H04L41/0631

Cybersecurity incident response and security operation system employing playbook generation through custom machine learning

A new cybersecurity incident is registered at a security incident response platform. A playbook generation system receives details of the new incident from that platform; at least some of the details correspond to a set of features of the new incident. Within a feature space, the system locates a set (or subset) of the new incident's nearest neighbors: other cybersecurity incidents whose distance from the new incident in that feature space is defined by the differences between their features and the new incident's set of features. A custom playbook for responding to the new incident is then created, with prescriptive procedures selected according to how often those procedures were previously employed in response to the nearest-neighbor incidents.

Providing dynamic serviceability for software-defined data centers

Examples described herein include systems and methods for providing dynamic serviceability for a software-defined data center (“SDDC”). An example method can include collecting data-center metrics from a management service that monitors the SDDC, filtering the collected metrics based on a predetermined list of metrics provided by a partner entity, and translating the filtered metrics into a partner-specific format requested by the partner entity. The example method can also include generating metadata associated with the translated data-center information and transmitting the metadata and translated data-center information to a partner site associated with the partner entity. If the partner site is not available, the method can include transmitting the information to a partner-accessible storage location and, when the partner site becomes available, identifying to the partner site the storage location and the failed delivery attempt.

Computer network troubleshooting

A system for troubleshooting network problems is disclosed. A model can use demographic information, network usage information, and network membership information to determine an importance of a problem. The importance of the problem for the user who reported the problem, a number of other users affected by the problem, and the importance of the problem to the other users can be used to determine a priority for resolving the problem. Before and after a work order is executed to resolve the problem, network metrics can be gathered, including aggregate network metrics, and automatically presented in various user interfaces. The analysis of the metrics can be used to update a database of which work orders are assigned in response to which problems.

MECHANISM TO IDENTIFY LINK DOWN REASONS
20230231906 · 2023-07-20

Methods, systems, and devices are provided herein for a mechanism to identify link down reasons. As described herein, a first port of a first peer device may be determined to have unexpectedly changed to a port down state. Subsequently, a topology file may be referenced to identify a second port of a second peer device with which the first peer device is intended to have a link if not for the first port being in a port down state. In some examples, port settings of the first port may be compared with port settings of the second port. If a port setting for the first port mismatches an associated port setting for the second port, an alert message may be transmitted to a network administrator indicating this mismatch as a possible reason for the first port being in the port down state.

Detecting injection attacks using passive network monitoring

Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). NMCs may determine requests provided to a server based on a first portion of network traffic. NMCs may determine suspicious requests based on characteristics of the provided requests. NMCs may employ the characteristics of the suspicious requests to provide correlation information that is associated with the suspicious requests. NMCs may determine dependent actions associated with the server based on a second portion of the network traffic and the correlation information. And, in response to determining anomalous activity associated with the evaluation of the dependent actions, NMCs may provide reports associated with the anomalous activity.
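The two-portion correlation described above (flag suspicious client requests from the first portion of traffic, then evaluate the server's dependent database queries from the second portion), as an added example that is not the patent's or any vendor's code. The request and query records, the suspicious-value pattern and the one-second correlation window are constructed assumptions for illustration; a real NMC would reassemble these from captured packets.

```python
"""Added example (not code from the patent): passive injection detection by
correlating client->server requests with the server's dependent database
queries. Traffic records, the suspicious-value pattern and the correlation
window are constructed assumptions for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ts: float
    client: str
    path: str
    params: dict


@dataclass(frozen=True)
class DbQuery:
    ts: float
    sql: str


# Constructed first portion of traffic: client -> web server requests.
REQUESTS = [
    Request(100.0, "10.0.0.5", "/login", {"user": "alice", "pw": "hunter2"}),
    Request(101.0, "10.0.0.9", "/login", {"user": "' OR 1=1 --", "pw": "x"}),
    Request(102.0, "10.0.0.9", "/search", {"q": "a' UNION SELECT username, password FROM users --"}),
    Request(103.0, "10.0.0.9", "/login", {"user": "' OR 1=1 --", "pw": "x"}),
]

# Constructed second portion of traffic: web server -> database queries.
# The query at 103.1 uses bound parameters, so the same payload causes no anomaly.
DB_QUERIES = [
    DbQuery(100.1, "SELECT id FROM users WHERE name = ? AND pw = ?"),
    DbQuery(101.2, "SELECT id FROM users WHERE name = '' OR 1=1 --' AND pw = 'x'"),
    DbQuery(102.3, "SELECT title FROM items WHERE title LIKE '%a' UNION SELECT username, password FROM users --%'"),
    DbQuery(102.4, "SELECT count(*) FROM items"),
    DbQuery(103.1, "SELECT id FROM users WHERE name = ? AND pw = ?"),
]

# Assumed characteristics that make a parameter value suspicious: a quote,
# comment marker, statement separator, SQL keyword or tautology in user input.
SUSPICIOUS = re.compile(r"'|--|;|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+", re.IGNORECASE)


def normalise(text):
    """Collapse whitespace and case so a payload can be matched inside SQL text."""
    return " ".join(text.split()).lower()


def suspicious_params(req):
    """Parameters of a request whose values match the suspicious pattern."""
    return {name: value for name, value in req.params.items() if SUSPICIOUS.search(value)}


def dependent_actions(req, queries, window):
    """Queries the server issued shortly after the request (the correlation window)."""
    return [q for q in queries if req.ts < q.ts <= req.ts + window]


def detect(requests, queries, window=1.0):
    """Report a suspicious request as anomalous when its payload appears verbatim
    in a dependent query, i.e. the server interpolated user input into SQL."""
    reports = []
    for req in requests:
        for name, value in suspicious_params(req).items():
            fragment = normalise(value)
            for q in dependent_actions(req, queries, window):
                if fragment in normalise(q.sql):
                    reports.append({"request_ts": req.ts, "client": req.client, "path": req.path,
                                    "param": name, "query_ts": q.ts, "sql": q.sql})
    return reports


if __name__ == "__main__":
    for report in detect(REQUESTS, DB_QUERIES):
        print(f"{report['client']} {report['path']} param={report['param']} "
              f"-> interpolated into query at t={report['query_ts']}: {report['sql']}")
```

The point of evaluating the second portion is visible in the last request: the payload at t=103 is just as suspicious as the one at t=101, but its dependent query is parameterised, so nothing is reported. Matching on request characteristics alone would alert on both; the correlation separates an attempt from an attempt that actually reached the query.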

Fault recovery method and apparatus, and storage medium

A fault recovery method and apparatus, and a storage medium are provided, and belong to the field of Internet technologies. In the method, network composition information and abnormal event information of a target network are obtained, where the network composition information includes a network topology of the target network and device information of a plurality of network devices on the target network, and the device information includes one or more of interface configuration information, protocol configuration information, and service configuration information; and then a possible root cause of a fault of the target network is determined based on the network composition information and the abnormal event information, where the possible root cause of the fault is used to determine a corresponding fault recovery plan.

METHOD FOR RECOMMENDING SIMILAR INCIDENT, AND RELATED DEVICE
20230017653 · 2023-01-19

A system and method for recommending a similar incident in operations technologies and a related device are provided. The method includes: obtaining alarm information of a to-be-processed incident; obtaining incident diagnosis information of M dimensions based on the alarm information, wherein the M dimensions include M different perspectives of incident diagnosis, and M is an integer greater than 1; performing processing based on the incident diagnosis information of the M dimensions, to obtain a feature of the to-be-processed incident; obtaining a plurality of similarity degrees through calculation based on the feature of the to-be-processed incident and features of a plurality of historical incidents, wherein the plurality of similarity degrees represent respective similarity degrees between the to-be-processed incident and the plurality of historical incidents; and obtaining a similar incident from the plurality of historical incidents through filtering based on the plurality of similarity degrees, and recommending the similar incident.
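Both this abstract and the playbook-generation abstract at the top of the page rest on the same operation: place the new incident in a feature space, find its nearest historical incidents by distance or similarity degree, and then either recommend those incidents or aggregate the procedures that were run on them. The following added example (not code from either patent) does both over a small constructed incident history; the feature encoding, the per-feature weights, the distance metric and the support threshold are all assumptions for illustration.

```python
"""Added example (not code from either patent): k-nearest-neighbour lookup over
incident features, used both to recommend similar historical incidents and to
assemble a playbook from the procedures those neighbours actually used. The
incident history, feature weights and distance metric are constructed
assumptions for illustration."""
from collections import Counter
from math import sqrt

# Constructed history. Features span several diagnostic dimensions (attack
# vector, asset class, severity, evidence of exfiltration); "procedures" are
# the prescriptive steps analysts ran, in the order they ran them.
HISTORY = [
    {"id": "INC-1", "features": {"vector": "phishing", "asset": "workstation", "severity": 2, "exfil": 0},
     "procedures": ["isolate_host", "reset_credentials", "purge_mailbox"]},
    {"id": "INC-2", "features": {"vector": "phishing", "asset": "workstation", "severity": 3, "exfil": 1},
     "procedures": ["isolate_host", "reset_credentials", "purge_mailbox", "notify_legal"]},
    {"id": "INC-3", "features": {"vector": "malware", "asset": "server", "severity": 4, "exfil": 1},
     "procedures": ["isolate_host", "snapshot_disk", "rebuild_server", "notify_legal"]},
    {"id": "INC-4", "features": {"vector": "bruteforce", "asset": "vpn", "severity": 2, "exfil": 0},
     "procedures": ["block_source_ip", "reset_credentials"]},
    {"id": "INC-5", "features": {"vector": "phishing", "asset": "workstation", "severity": 2, "exfil": 0},
     "procedures": ["isolate_host", "purge_mailbox"]},
]

NEW_INCIDENT = {"id": "INC-NEW",
                "features": {"vector": "phishing", "asset": "workstation", "severity": 3, "exfil": 0}}

# Assumed per-feature weights: the attack vector dominates the distance.
FEATURE_WEIGHTS = {"vector": 2.0, "asset": 1.0, "severity": 1.0, "exfil": 1.5}


def distance(a, b):
    """Weighted Euclidean distance in feature space. Categorical features
    contribute a 0/1 mismatch; numeric features contribute their difference."""
    total = 0.0
    for name, weight in FEATURE_WEIGHTS.items():
        x, y = a[name], b[name]
        diff = (0.0 if x == y else 1.0) if isinstance(x, str) else float(x - y)
        total += weight * diff * diff
    return sqrt(total)


def nearest_neighbours(incident, history, k=3, max_distance=None):
    """Up to k (distance, incident) pairs, nearest first. Neighbours farther
    than max_distance are dropped so unrelated incidents never feed a playbook."""
    scored = sorted(((distance(incident["features"], h["features"]), h) for h in history),
                    key=lambda pair: pair[0])
    if max_distance is not None:
        scored = [pair for pair in scored if pair[0] <= max_distance]
    return scored[:k]


def recommend_similar(incident, history, k=3, min_similarity=0.0):
    """Similarity degree = 1 / (1 + distance); recommend neighbours at or above the threshold."""
    result = []
    for dist, h in nearest_neighbours(incident, history, k):
        similarity = 1.0 / (1.0 + dist)
        if similarity >= min_similarity:
            result.append((h["id"], round(similarity, 3)))
    return result


def build_playbook(incident, history, k=3, min_support=0.5, max_distance=None):
    """Custom playbook: procedures used by at least min_support of the k
    neighbours, ordered by support and then by the earliest position at which
    any neighbour ran them."""
    neighbours = nearest_neighbours(incident, history, k, max_distance)
    if not neighbours:
        return []  # caller should fall back to a human-authored default playbook
    support = Counter()
    first_position = {}
    for _, h in neighbours:
        for pos, proc in enumerate(h["procedures"]):
            first_position[proc] = min(first_position.get(proc, pos), pos)
        support.update(set(h["procedures"]))  # count each procedure once per incident
    n = len(neighbours)
    ranked = sorted(support, key=lambda p: (-support[p] / n, first_position[p], p))
    return [p for p in ranked if support[p] / n >= min_support]


if __name__ == "__main__":
    print("similar incidents:", recommend_similar(NEW_INCIDENT, HISTORY, k=3))
    print("generated playbook:", build_playbook(NEW_INCIDENT, HISTORY, k=3))
```

Two caveats a practitioner would want. The generated playbook can only be as good as the procedures analysts actually ran on the neighbours, so a mistake that was repeated in the history is reproduced here as a recommendation; and without a distance cut-off (max_distance) the k nearest incidents are returned even when none of them is genuinely similar, which is why the example returns an empty playbook rather than stitching one together from far-away incidents.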