US 12,149,413 B2
Cybersecurity incident response and security operation system employing playbook generation through custom machine learning
Dario Valentino Forte, Torre de' Picenardi (IT); Michele Zambelli, Cremona (IT); and Vojtech Letal, Pardubice (CZ)
Assigned to Sumo Logic, Inc., Redwood City, CA (US)
Filed by Sumo Logic, Inc., Redwood City, CA (US)
Filed on May 24, 2023, as Appl. No. 18/322,887.
Application 18/322,887 is a continuation of application No. 17/653,762, filed on Mar. 7, 2022, granted, now 11,706,095.
Application 17/653,762 is a continuation of application No. 16/594,538, filed on Oct. 7, 2019, granted, now 11,469,963.
Application 16/594,538 is a continuation of application No. 15/620,439, filed on Jun. 12, 2017, granted, now 10,439,884.
Claims priority of provisional application 62/490,817, filed on Apr. 27, 2017.
Prior Publication US 2023/0308357 A1, Sep. 28, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06F 21/62 (2013.01); H04L 41/0654 (2022.01); H04L 41/12 (2022.01); G06F 3/0482 (2013.01); H04L 41/22 (2022.01)
CPC H04L 41/12 (2013.01) [G06F 21/62 (2013.01); H04L 41/0654 (2013.01); H04L 63/061 (2013.01); H04L 63/20 (2013.01); G06F 3/0482 (2013.01); H04L 41/22 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer-implemented method comprising:
accessing a plurality of incidents of an incident response system, each incident from the plurality of incidents having an associated playbook comprising actions for resolving the incident;
learning a model based on features associated with the plurality of incidents, wherein the features comprise a first feature for frequencies of actions played for an incident resolution and a second feature for user feedback regarding a resolution of the incident;
accessing information about a new incident;
selecting, by the model, a plurality of related incidents based on a similarity of the features of the new incident and the features of the plurality of incidents;
selecting a plurality of committed actions in the playbooks of the related incidents;
calculating a score for each committed action from the plurality of committed actions;
creating a custom playbook for the new incident with committed actions having a score above a predetermined threshold; and
causing presentation on a display of the custom playbook for responding to the new incident.
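The procedure of claim 1, carried through on constructed data as an added worked example (this is not code from the patent or from Sumo Logic): historical incidents with their played playbooks and analyst feedback form the training set, a new incident is matched against them by the frequency of actions played, the committed actions of the related incidents are scored, and those above a threshold become the custom playbook. Cosine similarity as the similarity measure, the similarity-weighted feedback score, the neighbour count `k`, the action names and the feedback values are all assumptions chosen for illustration, as is the choice to leave actions already played on the new incident out of the recommendation.

```python
"""Added illustration of the claimed method; constructed sample data, not the patent holder's code."""
from collections import Counter
from math import sqrt

# Constructed history: each incident carries the playbook actions played during its
# resolution and analyst feedback on that resolution (0.0 = poor, 1.0 = good).
HISTORY = [
    {"id": "INC-001", "playbook": ["enrich_ip", "block_ip", "isolate_host", "reset_creds"], "feedback": 0.9},
    {"id": "INC-002", "playbook": ["enrich_ip", "block_ip", "notify_user"], "feedback": 0.7},
    {"id": "INC-003", "playbook": ["enrich_ip", "block_ip", "isolate_host", "reimage_host"], "feedback": 0.3},
    {"id": "INC-004", "playbook": ["enrich_url", "quarantine_email", "notify_user"], "feedback": 0.8},
    {"id": "INC-005", "playbook": ["enrich_url", "quarantine_email", "reset_creds"], "feedback": 0.6},
]


def features(incident):
    """First feature: frequency of each action played. Second feature: user feedback
    (a neutral 0.5 is assumed when the incident has not been rated yet)."""
    return Counter(incident["playbook"]), incident.get("feedback", 0.5)


def cosine(a, b):
    """Cosine similarity of two sparse frequency vectors (assumed similarity measure)."""
    keys = set(a) | set(b)
    dot = sum(a.get(k, 0) * b.get(k, 0) for k in keys)
    norm_a = sqrt(sum(v * v for v in a.values()))
    norm_b = sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


class PlaybookModel:
    """Nearest-neighbour model over incident features (the 'learning' step of claim 1)."""

    def __init__(self, incidents):
        self.index = [(inc, *features(inc)) for inc in incidents]

    def related(self, new_incident, k=3):
        """Select the k most similar past incidents by action-frequency features."""
        freq, _ = features(new_incident)
        scored = [(cosine(freq, f), inc, fb) for inc, f, fb in self.index]
        scored.sort(key=lambda t: t[0], reverse=True)  # stable: ties keep history order
        return [t for t in scored[:k] if t[0] > 0.0]

    def score_actions(self, new_incident, k=3):
        """Score each committed action of the related incidents: similarity-weighted
        feedback, normalised by total similarity so scores stay in [0, 1]."""
        rel = self.related(new_incident, k)
        total = sum(sim for sim, _, _ in rel) or 1.0
        already_played = set(new_incident["playbook"])
        scores = {}
        for sim, inc, fb in rel:
            for action in set(inc["playbook"]):
                if action in already_played:
                    continue  # assumed: do not recommend what the analyst has already done
                scores[action] = scores.get(action, 0.0) + sim * fb
        return {a: s / total for a, s in scores.items()}

    def custom_playbook(self, new_incident, threshold=0.25, k=3):
        """Keep actions scoring above the predetermined threshold, best first."""
        scores = self.score_actions(new_incident, k)
        ranked = sorted(scores.items(), key=lambda t: (-t[1], t[0]))
        return [a for a, s in ranked if s > threshold]


# Constructed new incidents: only triage actions played so far, no feedback yet.
NEW_SUSPICIOUS_LOGIN = {"id": "INC-NEW-1", "playbook": ["enrich_ip", "block_ip"]}
NEW_PHISHING = {"id": "INC-NEW-2", "playbook": ["enrich_url"]}

if __name__ == "__main__":
    model = PlaybookModel(HISTORY)
    for inc in (NEW_SUSPICIOUS_LOGIN, NEW_PHISHING):
        print(inc["id"], [r[1]["id"] for r in model.related(inc)])
        print("  scores:", {a: round(s, 3) for a, s in model.score_actions(inc).items()})
        print("  custom playbook:", model.custom_playbook(inc))
```

For the login-style incident the three IP-handling incidents are retrieved and `isolate_host` scores highest because two well-rated resolutions contained it, while `reimage_host` falls below the threshold because its only source incident was rated poorly; the feedback feature is what separates those two cases, which action frequency alone would not.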