Attack chains and multi-event correlation

How attack-chain correlation works

A correlation engine watches a continuous stream of events from many sources (endpoints, network, identity, cloud) and looks for sequences that match known adversary patterns. The engine maintains a model of how attacks unfold over time and flags combinations of events that together describe one of those patterns, even when each individual event looks benign on its own.

Most attacks are not a single dramatic action. They are a sequence of small actions that together describe a progression: reconnaissance, then initial access, then privilege escalation, then lateral movement, then exfiltration. Multi-event correlation is the validation strategy designed to catch that shape, not just the single suspicious moment in the middle.

The dimensions of correlation

Correlation engines operate across four dimensions simultaneously. A useful chain typically involves at least two of them.

๐Ÿ• Time

Events grouped within a window. The window can be minutes for fast attacks like ransomware staging, or hours-to-days for slow-and-low intrusions. The engine maintains state across the window so events arriving late still get linked.

๐Ÿ“ Assets

Events that touch the same host, account, segment, or service. The correlation graph is built around entities the events share, so a lateral movement chain shows the host and account hops in order.

๐Ÿ› ๏ธ Technique

Events that map to the same MITRE ATT&CK technique or category. Differentiates living-off-the-land behavior from custom malware. Helps attribute a chain to a campaign.

🎯 Targeting

Events that focus on a department, a data type, or a class of user. Helps the analyst recognize when a chain is an opportunistic intrusion versus a targeted one.

Representative platforms: IBM QRadar, Exabeam Fusion, Google Chronicle, Splunk Enterprise Security, Microsoft Sentinel correlation rules.

Example: an Office macro chain reconstructed

Case study

A document, a shell, and an outbound connection

Three alerts fire on the same finance team workstation within four minutes. None of the three is decisive on its own.

The three events the correlation engine links:

08:32:14  Office process spawned a child shell
          Parent: winword.exe   Child: cmd.exe

08:32:21  Encoded PowerShell invocation
          cmd.exe spawned powershell.exe with -EncodedCommand

08:33:42  Outbound TLS to an unfamiliar destination
          Source: powershell.exe   Destination: a domain registered 6 days ago

In isolation, each event is the kind that a SOC sees regularly. Word spawns shells for legitimate add-in installs. PowerShell uses encoded commands for ordinary administrative scripts. New domain destinations appear during normal business as the organization adopts new services.

The chain is what gives them meaning. The same parent-child lineage starting from a Microsoft Office process, encoding immediately, and reaching a fresh domain within minutes maps to the classic phishing-with-macros initial-access pattern. The correlation engine recognizes the shape and produces a single alert describing the chain.

What the analyst checks next:

  • The originating document. The user's mailbox in the relevant window will identify the inbound message, the sender, the subject, and other recipients.
  • The decoded PowerShell payload. The encoded command is the next investigative artifact. Decoding it (in a safe environment) reveals the download cradle.
  • The outbound destination. WHOIS data, DNS prevalence, threat-intelligence overlap, and certificate properties for the destination domain. New domains with low prevalence are a high-confidence signal.
  • Other recipients. A phishing campaign rarely targets one user. The mail logs will identify others in the same window.

What makes the chain stronger than the parts

Each individual event in the example would be tuned out as noise at most SOCs. Office spawns shells thousands of times a day across a large environment, encoded PowerShell is sometimes used by legitimate scripts, and new domains appear all the time. The chain is stronger than the sum of the parts because the combination (Office → cmd → encoded PowerShell → new domain within minutes) almost never happens for legitimate reasons. Correlation is the strategy that surfaces these combinations without forcing the analyst to write a hand-crafted rule for every possible permutation.

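As an added illustration (not code from this page or from any of the platforms named above), here is a minimal correlator that replays constructed events mirroring the case study: it groups events by host (the asset dimension), enforces a time window (the time dimension) and binds each stage to the previous one by process lineage, so it emits one chain alert for the finance workstation while ignoring a benign Office-spawned shell on another host. The event field names, hostnames and the 30-day "new domain" threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry mirroring the case study (not real logs). FIN-WS-07
# carries the chain; HR-WS-02 is benign noise (Word spawning cmd for an add-in
# install, then ordinary mail traffic) and must not produce an alert.
EVENTS = [
    {"ts": "08:32:14", "host": "FIN-WS-07", "type": "process", "parent": "winword.exe", "child": "cmd.exe", "args": ""},
    {"ts": "08:32:21", "host": "FIN-WS-07", "type": "process", "parent": "cmd.exe", "child": "powershell.exe", "args": "-EncodedCommand <redacted>"},
    {"ts": "08:33:42", "host": "FIN-WS-07", "type": "network", "process": "powershell.exe", "dest": "new-domain.example", "domain_age_days": 6},
    {"ts": "08:40:03", "host": "HR-WS-02", "type": "process", "parent": "winword.exe", "child": "cmd.exe", "args": ""},
    {"ts": "08:41:10", "host": "HR-WS-02", "type": "network", "process": "outlook.exe", "dest": "mail.example", "domain_age_days": 4000},
]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed Office parent set

def _t(s):
    return datetime.strptime(s, "%H:%M:%S")

# Stage predicates. Each later stage is bound to the previous one by process
# lineage, so an unrelated encoded PowerShell on the same host does not count.
def _office_shell(e):
    return e["type"] == "process" and e["parent"] in OFFICE and e["child"] == "cmd.exe"
def _encoded_ps(e, parent):
    return (e["type"] == "process" and e["parent"] == parent
            and e["child"] == "powershell.exe" and "-encodedcommand" in e["args"].lower())
def _new_domain_conn(e, proc, max_age):
    return e["type"] == "network" and e["process"] == proc and e["domain_age_days"] <= max_age

def correlate(events, window=timedelta(minutes=5), new_domain_days=30):
    """Group by host (asset dimension), walk in time order (time dimension) and
    advance a three-stage machine. Emits one alert per completed chain."""
    by_host = {}
    for e in sorted(events, key=lambda e: _t(e["ts"])):
        by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if not _office_shell(start):
                continue
            deadline = _t(start["ts"]) + window  # everything in the chain must land before this
            later = [e for e in evs[i + 1:] if _t(e["ts"]) <= deadline]
            ps = next((e for e in later if _encoded_ps(e, start["child"])), None)
            if ps is None:
                continue
            after_ps = later[later.index(ps) + 1:]
            net = next((e for e in after_ps if _new_domain_conn(e, ps["child"], new_domain_days)), None)
            if net is None:
                continue
            span = (_t(net["ts"]) - _t(start["ts"])).total_seconds()
            alerts.append({"host": host, "pattern": "office->cmd->encoded-ps->new-domain",
                           "span_seconds": span, "events": [start, ps, net]})
    return alerts
```

Shrinking the window or raising the bar for "new domain" drops the alert, which is the tuning trade-off the operational-practice section below describes.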
Operational practice

  • Tune and validate correlation rules on a regular cadence. A correlation rule that worked well last quarter may fire on legitimate activity this quarter as the environment shifts.
  • Keep long-term retention and consistent normalization to support multi-step analysis. A four-hour chain requires four hours of consistently shaped data.
  • Integrate endpoint, network, and identity telemetry. Correlation lives at the seams between data sources. A chain that crosses three sources is far more informative than one within a single source.
  • Provide real-time processing capacity. Batch-only correlation misses the speed window during which response is most effective.
