US 11,895,143 B2
Providing action recommendations based on action effectiveness across information technology environments
Sourabh Satish, Fremont, CA (US); Oliver Friedrichs, Woodside, CA (US); Atif Mahadik, Fremont, CA (US); and Govind Salinas, Sunnyvale, CA (US)
Assigned to Splunk Inc., San Francisco, CA (US)
Filed by Splunk Inc., San Francisco, CA (US)
Filed on May 20, 2021, as Appl. No. 17/326,070.
Application 17/326,070 is a continuation of application No. 14/677,493, filed on Apr. 2, 2015, granted, now 11,019,092.
Claims priority of provisional application 62/087,025, filed on Dec. 3, 2014.
Claims priority of provisional application 62/106,830, filed on Jan. 23, 2015.
Claims priority of provisional application 62/106,837, filed on Jan. 23, 2015.
Prior Publication US 2021/0281601 A1, Sep. 9, 2021
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06F 21/55 (2013.01); G06F 16/28 (2019.01); H04L 47/2425 (2022.01)
CPC H04L 63/1441 (2013.01) [G06F 16/285 (2019.01); G06F 21/554 (2013.01); H04L 63/0236 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/20 (2013.01); H04L 47/2425 (2013.01)] 22 Claims
OG exemplary drawing
 
1. A computer-implemented method, comprising:
receiving, by an advisement computing system, an indication of a security incident involving a computing device in a first information technology (IT) environment, wherein the first IT environment is associated with a first organization and includes a plurality of computing devices, wherein the advisement computing system provides action recommendations to a plurality of IT environments associated with a plurality of organizations including the first organization, and wherein the security incident indicates a virus present in the first IT environment;
identifying a plurality of action recommendations for responding to the security incident in the first IT environment;
identifying, for each action recommendation of the plurality of action recommendations, an effectiveness measurement indicating an effectiveness of the action recommendation against past occurrences of security incidents involving the virus, wherein the effectiveness measurement for an action recommendation of the plurality of action recommendations is based on measuring, by the advisement computing system, whether the virus remained active in at least one second IT environment of the plurality of IT environments after execution of the action recommendation in the at least one second IT environment, and wherein the effectiveness measurement for the action recommendation is further generated at least in part by measuring an effectiveness of the action recommendation against security incidents associated with a same internet protocol (IP) address;
identifying a subset of action recommendations from the plurality of action recommendations based on a respective effectiveness measurement of each action recommendation of the plurality of action recommendations, wherein the subset of action recommendations is less than the plurality of action recommendations;
receiving input selecting an action recommendation from the subset of action recommendations; and
implementing the action recommendation in the first IT environment.
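The claim above describes a scoring loop: an advisement system shared by several organizations keeps the outcome of every executed action (did the virus remain active afterwards?), derives a per-action effectiveness score for a new incident from outcomes observed in other organizations' environments for the same virus and for the same IP address, presents only the best-scoring subset, and feeds the chosen action's result back into the shared history. The following Python is an added illustration of that loop and is not Splunk's code; the class and field names (Outcome, Incident, AdvisementSystem), the equal weighting of the virus-based and IP-based measures, the exclusion of the requesting organization's own past outcomes, and the sample incident history are all assumptions made for the example.

```python
"""Rank candidate response actions by measured effectiveness across IT environments.

Added example, not code from the patent or from Splunk. All names and the sample
history below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Outcome:
    env: str             # IT environment (organization) in which the action ran
    action: str          # action recommendation that was executed
    virus: str           # virus named in the incident
    ip: str              # IP address associated with the incident
    still_active: bool   # whether the virus remained active after execution


@dataclass(frozen=True)
class Incident:
    env: str
    virus: str
    ip: str


def _success_rate(outcomes: List[Outcome]) -> Optional[float]:
    """Fraction of outcomes in which the virus did NOT remain active; None if no data."""
    if not outcomes:
        return None
    return sum(1 for o in outcomes if not o.still_active) / len(outcomes)


class AdvisementSystem:
    def __init__(self, candidate_actions: List[str], ip_weight: float = 0.5):
        self.candidates = list(candidate_actions)
        self.ip_weight = ip_weight          # assumed: equal weight for both measures
        self.history: List[Outcome] = []    # outcomes pooled across all organizations

    def record(self, outcome: Outcome) -> None:
        self.history.append(outcome)

    def effectiveness(self, action: str, incident: Incident) -> Optional[float]:
        """Score `action` for `incident` from outcomes observed in OTHER environments.

        Measure (a): how often the same virus was gone after `action` ran elsewhere.
        Measure (b): the same, restricted to incidents sharing the incident's IP.
        Returns None when neither measure has any supporting data.
        """
        others = [o for o in self.history if o.action == action and o.env != incident.env]
        virus_rate = _success_rate([o for o in others if o.virus == incident.virus])
        ip_rate = _success_rate([o for o in others if o.ip == incident.ip])
        if virus_rate is None and ip_rate is None:
            return None
        if ip_rate is None:
            return virus_rate
        if virus_rate is None:
            return ip_rate
        return (1 - self.ip_weight) * virus_rate + self.ip_weight * ip_rate

    def recommend(self, incident: Incident, k: int = 2) -> List[Tuple[str, float]]:
        """Top-k actions as (action, score), best first; actions with no data are dropped."""
        scored = []
        for action in self.candidates:
            score = self.effectiveness(action, incident)
            if score is not None:
                scored.append((action, score))
        scored.sort(key=lambda t: (-t[1], t[0]))
        return scored[:k]

    def implement(self, incident: Incident, action: str, still_active: bool) -> Outcome:
        """Apply the selected action in the incident's environment (execution itself is
        out of scope here) and feed the post-execution check back into the shared
        history so that future recommendations to other organizations use it."""
        outcome = Outcome(incident.env, action, incident.virus, incident.ip, still_active)
        self.record(outcome)
        return outcome


def build_demo() -> AdvisementSystem:
    """Constructed sample history: four organizations, one virus of interest."""
    system = AdvisementSystem(["quarantine_host", "block_ip_at_firewall", "delete_file", "rescan"])
    for o in [
        Outcome("org-b", "quarantine_host",      "W32.Evil",   "203.0.113.5", still_active=False),
        Outcome("org-b", "delete_file",          "W32.Evil",   "203.0.113.5", still_active=True),
        Outcome("org-c", "quarantine_host",      "W32.Evil",   "198.51.100.9", still_active=False),
        Outcome("org-c", "delete_file",          "W32.Evil",   "198.51.100.9", still_active=False),
        Outcome("org-c", "block_ip_at_firewall", "W32.Evil",   "198.51.100.9", still_active=True),
        Outcome("org-d", "block_ip_at_firewall", "Other.Worm", "203.0.113.5", still_active=False),
        # org-a's own earlier outcome is deliberately ignored when scoring org-a incidents
        Outcome("org-a", "delete_file",          "W32.Evil",   "203.0.113.5", still_active=True),
    ]:
        system.record(o)
    return system


if __name__ == "__main__":
    system = build_demo()
    incident = Incident(env="org-a", virus="W32.Evil", ip="203.0.113.5")
    for action, score in system.recommend(incident, k=2):
        print(f"{action}: {score:.2f}")
    # Operator picks an action; the measured result is pooled for every organization.
    system.implement(incident, "block_ip_at_firewall", still_active=False)
```

Note how the IP-based measure lifts block_ip_at_firewall above delete_file even though blocking failed against this virus once in org-c: the shared history shows it worked against the same source address elsewhere. Whether that is the right weighting is an operational decision; the point of the loop is that every implemented action adds one more measured outcome to the pool that all organizations score against.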