Many modern organizations have a security operations center (SOC) to deal with security issues at an organizational and technical level. An SOC may be a centralized unit in which security application administrators and/or network administrators supervise, among other things, the organization's network and network devices in order to monitor for, investigate, and defend against potential threats. For example, the SOC may be tasked with monitoring network devices using security applications that alert SOC network administrators each time a network device is suspected of having been compromised. A network device may be compromised, for example, by being infected with a malicious application such as a virus or other malware.
Unfortunately, however, the task of monitoring a network for every potential instance of a network device being compromised can be very difficult in modern network environments. This difficulty arises from the relatively high number of network devices on modern networks and the relatively high number of potentially threatening circumstances that may arise on those devices on any given day. For example, a large organization may have tens of thousands of network devices connected to its network, and the SOC network administrators of that organization may receive millions of alerts each day, each requesting investigation of a network device that is suspected of having been compromised. The sheer volume of alerts in this example makes it impossible for the SOC network administrators to investigate and defend against more than a very small percentage of them. The alerts that are investigated are often selected at random or on the basis of a rudimentary rules-based ranking, and all other alerts remain uninvestigated. The relatively high number of uninvestigated alerts may result in network devices that were actually compromised remaining unaddressed by network administrators, which leaves the network vulnerable.
The subject matter claimed herein is not limited to embodiments that solve any disadvantages or that operate only in environments such as those described above. Rather, this background is only provided to illustrate one example technology area where some embodiments described herein may be practiced.