CPC G06F 16/9024 (2019.01) [G06F 21/552 (2013.01); G06F 21/554 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/20 (2013.01)]
17 Claims
1. A method, performed by one or more processors, comprising:
receiving one or more event records;
generating, using the one or more event records, an event descriptor object descriptive of one or more potential suspicious system events indicative of a cybersecurity threat occurring in a networked system, wherein the event descriptor object comprises a plurality of event properties;
receiving one or more entity records;
generating, using the one or more entity records, an entity descriptor object descriptive of one or more entities relevant to a security of the networked system, wherein the entity descriptor object comprises a plurality of entity properties;
incorporating, into an object graph, the event descriptor object as a first node and the entity descriptor object as a second node;
in response to determining that a value of an entity property of the plurality of entity properties matches a value of an event property of the plurality of event properties, associating, in the object graph, the event descriptor object with the entity descriptor object; and
determining a course of action entity descriptor object descriptive of one or more actions for mitigating the cybersecurity threat, wherein the object graph comprises a link between the event descriptor object and the course of action entity descriptor object.
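The steps of claim 1 carried through in code, as an added example that is not part of the patent and not the applicant's implementation: event and entity descriptor objects become graph nodes, the event is associated with every entity whose property value equals one of its event property values, and a course-of-action node is linked to the event. The records, addresses and the `PLAYBOOK` mapping are all constructed for the example.

```python
# Added example, not from the patent text: an object graph following claim 1.
# Event/entity descriptors become nodes, an edge is created when an entity
# property value equals an event property value, and a course-of-action node
# is linked to the event. Records, IPs and the playbook are all constructed.
def build_event_descriptor(event_records):
    """Merge raw event records into one descriptor with flat event properties."""
    props = {}
    for rec in event_records:
        props.update(rec)
    return {"kind": "event", "properties": props}

class ObjectGraph:
    def __init__(self):
        self.nodes = {}     # node_id -> descriptor object
        self.edges = set()  # (from_id, to_id, relation)

    def add_node(self, node_id, descriptor):
        self.nodes[node_id] = descriptor
        return node_id

    def link(self, a, b, relation):
        self.edges.add((a, b, relation))

    def associate_matching(self, event_id):
        """Link the event to every entity sharing at least one property value."""
        event_values = set(self.nodes[event_id]["properties"].values())
        matched = []
        for node_id, node in self.nodes.items():
            if node["kind"] == "entity" and event_values & set(node["properties"].values()):
                self.link(event_id, node_id, "involves")
                matched.append(node_id)
        return matched

PLAYBOOK = {"brute_force_login": ["lock_account", "block_source_ip"]}  # constructed

def investigate(event_records, entity_records):
    g = ObjectGraph()
    ev = g.add_node("event-1", build_event_descriptor(event_records))
    for i, rec in enumerate(entity_records):
        g.add_node(f"entity-{i}", {"kind": "entity", "properties": dict(rec)})
    matched = g.associate_matching(ev)
    actions = PLAYBOOK.get(g.nodes[ev]["properties"].get("type"), ["triage_manually"])
    coa = g.add_node("coa-1", {"kind": "course_of_action", "properties": {"actions": actions}})
    g.link(ev, coa, "mitigated_by")  # the claim's link between event and course of action
    return g, matched

# Constructed sample input: two event records (alert plus enrichment) and three entities.
SAMPLE_EVENTS = [{"type": "brute_force_login", "src_ip": "203.0.113.7"}, {"user": "alice"}]
SAMPLE_ENTITIES = [{"hostname": "ws-17", "ip": "198.51.100.4"},
                   {"username": "alice", "dept": "finance"},
                   {"ip": "203.0.113.7", "asn": "AS64496"}]
```

Running `investigate(SAMPLE_EVENTS, SAMPLE_ENTITIES)` links the event to the user entity (shared value `alice`) and the external address entity (shared value `203.0.113.7`), while the unrelated workstation stays unlinked.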