Incident triage scoring engine

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for incident response are disclosed. In one aspect, a system includes a cognitive engine that is configured to receive data identifying actions performed in response to a computer security threat. Based on the data identifying the actions performed in response to the computer security threat, the system generates one or more workflows and a particular workflow that are associated with the computer security threat and that each identify one or more actions to remediate the computer security threat. The system also includes a scoring system and event triage engine that is configured to analyze the actions of the one or more workflows and of the particular workflow, and based on analyzing the actions of the one or more workflows and of the particular workflow, select a primary workflow as a workflow to respond to the computer security threat. The system also includes an automated incident investigation engine that is configured to receive an alert that identifies the computer security threat, and process the computer security threat according to the primary workflow that is associated with the computer security threat and that identifies one or more actions to remediate the computer security threat.

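Bibliographic details

  • Publication/announcement number: US10681062B2
  • Patent type:
  • Publication/announcement date: 2020.06.09
  • Original format: PDF
  • Applicant/patentee:
  • Application/patent number: US15799587
  • Filing date: 2017.10.31
  • Classification number:
  • Country: US
  • Date added to database: 2022-08-21 10:55:18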
