Microsoft Corporation
SECURITY ALERT-INCIDENT GROUPING BASED ON INVESTIGATION HISTORY

Abstract:

Technology automatically groups security alerts into incidents using data about earlier groupings. A machine learning model is trained with select data about past alert-incident grouping actions. The trained model prioritizes new alerts and aids alert investigation by rapidly and accurately grouping alerts with incidents. The groupings are provided directly to an analyst or fed into a security information and event management tool. Training data may include entity identifiers, alert identifiers, incident identifiers, action indicators, action times, and optionally incident classifications. Investigative options presented to an analyst but not exercised may serve as training data. Incident updates produced by the trained model may add an alert to an incident, remove an alert, merge two incidents, divide an incident, or create an incident. Personalized incident updates may be based on a particular analyst's historic manual investigation actions. Grouped alerts may be standard, or be based on custom alert triggering rules.