Abstract: Disclosed techniques include cybersecurity operations case triage groupings. A plurality of network-connected cybersecurity threat protection applications is accessed. A plurality of inputs is received from the cybersecurity threat protection applications. The plurality of inputs is initiated by one or more cybersecurity events. A computer platform is used to analyze metadata associated with the plurality of inputs from the cybersecurity threat protection applications. The analyzing is based on parsing incoming traffic alerts from the cybersecurity threat protection applications. The inputs are triaged into groupings, based on the metadata. The triaging determines commonality of threats among the plurality of inputs. The groupings are based on a number of users experiencing the plurality of inputs. The number of users is matched against a threshold for the plurality of inputs and a particular grouping. A cybersecurity threat response is generated, based on the groupings.

Abstract: Disclosed techniques include cybersecurity operations center load balancing. A cybersecurity security operations center (SOC) caseload history is accessed. Triage results from the SOC caseload history are analyzed on a computer platform to produce an analyst threat response profile. The analyst threat response profile is augmented with threat response resolution metrics. The threat response resolution metrics are updated with a subjective rating. The subjective rating is supplied by management, peers, or machine learning. Notification of a new cybersecurity threat is received across a cybersecurity network by the SOC. The new cybersecurity threat is assigned to a specific analyst, based on the augmented analyst threat response profile. The assigning is further based on weighting of threat severity, threat complexity, and analyst availability. An existing SOC caseload is reassigned to increase availability of the specific analyst.

Abstract: Disclosed techniques include cybersecurity workflow management using autodetection. A cybersecurity threat protection workflow is accessed. At least one cybersecurity threat protection application notification is received. The cybersecurity threat protection application notification causes an irreversible action to be scheduled by the workflow. The irreversible action comprises a destructive response. The destructive response includes killing a process, deleting an account, shutting down a computer, wiping a computer, or shutting down a router. The irreversible action is detected before it is implemented by the workflow. The irreversible action in the workflow is mitigated using a supervisory workflow element. The mitigating the irreversible action comprises initiating a machine learning algorithm. The machine learning algorithm enables a near real-time response. The machine learning algorithm self-triggers the actionable response.

Abstract: Disclosed techniques include integrated cybersecurity state change buffer service. A plurality of network-connected cybersecurity threat protection applications is accessed. A background synchronization service is initiated. The background synchronization service receives status from at least one of the plurality of cybersecurity threat protection applications. The status comprises high-volume incoming status data. The status is monitored, using the background synchronization service. A real-time state change in the status is identified, based on the monitoring. The identifying a real-time state change includes quantifying incoming data associated with the status. An actionable response is triggered, based on the state change that was identified. The actionable response enables self-healing of a connected security orchestration, automation, and response (SOAR) application system. The status is processed, using the background synchronization service, to provide the actionable response.

Abstract: Disclosed techniques include integrated cybersecurity threat management. A plurality of network-connected cybersecurity threat protection applications is accessed. A plurality of heterogeneous log files is ingested, wherein the log files are generated by at least two of the cybersecurity threat protection applications. The plurality of heterogeneous log files that were ingested is evaluated to enable identification of cybersecurity threat protection application capabilities. Each of the plurality of log files is sorted. The sorting enables identification of cybersecurity threat protection elements among the plurality of log files. The cybersecurity threat protection elements that were identified are integrated. The integrated cybersecurity threat protection elements are evaluated. At least one response for cybersecurity threat management is generated, based on a result of the evaluating. The response is provided to a cybersecurity threat management entity.

Abstract: Disclosed techniques include cybersecurity threat management using impact scoring. A plurality of cybersecurity threat protection applications is accessed. A first cybersecurity threat notification is received from one of the plurality of cybersecurity threat protection applications. An impact score is dynamically assigned to the first cybersecurity threat notification, wherein the assigning an impact score is based on information about a device for which the first cybersecurity threat notification was received. The impact score is weighted based on an evaluation of a user of the device for which the first cybersecurity threat notification was received. The weighting is further based on evaluation of device owners and evaluation of an asset. The information about a device and information about one or more users of the device comprise impact score metadata. The first cybersecurity threat notification is responded to, based on the impact score. The dynamically assigning includes the impact score metadata.

Abstract: Disclosed techniques include cybersecurity threat management using element mapping. A plurality of cybersecurity threat protection applications is accessed. The cybersecurity threat protection applications include at least two different data management schemas. A first mapping of each of the plurality of cybersecurity threat protection applications is integrated. The first mapping includes a transformation of outputs of each of the plurality of cybersecurity threat protection applications. A second mapping of each of the plurality of cybersecurity threat protection applications is integrated. The second mapping includes a transformation of inputs of each of the plurality of cybersecurity threat protection applications. Cybersecurity is managed for a data network, based on data collected through the first mapping and data transmitted through the second mapping. The integrating a first mapping and a second mapping comprises a universal data layer for cybersecurity management.