Abstract: Methods and systems to normalize an input table having a plurality of input table columns with a normalized table having a plurality of normalized table columns are disclosed. For each normalized column identifier associated with a normalized column of the normalized table, a compatibility score is computed for the normalized column identifier and each input column identifier associated with an input column of the input column table to provide set of compatibility scores associated with each normalized column identifier and input column identifier pair. A combinatorial optimization is applied to determine a match for each normalized column identifier with an input column identifier. Data associated with an input column of the input column identifier is mapped to the normalized column of the normalized column identifier matched with the input column identifier.

Abstract: The principles described herein relate to the training and implementation of a model designed to estimate the probability of new security incidents being true incidents. This occurs in an environment where a service such as a SIEM monitors a network of computing systems and other resources and detects a variety of incidents that could be security threats. These incidents are reported to the SOC for investigation and the SOC will take appropriate action to mitigate potential threats of true security breaches. As part of the investigation process, the SOC can label whether a security incident is true, false or benign. After labeling enough security incidents a model can be produced to estimate the probability that new security incidents are true incidents. This would help the SOC filter through security incidents more efficiently and allow for quicker response of the most likely security breaches.