Abstract: Techniques are described for providing an integrated development environment (IDE) extension that assists developers with many aspects developing apps for an information technology (IT) and security operations application. For example, the IDE extension includes functionality to assist with packaging and deploying apps to a remote IT and security operations application, viewing information about apps installed by a remote IT and security operations application, and testing app action implementations within their IDE. The IDE extension significantly increases developers' ability to create functional and stable IT and security operations application apps for interfacing with a wide variety of security technologies, thereby improving the security and stability of IT environments in which the apps are used.

Abstract: A system generates a user interface that enables a user to generate a chart from one or more statements of a data processing package. Via one or more user interactions with the user interface, the system may receive one or more chart parameters for a chart. Using a statement from the data processing package and the one or more chart parameters, the system may generate an additional statement and append the generated statement to the data processing package to form an enriched data processing package. The system may communicate the enriched data processing package to a search service for execution. The system may display the results in an interactive chart.

Abstract: A data intake and query system processes and stores events, which are associated with token identifiers for tokens corresponding to data sources for the messages that the events are generated from. Thus, the data intake and query system can receive a request to provide analyses and visualizations regarding stored events associated with a particular component associated with a plurality of events, such as a data source for the messages from which the plurality of events are generated from. These requests and the resulting visualizations can be customized based on selected tokens and selected components.

Abstract: Systems and methods are disclosed for processing data associated with isolated execution environments. A chunk of data associated with an isolated execution environment can include log data and non-log data. At least a portion of the log data can include log data generated by the isolated execution environment. The system can parse the chunk of data to identify the log data and the non-log data and extract at least a portion of the log data from the chunk of data. The extracted data can be further processed to generate one or more events.

Abstract: Techniques are described for providing a software-based platform used to collect and analyze data artifacts generated during software development processes and to display results of the analyses as actionable information. The software development observability platform is a software-based agent (also referred to as an “artifact collector”) capable of capturing output from a wide variety of software development tools including compilers, test frameworks, code coverage and type checker tools, and the like. The artifact collector stores the data in an event data format and forwards the data to a data intake and query system or other destination for further analysis. In some examples, the software development observability platform further includes graphical user interfaces (GUIs) and other analysis tools that enable users to obtain insights into their software development processes.

Abstract: Described herein is a technique to update an edge device deployed in a secure computing network. A repository connected to a public network stores build contents configured to update software installed on the edge device; the public network is inaccessible to devices within the secure computing environment. A second device connected to the public network acquires the build contents in a signed lockbox file. An edge device management service generates a lockbox file containing the build contents and a trusted signer outside the secure computing network signs the lockbox file. The second device connects to secure computing network and establishes communications with the edge device. The edge device verifies the signed lockbox file provided by the second device. Upon verification, the edge device extracts the contents of the signed lockbox file and updates the software installed on the edge device.

Abstract: Techniques are described for providing a threat analysis platform capable of automating actions performed to analyze security-related threats affecting IT environments. Users or applications can submit objects (e.g., URLs, files, etc.) for analysis by the threat analysis platform. Once submitted, the threat analysis platform routes the objects to dedicated engines that can perform static and dynamic analysis processes to determine a likelihood that an object is associated with malicious activity such as phishing attacks, malware, or other types of security threats.

Abstract: Described herein are techniques are provided for enabling a security orchestration, automation, and response (SOAR) service to automatically manage apps used to interface with an integrated security operations service and other related devices and services. Further described herein is a SOAR app generator service or application used to automate the creation of apps for a SOAR service based on application programming interfaces (API) specifications for related devices or services, as well as visual playbook editor interfaces for a SOAR service that enable the configuration of complex action input parameters including arrays and objects.

Abstract: Data are mapped from multiple tools to a common information model during the development life cycle of a software application. The common information model normalizes the data, enabling the data to be correlated even when development tasks are performed by separate entities using different tools. Using the common information model, security issues are identified in a later part of the software development life cycle based on data generated at an earlier phase, such as on an ongoing basis throughout the life cycle. A user can investigate the security issues and associated risk using an interactive dashboard.

Abstract: Techniques are described for providing an integrated development environment (IDE) extension that assists developers with many aspects developing apps for an information technology (IT) and security operations application. For example, the IDE extension includes functionality to assist with packaging and deploying apps to a remote IT and security operations application, viewing information about apps installed by a remote IT and security operations application, and testing app action implementations within their IDE. The IDE extension significantly increases developers' ability to create functional and stable IT and security operations application apps for interfacing with a wide variety of security technologies, thereby improving the security and stability of IT environments in which the apps are used.

Abstract: Techniques are described for providing a threat analysis platform capable of automating actions performed to analyze security-related threats affecting IT environments. Users or applications can submit objects (e.g., URLs, files, etc.) for analysis by the threat analysis platform. Once submitted, the threat analysis platform routes the objects to dedicated engines that can perform static and dynamic analysis processes to determine a likelihood that an object is associated with malicious activity such as phishing attacks, malware, or other types of security threats.

Abstract: An observability system is disclosed that provides novel techniques for configuring indexable custom tags. The observability system enables customers and users to specify and create indexable custom tags in a flexible and user-friendly manner. The observability system includes a novel custom tag configuration system that enables users of the observability system to configure indexed custom tags. Using a set of user interfaces (e.g., graphical user interfaces (GUIs)), a user is guided through a workflow for configuring indexed custom tags.

Abstract: Aspects described herein provide security actions based on a current state of a security threat. In one example, a computer-implemented method includes identifying a security threat within a computing environment comprising a plurality of computing assets. The method further includes obtaining state information for the security threat within the computing environment from computing assets of the plurality of computing assets in the computing environment. The method further includes determining a current state for the security threat within the computing environment based on the state information. The method further includes obtaining enrichment information for the security threat that relates kill-state information to an identity of the security threat. The method further includes determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.

Abstract: Described herein are systems and methods for enhancing an interface for an information technology (IT) environment. In one implementation, an incident service causes display of a first version of a course of action and obtains input indicative of a request for a new action in the course of action. The incident service further determines suggested actions based at least one the input and causes display of the suggested actions. Once displayed, the incident service obtains input indicative of a selection of at least one action from the suggested actions, and causes display input indicative of a selection of at least one action from the suggested actions.

Abstract: Techniques are described for providing users of an IT and security operations application with the ability to enable the collection and display of playbook run statistics. Users can selectively enable the generation of playbook run statistics for individual playbooks. Once enabled for a playbook, the IT and security operations application automatically adds source code to the playbook or otherwise enables the collection of function block-level statistics during playbook executions. Users can view the statistics collected for a playbook to compare the performance of individual blocks against one another, to compare the performance of individual playbook runs against other playbook runs or against an average of all playbook runs, and so forth.

Abstract: Described are systems, methods, and techniques profiled call stack linking. Data relating to functions that are part of call stacks can be captured from a series of snapshots. Frame information for the identified functions (e.g., a span ID, trace ID) can be identified and indexed. Responsive to receiving a query for a visualization specifying one or more criteria (e.g., all frames that are part of a span), all frames corresponding with the criteria can be identified. An action can be performed using the identified frames, such as generating a visualization of the identified frames for use in deriving insights into the functions being executed as part of a call stack.

Abstract: Techniques are described that enable an IT and security operations application to prioritize the processing of selected events for a defined period of time. Data is obtained reflecting activity within an IT environment, wherein the data includes a plurality of events each representing an occurrence of activity within the IT environment. A severity level is assigned to each event of the plurality of events, where the events are processed by the IT and security operations application in an order that is based at least in part on the severity level assigned to each event. Input is received identifying at least one event of the plurality of events for expedited processing to obtain a set of expedited events, and the identified events are processed by the IT and security operations application before processing events that are not in the set of expedited events.