Threat Correlation & Attack Chains

Cross-module correlation · Timeline · Incidents

Overview

Individual alerts are useful, but correlation is what turns alerts into incidents. The 1SEC correlator links signals across modules into a single attack narrative.

Authoritative details live in Docs.

Signals

  • Shared source IP across multiple categories
  • Temporal proximity windows
  • Known sequences (auth → network → runtime)

Attack Chains

Chains model common multi-step intrusions (initial access, persistence, lateral movement, exfiltration). Correlated outputs include contributing alert IDs and summarized recommendations.
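A minimal correlator that puts the signals above into code (an added example, not 1SEC's implementation): it groups alerts by shared source IP, clusters them inside a temporal proximity window, emits an incident only when more than one category is involved, and escalates severity when the known auth → network → runtime sequence is present. The Alert fields, the 600-second window, the severity labels and the sample alerts are all assumptions.

```python
from collections import namedtuple

Alert = namedtuple("Alert", "id ts category src_ip severity")  # ts: epoch seconds
KNOWN_SEQUENCE = ("auth", "network", "runtime")
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def follows_sequence(categories, sequence=KNOWN_SEQUENCE):
    """True if `sequence` occurs in order (gaps allowed) within `categories`."""
    i = 0
    for c in categories:
        if i < len(sequence) and c == sequence[i]:
            i += 1
    return i == len(sequence)

def build_incident(src_ip, cluster):
    """One incident per time cluster, or None if only one category is present."""
    categories = [a.category for a in cluster]
    if len(set(categories)) < 2:      # single-module noise, no cross-module signal
        return None
    chain = follows_sequence(categories)
    severity = max((a.severity for a in cluster), key=SEVERITY_RANK.__getitem__)
    if chain:                         # a known sequence escalates the incident
        severity = "critical"
    return {"src_ip": src_ip, "alert_ids": [a.id for a in cluster],
            "chain": chain, "severity": severity}

def correlate(alerts, window=600):
    """Cluster each source IP's alerts within `window` seconds; one incident per cluster."""
    by_ip = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_ip.setdefault(a.src_ip, []).append(a)
    incidents = []
    for src_ip, group in by_ip.items():
        cluster = []
        for a in group:
            if cluster and a.ts - cluster[0].ts > window:   # window expired: flush
                incidents.append(build_incident(src_ip, cluster))
                cluster = []
            cluster.append(a)
        incidents.append(build_incident(src_ip, cluster))
    return [i for i in incidents if i is not None]

# Constructed sample alerts (ids, IPs and timestamps are made up for this example)
SAMPLE = [
    Alert("a1", 1000, "auth", "10.0.0.5", "low"),
    Alert("a2", 1120, "network", "10.0.0.5", "medium"),
    Alert("a3", 1300, "runtime", "10.0.0.5", "high"),
    Alert("a4", 5000, "auth", "10.0.0.9", "low"),
    Alert("a5", 5010, "network", "10.0.0.9", "medium"),
    Alert("a6", 9000, "network", "10.0.0.5", "medium"),  # too late to join a1-a3
]
```

Running `correlate(SAMPLE)` yields one critical chained incident for 10.0.0.5 (a1, a2, a3) and one non-chained medium incident for 10.0.0.9; a6 falls outside the window and, being a single category, is suppressed.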

Outputs

Correlation emits enriched threats and can trigger higher-severity escalation paths.

Operations

API

  • GET /api/v1/correlator
  • GET /api/v1/threats