Abstract: Methods, systems, and computer programs are presented for providing contextual suggestions and automated responses to users managing incidents within production or security environments. The system utilizes a combination of user-provided data and contextual analysis to proactively offer solutions and insights without requiring explicit queries from the user. The system integrates out-of-the-box insights, natural language interactions, and remediation flows into a cohesive user experience, incorporating playbooks enhanced by automation while leveraging user data and interaction history to tailor suggestions. The system includes a predictive analysis mechanism that runs analyses on relevant data sources, identifying unusual results and generating potential queries. A large language model (LLM) is integrated for generating questions and analyses, with a ranking system prioritizing insights based on machine learning models.

Abstract: Methods, systems, and computer programs are presented for automatic evaluation of security incidents. One method includes receiving a resolution status, for a set of insights, indicating if each insight was a true or a false positive. A global training set, comprising the resolution status for the insights, is generated, and a local training set with a subset of the insights associated with a first user. A machine-learning (ML) program is trained, using the global training set, to obtain a global model, and using the local training set to obtain a local model for the first user. When a new insight for the first user is detected, a global score is obtained using the global model, and a local score is obtained using the local model. A confidence score, calculated based on the global and local scores, is presented as an indication of an estimated severity of the new insight.

Abstract: Techniques are presented for recommending queries to search log information. The system provides useful insights and recommendations based on user needs and queries by utilizing the user context, with information about the user activities (e.g., recent alerts) and the user configuration in the system (e.g., applications configured by the user), to provide recommendations. There may not be enough context for a new user to provide good recommendations, so the system determines the context based on the activities of other users, such as more experienced users or users investigating the same type of problem. Based on the context, the user recommends natural language queries (NLQ) or system queries to accelerate the search process and assist the user during an investigation. Further, NLQs may be converted to complex search queries that use the search query language, and the NLQs may also be used as part of the context for the subsequent recommendations.

Abstract: Methods, systems, and computer programs are presented to generate response information for an alert. One method includes an operation for detecting an alert based on incoming log data or metric data and for calculating information for panels to be presented on a response-alert page. Calculating the information includes calculating first performance values for a period associated with the alert, calculating second performance values for a background period where the alert condition was not present, and calculating a difference between the first performance values and the second performance values. Further, the method includes an operation for selecting, based on the difference, relevant performance values for presentation in one of the panels. The response-alert page is presented with at least one of the panels based on the selected relevant performance values.

Abstract: Methods, systems, and computer programs are presented for generating recommendations to update the severity of a rule for incident-detection. One method includes accessing a resolution status for insights generated based on an evaluation of rules, each rule associated with a weight. The method determines, based on the resolution status, if each insight corresponds to a true positive (TP) or a false positive (FP), and optimizing values for the weights of the one or more rules to lower the number of FPs. The optimizing comprises identifying an objective function based on predicted values for the insights and the insights resolution status, identifying one or more constraints, and using a solver to obtain the optimized values for the weights. A recommendation to change the weight associated with at least one rule is presented on a user interface based on the optimized values for the at least one rule.

Abstract: Methods, systems, and computer programs are presented to generate response information for an alert. One method includes an operation for detecting an alert based on incoming log data or metric data and for calculating information for panels to be presented on a response-alert page. Calculating the information includes calculating first performance values for a period associated with the alert, calculating second performance values for a background period where the alert condition was not present, and calculating a difference between the first performance values and the second performance values. Further, the method includes an operation for selecting, based on the difference, relevant performance values for presentation in one of the panels. The response-alert page is presented with at least one of the panels based on the selected relevant performance values.

Abstract: Clustering structured log data by key-values includes receiving, via a user interface, a request to apply an operator to cluster log messages according to values for keys associated with the request. At least a portion of each log message comprises structured machine data including a set of key-value pairs. The method further includes receiving a log message and determining whether to include the log message in a cluster based at least in part on an evaluation of values in the structured machine data of the log message for the keys associated with the request. The cluster is included in a set of clusters. Each cluster in the set is associated with a different combination of values for the keys associated with the request. The method further includes providing, via the user interface, information associated with the cluster.

Abstract: Methods, systems, and computer programs are presented for problem detection based on deviations from the forecasted behavior of a metric. One method includes an operation for selecting a machine learning (ML) model for predicting future values of a time series for a metric. Further, the method includes forecasting, using the ML model, values of the metric for a forecast period. Afterwards, actual values of the metric are collected during the forecast period, and the actual values are compared to the forecasted values. The method further includes operations for determining an anomaly in a behavior of the metric based on the comparison, and causing presentation in a computer user interface (UI) of the anomaly.

Abstract: Methods, systems, and computer programs are presented for automatic evaluation of security incidents. One method includes receiving a resolution status, for a set of insights, indicating if each insight was a true or a false positive. A global training set, comprising the resolution status for the insights, is generated, and a local training set with a subset of the insights associated with a first user. A machine-learning (ML) program is trained, using the global training set, to obtain a global model, and using the local training set to obtain a local model for the first user. When a new insight for the first user is detected, a global score is obtained using the global model, and a local score is obtained using the local model. A confidence score, calculated based on the global and local scores, is presented as an indication of an estimated severity of the new insight.

Abstract: Methods, systems, and computer programs are presented to generate response information for an alert. One method includes an operation for detecting an alert based on incoming log data or metric data and for calculating information for panels to be presented on a response-alert page. Calculating the information includes calculating first performance values for a period associated with the alert, calculating second performance values for a background period where the alert condition was not present, and calculating a difference between the first performance values and the second performance values. Further, the method includes an operation for selecting, based on the difference, relevant performance values for presentation in one of the panels. The response-alert page is presented with at least one of the panels based on the selected relevant performance values.

Abstract: Clustering structured log data by key-values includes receiving, via a user interface, a request to apply an operator to cluster log messages according to values for keys associated with the request. At least a portion of each log message comprises structured machine data including a set of key-value pairs. The method further includes receiving a log message and determining whether to include the log message in a cluster based at least in part on an evaluation of values in the structured machine data of the log message for the keys associated with the request. The cluster is included in a set of clusters. Each cluster in the set is associated with a different combination of values for the keys associated with the request. The method further includes providing, via the user interface, information associated with the cluster.

Abstract: Clustering structured log data by key-values includes receiving, via a user interface, a request to apply an operator to cluster a set of raw log messages according to values for a set of keys associated with the request. At least a portion of each raw log message comprises structured machine data including a set of key-value pairs. It further includes receiving a raw log message in the set of raw log messages. It further includes determining whether to include the raw log message in a cluster based at least in part on an evaluation of values in the structured machine data of the raw log message for the set of keys associated with the request. The cluster is included in a plurality of clusters. Each cluster in the plurality is associated with a different combination of values for the set of keys associated with the request. It further includes providing, via the user interface, information associated with the cluster.

Abstract: Clustering structured log data by key schema includes receiving a raw log message. At least a portion of the raw log message comprises structured machine data including a set of key-value pairs. It further includes receiving a map of keys to values. It further includes using the received map of keys to values to determine a key schema of the structured machine data. The key schema is associated with a corresponding cluster. It further includes associating the raw log message with the cluster corresponding to the determined key schema.

Abstract: Clustering structured log data by key schema includes receiving a raw log message. At least a portion of the raw log message comprises structured machine data including a set of key-value pairs. It further includes receiving a map of keys to values. It further includes using the received map of keys to values to determine a key schema of the structured machine data. The key schema is associated with a corresponding cluster. It further includes associating the raw log message with the cluster corresponding to the determined key schema.

Abstract: Clustering structured log data by key schema includes receiving a raw log message. At least a portion of the raw log message comprises structured machine data including a set of key-value pairs. It further includes receiving a map of keys to values. It further includes using the received map of keys to values to determine a key schema of the structured machine data. The key schema is associated with a corresponding cluster. It further includes associating the raw log message with the cluster corresponding to the determined key schema.

Abstract: Clustering structured log data by key-values includes receiving, via a user interface, a request to apply an operator to cluster a set of raw log messages according to values for a set of keys associated with the request. At least a portion of each raw log message comprises structured machine data including a set of key-value pairs. It further includes receiving a raw log message in the set of raw log messages. It further includes determining whether to include the raw log message in a cluster based at least in part on an evaluation of values in the structured machine data of the raw log message for the set of keys associated with the request. The cluster is included in a plurality of clusters. Each cluster in the plurality is associated with a different combination of values for the set of keys associated with the request.

Abstract: A computer-implemented method for clustering data to improve data analytics may include (1) extracting a social graph from a data set of messages, the social graph indicating messages as edges such that nodes of the edges indicate corresponding senders and recipients in sender-recipient relationships, (2) detecting communities of collaborators by identifying clusters of nodes within the social graph, (3) applying the identified clusters of nodes within the social graph to a grouping calculation to group the messages of the data set into groups of messages, and (4) providing, through a computing interface, results of a data analytics operation to an end user based at least in part on applying the identified clusters of nodes within the social graph to the grouping calculation. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for generating a topic tree for digital information may include parsing the digital information and extracting a set of keywords. This method may also include comparing the set of keywords to an ontology and extracting hierarchies from the ontology that match the set of keywords. The extracted ontology entries may then be pruned and sorted. Various other methods, systems, and computer-readable media are also disclosed.