SIEM Correlation and Alert Triage
Key Takeaways
- A SIEM collects and correlates events from many sources to support detection, investigation, and reporting.
- Correlation rules combine multiple signals, such as suspicious login plus privileged group change.
- Alert triage determines severity, scope, confidence, and next action.
- Enrichment adds context such as asset criticality, identity role, threat intelligence, and geolocation.
- Triage should separate true positives, false positives, benign positives, and events needing more evidence.
A security information and event management system, or SIEM, collects logs from multiple sources, normalizes fields, correlates events, and generates alerts or dashboards. A SIEM does not make the environment secure by itself. Its value depends on useful data, well-designed detections, and disciplined triage.
Correlation Example
A single failed login may not matter. A failed login pattern, followed by a success, followed by a privileged change, is different.
```
2026-04-29T03:14:02Z idp user=tcole result=fail source_ip=203.0.113.80 reason=bad_password
2026-04-29T03:14:07Z idp user=tcole result=fail source_ip=203.0.113.80 reason=bad_password
2026-04-29T03:15:18Z idp user=tcole result=success source_ip=203.0.113.80 mfa=success device=new
2026-04-29T03:17:44Z directory actor=tcole action=add_member target_group=Cloud-Admins target_user=tcole result=success
2026-04-29T03:20:10Z cloud actor=tcole action=CreateAccessKey target=tcole result=success
```
Possible SIEM rule:
```
IF user has repeated failed logins from one source
AND the same user has a successful login from a new device
AND the same user is added to a privileged group within 15 minutes
THEN create high-severity identity compromise alert
```
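The rule above, run over the page's sample events, as an added example (not code from the original page). It assumes a key=value log format, a privileged-group list of `Cloud-Admins`, and at least two failures counted within the same 15-minute window; all three are tuning choices, not rule requirements.

```python
"""Correlation rule from the page, applied to the sample identity events."""
from datetime import datetime, timedelta

# Constructed copy of the page's five sample events (same values as above).
SAMPLE_EVENTS = """\
2026-04-29T03:14:02Z idp user=tcole result=fail source_ip=203.0.113.80 reason=bad_password
2026-04-29T03:14:07Z idp user=tcole result=fail source_ip=203.0.113.80 reason=bad_password
2026-04-29T03:15:18Z idp user=tcole result=success source_ip=203.0.113.80 mfa=success device=new
2026-04-29T03:17:44Z directory actor=tcole action=add_member target_group=Cloud-Admins target_user=tcole result=success
2026-04-29T03:20:10Z cloud actor=tcole action=CreateAccessKey target=tcole result=success
"""

PRIVILEGED_GROUPS = {"Cloud-Admins"}  # assumption: maintained per environment
WINDOW = timedelta(minutes=15)        # from the rule text
MIN_FAILURES = 2                      # assumption: what "repeated" means here

def parse(line):
    """Split '<ts> <source> k=v k=v ...' into a dict with a datetime timestamp."""
    ts, source, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    event.update(pair.split("=", 1) for pair in pairs)
    return event

def correlate(text):
    """Return one alert per user matching: repeated fails -> new-device success -> privileged add."""
    events = sorted((parse(l) for l in text.splitlines() if l.strip()), key=lambda e: e["ts"])
    alerts = []
    for i, login in enumerate(events):
        if not (login["source"] == "idp" and login.get("result") == "success"
                and login.get("device") == "new"):
            continue
        user, ip = login["user"], login["source_ip"]
        # Failed logins for the same user from the same source shortly before the success.
        failures = [e for e in events[:i] if e["source"] == "idp" and e.get("user") == user
                    and e.get("result") == "fail" and e.get("source_ip") == ip
                    and login["ts"] - e["ts"] <= WINDOW]
        if len(failures) < MIN_FAILURES:
            continue
        # Privileged group membership change for that user within the window after login.
        for e in events[i + 1:]:
            if (e.get("action") == "add_member" and e.get("target_user") == user
                    and e.get("target_group") in PRIVILEGED_GROUPS
                    and e["ts"] - login["ts"] <= WINDOW):
                alerts.append({"name": "identity compromise", "severity": "high", "user": user,
                               "source_ip": ip, "failures": len(failures),
                               "group": e["target_group"],
                               "seconds_to_escalation": int((e["ts"] - login["ts"]).total_seconds())})
                break
    return alerts
```

Changing the group name to one outside `PRIVILEGED_GROUPS` makes the rule stay silent, which is the tuning knob that keeps routine group changes out of this alert.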
Triage Questions
| Question | Why it matters |
|---|---|
| What triggered the alert? | Prevents blind escalation |
| Which user, host, or application is involved? | Defines scope |
| Is the asset critical? | Changes priority |
| Is the behavior expected for this user? | Helps identify false positives |
| What happened before and after? | Reveals attack chain |
| Is there containment needed now? | Drives response urgency |
Enrichment
Enrichment adds context to raw events. For example, a source IP can be enriched with geolocation, reputation, ASN, or VPN status. A hostname can be enriched with owner, business function, criticality, and exposure. A username can be enriched with department, privileged role, and recent HR status.
Raw event:
```
user=tcole action=CreateAccessKey result=success
```
Enriched event:
```
user=tcole department=Marketing privileged=false action=CreateAccessKey result=success account_age=4y asset_context=cloud_identity severity=high reason="nontechnical user created cloud access key after risky login"
```
The enriched event is easier to triage because it explains why the behavior is unusual.
Triage Outcomes
| Outcome | Meaning | Example |
|---|---|---|
| True positive | Malicious or policy-violating activity occurred | Compromised account created access key |
| False positive | Detection fired but condition was not actually suspicious | Geolocation database mislabeled corporate VPN |
| Benign positive | Detection was accurate but expected | Scheduled scanner triggered port-scan rule |
| Needs investigation | Evidence is incomplete | Suspicious login with no endpoint data yet |
Common Traps
- Escalating only because severity is high without reading the events.
- Closing an alert as false positive without documenting why.
- Ignoring what happened after the triggering event.
- Treating threat intelligence matches as proof without local context.
- Building rules that alert on noisy normal behavior without tuning.
- Which SIEM correlation is most concerning?
- What does enrichment add to SIEM events?
- A vulnerability scanner triggers a port-scan alert during its approved maintenance window. What is the best triage outcome?