US Patent 11785052 Incident response plan based on indicators of compromise

A system and method for responding to incidents in an enterprise network is disclosed. The system tracks incidents by creating, in an incident Manager, incident objects for each incident. Each incident object includes details for the incidents, also known as incident characteristics. The system also creates one or more indicators of compromise (IOCs) associated with the incident characteristics for each incident. When processing a new incident or an update to an incident, the system compares IOCs associated with the incident object for the incident being processed to stored IOCs for other incidents to determine if other incidents are related to the incident being processed. In embodiments, the system can then generate tasks for responding to new incidents based on incident characteristics of and IOCs associated with the new incidents, and can regenerate tasks for responding to incidents based on updates to incident characteristics of and IOCs associated with the incidents.