of action, wherein the first course of action includes a first plurality of steps to respond to incidents occurring in information technology (IT) environments, wherein the input defines a graphical diagram indicative of sequencing for the first plurality of steps, wherein a particular step of the first plurality of steps in the graphical diagram represents a call to a second course of action, and wherein the second course of action includes a second plurality of steps to obtain, from an external service, supplemental information about incidents occurring in IT environments; store data defining the first course of action in a course of action database managed by the incident service, wherein the course of action database stores data defining a plurality of courses of action including the first course of action and the second course of action; initiate execution of the first course of action, wherein the first course of action is executed to respond to an incident occurring in an IT environment, and wherein the first course of action involves modifying a configuration of a component of the IT environment; during the execution of the first course of action: identify the particular step in the first plurality of steps representing the call to the second course of action, obtain the data defining the second course of action from the course of action database managed by the incident service, initiate execution of the second course of action, obtain result data from the execution of the second course of action, identify a first format of the result data, determine that a second step in the first plurality of steps uses as input result data in a second format that is different from the first format, and translate the result data from the first format to the second format; and in response to obtaining the result data, execute a second step in the first plurality of steps in the first course of action based on the result data in the second format to respond to the incident occurring in the IT environment.
    • Claim:
      10. The computing apparatus of claim 9, wherein the program instructions further direct the processing system to: receive, via the graphical user interface, input defining the second course of action; and store data defining the second course of action in the course of action database.
    • Claim:
      11. The computing apparatus of claim 9, wherein the program instructions further direct the processing system to: in response to identifying the particular step, pause execution of the first course of action; and in response to obtaining the result data, resume execution of the first course of action.
    • Claim:
      12. The computing apparatus of claim 9, wherein the second step comprises a step to compare result data with one or more criteria.
    • Claim:
      13. The computing apparatus of claim 9, wherein the second step comprises a step to compare result data with a threshold.
    • Claim:
      14. A non-transitory computer readable storage media comprising: program instructions that, when executed by a processing system, direct the processing system to: receive, via a graphical user interface provided by an incident service, input defining a first course of action, wherein the first course of action includes a first plurality of steps to respond to incidents occurring in information technology (IT) environments, wherein the input defines a graphical diagram indicative of sequencing for the first plurality of steps, wherein a particular step of the first plurality of steps in the graphical diagram represents a call to a second course of action, and wherein the second course of action includes a second plurality of steps to obtain, from an external service, supplemental information about incidents occurring in IT environments; store data defining the first course of action in a course of action database managed by the incident service, wherein the course of action database stores data defining a plurality of courses of action including the first course of action and the second course of action; initiate execution of the first course of action, wherein the first course of action is executed to respond to an incident occurring in an IT environment, and wherein the first course of action involves modifying a configuration of a component of the IT environment; during the execution of the first course of action: identify the particular step in the first plurality of steps representing the call to the second course of action, obtain the data defining the second course of action from the course of action database managed by the incident service, initiate execution of the second course of action, obtain result data from the execution of the second course of action, identify a first format of the result data, determine that a second step in the first plurality of steps uses as input result data in a second format that is different from the first format, and translate the result data from the first format to the second format; and in response to obtaining the result data, execute a second step in the first plurality of steps in the first course of action based on the result data in the second format to respond to the incident occurring in the IT environment.
    • Claim:
      15. The non-transitory computer readable storage media of claim 14, wherein the program instructions further direct the processing system to: receive, via the graphical user interface, input defining a second course of action; and store data defining the second course of action in the course of action database.
    • Claim:
      16. The non-transitory computer readable storage media of claim 14, wherein the second step comprises a step to compare result data with one or more criteria.
    • Claim:
      17. The non-transitory computer readable storage media of claim 14, wherein the second step comprises a step to compare result data with a threshold.
    • Patent References Cited:
      10091230 October 2018 Machani
      10743046 August 2020 Sahni
      20050086635 April 2005 Parikh
      20090089869 April 2009 Varghese
      20140279829 September 2014 Reinart
      20150365438 December 2015 Carver
      20170365027 December 2017 Hein
      20190213016 July 2019 Raghunath
    • Other References:
      Chris Simmons, “Playbook Series: Creating Nested Playbooks for Responding to Malware Incidents”, Dec. 8, 2016, obtained online from , retrieved on Jul. 17, 2021. cited by examiner
    • Assistant Examiner:
      Zhu, Zhimei
    • Primary Examiner:
      Williams, Jeffery L
    • Attorney, Agent or Firm:
      Nicholson De Vos Webster & Elliott LLP
    • Identifier:
      edspgr.11604877
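Added example, not code from the patent or from Splunk: a minimal Python runner for the nested course-of-action flow the claims describe (a parent course pauses at a step that calls a nested enrichment course, identifies the format of the returned result data, translates it into the format the next step requires, and then compares a value with a threshold to decide on a configuration change). The course database layout, the step dict keys, the CSV/dict formats and the geo-enrichment stand-in are all constructed assumptions.

```python
import json

def fake_geo_service(ip):
    """Constructed stand-in for the external enrichment service; returns CSV text."""
    return f"ip,country,risk_score\n{ip},XX,87"

# Format-specific translation operations, keyed by (first format, second format).
TRANSLATORS = {
    ("csv", "dict"): lambda t: dict(zip(*(l.split(",") for l in t.strip().splitlines()))),
    ("json", "dict"): json.loads,
    ("dict", "dict"): lambda d: d,
}

def detect_format(result):
    """Identify the first format of result data returned by a course of action."""
    if isinstance(result, dict):
        return "dict"
    return "json" if result.strip().startswith("{") else "csv"

def translate(result, target):
    """Translate result data into the format required by the next step."""
    src = detect_format(result)
    if (src, target) not in TRANSLATORS:
        raise ValueError(f"no translation from {src} to {target}")
    return TRANSLATORS[(src, target)](result)

def block_if_risky(data, ctx, threshold=80):
    """Threshold step: decide whether to change a component's configuration."""
    action = "block_ip" if int(data["risk_score"]) >= threshold else "monitor"
    ctx["actions"].append(action)
    return action

# Constructed course database: a step either 'call's another course or 'run's a callable.
COURSES = {
    "geo_enrich": [{"name": "lookup", "run": lambda _, ctx: fake_geo_service(ctx["ip"])}],
    "respond_to_login_alert": [
        {"name": "enrich", "call": "geo_enrich"},
        {"name": "decide", "input_format": "dict", "run": block_if_risky},
    ],
}

def run_course(db, name, ctx):
    """Execute a course; a 'call' step pauses it, runs the nested course, then resumes."""
    result = None
    for step in db[name]:
        if "call" in step:
            result = run_course(db, step["call"], ctx)
        else:
            fmt = step.get("input_format")
            result = step["run"](translate(result, fmt) if fmt else result, ctx)
    return result
```

Running `run_course(COURSES, "respond_to_login_alert", {"ip": "203.0.113.5", "actions": []})` returns `"block_ip"`; a missing translator pair raises instead of silently feeding mismatched data to the next step.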