Overview

The Similar Alerts tab helps you identify and analyze alerts that may be related to the alert you are currently viewing. It combines several correlation methods to surface potential connections and patterns across your alert data.

Correlation Methods

Content-based Similarity

  • Title matching
  • Description analysis
  • Observable overlap
  • TTP correlation

Temporal Analysis

  • Time-based clustering
  • Frequency patterns
  • Sequence detection
  • Campaign timeline

Contextual Correlation

  • Source alignment
  • Target comparison
  • Attack pattern matching
  • Team/Organization context

Similarity Scoring

Score Components

  • Observable match percentage
  • TTP overlap
  • Temporal proximity
  • Source correlation
  • Target alignment

Score Interpretation

  • High confidence matches
  • Potential relationships
  • Weak correlations
  • False positives
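As an added illustration that is not part of this documentation or the product's own scoring logic, the following Python sketch combines the five score components above into one weighted similarity score and maps it onto the interpretation bands. The weights, thresholds, alert fields and sample alerts are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Alert:
    title: str
    source: str            # detection source, e.g. the sensor that raised the alert
    target: str            # targeted asset, team or organization
    observables: set       # IPs, domains, hashes
    ttps: set              # ATT&CK technique IDs
    created: datetime

# Assumed weights for illustration only; the product's real weighting is not documented here.
WEIGHTS = {"observables": 0.35, "ttps": 0.25, "temporal": 0.20, "source": 0.10, "target": 0.10}

def jaccard(a, b):
    """Observable / TTP overlap as a 0..1 set-similarity ratio."""
    return len(a & b) / len(a | b) if (a or b) else 0.0

def temporal_proximity(t1, t2, window_hours=24):
    """1.0 for identical timestamps, decaying linearly to 0.0 at the window edge."""
    gap_hours = abs((t1 - t2).total_seconds()) / 3600
    return max(0.0, 1.0 - gap_hours / window_hours)

def similarity(a, b):
    components = {
        "observables": jaccard(a.observables, b.observables),
        "ttps": jaccard(a.ttps, b.ttps),
        "temporal": temporal_proximity(a.created, b.created),
        "source": 1.0 if a.source == b.source else 0.0,
        "target": 1.0 if a.target == b.target else 0.0,
    }
    return round(sum(WEIGHTS[k] * v for k, v in components.items()), 3), components

def interpret(score):
    """Assumed bands matching the four interpretation levels listed above."""
    if score >= 0.75: return "high confidence match"
    if score >= 0.50: return "potential relationship"
    if score >= 0.25: return "weak correlation"
    return "likely false positive"

def rank_similar(current, candidates):
    """Return (alert, score, components) sorted by score, highest first."""
    ranked = [(c, *similarity(current, c)) for c in candidates]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample alerts (not real data).
T0 = datetime(2024, 3, 1, 10, 0)
CURRENT_ALERT = Alert("Phishing mail w/ macro", "email-gw", "finance",
                      {"198.51.100.7", "evil.example"}, {"T1566.001", "T1204.002"}, T0)
CANDIDATES = [
    Alert("Same lure, new hash", "email-gw", "finance", {"198.51.100.7", "evil.example", "abc123"},
          {"T1566.001", "T1204.002"}, T0.replace(hour=12)),
    Alert("Unrelated PowerShell", "edr", "finance", {"203.0.113.9"},
          {"T1204.002", "T1059.001"}, datetime(2024, 3, 4, 10, 0)),
    Alert("Domain seen on endpoint", "edr", "hr", {"evil.example"}, {"T1566.001"}, T0.replace(hour=20)),
]
```

Running `rank_similar(CURRENT_ALERT, CANDIDATES)` places the shared-lure alert first as a high-confidence match, the endpoint sighting as a weak correlation, and the unrelated PowerShell alert last as a likely false positive.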

Alert Management

Viewing Similar Alerts

  1. Sort by similarity score
  2. Filter by time range
  3. Group by correlation type
  4. Focus on specific attributes

Bulk Operations

  • Select multiple alerts
  • Create case from group
  • Merge alerts
  • Update status

Alert Comparison

  • Side-by-side view
  • Difference highlighting
  • Common attributes
  • Unique characteristics

Pattern Analysis

Campaign Detection

  • Alert clustering
  • Pattern identification
  • Campaign timeline
  • Attack progression

Threat Actor Analysis

  • Common TTPs
  • Observable patterns
  • Target profiles
  • Attack methodologies

Visualization

Timeline View

  • Chronological display
  • Frequency analysis
  • Pattern highlighting
  • Campaign mapping

Relationship Graph

  • Alert connections
  • Observable links
  • TTP relationships
  • Pattern visualization

Best Practices

  1. Analysis Workflow
    • Review highest scores first
    • Validate relationships
    • Document findings
    • Update correlation rules

  2. Pattern Recognition
    • Look for campaigns
    • Track progression
    • Note anomalies
    • Document insights

  3. Alert Management
    • Group related alerts
    • Create cases appropriately
    • Update statuses
    • Document relationships

Next Steps