This document discusses using machine learning to generate attack narratives from security alerts. It proposes clustering alerts into narratives using unsupervised machine learning to aggregate millions of alerts into thousands of narratives. This reduces the analysis load on security teams. Real-world data from a large company showed clustering reduced alerts by a factor of 1,000 while still revealing meaningful incidents like a Struts code execution attack. Domain expertise is needed to select features, metrics, and algorithms to produce useful narratives.