Network security is becoming increasingly important as the information age continues to unfold. Network threats may take a variety of forms (e.g., unauthorized requests or data transfers, viruses, malware, large volumes of network traffic designed to overwhelm network resources, and the like). Many organizations subscribe to network-threat services that periodically provide information associated with network threats, for example, reports that include listings of network-threat indicators (e.g., network addresses, uniform resource identifiers (URIs), and the like), or threat signatures (e.g., malware file identifiers), or threat behaviors (e.g., characteristic patterns of advanced persistent threats). The information provided by such services may be utilized by organizations to identify threats against their networks and associated assets. For example, network devices may monitor network communications and identify any communications between endpoints with network addresses that correspond to threat indicators.
Once identified, these communications events may be logged, and the events logs may be provided to a cyberanalysis system or human cyberanalysts for further investigation into the nature and severity of, and potential remedial actions for, the threats events. Typically, the cyberanalysis system or cyberanalysts will determine that only a small portion of these logged threat events will be reportable, in the sense that the events should be reported to the proper authorities who may be responsible for executing the associated remedial actions and for ensuring the security of the network, and who may be responsible for enforcing regulatory compliances or reporting compliance violations. In many modern enterprise networks, however, the volume and creation rate of network threat event logs often overwhelms the human cyberanalysts' capacities for investigating all of the events. Thus, it is imperative that cyberanalysts' work be assigned efficiently. To that end, the cyberanalysis system or cyberanalysts should investigate only those events that have a high probability of being reportable events, and not waste time and effort investigating threat events that are unlikely to be reportable. Accordingly, there is a need for cyberanalysis workflow acceleration.