US 12,443,708 B2
Reduction of security detection false positives
Shalom Shay Shavit, Yehud (IL); Ram Haim Pliskin, Rishon Lezion (IL); and Daniel Davraev, Or Yehuda (IL)
Assigned to Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed by Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed on Feb. 13, 2023, as Appl. No. 18/108,978.
Prior Publication US 2024/0273189 A1, Aug. 15, 2024
Int. Cl. G06F 21/55 (2013.01)
CPC G06F 21/554 (2013.01)
20 Claims
8. At least one non-transitory machine-readable medium comprising instructions that, when executed by at least one processor, cause the at least one processor to perform operations to:
obtain suspicious activity data for an operation;
obtain operation data for the operation;
identify a correlation identifier for the operation;
determine that the correlation identifier is equal to a parent correlation identifier of a parent operation;
generate an operation cluster comprising the operation and the parent operation using the correlation identifier;
determine that the parent operation has not triggered an alert; and
clear members of the operation cluster from the suspicious activity data.
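
The steps of claim 8, written out as an added Python example that is not code from the patent or from Microsoft. The record fields (`op_id`, `correlation_id`, `parent_op_id`), the way a parent is located, and all sample values are assumptions constructed for illustration.

```python
# Constructed sample data. Field names (op_id, correlation_id, parent_op_id)
# are assumptions for illustration; the claim does not define a schema.
OPERATIONS = [
    {"op_id": "op-1", "correlation_id": "c-100", "parent_op_id": None},
    {"op_id": "op-2", "correlation_id": "c-100", "parent_op_id": "op-1"},
    {"op_id": "op-3", "correlation_id": "c-200", "parent_op_id": None},
    {"op_id": "op-4", "correlation_id": "c-200", "parent_op_id": "op-3"},
    {"op_id": "op-5", "correlation_id": "c-300", "parent_op_id": None},
    {"op_id": "op-6", "correlation_id": "c-999", "parent_op_id": "op-1"},
]
SUSPICIOUS = {"op-2", "op-4", "op-5", "op-6"}  # flagged by an upstream detector
ALERTED = {"op-3"}                             # operations that raised an alert


def reduce_false_positives(operations, suspicious, alerted):
    """Return (remaining suspicious op ids, cleared clusters by correlation id)."""
    by_id = {op["op_id"]: op for op in operations}
    remaining = set(suspicious)
    cleared = {}
    for op_id in sorted(suspicious):
        op = by_id.get(op_id)
        if op is None:
            continue  # no operation data: leave flagged
        parent = by_id.get(op["parent_op_id"])
        if parent is None:
            continue  # no parent operation: nothing to cluster with
        cid = op["correlation_id"]
        if cid != parent["correlation_id"]:
            continue  # correlation ids differ: not the same chain
        cluster = {op["op_id"], parent["op_id"]}
        if parent["op_id"] in alerted:
            continue  # parent alerted: keep the child flagged
        remaining -= cluster
        cleared.setdefault(cid, set()).update(cluster)
    return remaining, cleared


if __name__ == "__main__":
    remaining, cleared = reduce_false_positives(OPERATIONS, SUSPICIOUS, ALERTED)
    print("still suspicious:", sorted(remaining))
    print("cleared clusters:", {k: sorted(v) for k, v in cleared.items()})
```

Only `op-2` is cleared: `op-4` has a parent that alerted, `op-5` has no parent, and `op-6` names a parent whose correlation identifier does not match its own.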