Abstract: Techniques are described for enabling analysts and other users of an IT operations platform to identify certain data objects managed by the platform (for example, events, files, notes, actions results, etc.) as “evidence” when such data objects are believed to be of particular significance to an investigation or other matter. For example, an event generated based on data ingested from an anti-virus service and representing a security-related incident might include artifacts indicating an asset identifier, a hash value of a suspected malicious file, a file path on the infected endpoint, and so forth. An analyst can use various interfaces and interface elements of an IT operations platform to indicate which of such events and/or artifacts, if any, represent evidence in the context of the investigation that the analyst is conducting. In response, the IT operations platform can perform various automated actions.

Abstract: An information technology (IT) operations platform is described that enables users to execute one or more executable actions from a set of executable actions presented in a prioritized order based on historical data. In response to identifying an occurrence of a type of incident in an IT environment, the IT operations platform generates a workbook based on a customizable workbook template. The customizable workbook template includes a plurality of tasks grouped into a plurality of phases for responding to occurrences of the type of incident, and each task of the plurality of tasks is associated with a respective set of suggested executable actions for completing the corresponding task. The IT operations platform then causes the display of a graphical user interface (GUI) including a representation of the workbook, including interface elements representing the respective set of suggested executable actions displayed in the prioritized order.

Abstract: Techniques are described for enabling analysts and other users of an IT operations platform to identify certain data objects managed by the platform (for example, events, files, notes, actions results, etc.) as “evidence” when such data objects are believed to be of particular significance to an investigation or other matter. For example, an event generated based on data ingested from an anti-virus service and representing a security-related incident might include artifacts indicating an asset identifier, a hash value of a suspected malicious file, a file path on the infected endpoint, and so forth. An analyst can use various interfaces and interface elements of an IT operations platform to indicate which of such events and/or artifacts, if any, represent evidence in the context of the investigation that the analyst is conducting. In response, the IT operations platform can perform various automated actions.

Abstract: An information technology (IT) operations platform is described that enables users to execute one or more executable actions from a set of executable actions presented in a prioritized order based on historical data. In response to identifying an occurrence of a type of incident in an IT environment, the IT operations platform generates a workbook based on a customizable workbook template. The customizable workbook template includes a plurality of tasks grouped into a plurality of phases for responding to occurrences of the type of incident, and each task of the plurality of tasks is associated with a respective set of suggested executable actions for completing the corresponding task. The IT operations platform then causes the display of a graphical user interface (GUI) including a representation of the workbook, including interface elements representing the respective set of suggested executable actions displayed in the prioritized order.

Abstract: Techniques are described for enabling users to add custom code function blocks and multi-prompt blocks to customizable playbooks that can be executed by an orchestration, automation, and response (OAR) platform. At a high level, a playbook comprises computer program code and possibly other data that can be executed by an OAR platform to carry out an automated set of actions. A playbook is comprised of one or more functions or codeblocks, where each codeblock contains program code that performs defined functionality when the codeblock is encountered during execution of the playbook of which it is a part. For example, a first codeblock may implement an action that is performed relative to one or more IT assets, another codeblock might filter data generated by the first codeblock in some manner, and so forth.