Introducing Correlated Alerting. A new method of detection that optimizes for high signal alerts

Submitted by
Style Pass
2024-04-24 15:30:05

Today RunReveal is announcing the beta release of correlated alerting, a new security alerting technique that is running for all customers today and is designed to deliver significantly higher signal for cloud detection and SIEM use cases.

Current stream processing techniques and log query languages are really bad at searching for threat actors. No single indicator or log can reliably indicate a compromise, yet all the log processing and search tools we have available to us today are built to look for one set of conditions at a time. The fact that most security teams struggle with alert fatigue is a direct result of this old paradigm, and of the current set of vendors repeating this same old mistake.

The out-of-the-box detections you get with RunReveal already use this technique. However, with this release we're also providing a framework for you to easily build your own correlated alerts! There's no magic when it comes to hard data problems, however, so let's look at the details of how this works.
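To make the contrast concrete, here is a small added example (my own illustration, not RunReveal's framework or code) of the two models side by side: single-condition rules that each fire on their own, and a correlation pass that only alerts when one actor trips several distinct weak indicators inside a time window. The events, rule names and the 30-minute window are constructed assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each dict is one cloud audit record.
EVENTS = [
    {"ts": "2024-04-24T10:00:00", "actor": "alice", "action": "ConsoleLogin", "success": False, "new_location": False},
    {"ts": "2024-04-24T10:01:00", "actor": "alice", "action": "ConsoleLogin", "success": False, "new_location": False},
    {"ts": "2024-04-24T10:03:00", "actor": "alice", "action": "ConsoleLogin", "success": True, "new_location": True},
    {"ts": "2024-04-24T10:10:00", "actor": "alice", "action": "AttachUserPolicy", "success": True, "new_location": True},
    {"ts": "2024-04-24T09:00:00", "actor": "bob", "action": "ConsoleLogin", "success": False, "new_location": False},
    {"ts": "2024-04-24T13:00:00", "actor": "bob", "action": "ConsoleLogin", "success": True, "new_location": True},
    {"ts": "2024-04-24T15:00:00", "actor": "carol", "action": "AttachUserPolicy", "success": True, "new_location": False},
]

# Single-condition rules (hypothetical). Each one also fires on routine, benign activity.
RULES = {
    "failed_login": lambda e: e["action"] == "ConsoleLogin" and not e["success"],
    "login_new_location": lambda e: e["action"] == "ConsoleLogin" and e["success"] and e["new_location"],
    "privilege_change": lambda e: e["action"] == "AttachUserPolicy",
}

def matching_rules(event):
    return {name for name, check in RULES.items() if check(event)}

def single_condition_alerts(events):
    """The one-condition-at-a-time model: every rule hit becomes its own alert."""
    return [(e["actor"], r) for e in events for r in sorted(matching_rules(e))]

def correlated_alerts(events, window=timedelta(minutes=30), min_rules=3):
    """Alert only when one actor trips >= min_rules distinct rules within a sliding window."""
    by_actor = defaultdict(list)
    for e in events:
        hits = matching_rules(e)
        if hits:
            by_actor[e["actor"]].append((datetime.fromisoformat(e["ts"]), hits))
    alerts = {}
    for actor, hits in by_actor.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):  # slide the window start over each hit
            seen = set()
            for ts, names in hits[i:]:
                if ts - start > window:
                    break
                seen |= names
            if len(seen) >= min_rules:
                alerts[actor] = sorted(seen)  # one alert per actor, listing the correlated rules
                break
    return alerts

if __name__ == "__main__":
    print(len(single_condition_alerts(EVENTS)), "single-condition alerts")  # 7
    print(correlated_alerts(EVENTS))  # only alice, with three correlated indicators
```

On this sample the single-condition model raises seven alerts across three users, while the correlated pass raises one, for the only actor whose failed logins, new-location login and privilege change land within the same half hour.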

If you look at the baseline detections that your average SIEM comes with, they might have a few hundred that look something like this: