20 research outputs found

    Recovery services for computing systems

    No full text
    Example implementations relate to capturing and/or recovering components of a computing system. A recovery service may receive a recovery script from an external recovery script repository, wherein the recovery script may include a number of actions, each respective action being a capture action or a recovery action. For each action in the recovery script, the recovery service may request a recovery agent to perform the action on a component of the computing system.

    Model-based computer attack analytics orchestration

    No full text
    Examples relate to model-based computer attack analytics orchestration. In one example, a computing device may: generate, using an attack model that specifies behavior of a particular attack on a computing system, a hypothesis for the particular attack, the hypothesis specifying, for a particular state of the particular attack, at least one attack action; identify, using the hypothesis, at least one analytics function for determining whether the at least one attack action specified by the hypothesis occurred on the computing system; provide an analytics device with instructions to execute the at least one analytics function on the computing system; receive analytics results from the analytics device; and update a state of the attack model based on the analytics results.
