Systems and methods for alert prioritization using security events graph
Abstract:
The technology disclosed includes a system to group security alerts generated in a computer network and prioritize grouped security alerts for analysis. The system includes graphing entities in the computer network as nodes connected by one or more edges. Native scores for pending alerts are assigned to nodes or to edges between the nodes. A connection type is assigned to each edge, and weights are assigned to edges representing the relationship strength between the nodes. The technology disclosed includes traversing the graph starting at starting nodes and propagating native scores through and to neighboring nodes connected by the edges. The aggregate score for a visited node is calculated by accumulating the propagated scores arriving at that node with its respective native score. The technology disclosed forms clusters of connected nodes in the graph that have a respective aggregate score above a selected threshold. The clusters are ranked and prioritized for analysis.
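As an added illustration that is not part of the patent text, the following Python sketch implements the pipeline the abstract describes end to end: entities become nodes, pending alerts contribute native scores to nodes or edges, each edge carries a connection type and a weight, a traversal from every alerted node pushes its score to neighbours, aggregate scores are accumulated, and connected nodes above a threshold are clustered and ranked. Every entity name, score and edge weight is constructed sample data; the even split of an edge-level alert score between its endpoints, the attenuation of a propagated score by the product of edge weights along the path, and the fixed hop limit are assumptions of this example, not details taken from the patent.

```python
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Constructed sample data (not from the patent). Native node scores come from
# pending alerts attached directly to that entity; zero means no pending alert.
NODE_SCORES: Dict[str, float] = {
    "host-A": 4.0, "host-B": 0.0, "host-C": 0.0, "user-alice": 0.0,
    "host-D": 3.0, "user-bob": 0.0, "host-E": 0.0,
}
# (src, dst, connection_type, weight, native score of any alert on the edge)
EDGES: List[Tuple[str, str, str, float, float]] = [
    ("user-alice", "host-A", "logon", 0.8, 0.0),
    ("host-A", "host-B", "smb", 0.5, 2.0),   # an alert scored on the edge itself
    ("host-B", "host-C", "rdp", 0.5, 0.0),
    ("host-D", "user-bob", "logon", 0.5, 0.0),
]


def build_graph(node_scores, edges):
    """Return (native score per node, undirected adjacency list).
    Assumption: an alert scored on an edge is split evenly between its endpoints."""
    native = dict(node_scores)
    adjacency = defaultdict(list)
    for src, dst, ctype, weight, edge_score in edges:
        native[src] = native.get(src, 0.0) + edge_score / 2
        native[dst] = native.get(dst, 0.0) + edge_score / 2
        adjacency[src].append((dst, ctype, weight))
        adjacency[dst].append((src, ctype, weight))
    return native, adjacency


def propagate(native, adjacency, max_hops=2):
    """Start a traversal at every node holding a native score and push that score
    to neighbours, attenuated by the product of edge weights along the path.
    Each node receives at most one contribution per starting node (first reach)."""
    propagated = defaultdict(float)
    for start, score in native.items():
        if score <= 0:
            continue
        visited = {start}
        frontier = deque([(start, 1.0, 0)])  # (node, path weight so far, hops)
        while frontier:
            node, path_weight, hops = frontier.popleft()
            if hops == max_hops:
                continue
            for neighbour, _ctype, weight in adjacency[node]:
                if neighbour in visited:
                    continue
                visited.add(neighbour)
                w = path_weight * weight
                propagated[neighbour] += score * w
                frontier.append((neighbour, w, hops + 1))
    return propagated


def aggregate_scores(native, propagated):
    """Aggregate score = native score + everything propagated into the node."""
    return {n: native[n] + propagated.get(n, 0.0) for n in native}


def rank_clusters(aggregate, adjacency, threshold):
    """Connected components among nodes above the threshold, ranked by the
    summed aggregate score of their members (highest first)."""
    hot = {n for n, s in aggregate.items() if s > threshold}
    seen, clusters = set(), []
    for n in sorted(hot):
        if n in seen:
            continue
        component, stack = [], [n]
        seen.add(n)
        while stack:
            cur = stack.pop()
            component.append(cur)
            for nb, _ctype, _w in adjacency[cur]:
                if nb in hot and nb not in seen:
                    seen.add(nb)
                    stack.append(nb)
        clusters.append((sum(aggregate[m] for m in component), sorted(component)))
    clusters.sort(key=lambda c: c[0], reverse=True)
    return clusters


def prioritize(node_scores=NODE_SCORES, edges=EDGES, threshold=1.0, max_hops=2):
    """Run the whole pipeline; returns (aggregate scores, ranked clusters)."""
    native, adjacency = build_graph(node_scores, edges)
    propagated = propagate(native, adjacency, max_hops)
    aggregate = aggregate_scores(native, propagated)
    return aggregate, rank_clusters(aggregate, adjacency, threshold)


if __name__ == "__main__":
    agg, ranked = prioritize()
    for rank, (score, members) in enumerate(ranked, 1):
        print(f"#{rank} score={score:.2f} members={members}")
```

With the sample data, the alerts on host-A and the host-A/host-B edge pull user-alice, host-B and host-C into one cluster that outranks the separate host-D/user-bob cluster, while the isolated host-E never crosses the threshold and is left out of the analyst queue. The connection type is carried on each edge but unused here; a fuller implementation would let it select a per-type weight or decay.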