Attack Correlation
The attack correlation engine detects and visualizes cross-endpoint attack patterns. When an attack spreads laterally across multiple hosts, the correlation engine identifies the pattern and presents it as a connected graph.
How It Works
- Event Ingestion: EDR telemetry from all endpoints flows into the SIEM event store
- Pattern Detection: The correlation engine applies rules to detect cross-endpoint patterns
- Graph Construction: Matching events are linked into an attack graph
- Visualization: The graph is rendered in the operator console
Correlation Rules
Built-in Rules
| Rule | Description | MITRE |
|---|---|---|
| Lateral Movement | Same credentials used on multiple hosts within 10 minutes | T1021 |
| C2 Beaconing | Periodic outbound connections to the same external IP | T1071 |
| Data Staging | Large file transfers between internal hosts | T1074 |
| Privilege Escalation | Admin credentials used from a non-admin workstation | T1078 |
| Pass-the-Hash | NTLM authentication from an unexpected source host | T1550 |
Custom Rules
Define custom correlation rules in YAML:
```yaml
# infra/detections/correlation/custom-rule.yaml
name: "Suspicious Internal Scanning"
description: "Multiple connection attempts from single host to many internal IPs"
technique: "T1046"
window: 300 # seconds
conditions:
  - source: "network_connections"
    filter: "state = 'SYN_SENT'"
    threshold: 50
    group_by: "source_ip"
```
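The pipeline in "How It Works" and the YAML rule above are easiest to understand by running one. The following is an added example, not the correlation engine's own code: it evaluates a threshold-within-window rule shaped like the custom rule against constructed SIEM events. The event field names (`ts`, `source`, `state`, `source_ip`, `dest_ip`), the in-memory rule layout and the `Alert` shape are assumptions made for the example.

```python
# Added example, not the product's code. Event field names, the rule dict
# layout and the Alert dataclass are assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass

# Mirrors the YAML above (assumed in-memory shape).
SCANNING_RULE = {
    "name": "Suspicious Internal Scanning",
    "technique": "T1046",
    "window": 300,  # seconds
    "conditions": [
        {
            "source": "network_connections",
            "filter": "state = 'SYN_SENT'",
            "threshold": 50,
            "group_by": "source_ip",
        }
    ],
}


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str
    group_key: str      # value of the group_by field, here the scanning host
    count: int          # matching events inside the window when it fired
    window_start: int
    window_end: int


def parse_filter(expr):
    """Parse the one filter form the YAML uses: field = 'value'."""
    field, sep, value = expr.partition("=")
    if not sep:
        raise ValueError(f"unsupported filter: {expr!r}")
    return field.strip(), value.strip().strip("'\"")


def evaluate(rule, events):
    """Return one Alert per group whose matching events reach the threshold
    inside any sliding window of rule['window'] seconds."""
    alerts = []
    window = rule["window"]
    for cond in rule["conditions"]:
        field, value = parse_filter(cond["filter"])
        groups = defaultdict(list)
        for ev in events:
            if ev["source"] == cond["source"] and ev.get(field) == value:
                groups[ev[cond["group_by"]]].append(ev["ts"])
        for key, stamps in groups.items():
            stamps.sort()
            lo = 0
            for hi, t in enumerate(stamps):
                # Drop timestamps that fell out of the trailing window.
                while t - stamps[lo] > window:
                    lo += 1
                if hi - lo + 1 >= cond["threshold"]:
                    alerts.append(Alert(rule["name"], rule["technique"], key,
                                        hi - lo + 1, stamps[lo], t))
                    break  # one alert per group per evaluation
    return alerts


def sample_events():
    """Constructed telemetry: one scanner, one slow-but-chatty host, and
    established sessions that the state filter must ignore."""
    events = []
    # 10.0.0.5 sends 60 SYNs to 60 internal hosts inside two minutes: scanning.
    for i in range(60):
        events.append({"source": "network_connections", "ts": 1000 + 2 * i,
                       "source_ip": "10.0.0.5", "dest_ip": f"10.0.1.{i + 1}",
                       "state": "SYN_SENT"})
    # 10.0.0.9 also sends 60 SYNs but spread over ten minutes: never 50 in
    # any 300 s window, so it must not fire.
    for i in range(60):
        events.append({"source": "network_connections", "ts": 2000 + 10 * i,
                       "source_ip": "10.0.0.9", "dest_ip": f"10.0.1.{i + 1}",
                       "state": "SYN_SENT"})
    # 10.0.0.20 has 80 established sessions: excluded by the state filter.
    for i in range(80):
        events.append({"source": "network_connections", "ts": 1000 + i,
                       "source_ip": "10.0.0.20", "dest_ip": "10.0.2.1",
                       "state": "ESTABLISHED"})
    return events


def run_scan_sample():
    return evaluate(SCANNING_RULE, sample_events())


if __name__ == "__main__":
    for alert in run_scan_sample():
        print(alert)
```

Two design points worth noting. The window is a sliding one over sorted timestamps rather than fixed 300-second buckets, so a scan that straddles a bucket boundary cannot split its count across two buckets and stay under the threshold. And the rule as written counts connection attempts per source; counting distinct `dest_ip` values instead would match the rule description ("many internal IPs") more tightly and not fire on a host retrying a single unreachable peer.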
Visualization
The attack graph shows:
- Nodes: Endpoints involved in the attack
- Edges: Lateral movement paths with technique labels
- Colors: Risk level of each endpoint
- Timeline: Chronological progression of the attack
API
```http
GET /api/v1/edr/investigation/attack-graph?case_id=<case_id>
```
Returns a list of `AttackCorrelation` objects, each with `source`, `target`, `technique`, and `confidence` fields.
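To show how the built-in Lateral Movement rule produces the objects this endpoint returns and how they become the nodes, edges, colours and timeline of the attack graph, here is an added example that is not part of the product's code. It correlates constructed authentication telemetry (same credentials on different hosts within 10 minutes). The `source`, `target`, `technique` and `confidence` fields follow the API description; the extra `ts` field, the confidence formula, the risk colour palette and the event schema (`ts`, `user`, `host`) are assumptions made for the example.

```python
# Added example, not the product's code. The ts field, confidence formula,
# colour palette and authentication event schema are assumptions.
from collections import defaultdict
from dataclasses import dataclass, asdict

LATERAL_WINDOW = 600  # 10 minutes, per the built-in rule


@dataclass(frozen=True)
class AttackCorrelation:
    source: str
    target: str
    technique: str
    confidence: float
    ts: int  # assumed: time of the logon on the target host


def correlate_lateral_movement(auth_events):
    """Emit an edge each time a credential that logged on to host A is next
    used on a different host B within LATERAL_WINDOW seconds."""
    by_user = defaultdict(list)
    for ev in auth_events:
        by_user[ev["user"]].append((ev["ts"], ev["host"]))
    edges = []
    for logons in by_user.values():
        logons.sort()
        for (t_prev, h_prev), (t_cur, h_cur) in zip(logons, logons[1:]):
            dt = t_cur - t_prev
            if h_prev != h_cur and dt <= LATERAL_WINDOW:
                # Assumed scoring: faster hops score higher.
                confidence = round(1.0 - dt / LATERAL_WINDOW, 2)
                edges.append(AttackCorrelation(h_prev, h_cur, "T1021",
                                               confidence, t_cur))
    return sorted(edges, key=lambda e: e.ts)


def risk_colour(degree):
    """Assumed palette: hosts touched by more edges are riskier."""
    if degree >= 2:
        return "red"
    if degree == 1:
        return "orange"
    return "green"


def build_attack_graph(edges):
    """Nodes are the endpoints involved, edges carry technique labels,
    colours follow node degree, and the timeline is chronological."""
    degree = defaultdict(int)
    for e in edges:
        degree[e.source] += 1
        degree[e.target] += 1
    nodes = {host: {"risk": risk_colour(d)} for host, d in degree.items()}
    timeline = [f"{e.ts}: {e.source} -> {e.target} ({e.technique})"
                for e in edges]
    return {"nodes": nodes,
            "edges": [asdict(e) for e in edges],
            "timeline": timeline}


# Constructed authentication telemetry.
SAMPLE_AUTH = [
    {"ts": 0, "user": "svc_backup", "host": "WS01"},
    {"ts": 50, "user": "alice", "host": "WS02"},
    {"ts": 120, "user": "svc_backup", "host": "FS01"},
    {"ts": 200, "user": "alice", "host": "WS02"},          # same host: no edge
    {"ts": 400, "user": "svc_backup", "host": "DC01"},
    {"ts": 100000, "user": "svc_backup", "host": "WS01"},  # far outside window
]


def run_lateral_sample():
    return build_attack_graph(correlate_lateral_movement(SAMPLE_AUTH))


if __name__ == "__main__":
    for line in run_lateral_sample()["timeline"]:
        print(line)
```

Only consecutive logons of the same credential are linked, so a credential reused on a third host is drawn as a chain (WS01 to FS01 to DC01) rather than a star from the first host; that is what makes the path, and hence the likely point of initial compromise, readable in the console. A credential-only rule will also fire on service accounts that legitimately run jobs on many hosts, so a production rule should exclude known automation accounts or weight by logon type before the confidence score is trusted.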