Network attack simulation systems and methods
US-2017006055-A1 · Jan 5, 2017 · US
US11895150B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11895150-B2 |
| Application number | US-202117387603-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 28, 2021 |
| Priority date | Jul 28, 2021 |
| Publication date | Feb 6, 2024 |
| Grant date | Feb 6, 2024 |
Official abstract text for this publication.
Implementations of the present disclosure include receiving analytical attack graph data representative of an analytical attack graph, the analytical attack graph including: one or more rule nodes each representing a network configuration rule; and one or more impact nodes each representing an impact of one or more respective network configuration rules; converting the analytical attack graph to a tactic graph including one or more tactic nodes, each tactic node representing at least one rule node and at least one impact node; determining one or more paths of the tactic graph that lead to a particular network impact; generating a process model based on the paths that lead to the particular network impact, the process model representing network activity for execution of a process that leads to the particular network impact; and executing one or more remedial actions based on the process model to mitigate cyber-security risk to the enterprise network.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method for security of an enterprise network, comprising: receiving, by one or more processors, analytical attack graph data representative of an analytical attack graph, the analytical attack graph including: one or more rule nodes each representing a network configuration rule; and one or more impact nodes each representing an impact of one or more respective network configuration rules; converting, by the one or more processors, the analytical attack graph to a tactic graph including one or more tactic nodes, each tactic node representing at least one rule node and at least one impact node, the converting comprising: retrieving, from a database, data that associates tactic nodes with combinations of rule nodes and impact nodes; and replacing combinations of rule nodes and impact nodes of the analytical attack graph with tactic nodes based on the retrieved data; determining, by the one or more processors, one or more paths of the tactic graph that lead to a particular network impact; generating, by the one or more processors, a process model that is different from the tactic graph, based on the determined one or more paths that lead to the particular network impact, the process model representing network activity for execution of a process that leads to the particular network impact; and executing, by the one or more processors and within the enterprise network, one or more remedial actions based on the process model to mitigate cyber-security risk to the enterprise network.

2. The method of claim 1, wherein: each rule node is associated with a rule type; and each tactic node is associated with a rule type of the respective at least one rule node that is represented by the tactic node.

3. The method of claim 1, wherein the analytical attack graph includes one or more fact nodes each representing an input condition.

4. The method of claim 3, wherein one or more tactic nodes of the tactic graph each represent at least one fact node in combination with the at least one rule node and the at least one impact node.

5. The method of claim 1, wherein generating a process model based on the one or more paths that lead to the particular network impact comprises: generating, from the tactic graph, an event log, the event log including a plurality of events, each event being associated with a respective path of the one or more paths of the tactic graph.

6. The method of claim 5, wherein each event of the event log is associated with a timestamp indicating a time of the event with respect to a simulated start time of the respective path.

7. The method of claim 1, wherein the analytical attack graph data is based on simulated security attacks on the enterprise network.

8. The method of claim 1, wherein each rule node is associated with a hardness score representing a difficulty of achieving the network configuration rule by an attacker.

9. The method of claim 1, wherein: the process model includes one or more network activity nodes, and each network activity node corresponds to one or more tactic nodes of the tactic graph.

10. The method of claim 9, wherein the one or more tactic nodes corresponding to a network activity node represent rule nodes of the same rule type.

11. The method of claim 1, wherein determining one or more paths of the tactic graph that lead to a particular network impact includes determining the one or more paths using a graph traversal algorithm.

12. The method of claim 1, further comprising: comparing network traffic of actual execution of processes within the enterprise network to a set of process models, the set of process models comprising the process model; and identifying the process as being performed in the enterprise network based on the comparing.

13. The method of claim 1, further comprising determining, based on a set of process models, a level of security risk of the enterprise network.

14. The method of claim 1, further comprising training a machine-learning (ML) model at least partially based on the process model.

15. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for process discovery in an enterprise network, the operations comprising: receiving, by the one or more processors, analytical attack graph data representative of an analytical attack graph, the analytical attack graph including: one or more rule nodes each representing a network configuration rule; and one or more impact nodes each representing an impact of one or more respective network configuration rules; converting, by the one or more processors, the analytical attack graph to a tactic graph including one or more tactic nodes, each tactic node representing at least one rule node and at least one impact node, the converting comprising: retrieving, from a database, data that associates tactic nodes with combinations of rule nodes and impact nodes; and replacing combinations of rule nodes and impact nodes of the analytical attack graph with tactic nodes based on the retrieved data; determining, by the one or more processors, one or more paths of the tactic graph that lead to a particular network impact; generating, by the one or more processors, a process model that is different from the tactic graph based on the determined one or more paths that lead to the particular network impact, the process model representing network activity for execution of a process that leads to the particular network impact; and executing, by the one or more processors and within the enterprise network, one or more remedial actions based on the process model to mitigate cyber-security risk to the enterprise network.

16. The non-transitory computer-readable storage medium of claim 15, wherein: each rule node is associated with a rule type; and each tactic node is associated with a rule type of the respective at least one rule node that is represented by the tactic node.

17. The non-transitory computer-readable storage medium of claim 15, wherein the analytical attack graph includes one or more fact nodes each representing an input condition.

18. A system, comprising: one or more computers; and a computer-readable storage device coupled to the one or more computers and having instructions stored thereon which, when executed by the one or more computers, cause the one or more computers to perform operations for process discovery in an enterprise network, the operations comprising: receiving, by one or more computers, analytical attack graph data representative of an analytical attack graph, the analytical attack graph including: one or more rule nodes each representing a network configuration rule; and one or more impact nodes each representing an impact of one or more respective network configuration rules; converting, by the one or more computers, the analytical attack graph to a tactic graph including one or more tactic nodes, each tactic node representing at least one rule node and at least one impact node, the converting comprising: retrieving, from a database, data that associates tactic nodes with combinations of rule nodes and impact nodes; and replacing combinations of rule nodes and impact nodes of the analytical attack graph with tactic nodes based on the retrieved data; determining, by the one or more computers, one or more paths of the tactic graph that lead to a particular network impac
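The abstract and claims 1 through 11 describe a pipeline rather than show one, so the following is an added, runnable sketch of that pipeline. It is not the patent's code or Accenture's implementation; the attack graph, the (rule, impact) to tactic lookup table standing in for the claimed "database", the rule types and the hardness scores are all constructed for illustration, and the choice to advance each event's timestamp by the preceding rules' hardness (claims 6 and 8) and to rank remediation by tactics common to every path are assumptions of this example, not something the page states.

```python
from collections import defaultdict

# ---- Constructed input: a small analytical attack graph -------------------
# Each node is (kind, rule_type); kinds follow the claims: "fact" (input
# condition), "rule" (network configuration rule), "impact". Edges run from
# preconditions into a rule and from a rule to the impact it yields.
AAG_NODES = {
    "f_internet": ("fact", None), "f_vuln_web": ("fact", None),
    "r_exploit_web": ("rule", "remote_exploit"), "i_exec_web": ("impact", None),
    "r_creds_web": ("rule", "credential_access"), "i_creds": ("impact", None),
    "r_lateral_db": ("rule", "lateral_movement"), "i_exec_db": ("impact", None),
    "r_exploit_db": ("rule", "remote_exploit"),
    "r_exfil": ("rule", "exfiltration"), "i_data_loss": ("impact", None),
}
AAG_EDGES = [
    ("f_internet", "r_exploit_web"), ("f_vuln_web", "r_exploit_web"),
    ("r_exploit_web", "i_exec_web"), ("i_exec_web", "r_creds_web"),
    ("r_creds_web", "i_creds"), ("i_creds", "r_lateral_db"),
    ("r_lateral_db", "i_exec_db"), ("i_exec_web", "r_exploit_db"),
    ("r_exploit_db", "i_exec_db"), ("i_exec_db", "r_exfil"),
    ("r_exfil", "i_data_loss"),
]
# Claim 8: hardness score per rule node (assumed here to be simulated time steps).
HARDNESS = {"r_exploit_web": 3, "r_creds_web": 1, "r_lateral_db": 2,
            "r_exploit_db": 4, "r_exfil": 1}
# Stand-in for the claim 1 "database": (rule, impact) pair -> tactic node.
TACTIC_DB = {
    ("r_exploit_web", "i_exec_web"): "T_initial_access",
    ("r_creds_web", "i_creds"): "T_credential_access",
    ("r_lateral_db", "i_exec_db"): "T_lateral_movement",
    ("r_exploit_db", "i_exec_db"): "T_exploit_internal",
    ("r_exfil", "i_data_loss"): "T_exfiltration",
}


def to_tactic_graph(nodes, edges, tactic_db, hardness):
    """Claims 1-2: replace every (rule, impact) pair with its tactic node, which
    inherits the rule's type. Fact nodes stay as entry points. Returns
    (adjacency, tactic -> rule type, tactic -> hardness of its rule)."""
    by_rule, by_impact, ttype, thard = defaultdict(list), defaultdict(list), {}, {}
    for (rule, impact), tactic in tactic_db.items():
        by_rule[rule].append(tactic)
        by_impact[impact].append(tactic)  # one impact may belong to several tactics
        ttype[tactic] = nodes[rule][1]
        thard[tactic] = hardness[rule]
    unmapped = [n for n, (k, _) in nodes.items() if k == "rule" and n not in by_rule]
    if unmapped:  # a rule with no tactic mapping would silently vanish from every path
        raise ValueError(f"rule nodes without a tactic mapping: {unmapped}")

    def lift(n):  # the tactic node(s) that now stand for AAG node n
        kind = nodes[n][0]
        return by_rule[n] if kind == "rule" else by_impact[n] if kind == "impact" else [n]

    adj = defaultdict(set)
    for src, dst in edges:
        if nodes[src][0] == "rule" and nodes[dst][0] == "impact":
            continue  # the rule->impact edge is absorbed inside the tactic node
        for s in lift(src):
            for d in lift(dst):
                if s != d:
                    adj[s].add(d)
    return adj, ttype, thard


def paths_to_impact(nodes, adj, tactic_db, impact):
    """Claim 11: depth-first traversal from every fact node to every tactic node
    that yields `impact`; returns the distinct tactic sequences (facts dropped)."""
    targets = {t for (_, i), t in tactic_db.items() if i == impact}
    found = []

    def dfs(node, trail):
        if node in targets:
            seq = tuple(n for n in trail if n not in nodes)  # tactics are not AAG nodes
            if seq not in found:
                found.append(seq)
            return
        for nxt in sorted(adj[node]):
            if nxt not in trail:  # no revisiting: keeps the walk acyclic
                dfs(nxt, trail + [nxt])

    for start in [n for n, (k, _) in nodes.items() if k == "fact"]:
        dfs(start, [start])
    return found


def event_log(paths, thard, start=0):
    """Claims 5-6: one case per path; each event's timestamp is relative to the
    simulated start and is advanced by the hardness of the tactics before it."""
    log = []
    for case, seq in enumerate(paths):
        t = start
        for tactic in seq:
            log.append({"case": case, "tactic": tactic, "t": t})
            t += thard[tactic]
    return log


def process_model(log, ttype):
    """Claims 9-10: tactics of the same rule type collapse into one network
    activity node; each edge counts cases in which activity a is followed by b."""
    by_case, dfg = defaultdict(list), defaultdict(int)
    for e in sorted(log, key=lambda e: (e["case"], e["t"])):
        by_case[e["case"]].append(ttype[e["tactic"]])
    for acts in by_case.values():
        for a, b in zip(acts, acts[1:]):
            dfg[(a, b)] += 1
    return dict(dfg)


def choke_points(paths, thard):
    """Tactics every path to the impact passes through, attacker-easiest first:
    an illustrative way to order remedial actions, not the patent's own rule."""
    common = set.intersection(*map(set, paths)) if paths else set()
    return sorted(common, key=lambda t: thard[t])


if __name__ == "__main__":
    adj, ttype, thard = to_tactic_graph(AAG_NODES, AAG_EDGES, TACTIC_DB, HARDNESS)
    paths = paths_to_impact(AAG_NODES, adj, TACTIC_DB, "i_data_loss")
    for p in paths:
        print(" -> ".join(p))
    print(process_model(event_log(paths, thard), ttype))
    print("remediate first:", choke_points(paths, thard))
```

Two things worth noticing when running it: the impact `i_exec_db` is reachable through two different rules, so it is absorbed into two tactic nodes and both inherit its outgoing edge, and because both `r_exploit_web` and `r_exploit_db` carry the rule type `remote_exploit`, the process model contains a `remote_exploit -> remote_exploit` self-loop, which is exactly the collapse that claim 10 describes.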
Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks · CPC title
Machine learning · CPC title
the condition being an adaptation, e.g. in response to network events · CPC title
Fully automatic configuration · CPC title
using time frame reporting · CPC title
Related publications grouped by family.