Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for incident response are disclosed. In one aspect, a system includes a cognitive engine that is configured to receive data identifying actions performed in response to a computer security threat. Based on the data identifying the actions performed in response to the computer security threat, the system generates one or more workflows and a particular workflow that are associated with the computer security threat and that each identify one or more actions to remediate the computer security threat. The system also includes a scoring system and event triage engine that is configured to analyze the actions of the one or more workflows and of the particular workflow, and based on analyzing the actions of the one or more workflows and of the particular workflow, select a primary workflow as a workflow to respond to the computer security threat.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for incident response are disclosed. In one aspect, a computer-implemented method includes receiving data identifying two or more groups of actions performed to remediate a computer security threat. The method includes determining first unique paths from a first action of each of the two or more groups of actions to a second action of each of the two or more groups of actions, and determining second unique paths from the second action of each of the two or more groups of actions to a third action of each of the two or more groups of actions. The method also includes combining common paths among the first unique paths and the second unique paths, identifying one of the common paths that appears most frequently, and determining a core path that includes a subset of the actions of the two or more groups of actions based on the one of the common paths that appears most frequently.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for incident response are disclosed. In one aspect, a computer-implemented method includes receiving data identifying two or more groups of actions performed to remediate a computer security threat. The method includes determining first unique paths from a first action of each of the two or more groups of actions to a second action of each of the two or more groups of actions, and determining second unique paths from the second action of each of the two or more groups of actions to a third action of each of the two or more groups of actions. The method also includes combining common paths among the first unique paths and the second unique paths, identifying one of the common paths that appears most frequently, and determining a core path that includes a subset of the actions of the two or more groups of actions based on the one of the common paths that appears most frequently.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for incident response are disclosed. In one aspect, a system includes a cognitive engine that is configured to receive data identifying actions performed in response to a computer security threat. Based on the data identifying the actions performed in response to the computer security threat, the system generates one or more workflows and a particular workflow that are associated with the computer security threat and that each identify one or more actions to remediate the computer security threat. The system also includes a scoring system and event triage engine that is configured to analyze the actions of the one or more workflows and of the particular workflow, and based on analyzing the actions of the one or more workflows and of the particular workflow, select a primary workflow as a workflow to respond to the computer security threat.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining threat data contextualization.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining threat data contextualization.