Abstract: Disclosed embodiments provide techniques for cybersecurity AI-driven workflow modifications. A security orchestration, automation, and response (SOAR) platform used to manage a plurality of cybersecurity threat protection applications deployed across a cybersecurity network is accessed. A cybersecurity workflow is executed using the SOAR platform and one or more cybersecurity actions related to the workflow are captured and analyzed for workflow relevance. The cybersecurity actions can include steps taken by security operations center staff and automated cybersecurity threat protection applications. The analysis can be performed by machine learning, and can include evaluations of repeated cybersecurity incidents, operation regression exercises, and suggested remedial steps. The workflow analysis can include identifying recidivistic security operations responses. Based on the analysis, the cybersecurity workflow is updated to improve workflow quality.

Abstract: Disclosed embodiments provide techniques for cybersecurity AI-driven workflow generation using policies. A set of cybersecurity threat protection applications is accessed and managed by a security orchestration, automation, and response (SOAR) platform. The cybersecurity threat protection applications are deployed across a managed cybersecurity network. One or more cybersecurity network compliance requirements are assimilated into the SOAR platform by translating the compliance requirements into one or more cybersecurity application policies and work processes. The assimilation is accomplished using an AI user interface with natural language processing. The cybersecurity application policies provide conformity with the compliance requirements. The application policies generate one or more cybersecurity application workflows for the managed cybersecurity network. The SOAR platform executes the cybersecurity workflow.

Abstract: Disclosed embodiments provide techniques for cybersecurity operations mitigation management. A plurality of network-connected cybersecurity threat protection applications is accessed. A plurality of inputs from the cybersecurity threat protection applications is received in response to one or more cybersecurity events. A cybersecurity mitigation is initiated, triggered by an analysis of the one or more security events. The mitigation is performed by at least one of the threat protection applications. The analysis is performed on a network-connected computer platform. The network-connected computer platform comprises a security automation and response system (SOAR) that enables the analysis, managing, and validating of the cybersecurity event mitigation. The mitigating and validating are based on a library of cybersecurity mitigation success metrics, including validators, success criteria, and time factors.

Abstract: Disclosed techniques include cybersecurity operations case triage groupings. A plurality of network-connected cybersecurity threat protection applications is accessed. A plurality of inputs is received from the cybersecurity threat protection applications. The plurality of inputs is initiated by one or more cybersecurity events. A computer platform is used to analyze metadata associated with the plurality of inputs from the cybersecurity threat protection applications. The analyzing is based on parsing incoming traffic alerts from the cybersecurity threat protection applications. The inputs are triaged into groupings, based on the metadata. The triaging determines commonality of threats among the plurality of inputs. The groupings are based on a number of users experiencing the plurality of inputs. The number of users is matched against a threshold for the plurality of inputs and a particular grouping. A cybersecurity threat response is generated, based on the groupings.

Abstract: Disclosed techniques include cybersecurity operations center load balancing. A cybersecurity security operations center (SOC) caseload history is accessed. Triage results from the SOC caseload history are analyzed on a computer platform to produce an analyst threat response profile. The analyst threat response profile is augmented with threat response resolution metrics. The threat response resolution metrics are updated with a subjective rating. The subjective rating is supplied by management, peers, or machine learning. Notification of a new cybersecurity threat is received across a cybersecurity network by the SOC. The new cybersecurity threat is assigned to a specific analyst, based on the augmented analyst threat response profile. The assigning is further based on weighting of threat severity, threat complexity, and analyst availability. An existing SOC caseload is reassigned to increase availability of the specific analyst.

Abstract: Disclosed techniques include cybersecurity workflow management using autodetection. A cybersecurity threat protection workflow is accessed. At least one cybersecurity threat protection application notification is received. The cybersecurity threat protection application notification causes an irreversible action to be scheduled by the workflow. The irreversible action comprises a destructive response. The destructive response includes killing a process, deleting an account, shutting down a computer, wiping a computer, or shutting down a router. The irreversible action is detected before it is implemented by the workflow. The irreversible action in the workflow is mitigated using a supervisory workflow element. The mitigating the irreversible action comprises initiating a machine learning algorithm. The machine learning algorithm enables a near real-time response. The machine learning algorithm self-triggers the actionable response.