Security incident disposition predictions based on cognitive evaluation of security knowledge graphs
Abstract:
Mechanisms are provided to perform security incident disposition operations. A security incident is received that includes a security incident data structure comprising metadata describing properties of the security incident, and a corresponding security knowledge graph which includes nodes representing elements associated with the security incident and edges representing relationships between the nodes. The security incident data structure and security knowledge graph are processed to extract a set of security incident features corresponding to the security incident and input the extracted set of security incident features into a trained security incident machine learning model. The model generates a disposition classification output based on results of processing the extracted set of security incident features. The disposition classification output is output to the source of the security incident data structure.