# Alert Correlation
[[Alert Correlation]] is an [[Incident Containment]] capability which ingests alerts from the organization's resources, stores them, and triages them to identify unauthorized access to or abuse of the organization's resources. Alert correlation is commonly automated because of the volume of events and the scale required to triage alerts. It commonly requires events to be sent as logs to a collector, which enriches the alerts with additional metadata and stores them while they are processed against the rules that support correlation.
## Map
``` mermaid <!-- element style="width:90%; height:auto" -->
graph TD
Top[[Cybersecurity]] --- E[[Incident Containment]]
E --- E.1[[Alert Correlation]]
E --- E.2[[Case Management]]
E --- E.3[[Incident Management]]
E --- E.4[[Forensic Analysis]]
E --- E.5[[Asset Restoration]]
E --- E.6[[Abuse Reporting]]
E --- E.7[[Failure Tracing]]
E.1 --- E.1.1[[Alert Definition]]
E.1.1 --- E.1.2[[Alert Collection]]
E.1.2 --- E.1.3[[Alert Triage]]
E.1.3 --- E.1.4[[Potential Case Feed]]
%% Class Definitions
%% =====================
class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6,E.7 internal-link,font-color:white;
class Top cssClassL0;
classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white;
class A,B,C,D,E cssClassL1;
classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white;
class A.1,A.2,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6,E.7 cssClassL2;
classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white;
class E.1 cssClassCurrent;
classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```
## Definition
> [!success] Definition
> **Alert Correlation** is the ability to collect alerts and correlate them to quickly detect the suspicious and abusive behaviors of an attack on an intended target, for the purpose of identifying a case, and potentially an incident, that may require response.
## Goals
>[!cm-goal] Goal 1
>**Rapid Identification** - Unauthorized activity against a resource is detected quickly to reduce the potential for the unauthorized access to spread laterally and/or achieve an adversary's objective.
>[!cm-goal] Goal 2
>**Detect Abuse Patterns** - Alerts are defined to identify abuse which requires investigation to reduce the potential for unauthorized access to achieve an adversary's objective.
>[!cm-goal] Goal 3
>**Predict Potential Incident** - By using thresholds and timing, alert correlation aids in predicting and eradicating a potential incident before it achieves unauthorized access or attempts to move laterally within the environment.
>[!cm-goal] Goal 4
>**Prioritize Investigations** - Identify correlated alerts which could meet the definition of a case and require additional investigation to ensure proper handling and enforcement of controls.
## Scope
The scope of Alert Correlation covers all assets that have a defined defensive model and require monitoring to detect bad and suspicious behavior that may need further investigation.
## Process
```mermaid
flowchart LR
A1[Adversary Patterns]
A2[Exploitable <br /> Opportunities <br /> Feed]
A3[Threat Intel]
A4[Event Definitions]
A[Define Alerts]
B1[Bad Behavior]
B2[Suspicious Behavior]
B3[Good Behavior]
B[Alerts]
C[Collect and <br /> Store Alerts]
D[Triage Alerts]
E[Identify <br /> Potential Cases]
F[Send Potential Cases <br /> to Stakeholders]
A1 --> A
A2 --> A
A3 --> A
A4 --> A
A --> B1
A --> B2
A --> B3
A --> E
B1 ~~~ B2 ~~~ B3
B1 --> B
B2 --> B
B3 --> B
B --> C
C --> D
D --> E
E --> F
```
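The flowchart above, Goal 3's use of thresholds and timing, and two of the metrics below can be illustrated in one small pipeline. The following is an added example, not code from Cyber City Map or any product: it defines three alert rules (bad, suspicious and good behavior), collects and enriches the alerts, triages them per entity inside a correlation window, and emits potential-case records for stakeholders. The event list, the `ASSET_OWNERS` lookup, the severity scores and the case threshold are all constructed for the example.

```python
"""Added example: a toy alert-correlation pipeline following the page's process:
define alerts -> collect and store (with enrichment) -> triage -> potential cases -> feed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events (hypothetical): (timestamp_seconds, user, event_type)
EVENTS = [
    (100, "alice", "auth_fail"), (110, "alice", "auth_fail"), (120, "alice", "auth_fail"),
    (130, "alice", "auth_fail"), (135, "alice", "auth_fail"), (140, "alice", "auth_success"),
    (200, "bob", "auth_fail"), (900, "bob", "auth_success"),
]
# Hypothetical asset metadata used to enrich alerts and pick a stakeholder
ASSET_OWNERS = {"alice": "finance-team", "bob": "it-ops"}

@dataclass
class Alert:
    ts: int
    entity: str               # correlation key (the user here)
    rule: str
    severity: str             # "good" | "suspicious" | "bad", as in the process diagram
    meta: dict = field(default_factory=dict)

@dataclass
class Case:
    entity: str
    alerts: list
    stakeholder: str

# --- Step 1: Define Alerts (each rule inspects one entity's time-sorted events) ---
def rule_auth_failure_burst(entity, events, threshold=5, window=60):
    """Suspicious: at least `threshold` failures within `window` seconds."""
    fails = [ts for ts, _, kind in events if kind == "auth_fail"]
    for i, start in enumerate(fails):
        count = sum(1 for t in fails[i:] if t - start <= window)   # sliding window
        if count >= threshold:
            return Alert(start, entity, "auth_failure_burst", "suspicious", {"count": count})
    return None

def rule_success_after_failures(entity, events, min_fails=3, window=120):
    """Bad: a success preceded by at least `min_fails` failures within `window` seconds."""
    for ts, _, kind in events:
        if kind == "auth_success":
            prior = [t for t, _, k in events if k == "auth_fail" and 0 <= ts - t <= window]
            if len(prior) >= min_fails:
                return Alert(ts, entity, "success_after_failures", "bad", {"prior_fails": len(prior)})
    return None

def rule_clean_login(entity, events, window=120):
    """Good: a success with no failures in the preceding `window` seconds (recorded, never a case)."""
    for ts, _, kind in events:
        if kind == "auth_success":
            if not any(k == "auth_fail" and 0 <= ts - t <= window for t, _, k in events):
                return Alert(ts, entity, "clean_login", "good")
    return None

RULES = [rule_auth_failure_burst, rule_success_after_failures, rule_clean_login]

# --- Step 2: Collect and Store Alerts (run rules per entity, enrich, keep in a store) ---
def collect_alerts(events):
    by_entity = defaultdict(list)
    for ev in sorted(events):
        by_entity[ev[1]].append(ev)
    store = []
    for entity, evs in by_entity.items():
        for rule in RULES:
            alert = rule(entity, evs)
            if alert is not None:
                alert.meta["owner"] = ASSET_OWNERS.get(entity, "unknown")   # enrichment
                store.append(alert)
    return store

# --- Step 3/4: Triage Alerts and Identify Potential Cases ---
SEVERITY_SCORE = {"good": 0, "suspicious": 1, "bad": 3}
CASE_THRESHOLD = 3      # score an entity must reach inside the correlation window

def triage(alerts, window=300):
    """Correlate each entity's alerts that fall within `window` seconds of its earliest alert."""
    cases = []
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a.entity].append(a)
    for entity, group in grouped.items():
        group.sort(key=lambda a: a.ts)
        related = [a for a in group if a.ts - group[0].ts <= window]
        score = sum(SEVERITY_SCORE[a.severity] for a in related)
        if score >= CASE_THRESHOLD:
            cases.append(Case(entity, related, related[0].meta["owner"]))
    return cases

# --- Step 5: Send Potential Cases to Stakeholders (here: build the feed records) ---
def potential_case_feed(cases):
    return [{"entity": c.entity, "stakeholder": c.stakeholder,
             "rules": [a.rule for a in c.alerts], "first_seen": c.alerts[0].ts} for c in cases]

def metrics(events, alerts, cases):
    """Two of the page's metrics; 'alerts vs. cases' is read here as cases per alert."""
    return {
        "pct_alerts_vs_total_events": round(100 * len(alerts) / len(events), 1),
        "pct_alerts_vs_cases": round(100 * len(cases) / len(alerts), 1) if alerts else 0.0,
    }

def run(events=EVENTS):
    alerts = collect_alerts(events)
    cases = triage(alerts)
    return alerts, cases, potential_case_feed(cases), metrics(events, alerts, cases)

if __name__ == "__main__":
    for record in run()[2]:
        print(record)
```

With the constructed events, alice's failure burst (suspicious) followed by a success inside the window (bad) correlate into one potential case routed to her asset owner, while bob's isolated failure and later clean login produce only a good-behavior alert and no case. The severity scores and threshold are the knobs a team tunes against the metrics section: raising the threshold lowers the share of alerts that become cases at the cost of detection time.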
## Metrics
> [!cm-metric] Metric: [[% of Abnormal Events vs. Normal Events]]
> [!cm-metric] Metric: [[% of Alerts vs. Cases]]
> [!cm-metric] Metric: [[% of Alerts vs. Total Events]]
> [!cm-metric] Metric: [[Mean Time to Detect a Case]]
> [!cm-metric] Metric: [[% of Cases with Alert Rules]]
> [!cm-metric] Metric: [[% of Active Alert Rules]]
> [!cm-metric] Metric: [[% of Alerts above system thresholds]]
> [!cm-metric] Metric: [[% of False Positives Reduced]]
> [!cm-metric] Metric: [[% of Correlated Alerts Leading to Incident Response]]
## Inspiration & Resources
+ [MITRE ATT&CK®](https://attack.mitre.org/)
+ [xdralliance.com](https://www.xdralliance.com/)
+ [Alert Correlation (arxiv.org)](https://arxiv.org/pdf/1811.00921)
+ [tdsc04_correlation.pdf (ucsb.edu)](https://sites.cs.ucsb.edu/~chris/research/doc/tdsc04_correlation.pdf)
+ [How alert correlation helps Dev and Ops work better together (atlassian.com)](https://www.atlassian.com/blog/it-teams/alert-correlation-devops-better-together)
+ https://dl.acm.org/doi/10.1007/978-3-030-65726-0_4
+ https://www.sciencedirect.com/science/article/abs/pii/S1389128612004124
## Release Notes
+ [[WIP - Q4 2024 Release]]
[Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.