To address the challenge of efficiently distinguishing genuine threats from massive alerts in Security Operations Centers (SOCs), this paper proposes a graph-based alert contextualization method. It constructs an alert relation graph within a sliding time window, aggregating semantically related alerts into structural graph units. Crucially, it introduces a Graph Matching Network (GMN) to enable fine-grained matching between incoming alerts and historical attack patterns, supporting both attack-stage identification and alert prioritization. The method integrates temporal correlation modeling, graph representation learning, and an interpretable graph aggregation mechanism. Experimental results demonstrate significant improvements: +12.3% in attack-chain identification accuracy and AUC for alert ranking. Moreover, it enhances analysts’ ability to compare current alerts with contextual and historical evidence, providing a higher-level, interpretable graph model for alert analysis.

Interpreting the massive volume of security alerts is a significant challenge in Security Operations Centres (SOCs). Effective contextualisation is important, enabling quick distinction between genuine threats and benign activity to prioritise what needs further analysis.This paper proposes a graph-based approach to enhance alert contextualisation in a SOC by aggregating alerts into graph-based alert groups, where nodes represent alerts and edges denote relationships within defined time-windows. By grouping related alerts, we enable analysis at a higher abstraction level, capturing attack steps more effectively than individual alerts. Furthermore, to show that our format is well suited for downstream machine learning methods, we employ Graph Matching Networks (GMNs) to correlate incoming alert groups with historical incidents, providing analysts with additional insights.