The patent badge is an abbreviated version of the USPTO patent document. The patent badge covers the following: Patent number, Date patent was issued, Date patent was filed, Title of the patent, Applicant, Inventor, Assignee, Attorney firm, Primary examiner, Assistant examiner, CPCs, and Abstract. The patent badge does contain a link to the full patent document (in Adobe Acrobat format, aka pdf).
Patent No.:
Date of Patent:
Jul. 04, 2023
Filed:
Jul. 27, 2021
Applicant:
Sumo Logic Inc., Redwood City, CA (US);
Inventors:
Dario Valentino Forte, Torre de' Picenardi, IT;
Michele Zambelli, Cremona, IT;
Tomás Drtina, Kunratice-Praha, CZ;
Assignee:
Sumo Logic, Inc., Redwood City, CA (US);
Abstract
A cybersecurity incident is registered at a security incident response platform. At a playbook generation system, details are received of the cybersecurity incident from the security incident response platform. At least some of the details correspond to a set of features of the cybersecurity incident. A set or subset of nearest neighbors of the cybersecurity incident is localized in a feature space. The nearest neighbors of the cybersecurity incident are other cybersecurity incidents having a distance from the cybersecurity incident within the feature space that is defined by differences in features of the nearest neighbors with respect to the set of features of the cybersecurity incident. A playbook is created for responding to the cybersecurity incident having prescriptive procedures based on occurrences of prescriptive procedures previously employed in response to the nearest neighbor cybersecurity incidents. The differences in features of the nearest neighbors with respect to the set of features of the cybersecurity incident are calculated, for at least one feature, using a present-or-equal metric, and for at least one other feature, using a symmetric difference metric. The playbook generation system is also a parent recommendation system, which identifies a parent for the cybersecurity incident, based on distances of the nearest neighbors of the cybersecurity incident in the feature space. The parent recommendation system adjusts, based on the recommended parent or the parent other than the recommended parent being selected, weights of features upon which distances in the feature space are based.
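The nearest-neighbor playbook and parent recommendation described in the abstract can be sketched as follows. This is an added example, not code from the patent or from Sumo Logic. The abstract does not define the two metrics, so the definitions of `present_or_equal` and `symmetric_difference`, the feature names, the weights, the `min_share` threshold and the sample incidents are all assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample history of past incidents (not real data).
HISTORY = [
    {"id": "INC-1", "type": "phishing", "severity": "high",
     "iocs": {"mail.example.test", "198.51.100.7"},
     "procedures": ["quarantine_email", "reset_credentials", "block_sender"]},
    {"id": "INC-2", "type": "phishing", "severity": "medium",
     "iocs": {"mail.example.test"},
     "procedures": ["quarantine_email", "block_sender"]},
    {"id": "INC-3", "type": "malware", "severity": "high",
     "iocs": {"203.0.113.9"},
     "procedures": ["isolate_host", "collect_memory"]},
]
SCALAR_FEATURES = ("type", "severity")   # compared with present-or-equal
SET_FEATURES = ("iocs",)                 # compared with symmetric difference
WEIGHTS = {"type": 2.0, "severity": 1.0, "iocs": 3.0}  # assumed weights

def present_or_equal(a, b):
    """Assumed definition: 0 when both values are present and equal, else 1."""
    return 0.0 if a is not None and a == b else 1.0

def symmetric_difference(a, b):
    """Assumed definition: |A xor B| / |A union B|; two empty sets are identical."""
    union = a | b
    return len(a ^ b) / len(union) if union else 0.0

def distance(x, y, weights=WEIGHTS):
    """Weighted sum of per-feature differences between two incidents."""
    d = sum(weights[f] * present_or_equal(x.get(f), y.get(f))
            for f in SCALAR_FEATURES)
    d += sum(weights[f] * symmetric_difference(x.get(f, set()), y.get(f, set()))
             for f in SET_FEATURES)
    return d

def nearest(incident, history, k=2):
    """The k past incidents closest to the new one in feature space."""
    return sorted(history, key=lambda h: distance(incident, h))[:k]

def build_playbook(incident, history, k=2, min_share=0.6):
    """Keep procedures used by at least min_share of the neighbors;
    recommend the closest neighbor as parent."""
    neighbors = nearest(incident, history, k)
    counts = Counter(p for n in neighbors for p in dict.fromkeys(n["procedures"]))
    steps = sorted((p for p, c in counts.items() if c / len(neighbors) >= min_share),
                   key=lambda p: (-counts[p], p))
    return {"parent": neighbors[0]["id"], "playbook": steps}

NEW_INCIDENT = {"id": "INC-NEW", "type": "phishing", "severity": "high",
                "iocs": {"mail.example.test", "198.51.100.7", "login.example.test"}}
```

The weight adjustment after an analyst accepts or overrides the recommended parent is not modelled here, because the abstract gives no update rule for it.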