Incident response management based on environmental characteristics
Abstract
Systems, methods, and software described herein provide for managing service level agreements (SLAs) for security incidents in a computing environment. In one example, an advisement system identifies a rule set for a security incident based on enrichment information obtained for the security incident, wherein the rule set is associated with action recommendations to be taken against the incident. The advisement system further identifies a default SLA for the security incident based on the rule set, and obtains environmental characteristics related to the security incident. Based on the environmental characteristics, the advisement system determines a modified SLA for the security incident.
30 Claims
1. A method implemented by a computing device in a computing environment, comprising:
determining, in response to notification of an incident in the computing environment, one or more action recommendations, wherein the notification is generated upon identification of an issue in the computing environment;
obtaining, from the computing environment, environmental characteristics related to the incident;
obtaining a default hierarchy of administrators responsible for responding to the incident;
modifying, based at least on the environmental characteristics, the default hierarchy of administrators to obtain a modified hierarchy of administrators;
outputting the one or more action recommendations for receipt by a device associated with an administrator in the modified hierarchy of administrators, wherein upon receipt of the one or more actions recommendations, the device displays the one or more actions recommendations;
receiving input associated with an action recommendation of the one or more action recommendations; and
executing an operation based on the input.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
15. A computing apparatus comprising:
one or more non-transitory computer readable storage media;
a processing system operatively coupled to the one or more non-transitory computer readable storage media; and
program instructions stored on the one or more non-transitory computer readable storage media that, when executed by the processing system, direct the processing system to:
determine, in response to notification of an incident in a computing environment, one or more action recommendations, wherein the notification is generated upon identification of an issue in the computing environment;
obtain, from the computing environment, environmental characteristics related to the incident;
obtain a default hierarchy of administrators responsible for responding to the incident;
modify, based at least on the environmental characteristics, the default hierarchy of administrators to obtain a modified hierarchy of administrators;
output the one or more action recommendations for receipt by a device associated with an administrator in the modified hierarchy of administrators, wherein upon receipt of the one or more actions recommendations, the device displays the one or more actions recommendations;
receive input associated with an action recommendation of the one or more action recommendations; and
execute an operation based on the input.
Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
26. An apparatus comprising:
one or more non-transitory computer readable storage media; and
program instructions stored on the one or more non-transitory computer readable storage media that, when executed by a processing system, direct the processing system to:
determine, in response to notification of an incident in a computing environment, one or more action recommendations, wherein the notification is generated upon identification of an issue in the computing environment;
obtain, from the computing environment, environmental characteristics related to the incident;
obtain a default hierarchy of administrators responsible for responding to the incident;
modify, based at least on the environmental characteristics, the default hierarchy of administrators to obtain a modified hierarchy of administrators;
output the one or more action recommendations for receipt by a device associated with an administrator in the modified hierarchy of administrators, wherein upon receipt of the one or more actions recommendations, the device displays the one or more actions recommendations;
receive input associated with an action recommendation of the one or more action recommendations; and
execute an operation based on the input.
Dependent claims: 27, 28, 29, 30
Specification