Processes in a network which cause and are attributable to security incidents are identified. Processes which are initiated on devices in an enterprise network at boot of the devices are identified. The enterprise network is continuously monitored to collect data about processes which were initiated or spawned on devices in the enterprise network after the boot of the devices. Each process is determined to be a major system process, a minor system process, or a non-system process based, at least in part, on the collected data which indicates associations among the processes. Based on matching a security incident alert to a first of the processes, it is determined whether the first process is a non-system process to validate the security incident alert.