# Alert Correlation

Connect related alerts to understand the full attack story.
Correlation is the process of connecting related alerts to see the complete picture of an attack. A single alert rarely tells the full story.
## Why Correlation Matters
Attackers don't operate in isolation:
- Phase 1: Phishing email → User clicks link
- Phase 2: Malware downloads → XDR detects process
- Phase 3: C2 beacon → Firewall sees connection
- Phase 4: Lateral movement → SIEM logs authentication
- Phase 5: Data theft → Firewall sees large upload

Each phase generates alerts. Correlation connects them.
## Correlation Indicators

### IP Address
Same source or destination IP across alerts:
- External IP contacting multiple hosts
- Internal IP making unusual connections
- Known bad IP appearing in multiple logs
### User Account
Same user in multiple suspicious events:
- Failed logins → successful login → privilege escalation
- Normal user suddenly accessing sensitive systems
- Service account used interactively
### Hostname/Endpoint
Multiple alerts from the same system:
- Process execution → file creation → network connection
- Login → process → data access chain
- Endpoint showing signs of compromise
### Time Window
Events occurring close together:
- Alerts within minutes of each other
- Sequence suggesting attack progression
- Burst of activity followed by quiet
### IOCs (Indicators of Compromise)
Shared technical indicators:
- Same file hash across endpoints
- Common domain in network logs
- Matching process names or paths
## Correlation Groups

When alerts are correlated, they form a correlation group:

| Field | Description |
|---|---|
| Group ID | Unique identifier |
| Alert Count | Number of related alerts |
| Severity | Highest severity in group |
| Timeline | First to last alert |
| Common IOCs | Shared indicators |
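As an added example (not SOC Simulator's own code or data), the following Python builds correlation groups from a constructed batch of alerts using exactly the indicator types listed above: two alerts are linked when they share an IP, user, host, hash or domain and fall within a configurable time window of each other, and each resulting group carries the fields from the table (group ID, alert count, highest severity, timeline, common IOCs). The alert records, their field names and the `correlate` function are assumptions made for this example.

```python
"""Added example: link alerts that share an indicator inside a time window.

The sample alerts are constructed to mirror the phases described on this page
(phishing -> malware -> C2 -> lateral movement -> exfiltration) and do not come
from any real tool. Field names and the correlate() function are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Indicator fields an alert may carry; any shared (field, value) pair can link alerts
INDICATOR_FIELDS = ("src_ip", "dst_ip", "user", "host", "hash", "domain")

# Constructed sample alerts from an email gateway, XDR, firewall and SIEM
SAMPLE_ALERTS = [
    {"id": "A1", "tool": "email", "time": "2024-05-01T09:00:00", "severity": "low",
     "user": "jdoe", "domain": "invoice-portal.example"},
    {"id": "A2", "tool": "xdr", "time": "2024-05-01T09:04:00", "severity": "high",
     "user": "jdoe", "host": "WS-042", "hash": "deadbeef01"},
    {"id": "A3", "tool": "firewall", "time": "2024-05-01T09:06:00", "severity": "medium",
     "host": "WS-042", "dst_ip": "203.0.113.7"},
    {"id": "A4", "tool": "siem", "time": "2024-05-01T09:20:00", "severity": "medium",
     "user": "jdoe", "host": "SRV-DB01"},
    {"id": "A5", "tool": "firewall", "time": "2024-05-01T09:45:00", "severity": "high",
     "host": "SRV-DB01", "dst_ip": "203.0.113.7"},
    # Unrelated alert: same day, different user and host, no shared indicator
    {"id": "B1", "tool": "xdr", "time": "2024-05-01T14:00:00", "severity": "low",
     "user": "asmith", "host": "WS-107", "hash": "cafef00d02"},
    # Shares user, host and hash with B1 but two days later -> outside the window
    {"id": "B2", "tool": "xdr", "time": "2024-05-03T08:00:00", "severity": "low",
     "user": "asmith", "host": "WS-107", "hash": "cafef00d02"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


class _DisjointSet:
    """Minimal union-find so transitively linked alerts end up in one group."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(alerts, window_minutes=60):
    """Return correlation groups, each with the fields from the page's table."""
    ds = _DisjointSet([a["id"] for a in alerts])
    window = timedelta(minutes=window_minutes)

    # Index every alert under each (field, value) indicator it carries
    index = defaultdict(list)
    for a in alerts:
        for field in INDICATOR_FIELDS:
            if field in a:
                index[(field, a[field])].append(a)

    # Link chronologically adjacent alerts that share an indicator inside the window;
    # chaining A-B and B-C still joins A and C even if A and C are further apart
    for members in index.values():
        members.sort(key=lambda a: _parse(a["time"]))
        for prev, cur in zip(members, members[1:]):
            if _parse(cur["time"]) - _parse(prev["time"]) <= window:
                ds.union(prev["id"], cur["id"])

    clusters = defaultdict(list)
    for a in alerts:
        clusters[ds.find(a["id"])].append(a)

    groups = []
    for members in clusters.values():
        members.sort(key=lambda a: _parse(a["time"]))
        counts = defaultdict(int)
        for a in members:
            for field in INDICATOR_FIELDS:
                if field in a:
                    counts[(field, a[field])] += 1
        groups.append({
            "alert_ids": [a["id"] for a in members],
            "alert_count": len(members),
            "severity": max((a["severity"] for a in members), key=SEVERITY_RANK.get),
            "timeline": (members[0]["time"], members[-1]["time"]),
            # Common IOCs: indicators shared by at least two alerts in the group
            "common_iocs": sorted(f"{f}={v}" for (f, v), n in counts.items() if n >= 2),
        })
    groups.sort(key=lambda g: g["timeline"][0])
    for n, g in enumerate(groups, 1):
        g["group_id"] = f"CG-{n}"
    return groups


if __name__ == "__main__":
    for g in correlate(SAMPLE_ALERTS):
        print(g["group_id"], g["alert_count"], g["severity"], g["timeline"], g["common_iocs"])
```

With the default 60-minute window the five "A" alerts collapse into one group whose severity is "high" (the highest of its members) and whose common IOCs are the user, both hosts and the external IP, while B1 and B2 stay apart because the shared hash recurs two days later. Shrinking the window to 10 minutes splits the chain at the lateral-movement step, which is the trade-off the Time Window indicator describes: too narrow and a slow attack looks like unrelated alerts, too wide and unrelated activity gets pulled in.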
## Using Correlation in SOC Simulator

### SIEM View
- Click on an alert
- Check the "Related Alerts" section
- View the correlation timeline
- See shared IOCs
### Correlation Timeline
Visual representation showing:
- When each alert occurred
- How alerts relate to each other
- The attack progression
### Correlation Graph
Network-style view showing:
- Alerts as nodes
- Connections between them
- Central indicators (IPs, users, etc.)
## Tips for Better Correlation
When you see one suspicious alert, always ask: "What else should I see if this is real?"
- Pivot on IOCs - Search for IPs, users, hashes across all logs
- Expand timeframe - Look 30 minutes before and after
- Check all tools - SIEM might miss what XDR catches
- Follow the chain - Initial access → execution → persistence → etc.
## Correlation Scoring

SOC Simulator scores your correlation ability:

| Metric | Description |
|---|---|
| Groups Found | Correlation groups you identified |
| Completeness | Did you find all related alerts? |
| Speed | How quickly you connected the dots |
| Accuracy | Were your correlations correct? |
## Practice Exercise
When you see an alert:
- Note the key IOCs (IP, user, hostname, hash)
- Search for each IOC in other alerts
- Build a timeline of events
- Determine if it's isolated or part of a chain
- Assess the full scope before making a triage decision
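The tips above (pivot on IOCs, expand the timeframe by 30 minutes, check all tools, follow the chain) and this practice exercise describe one procedure, so here is a single added Python example of it, not SOC Simulator's own code. It starts from one seed alert, extracts its IOCs, searches constructed log lines from three tools for those IOCs within 30 minutes, takes the IOCs of every match as new pivots, and repeats until nothing new appears. The log formats, the field names and the `pivot_from_seed` function are all assumptions made for this example; note that source and destination IPs are compared by value, so an IP that appears as a destination in a SIEM login and as a source in a firewall connection still links the two.

```python
"""Added example: iterative IOC pivot from one seed alert across several tools.

The log lines are constructed for this example in invented formats; they do not
reflect any real product. The time window is applied to each event already in
the chain, so a chain can extend step by step beyond 30 minutes from the seed
while a lone match from another day is left out.
"""
from datetime import datetime, timedelta

# Constructed logs from three tools: "<timestamp> <tool> <kind> key=value ..."
SAMPLE_LOGS = """\
2024-05-01T09:02:10 siem auth user=jdoe host=WS-042 src=10.0.5.23 result=success
2024-05-01T09:04:31 xdr process user=jdoe host=WS-042 image=update.exe hash=deadbeef01
2024-05-01T09:06:02 firewall conn src=10.0.5.23 dst=203.0.113.7 bytes=1200
2024-05-01T09:21:45 siem auth user=jdoe host=SRV-DB01 src=10.0.5.23 dst=10.0.9.8 result=success
2024-05-01T09:44:12 firewall conn src=10.0.9.8 dst=203.0.113.7 bytes=524288000
2024-05-01T11:30:00 xdr process user=asmith host=WS-107 image=excel.exe hash=cafef00d02
2024-05-02T09:05:00 siem auth user=jdoe host=WS-042 src=10.0.5.23 result=success
"""

# Map raw field names to pivot categories; src and dst both become "ip" so an
# address is matched whichever side of a connection it appears on
PIVOT_FIELDS = {"user": "user", "host": "host", "hash": "hash", "src": "ip", "dst": "ip"}


def parse_log(text):
    """Parse the constructed format into events with a datetime and a field dict."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tool, kind, rest = line.split(" ", 3)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"time": datetime.fromisoformat(ts), "tool": tool,
                       "kind": kind, "fields": fields})
    return events


def iocs_of(event):
    """The pivotable (category, value) pairs carried by one event."""
    return {(PIVOT_FIELDS[k], v) for k, v in event["fields"].items() if k in PIVOT_FIELDS}


def pivot_from_seed(events, seed_index, window_minutes=30):
    """Grow a chain from the seed: an event joins when it shares an IOC with an
    event already in the chain and lies within the window of that event."""
    window = timedelta(minutes=window_minutes)
    chain = {seed_index}
    changed = True
    while changed:  # repeat until a full pass adds nothing (fixpoint)
        changed = False
        for i, ev in enumerate(events):
            if i in chain:
                continue
            for j in list(chain):
                anchor = events[j]
                if abs(ev["time"] - anchor["time"]) <= window and iocs_of(ev) & iocs_of(anchor):
                    chain.add(i)
                    changed = True
                    break
    timeline = sorted((events[i] for i in chain), key=lambda e: e["time"])
    iocs = set().union(*(iocs_of(e) for e in timeline))
    return timeline, iocs


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOGS)
    timeline, iocs = pivot_from_seed(evs, seed_index=1)  # seed: the XDR process alert
    for e in timeline:
        print(e["time"].isoformat(), e["tool"], e["kind"], e["fields"])
    print("IOCs in scope:", sorted(iocs))
```

Seeding on the XDR process alert pulls in the earlier SIEM login, the first firewall connection (via the workstation IP), the login to the database server (via the user), and finally the large upload from that server (via its IP, found only on the second pivot). The identical login on the next day is skipped because it is outside every window, and the asmith alert never shares an IOC at all. The result is the timeline and scope the exercise asks for before a triage decision is made; a seed with a 5-minute window stops after the first three events, which shows why the tip says to expand the timeframe.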