Correlation Rules

Correlation rules are one of the most powerful features of a SIEM. They allow the SOC to detect multi-stage attacks by linking multiple events from different sources into one meaningful security alert. Instead of treating every log independently, correlation rules look at relationships, patterns, timelines, and sequences across the entire environment.

Attackers rarely use a single action to compromise a system. They perform a chain of activities: reconnaissance, brute force, execution, persistence, lateral movement, and exfiltration. Correlation rules identify these chains.

This chapter explains correlation rules in depth, with real-world log examples, multi-source correlations, rule logic, detection strategies, and attack flows as seen in enterprise SOCs.


What Correlation Rules Do

Correlation rules combine multiple logs into a single alert.
They answer questions like:

  • Did this login failure come from an IP that previously scanned the network?

  • Did a suspicious process run shortly after a risky authentication?

  • Did outbound traffic occur after PowerShell execution?

  • Did multiple unrelated systems show similar behavior in a short window?

Correlation rules connect events that appear harmless alone but dangerous when combined.


Why Correlation Is Critical

Single events often look normal:

  • One failed login

  • One PowerShell process

  • One denied firewall packet

  • One successful admin login

But correlation exposes the hidden attack:

  • 20 failed logins + 1 success = brute force

  • PowerShell after Word execution = macro malware

  • Outbound traffic after suspicious process = C2 beacon

  • New admin account + policy modification = privilege abuse

Correlation lets SIEM detect attacks that would otherwise go unnoticed.


Types of Correlation Rules

A mature SIEM uses several correlation strategies.

1. Many Events → One Alert

Multiple events from one source match a threshold.

Example:

  • 15 failed logins from the same IP in 2 minutes

Creates:

ALERT: Possible brute force attack

2. Event Sequence Correlation

Events must occur in a specific order.

Example:

  • Login success

  • Privilege escalation

  • LSASS access

Indicates:

Credential dumping attempt

3. Cross-Device Correlation

Events from different devices correlate.

Example:

  • Windows log: user authenticated

  • Firewall log: same IP hits an internal server

  • EDR: suspicious execution

Together these correlate into a lateral movement detection.

4. Multi-Platform Correlation

Correlates Windows + Linux + Cloud + Firewall logs.

5. Behavioral Correlation

Compares events to baseline behavior.

Example:

  • User never logs in from outside India

  • Suddenly logs in from Russia

Creates:

Impossible travel anomaly
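The behavioral type above is the one that cannot be written as a fixed threshold, because the "normal" value is learned per user. The following Python is an added example (it is not code from this chapter or from any SIEM product) showing both halves of that logic: a per-user baseline of countries built from constructed login history, and an impossible-travel check that turns two logins from different countries into an implied travel speed. The country coordinates, the 900 km/h cut-off, the event field names and all sample logins are assumptions made for the example; a real deployment would take latitude/longitude from a GeoIP lookup on the source IP.

```python
import math
from datetime import datetime

# Constructed approximate coordinates per country code (assumption: a real SIEM would
# resolve each source IP to city-level latitude/longitude with a GeoIP database).
GEO = {"IN": (19.08, 72.88), "RU": (55.76, 37.62), "US": (40.71, -74.01)}

# Constructed login history used to learn each user's normal countries (not real data).
HISTORY = [
    {"ts": "2024-04-01T09:00:00", "user": "ravi", "country": "IN", "src_ip": "203.0.113.10"},
    {"ts": "2024-04-15T08:30:00", "user": "ravi", "country": "IN", "src_ip": "203.0.113.11"},
    {"ts": "2024-04-28T09:10:00", "user": "ravi", "country": "IN", "src_ip": "203.0.113.10"},
    {"ts": "2024-04-02T14:00:00", "user": "alice", "country": "US", "src_ip": "198.51.100.5"},
    {"ts": "2024-04-20T07:45:00", "user": "alice", "country": "IN", "src_ip": "203.0.113.12"},
]

# Constructed new logins to evaluate against the baseline.
LOGINS = [
    {"ts": "2024-05-01T09:00:00", "user": "ravi", "country": "IN", "src_ip": "203.0.113.10"},
    {"ts": "2024-05-01T09:40:00", "user": "ravi", "country": "RU", "src_ip": "192.0.2.77"},
    {"ts": "2024-05-01T10:00:00", "user": "alice", "country": "US", "src_ip": "198.51.100.5"},
    {"ts": "2024-05-02T10:00:00", "user": "alice", "country": "IN", "src_ip": "203.0.113.12"},
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def build_baseline(history):
    """Learn the baseline: user -> set of countries that user has logged in from before."""
    baseline = {}
    for e in history:
        baseline.setdefault(e["user"], set()).add(e["country"])
    return baseline


def detect_login_anomalies(baseline, logins, max_speed_kmh=900.0):
    """Flag logins from a country outside the user's baseline, and consecutive
    logins whose implied travel speed exceeds max_speed_kmh (impossible travel)."""
    alerts = []
    last = {}  # user -> previous login seen in this batch
    for e in sorted(logins, key=lambda x: x["ts"]):
        user, country = e["user"], e["country"]
        ts = datetime.fromisoformat(e["ts"])
        if country not in baseline.get(user, set()):
            alerts.append({"type": "new_country", "severity": "Medium", "user": user,
                           "country": country, "src_ip": e["src_ip"], "ts": e["ts"]})
        prev = last.get(user)
        if prev and prev["country"] != country:
            hours = (ts - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(GEO[prev["country"]], GEO[country])
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({"type": "impossible_travel", "severity": "High", "user": user,
                               "from": prev["country"], "to": country,
                               "distance_km": round(km), "hours": round(hours, 2)})
        last[user] = e
    return alerts


if __name__ == "__main__":
    for alert in detect_login_anomalies(build_baseline(HISTORY), LOGINS):
        print(alert)
```

Note that alice's India login raises nothing even though it is a different country: India is already in her baseline, and a day between the two logins keeps the implied speed well under the cut-off. Ravi's Russia login raises both alerts, since Russia is outside his baseline and forty minutes is far too short for the distance.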

Real Correlation Rule Examples (Practical)

Example 1: Brute Force → Successful Login

Raw logs

Windows:

4625 - Failed Logon (10 times)
4624 - Successful Logon

SIEM correlation logic:

If failed_logon > 5 AND followed by logon_success from same IP within 10 min
→ Alert: Possible Account Compromise
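The following Python is an added example (not code from this chapter or from any SIEM) that implements the rule logic above over a constructed batch of Windows 4625/4624 events. The event field names (ts, event_id, src_ip, user), the sample IP addresses and the timestamps are assumptions made for the example. It also shows the two conditions that must both be false for the rule to stay quiet: a failure run that never reaches the threshold, and a run whose success arrives outside the time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log sample (not real telemetry).
# Event 4625 = failed logon, 4624 = successful logon. Timestamps are ISO 8601.
EVENTS = (
    # 10 failures from 203.0.113.7 inside ten seconds, then a success two minutes later
    [{"ts": f"2024-05-01T10:32:{s:02d}", "event_id": 4625,
      "src_ip": "203.0.113.7", "user": "admin"} for s in range(10)]
    + [{"ts": "2024-05-01T10:34:00", "event_id": 4624,
        "src_ip": "203.0.113.7", "user": "admin"}]
    # 2 failures then a success: a mistyped password, below the threshold
    + [{"ts": "2024-05-01T10:40:00", "event_id": 4625, "src_ip": "10.0.0.50", "user": "jdoe"},
       {"ts": "2024-05-01T10:40:05", "event_id": 4625, "src_ip": "10.0.0.50", "user": "jdoe"},
       {"ts": "2024-05-01T10:41:00", "event_id": 4624, "src_ip": "10.0.0.50", "user": "jdoe"}]
    # 8 failures, but the success arrives 30 minutes later, outside the 10 minute window
    + [{"ts": f"2024-05-01T09:00:{s:02d}", "event_id": 4625,
        "src_ip": "198.51.100.9", "user": "svc_backup"} for s in range(8)]
    + [{"ts": "2024-05-01T09:30:00", "event_id": 4624,
        "src_ip": "198.51.100.9", "user": "svc_backup"}]
)


def correlate_bruteforce_success(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when a 4624 from an IP is preceded by more than `threshold` 4625 events
    from the same IP inside `window`. Events are processed in time order, so the
    rule works the same way over a stream as over a batch."""
    failures = defaultdict(list)  # src_ip -> timestamps of 4625s not yet closed by a success
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        ip = e["src_ip"]
        if e["event_id"] == 4625:
            failures[ip].append(ts)
        elif e["event_id"] == 4624:
            # Relationship = same source IP; time window = failures within `window` of the success
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) > threshold:
                alerts.append({
                    "rule": "Brute force followed by successful logon",
                    "severity": "High",
                    "src_ip": ip,
                    "user": e["user"],
                    "failed_count": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "success_at": ts.isoformat(),
                    "summary": f"{len(recent)} failed logons from {ip} "
                               f"followed by a successful logon as {e['user']}",
                })
            # A success closes the failure run so one burst does not alert twice.
            failures[ip] = []
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce_success(EVENTS):
        print(alert["severity"], alert["summary"])
```

The threshold and window are parameters rather than constants so that the same function can be tuned per environment; raising the threshold above the number of failures in the sample silences the alert, which is the quickest way to check that a tuning change does what you expect.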

Example 2: Macro → PowerShell → Outbound Traffic

Word macro executed → PowerShell command → Network connection.

Logs:

Sysmon ID 1: WINWORD.EXE → powershell.exe
PowerShell encoded command found
Firewall: outbound connection to 185.22.10.2

Correlation rule:

If parent_process = winword.exe
AND process = powershell.exe
AND network_connection to external IP
→ Alert: Possible Malware Execution via Macro
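The rule above links a process-creation record to a network-connection record, and the thing that makes that link reliable is a shared process identity rather than a shared timestamp. The following Python is an added example (not code from this chapter or from Sysmon) that performs the correlation over constructed Sysmon Event ID 1 and Event ID 3 records joined on host and ProcessGuid, checks the destination with Python's ipaddress module, and flags the encoded-command switch. The field names, hosts, GUIDs, the benign control cases and the destination 1.1.1.1 used as a public address are assumptions; the encoded payload in the sample decodes to the harmless "Start-Sleep 1".

```python
import ipaddress
from datetime import datetime, timedelta

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed Sysmon sample (not real telemetry). Event 1 = process creation,
# Event 3 = network connection; both carry the ProcessGuid that ties them together.
EVENTS = [
    # WS-101: Word spawns PowerShell with an encoded command, which then reaches 185.22.10.2
    {"ts": "2024-05-01T10:35:10", "host": "WS-101", "event_id": 1, "process_guid": "{guid-a1}",
     "user": "CORP\\jdoe", "image": PS, "parent_image": WORD,
     "command_line": "powershell.exe -nop -w hidden -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA="},
    {"ts": "2024-05-01T10:36:02", "host": "WS-101", "event_id": 3, "process_guid": "{guid-a1}",
     "dest_ip": "185.22.10.2", "dest_port": 443},
    # WS-102: an admin runs a script from Explorer and reaches a public address: wrong parent, no alert
    {"ts": "2024-05-01T10:50:00", "host": "WS-102", "event_id": 1, "process_guid": "{guid-b2}",
     "user": "CORP\\admin", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"ts": "2024-05-01T10:50:30", "host": "WS-102", "event_id": 3, "process_guid": "{guid-b2}",
     "dest_ip": "1.1.1.1", "dest_port": 443},
    # WS-103: Word spawns PowerShell via an add-in but only talks to an internal server: no alert
    {"ts": "2024-05-01T11:05:00", "host": "WS-103", "event_id": 1, "process_guid": "{guid-c3}",
     "user": "CORP\\asmith", "image": PS, "parent_image": WORD,
     "command_line": r"powershell.exe -File \\fs01\addins\sync.ps1"},
    {"ts": "2024-05-01T11:05:04", "host": "WS-103", "event_id": 3, "process_guid": "{guid-c3}",
     "dest_ip": "10.0.0.25", "dest_port": 445},
]


def has_encoded_flag(command_line):
    """True if any switch is a prefix of -EncodedCommand. PowerShell accepts any
    unambiguous prefix (-enc, -ec, ...); this approximation also accepts a bare -e."""
    for tok in command_line.lower().split():
        if tok.startswith("-e") and "-encodedcommand".startswith(tok):
            return True
    return False


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate_macro_chain(events, window=timedelta(minutes=5)):
    """Alert when Word-spawned PowerShell (Sysmon 1) makes a connection to a public
    address (Sysmon 3) from the same process within `window` of its creation."""
    # Step 1: index Office-spawned PowerShell by (host, ProcessGuid).
    suspicious = {}
    for e in events:
        if e["event_id"] == 1 and _basename(e["parent_image"]) == "winword.exe" \
                and _basename(e["image"]) == "powershell.exe":
            suspicious[(e["host"], e["process_guid"])] = e
    # Step 2: tie network connections back to those processes.
    alerts = []
    for e in events:
        if e["event_id"] != 3:
            continue
        proc = suspicious.get((e["host"], e["process_guid"]))
        if proc is None or not ipaddress.ip_address(e["dest_ip"]).is_global:
            continue
        delta = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(proc["ts"])
        if not (timedelta(0) <= delta <= window):
            continue
        alerts.append({
            "rule": "Possible Malware Execution via Macro",
            "severity": "High",
            "host": e["host"],
            "user": proc["user"],
            "dest_ip": e["dest_ip"],
            "dest_port": e["dest_port"],
            "encoded_command": has_encoded_flag(proc["command_line"]),
            "process_guid": e["process_guid"],
            "seconds_after_spawn": int(delta.total_seconds()),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate_macro_chain(EVENTS):
        print(alert)
```

Joining on ProcessGuid rather than on process name is what keeps the two benign hosts out of the alert: WS-102 has the outbound connection but the wrong parent, and WS-103 has the right parent but only an internal destination.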

Example 3: Privilege Escalation Chain

Logs:

4624 - Logon Success
4672 - Special Privileges Assigned
Sysmon 10 - LSASS access

Rule:

logon_success + privilege_assigned + LSASS access → credential theft

Creates alert:

High Severity: Potential Mimikatz Activity

Example 4: Lateral Movement Detection

Logs:

4624 Logon Type 3 (network)
Sysmon 3 outbound connection to SMB port
Firewall log internal connection allowed
New connection to server that user never accessed before

Rule:

Network logon + SMB traffic + new host accessed → lateral movement

Example 5: Cloud Compromise Detection

CloudTrail:

ConsoleLogin from unknown country
IAM privilege escalation
New access keys created

Correlation:

Cloud login anomaly + privilege change + key creation → cloud account compromise

Example 6: Ransomware Activity Chain

Logs:

Mass file modifications from unknown process
CPU spike on file server
EDR detects process injecting into explorer.exe
Large number of file rename events

Rule:

Unusual file operations + process injection + rename storms → possible ransomware

Creates:

Critical Incident: Ransomware Activity Detected

Example 7: Reconnaissance → Exploit → Persistence

IDS:

Port scan detected from IP 203.99.44.2

Web server:

SQL injection attempt

Sysmon:

New scheduled task created by unknown user

Correlation:

Scan + Exploit + Persistence → Compromise confirmed

Building Correlation Rules (Technical Breakdown)

A correlation rule contains:

1. Data Sources

What logs must the rule look at?

  • Windows events

  • Sysmon

  • Firewall

  • EDR

  • Cloud logs

2. Conditions

Logical expressions:

failed_logon >= 10
encoded_command = true
new_admin_user = true

3. Time Window

When should events be considered related?

Within 5 minutes
Within 1 hour
Within same session

4. Relationships

Events linked by:

  • User

  • Host

  • Source IP

  • Process

  • Session ID

5. Output

Alert content:

  • Severity

  • Indicators

  • Summary

  • Suggested actions
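The five components above map directly onto a rule definition and a small engine that evaluates it. The following Python is an added example (not code from this chapter or from any SIEM product) in which the rule is a plain data structure with data sources, an ordered list of conditions, a time window, the relationship keys to group on, and an output template; the engine groups events by those keys and matches the sequence in order. It is applied to the privilege escalation chain from Example 3 (4624 → 4672 → Sysmon 10 on lsass.exe) over constructed events. The field names, hosts, users, the 30 minute window and the suggested actions are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed event sample (not real telemetry) mixing Windows Security and Sysmon records.
EVENTS = [
    # WS-101 / jsmith: logon, special privileges, then LSASS access three minutes later
    {"ts": "2024-05-01T11:00:00", "source": "windows", "event_id": 4624, "host": "WS-101", "user": "jsmith"},
    {"ts": "2024-05-01T11:00:01", "source": "windows", "event_id": 4672, "host": "WS-101", "user": "jsmith"},
    {"ts": "2024-05-01T11:03:20", "source": "sysmon", "event_id": 10, "host": "WS-101", "user": "jsmith",
     "source_image": r"C:\Users\jsmith\AppData\Local\Temp\update.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    # FS-01 / svc_backup: routine privileged logon, no LSASS access
    {"ts": "2024-05-01T02:00:00", "source": "windows", "event_id": 4624, "host": "FS-01", "user": "svc_backup"},
    {"ts": "2024-05-01T02:00:01", "source": "windows", "event_id": 4672, "host": "FS-01", "user": "svc_backup"},
    # DC-01 / admin: full chain, but the LSASS access comes 90 minutes after the logon
    {"ts": "2024-05-01T08:00:00", "source": "windows", "event_id": 4624, "host": "DC-01", "user": "admin"},
    {"ts": "2024-05-01T08:00:01", "source": "windows", "event_id": 4672, "host": "DC-01", "user": "admin"},
    {"ts": "2024-05-01T09:30:00", "source": "sysmon", "event_id": 10, "host": "DC-01", "user": "admin",
     "source_image": r"C:\Program Files\EDR\agent.exe", "target_image": r"C:\Windows\System32\lsass.exe"},
    # Firewall record on WS-101: not a source this rule consumes, so the engine ignores it
    {"ts": "2024-05-01T11:01:00", "source": "firewall", "event_id": 0, "host": "WS-101", "user": "jsmith"},
]

# The rule itself: the five components from the chapter as one data structure.
RULE = {
    "name": "Privilege escalation chain (possible credential dumping)",
    "sources": {"windows", "sysmon"},                      # 1. data sources
    "sequence": [                                          # 2. conditions, in required order
        ("logon_success", lambda e: e["source"] == "windows" and e["event_id"] == 4624),
        ("privilege_assigned", lambda e: e["source"] == "windows" and e["event_id"] == 4672),
        ("lsass_access", lambda e: e["source"] == "sysmon" and e["event_id"] == 10
                           and e.get("target_image", "").lower().endswith("\\lsass.exe")),
    ],
    "window": timedelta(minutes=30),                       # 3. time window, first step to last
    "link_keys": ("host", "user"),                         # 4. relationships: events grouped on these
    "output": {                                            # 5. output template
        "severity": "High",
        "suggested_actions": ["Isolate the host", "Reset the user's credentials",
                              "Collect a memory image from the host"],
    },
}


def build_alert(rule, key, matched):
    link = dict(zip(rule["link_keys"], key))
    indicators = [{"step": name, "ts": e["ts"], "source": e["source"], "event_id": e["event_id"]}
                  for name, e in matched]
    entity = ", ".join(f"{k}={v}" for k, v in link.items())
    return {
        "rule": rule["name"],
        "severity": rule["output"]["severity"],
        "link": link,
        "indicators": indicators,
        "summary": f"{rule['name']} for {entity} between {indicators[0]['ts']} and {indicators[-1]['ts']}",
        "suggested_actions": rule["output"]["suggested_actions"],
    }


def run_rule(rule, events):
    """Evaluate one sequence rule: filter to its sources, group by the link keys,
    then walk each group in time order looking for the steps in sequence."""
    scoped = [e for e in events if e["source"] in rule["sources"]]
    groups = {}
    for e in scoped:
        groups.setdefault(tuple(e[k] for k in rule["link_keys"]), []).append(e)
    alerts = []
    for key, group in groups.items():
        group.sort(key=lambda e: e["ts"])
        matched = []  # (step name, event) pairs matched so far, in order
        for e in group:
            step_name, condition = rule["sequence"][len(matched)]
            if not condition(e):
                continue
            matched.append((step_name, e))
            if len(matched) == len(rule["sequence"]):
                first = datetime.fromisoformat(matched[0][1]["ts"])
                last = datetime.fromisoformat(e["ts"])
                if last - first <= rule["window"]:
                    alerts.append(build_alert(rule, key, matched))
                matched = []  # start over so one chain produces one alert
    return alerts


if __name__ == "__main__":
    for alert in run_rule(RULE, EVENTS):
        print(alert["severity"], alert["summary"])
        print("  actions:", "; ".join(alert["suggested_actions"]))
```

The DC-01 chain is the case to watch when tuning: every condition is satisfied, but the last step falls outside the window, so widening the window to two hours turns that one group into a second alert. Whether that is a true positive or an EDR agent doing its job is exactly the judgement the analyst makes from the process tree in the alert.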


How Analysts Use Correlated Alerts

Analysts open the SIEM alert to see:

  • Event chain

  • Timeline

  • Source systems

  • User involved

  • Host involved

  • Process tree

  • Network connections

  • Indicators of compromise

Example timeline from correlated alert:

10:32 — Failed logins (x14)
10:34 — Successful login (admin)
10:35 — PowerShell encoded command
10:36 — Outbound C2 connection
10:38 — File dropped in AppData

The SOC sees the entire attack as a clear story.


Multi-Stage Attack Example (Full Realistic Correlation)

Stage 1: Phishing

Email attachment: invoice.docm

Stage 2: Execution

WINWORD → powershell.exe (Sysmon)

Stage 3: Persistence

Scheduled task created (Sysmon ID 1 + ID 13)

Stage 4: Lateral Movement

4624 type 3 logon to server-02

Stage 5: Exfiltration

Firewall: 2.4GB to 91.22.113.44

SIEM generates:

ALERT: Multi-stage Attack Detected (Execution → Persistence → Lateral Movement → Exfiltration)
Severity: Critical

This is how correlation exposes the full kill chain.


Intel Dump

  • Correlation rules link multiple events into meaningful security alerts.

  • They detect multi-stage attacks across endpoints, networks, firewalls, and cloud.

  • Correlation uses sequences, thresholds, cross-device, and behavioral logic.

  • Real examples include brute force → success, macro → PowerShell → C2, privilege escalation chains, and ransomware patterns.

  • Rules include conditions, time windows, relationships, and output structure.

  • Correlation transforms scattered logs into complete attack narratives visible to the SOC.
