On an individual scale, a user can secure a computing device by installing and regularly updating a suite of anti-malware products and by investigating the reports those products produce about suspicious activity on the device. On an enterprise scale, an administrator may be responsible for large numbers of computing devices and networks, each with a suite of security products installed that generates its own reports. In some cases, a single administrator may be responsible for hundreds of physical and virtual computing systems across dozens of networks that collectively generate thousands of incident reports, only some of which indicate genuine malicious activity. In some instances, an incident report may describe malicious activity that has already been handled by automated systems, such as a malware download that was successfully blocked, and that therefore requires no further action. Only a few reports out of thousands may contain information that an administrator needs to assess and act upon.
Unfortunately, some traditional systems for analyzing incident reports may have no method in place for separating severe incidents that require human attention from benign or minor incidents that can be safely ignored. Other traditional systems may have labeling methods with high rates of false positives, which consume analyst time on incidents that pose no threat, or high rates of false negatives, which leave genuine threats unaddressed and endanger security. The instant disclosure, therefore, identifies and addresses a need for systems and methods for labeling automatically generated reports.