XDR — Correlation

The rule engine is per-event; XDR is the layer above it. It groups alerts that belong together — across time and across sources — into a single incident that tells the whole kill-chain story.

Best-of: Microsoft Defender XDR · Palo Alto Cortex XDR
Module: nexus_secops/correlate.py
Edition: Free (runs on every ingest)
API: /api/v1/xdr/incidents · /xdr/incident · /xdr/ack

What it does

A brute-force alert and a suspicious-process alert on the same host, minutes apart, are not two problems — they are one intrusion. XDR correlation watches a time window per entity (by default the agent) and, when a defined sequence or set of signals all appear, raises a single incident with a kill-chain timeline, the union of MITRE techniques, and a remediation.

How to use it

1. It runs automatically
   Correlation runs on every ingest — you don't trigger it. New and updated incidents are produced as alerts arrive.

2. Review incidents
   Open the dashboard XDR view and click an incident to see its timeline, or call the API.

```bash
# List open incidents, then fetch one incident (with its timeline) by id
curl -H "X-Admin-Token: $TOKEN" http://<manager>:8765/api/v1/xdr/incidents
curl -H "X-Admin-Token: $TOKEN" "http://<manager>:8765/api/v1/xdr/incident?id=<id>"
```

3. Acknowledge / resolve
   Mark an incident as you work it. A resolved incident re-opens automatically if fresh signals for the same entity arrive.

```bash
# POST the incident id and the new status as a JSON body
# (the Content-Type header is assumed; the endpoint and body shape are as documented above)
curl -X POST -H "X-Admin-Token: $TOKEN" -H "Content-Type: application/json" \
     -d '{"id": "<incident-id>", "status": "resolved"}' \
     http://<manager>:8765/api/v1/xdr/ack
```

Built-in correlations

Each correlation is a sequence (ordered) or set (any order) of stages within a time window:

  • XDR-INTRUSION-001 — brute-force → suspicious process (possible compromise).
  • XDR-WEBCHAIN-001 — web exploit → sensitive-file change.
  • XDR-RECON-EXPLOIT-001 — scanner recon → exploitation on the same target.
  • XDR-EXPOSED-ATTACK-001 — risky exposed port + brute-force on that service.
  • XDR-C2-001 — known-IOC contact + suspicious process.
  • XDR-NDR-001 — network threat (beaconing) + process/IOC on the same host (C2 confirmed).
  • XDR-UEBA-001 — behavioral anomaly + an attack signal (possible account/host takeover).
  • XDR-VULN-EXPLOIT-001 — a high-severity CVE on an asset that is being actively attacked.

Correlations are data, so you can extend them with your own stages.
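As an added example (not the project's correlate.py), a minimal correlator in the shape described above: a per-entity time window, stage lists that are either an ordered sequence or an unordered set, one incident per (rule, entity), and re-opening of resolved incidents on fresh signals. Alert field names (`ts`, `agent`, `stage`), the definition format and the second-based windows are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed definitions (field names are assumptions, not the project's
# real format): kind is "sequence" (ordered) or "set" (any order); window is
# in seconds, alert timestamps are epoch seconds.
CORRELATIONS = {
    "XDR-INTRUSION-001": {"kind": "sequence", "window": 600,
                          "stages": ["brute_force", "suspicious_process"]},
    "XDR-C2-001": {"kind": "set", "window": 600,
                   "stages": ["ioc_contact", "suspicious_process"]},
}


class Correlator:
    def __init__(self, correlations=CORRELATIONS):
        self.correlations = correlations
        self.recent = defaultdict(list)   # entity -> [(ts, stage, alert)]
        self.incidents = {}               # (rule, entity) -> incident dict

    def ingest(self, alert):
        """Add one alert (assumed in time order); return incidents touched."""
        ts, entity, stage = alert["ts"], alert["agent"], alert["stage"]
        hist = self.recent[entity]
        hist.append((ts, stage, alert))
        touched = []
        for rule, spec in self.correlations.items():
            if stage not in spec["stages"]:
                continue  # this alert cannot advance this correlation
            window = [h for h in hist if ts - h[0] <= spec["window"]]
            if not self._matches(spec, [s for _, s, _ in window]):
                continue
            key = (rule, entity)
            inc = self.incidents.get(key)
            if inc is None:  # de-duplicated: one incident per (rule, entity)
                inc = self.incidents[key] = {"rule": rule, "entity": entity,
                                             "status": "open"}
            elif inc["status"] == "resolved":
                inc["status"] = "open"  # fresh signals re-open the incident
            inc["timeline"] = [a for _, s, a in window if s in spec["stages"]]
            touched.append(inc)
        return touched

    def ack(self, rule, entity, status):
        self.incidents[(rule, entity)]["status"] = status

    @staticmethod
    def _matches(spec, seen):
        if spec["kind"] == "set":
            return set(spec["stages"]) <= set(seen)
        it = iter(seen)  # sequence: stages must appear in this order
        return all(s in it for s in spec["stages"])
```

Feeding the same two alerts in the wrong order satisfies a set rule but not a sequence rule, and an alert arriving after the window has slid past its predecessor raises nothing.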

How it feeds the pipeline

XDR consumes alerts from every detector — the rule engine, Threat Intel, EDR, UEBA, NDR and Cloud — and emits incidents that the AI then triages and SOAR can respond to. It is the hub that turns a flood of alerts into a handful of stories.

Tips

  • Incidents are de-duplicated per (rule, entity) — you get one incident per attack, not one per alert.
  • Open the timeline before responding: it shows exactly which alerts, in what order, built the case.
  • Let the AI triage page rank incidents by priority so you work the worst first.

Stories, not alerts. XDR exists to kill alert fatigue. If you find yourself reading raw alerts all day, start from the incidents instead.