# Correlation

Source: [From Logging to Alerting and Beyond](https://soc-expert.de/From+Logging+to+Alerting+and+Beyond)

**Correlation** refers to the process of **analyzing and linking multiple log events across different systems and sources** to identify patterns that may indicate a security incident or suspicious activity. Correlation is about **connecting the dots** between seemingly unrelated events to uncover meaningful security insights. A single log entry might not be suspicious on its own, but combined with other events it can reveal a threat. The link is always made through something the events share: a common key (source IP, username, hostname, session ID) and a time window. Consistent field names across log sources and synchronized clocks are therefore a precondition for correlation, not an afterthought.

> [!note] Why Is Correlation Important?
>
> - **Reduces noise** by surfacing individual low-value events only when they form a meaningful pattern.
> - **Detects complex attacks** that span multiple systems or timeframes.
> - **Improves incident detection** by identifying behaviors that no single system can see on its own.
> - **Supports forensic investigations** by showing how events are related.

## Types of Correlation in SIEM

| Type | Description | Example |
| --- | --- | --- |
| **Temporal Correlation** | Links events based on time proximity | 5 failed logins within 2 minutes |
| **Spatial Correlation** | Links events based on shared attributes | Same IP address used in multiple events |
| **Cross-source Correlation** | Combines logs from different systems | VPN login + file access + data exfiltration |
| **Behavioral Correlation** | Detects deviations from normal behavior | User downloads 10x more data than usual |
| **Rule-based Correlation** | Uses predefined logic or rules | If A and B happen within X minutes, trigger alert |

### Example Scenario

**Without Correlation**:

- A firewall logs a connection from an external IP.
- A server logs a failed login attempt.
- An endpoint logs a file access.
**With Correlation**:

- The SIEM links these events through a shared key (here the external source IP and the account it targets) inside a time window and identifies a potential **brute-force attack followed by lateral movement**. One failed login is not a brute-force attempt on its own; in practice the temporal rule needs a burst of failures (for example the 5-in-2-minutes threshold above), and the subsequent success and file access are what make the chain worth an alert.

## How SIEMs Use Correlation

- **Correlation Rules**: Define the logic for linking events: the shared field, the sequence, the time window, and the threshold.
- **Correlation Engines**: Continuously process incoming data to apply rules, keeping per-key state (counters, sliding windows) so that events arriving seconds or minutes apart can still be matched.
- **Alerting**: When a rule is matched, an alert is generated for investigation, ideally carrying the contributing events so the analyst can verify the chain rather than re-query for it.
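The following is an added example, not code from the original page or from soc-expert.de. It implements a minimal rule-based correlation engine in Python over a constructed set of log events and shows two of the correlation types from the table above: a temporal rule (N failed logins from one source IP inside a sliding window, escalated if a successful login follows) and a cross-source rule (VPN login, then file access, then a large outbound transfer by the same user within a window). The event format, field names, thresholds, and the sample events are all assumptions made for the example; real SIEMs normalize many vendor formats into comparable fields before rules like these can run.

```python
"""Toy rule-based correlation engine (added example; event schema is assumed).

Every event is a dict with at least: ts (epoch seconds), source (log producer),
event (normalized event name), plus the attributes a rule keys on
(src_ip, user, host, bytes). Events are assumed to carry synchronized timestamps.
"""
from collections import defaultdict, deque

# Constructed sample events, not real logs. Same src_ip ties the first block
# together; same user ties the VPN -> file -> transfer chain together.
SAMPLE_EVENTS = [
    {"ts": 0,    "source": "firewall", "event": "connection",        "src_ip": "203.0.113.5", "host": "srv1"},
    {"ts": 5,    "source": "server",   "event": "login_failed",      "src_ip": "203.0.113.5", "user": "alice", "host": "srv1"},
    {"ts": 12,   "source": "server",   "event": "login_failed",      "src_ip": "203.0.113.5", "user": "alice", "host": "srv1"},
    {"ts": 20,   "source": "server",   "event": "login_failed",      "src_ip": "203.0.113.5", "user": "alice", "host": "srv1"},
    {"ts": 31,   "source": "server",   "event": "login_failed",      "src_ip": "203.0.113.5", "user": "alice", "host": "srv1"},
    {"ts": 40,   "source": "server",   "event": "login_failed",      "src_ip": "203.0.113.5", "user": "alice", "host": "srv1"},
    {"ts": 55,   "source": "server",   "event": "login_success",     "src_ip": "203.0.113.5", "user": "alice", "host": "srv1"},
    {"ts": 100,  "source": "vpn",      "event": "vpn_login",         "src_ip": "198.51.100.7", "user": "bob"},
    {"ts": 160,  "source": "endpoint", "event": "file_access",       "user": "bob", "host": "ws-bob", "path": "/finance/q3.xlsx"},
    {"ts": 220,  "source": "proxy",    "event": "outbound_transfer", "user": "bob", "bytes": 250_000_000, "dst": "paste.example"},
    {"ts": 300,  "source": "server",   "event": "login_failed",      "src_ip": "192.0.2.9", "user": "carol", "host": "srv2"},
    {"ts": 5000, "source": "proxy",    "event": "outbound_transfer", "user": "bob", "bytes": 300_000_000, "dst": "paste.example"},
]


def detect_bruteforce(events, threshold=5, window=120):
    """Temporal rule: >= threshold failed logins from one src_ip within `window`
    seconds fires 'brute_force'; a login_success from that IP while the window
    is still hot fires 'brute_force_success' (the classic 'brute force then in')."""
    alerts = []
    failures = defaultdict(deque)  # src_ip -> timestamps of failures still inside the window
    last_fired = {}                # src_ip -> ts of last brute_force alert (throttling)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev.get("src_ip")
        if ip is None or ev["event"] not in ("login_failed", "login_success"):
            continue
        q = failures[ip]
        while q and ev["ts"] - q[0] > window:   # slide the window
            q.popleft()
        if ev["event"] == "login_failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ts"] - last_fired.get(ip, -window - 1) > window:
                last_fired[ip] = ev["ts"]
                alerts.append({"rule": "brute_force", "src_ip": ip, "ts": ev["ts"], "count": len(q)})
        elif len(q) >= threshold:              # success after a burst of failures
            alerts.append({"rule": "brute_force_success", "src_ip": ip, "user": ev.get("user"),
                           "host": ev.get("host"), "ts": ev["ts"], "failures": len(q)})
            q.clear()
    return alerts


def detect_exfil_chain(events, window=600, min_bytes=100_000_000):
    """Cross-source rule: vpn_login -> file_access -> outbound_transfer >= min_bytes,
    all by the same user and all within `window` seconds of the VPN login."""
    alerts = []
    chain = {}  # user -> partial chain state
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, kind = ev.get("user"), ev["event"]
        if user is None:
            continue
        if kind == "vpn_login":
            chain[user] = {"vpn_ts": ev["ts"]}           # (re)start the chain
        elif kind == "file_access" and user in chain and ev["ts"] - chain[user]["vpn_ts"] <= window:
            chain[user].update(file_ts=ev["ts"], path=ev.get("path"))
        elif kind == "outbound_transfer" and ev.get("bytes", 0) >= min_bytes:
            st = chain.get(user)
            if st and "file_ts" in st and ev["ts"] - st["vpn_ts"] <= window:
                alerts.append({"rule": "vpn_file_exfil", "user": user, "ts": ev["ts"],
                               "vpn_ts": st["vpn_ts"], "file_ts": st["file_ts"],
                               "path": st["path"], "bytes": ev["bytes"], "dst": ev.get("dst")})
                del chain[user]                           # chain consumed; a new VPN login is needed to re-fire
    return alerts


def correlate(events):
    """Run every rule and return the alerts in time order."""
    alerts = detect_bruteforce(events) + detect_exfil_chain(events)
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Two design points carry over to real rules. First, each rule keys its state on the field the events share (`src_ip` or `user`) and evicts state that falls outside the window, so memory stays bounded under a flood of events. Second, the alert includes the contributing timestamps and counts, so the analyst can check the chain without re-querying the raw logs. Carol's single failed login and bob's late transfer at `ts=5000` produce nothing, which is the noise reduction the note above describes.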