
Alert correlation

Definition

The process of grouping multiple related events or alerts into a single higher-level alert representing one attack sequence. Rules typically key on a shared attribute (source IP, user, host) within a time window and keep the constituent events attached as evidence, so the analyst sees one case but can still drill into the raw records. A correlation rule might group a failed-login burst followed by a successful login from the same IP as a single brute-force alert rather than hundreds of individual login-failure alerts.
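The brute-force rule described above, as an added example rather than code from this page or any particular SIEM: per-source-IP state, a sliding time window, a failure threshold, and one alert emitted when a success follows the burst. The log format, threshold, window and the sample lines are all constructed for illustration.

```python
"""Added example (not part of the original page): a minimal correlation rule
that collapses a burst of failed logins followed by a success from the same
source IP into one brute-force alert. Log format, thresholds and sample
lines are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events in an sshd-like format (not real logs).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:02 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:03 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:04 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:05 sshd: Failed password for alice from 203.0.113.7
2024-03-01T10:00:06 sshd: Accepted password for alice from 203.0.113.7
2024-03-01T10:00:07 sshd: Failed password for bob from 198.51.100.9
2024-03-01T10:00:09 sshd: Accepted password for bob from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    result: str  # "Failed" or "Accepted"
    user: str
    ip: str


@dataclass
class Alert:
    """One correlated alert; the raw failures stay attached as evidence."""
    ip: str
    first_seen: datetime
    last_seen: datetime
    failures: int
    users: list[str] = field(default_factory=list)
    compromised_user: str = ""
    evidence: list[Event] = field(default_factory=list)


def parse(log: str) -> list[Event]:
    """Turn matching log lines into Events; non-matching lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(
            Event(datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])
        )
    return events


def correlate(events: list[Event], threshold: int = 5,
              window: timedelta = timedelta(minutes=5)) -> list[Alert]:
    """Emit one alert per source IP when at least `threshold` failures inside
    `window` are followed by an Accepted login from that same IP."""
    recent: dict[str, list[Event]] = {}  # per-IP failures still inside the window
    alerts: list[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        bucket = recent.setdefault(ev.ip, [])
        # Expire failures older than the window relative to the current event.
        bucket[:] = [f for f in bucket if ev.ts - f.ts <= window]
        if ev.result == "Failed":
            bucket.append(ev)
        elif len(bucket) >= threshold:
            alerts.append(Alert(
                ip=ev.ip,
                first_seen=bucket[0].ts,
                last_seen=ev.ts,
                failures=len(bucket),
                users=sorted({f.user for f in bucket}),
                compromised_user=ev.user,
                evidence=list(bucket),
            ))
            bucket.clear()  # the sequence has been consumed by this alert
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_LOG)):
        print(f"brute-force: {a.ip} {a.failures} failures over "
              f"{a.users} then success as {a.compromised_user} "
              f"({a.first_seen:%H:%M:%S}-{a.last_seen:%H:%M:%S})")
```

On the sample input the 203.0.113.7 sequence yields a single alert covering five failures and the eventual success as `alice`, while the one failure from 198.51.100.9 followed by a success stays below the threshold and produces nothing. The rule as written fires only once a success follows the burst; a burst with no success is a different, lower-severity signal and would be a separate rule rather than a tweak to this one.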

Related terms

Alert fatigue
The condition in which analysts receive more alerts than they can meaningfully review, leading to delayed responses, dismissed true positives, and reduced...
EDR (Endpoint Detection and Response)
An agent-based security tool deployed on individual endpoints (workstations, servers, mobile devices) that monitors process execution, file changes, network connections, and registry...
IDS/IPS (Intrusion Detection/Prevention System)
Network or host-based systems that inspect traffic or system calls for known attack patterns. An IDS generates alerts without blocking; an IPS...
Indicator of Compromise (IoC)
An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded...
SIEM (Security Information and Event Management)
A platform that aggregates log and event data from systems, networks, and applications across an environment, correlates events against detection rules, generates...

Explained in

  • Detection Sources and Alert Pipelines
