ASSURED

Correlation and the timeline

The data-sources page tells you where evidence lives. This page teaches what you actually do with it: the mechanics behind sentences like “firewall logs show outbound TLS at 09:11:43, exactly correlated with the PowerShell PID.” That correlation did not happen by staring. It happened because two events shared a join key, their clocks were trustworthy enough to order them, and the analyst was testing a specific hypothesis when they ran the query.

Join keys: how two events meet

Two events from different sources correlate when they share an identifier inside a plausible time window. These are the keys, and each has a trap:

Host

Hostname, asset ID, or agent ID ties endpoint, network, and directory events together.

Trap: IP is not host identity. DHCP reassigns, VPN pools rotate, NAT aggregates. Join on IP only inside a window where you have verified the lease, or prefer the asset ID.

User

Account name or directory SID joins authentication, endpoint, email, and SaaS events.

Trap: the account is not the person. Shared accounts, service accounts, and a second account for the same human all break the assumption. Subject-phase entity work is what keeps this join honest.

Process

PID plus host plus time window joins an EDR process event to the network connections and file writes it caused.

Trap: PIDs are recycled. A PID is only unique per boot, per host, while the process lives. Prefer the EDR’s globally unique process identifier when the console exposes one.

Logon and session IDs

Windows logon IDs, IdP session IDs, and cloud session names tie every action inside one session to the authentication that started it.

Trap: sessions outlive credential changes. A reset password does not kill an already-issued session token, so “we reset the account” does not end this join.

Network tuple

Source IP:port to destination IP:port, inside a time window, joins host telemetry to firewall, proxy, and flow logs.

Trap: proxies and NAT collapse many hosts into one source IP. The proxy log, not the firewall log, holds the original client.

Artifact hash

A file hash joins sightings across every host and the sandbox report, regardless of filename.

Trap: ubiquity cuts both ways. A hash seen on 4,000 hosts is probably a legitimate binary being abused, not 4,000 infections. Prevalence is context, not a verdict.


Clock skew: order is evidence, and clocks lie

Whether the login preceded the download or followed it can decide a verdict, so the ordering itself is evidence, and it is only as good as the clocks that produced it.

01

Normalize everything to UTC first. Appliances log local time, cloud logs UTC, endpoints follow their user’s timezone. A timeline mixing conventions manufactures false sequences. Convert at the moment you copy the event out, not later.

02

Use event time, not ingest time. The SIEM’s index timestamp records when the log arrived, and forwarders batch, retry, and fall behind. Sorting by ingest time can order a Tuesday event after a Wednesday one.

03

Pick a spine clock. Choose the best-synchronized source that spans the case (usually EDR or the cloud provider) as the timeline’s backbone, and hang other sources’ events off it. Note which source provided each timestamp.

04

Treat near-ties across sources as unordered. Two events from different sources a second apart are simultaneous for reasoning purposes unless you have verified both clocks. If a conclusion depends on which came first inside the skew window, the conclusion needs different evidence.


The timeline is the artifact

Correlated evidence goes into one place: a running timeline you build as you investigate, not a cleanup task performed at the end. Memory does not preserve ordering; the artifact does.

Every entry carries the same fields:

Time (UTC)SourceEntityWhat happenedConfidence
09:02:11Email gatewaydlinDelivery of invoice-themed message with attachmentConfirmed
09:11:38EDRFIN-LT-0219powershell.exe spawned with encoded commandConfirmed
09:11:43FirewallFIN-LT-0219Outbound TLS to newly registered domain, joined on host + time to the PowerShell PIDCorroborated
09:12 to 09:23(none)FIN-LT-0219No proxy telemetry for this host: logging gap, not verified quietGap

Three habits make the artifact trustworthy. Label confidence on every row using the same scale the transition page demands at handoff: confirmed by the source, corroborated across sources, single-source, or inferred. Record gaps as rows: “no telemetry between X and Y” is a finding, and hiding it makes the narrative look more complete than the evidence is. And never let a row smuggle in a conclusion; “attacker exfiltrated data” is a hypothesis, “7.2 GB outbound to unknown host over 40 minutes” is an event.


Pivot discipline: the hypothesis ledger

A pivot is a query run to test a hypothesis. That definition is the discipline: if you cannot name the hypothesis your current query tests, you are browsing, not investigating.

The working tool is a hypothesis ledger kept next to the timeline. Each hypothesis gets a line: what you think happened, the evidence for it, the evidence against it, and its status.

HypothesisForAgainstStatus
Macro in the attachment launched the PowerShell stagewinword.exe parent; decode matches cradleSupported
Attacker moved laterally to a second hostNo new logons from host; no SMB/WMI to peers in windowRefuted
Cloud finance session was attacker-drivenTiming proximity to C2No token-theft evidence yetOpen
Cheapest, most specific query first. The narrow EDR lookup that can kill a hypothesis in one result runs before the broad SIEM sweep. Expensive queries are for windows that cheap queries have already narrowed.
Negative results get recorded. “Queried DNS logs for the domain across the fleet, zero other hosts” moves a hypothesis to refuted and defends the close later. An unrecorded negative result is work that evaporates.
Refuted stays in the ledger. The hypothesis you killed is part of the deliverable, the same doctrine that makes a false-positive close a finding rather than a shrug. The Risk phase needs to see what was ruled out, not just what survived.
New leads become hypotheses, not detours. Something interesting but unrelated to any open hypothesis gets one ledger line and no queries yet. It is triaged like everything else, not chased because it sparkled.

When to stop

The intro names rabbit-holes as a defining junior failure, and Uncover is where they happen. Stopping is a rule-driven decision, not a feeling:

🧱 The Scope boundary holds

The entity, time, and infrastructure lines drawn in the Scope phase are the outer wall. Evidence pointing past them is grounds for a documented scope expansion decision, not silent drift into new territory.

📉 Marginal return

When consecutive pivots stop producing rows for the timeline or movement in the ledger, that thread is dry. Two empty pivots on the same hypothesis is a defensible place to draw the line and move on.

⚖️ Verdict stability

When new evidence no longer changes any hypothesis status, Uncover has done its job. More queries buy confidence theater, not confidence. Write the narrative and hand off to Risk.

🚨 An escalation trigger fires

Hitting an escalation criterion ends Uncover immediately, mid-thread if necessary. Confirmed active compromise belongs to incident response; continuing to dig solo delays the people who own containment.

The rabbit-hole test

At any moment you should be able to answer one question: which open hypothesis does the query on my screen test? A clear answer means you are investigating. No answer means you are exploring, and exploring during triage is time taken from the queue. Log the curiosity as a hunt idea and return to the ledger.

See it run

The Uncover worked example is this page in motion: joins on host, PID, and session across EDR, firewall, DNS, and identity sources; negative results recorded; and a false-positive scenario closed with the same rigor as the true positive.

Key Takeaway

Correlation is joining events on real keys within honest clocks; the Timeline A chronological record of events, actions, or decisions related to a security incident or event. is the running, confidence-labeled artifact that holds it; the hypothesis ledger keeps every pivot pointed at a question; and the stopping rules end the phase on evidence rather than exhaustion. This is the verb the rest of the chapter’s nouns exist to serve.

Next up

Threat intelligence

Indicator matching, attribution, TTP-driven hunting, validation. How to use intel as a hypothesis source, not a verdict.

Read threat intelligence