Event-Incident Correlation

LAST UPDATED: FEB 10, 2025

Event-incident correlation entails evaluating D3 events against a set of criteria, and linking them to a D3 incident when the criteria are met. These criteria are tailored to the client’s specific needs.

For example, phishing mitigation may focus on identifying email addresses or subject lines that contain, do not contain, start with, or end with specific keywords; denial-of-service prevention may examine specific IP addresses matching certain values; and malware investigations may target hostnames or file hashes with a specific reputation level.
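As an added illustration (not D3's own code; D3 configures these criteria through its UI, and the field names, operator names and rule names below are assumptions), here is a small evaluator that applies criteria of the kinds just listed to a batch of constructed events, links each matching event to an incident named for its rule, and returns the Escalate/Dismiss decision that the preprocessing playbook's conditional task branches on. It goes slightly beyond the page by allowing a CIDR range for IP matching in addition to an exact value.

```python
"""Constructed event-to-incident correlation example (not D3's implementation)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable


def _in_cidr(value: str, target: str) -> bool:
    """True when value is an IP inside the CIDR range target; malformed input never matches."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False


# Matching operators a criterion can use. Names are assumptions; the kinds mirror
# the page: contains / not contains / starts with / ends with, exact value, IP range.
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "contains": lambda v, t: t.lower() in v.lower(),
    "not_contains": lambda v, t: t.lower() not in v.lower(),
    "starts_with": lambda v, t: v.lower().startswith(t.lower()),
    "ends_with": lambda v, t: v.lower().endswith(t.lower()),
    "equals": lambda v, t: v == t,
    "in_cidr": _in_cidr,
}


@dataclass
class Rule:
    name: str                                # incident the matching events are linked to
    conditions: list[tuple[str, str, str]]   # (event field, operator, target); all must hold


def matches(rule: Rule, event: dict) -> bool:
    """An event matches a rule only if every condition holds on a present field."""
    for field_name, op, target in rule.conditions:
        value = event.get(field_name)
        if value is None or not OPERATORS[op](str(value), target):
            return False
    return True


def decide(event: dict, rules: list[Rule]) -> str:
    """Branch name the conditional task would take for this single event."""
    return "Escalate" if any(matches(r, event) for r in rules) else "Dismiss"


def correlate(events: list[dict], rules: list[Rule]) -> tuple[dict, list]:
    """Link each event to the first rule it matches; return ({incident: [event ids]}, dismissed ids).

    Several events may land in the same incident, as the FAQ on this page states."""
    incidents: dict[str, list[str]] = {}
    dismissed: list[str] = []
    for ev in events:
        hit = next((r for r in rules if matches(r, ev)), None)
        if hit is None:
            dismissed.append(ev["id"])
        else:
            incidents.setdefault(hit.name, []).append(ev["id"])
    return incidents, dismissed


# Constructed criteria, one rule per incident type named on the page.
RULES = [
    Rule("Phishing", [("sender", "ends_with", "@example-lookalike.test"),
                      ("subject", "not_contains", "newsletter")]),
    Rule("Denial of Service", [("src_ip", "in_cidr", "203.0.113.0/24")]),
    Rule("Malware", [("file_reputation", "equals", "malicious")]),
]

# Constructed sample events (documentation IP range and placeholder hashes only).
EVENTS = [
    {"id": "E1", "sender": "billing@example-lookalike.test", "subject": "Invoice overdue - act now"},
    {"id": "E2", "sender": "news@example-lookalike.test", "subject": "Weekly newsletter"},
    {"id": "E3", "src_ip": "203.0.113.77", "event_type": "syn_flood"},
    {"id": "E4", "file_hash": "PLACEHOLDER_SHA256_A", "file_reputation": "malicious"},
    {"id": "E5", "file_hash": "PLACEHOLDER_SHA256_B", "file_reputation": "clean"},
    {"id": "E6", "sender": "alerts@example-lookalike.test", "subject": "Password reset required"},
]

if __name__ == "__main__":
    linked, dropped = correlate(EVENTS, RULES)
    for incident, ids in linked.items():
        print(f"{incident}: {ids}")
    print("dismissed:", dropped)
```

E2 is dismissed even though its sender matches the phishing rule, because the rule also requires the subject not to contain "newsletter"; a missing field never satisfies a condition, so E3 (no sender) is never considered for the phishing rule. The `decide` function is the evaluation step the Reader Note below says the demo playbook leaves out.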


Automating Event-Incident Correlation

D3 supports manual escalation, but its true power lies in automating the process.

Manual Escalation

Method 1

  1. Navigate to the incident workspace of an incident.

    1. Navigate to the Investigation Dashboard.

    2. Open the Incidents accordion, then click on All Incidents.

    3. Select a table row to access the incident workspace for that incident.

  2. Click on the Events navigation item.

  3. Click on the Link Event(s) button.

  4. Select one or more events from the dropdown menu.

  5. Click on the Save button.

These events will now be included in the Events Summary widget.

Method 2

  1. Select an event.

    1. Navigate to the Investigation Dashboard.

    2. Click on the All Open item under Events.

    3. Click on a table row to select an event.

  2. Select related events to escalate simultaneously.

    1. Click on the Event/Incident Correlation tab.

    2. Click on the icon for each relevant event to escalate.

  3. Click on the Escalate button once all selected relevant events appear within the second table.

  4. Fill in the incident form, then click on the Escalate button.

  5. Click on the Ok button.

  6. Click on the newly associated incident number at the top.

  7. Scroll down to the Events Summary widget to view the associated events for this incident.

AUTOMATION PREREQUISITES

  1. Prepare and submit an investigation playbook, titled Demo Investigation Playbook.

  2. Build the following preprocessing playbook:

READER NOTE

  • For simplicity, the step of evaluating D3 events against escalation criteria has been omitted.

Preprocessing playbook configuration

Conditional Task

  1. Enter Escalate or Dismiss? as the task name, then ensure that auto run is enabled.

  2. Navigate to the Condition Settings tab, select Dynamic Input using the dropdown, then enter {{"Escalate"}} or {{"Dismiss"}} based on the branch you intend to test in step 3.

  3. Navigate to the Branch Settings tab, then add an Escalate branch and a Dismiss branch.

Escalate Task

  1. Enter Escalate Event as the task name.

  2. Enter the required inputs.

  3. Ensure that auto run is enabled, then click the save button to save the task.

Dismiss Task

  1. Enter Dismiss Event as the task name.

  2. Ensure that Auto Run is enabled, then click the save button to save the task.

  3. Perform test runs on this preprocessing playbook to ensure that all tasks can run to completion.

(Screenshot: Escalation)

(Screenshot: Dismissal)

  1. Submit the tested preprocessing playbook.

  2. Navigate to the Data Ingestion module and schedule a data ingestion, attaching the tested preprocessing playbook.

  3. Allow the data ingestion process to proceed and monitor the creation of events.

  4. Monitor data ingestion progress, event statistics (i.e., ingested events, new events, and incidents created), and any stalled tasks or errors within the event playbook viewer (rebranded as the preprocessing playbook viewer).

(Screenshot: Escalated Events)

(Screenshot: Dismissed Events)

  5. View the incident of the escalated events in the Investigation Dashboard.

Navigating to the incident

  1. Navigate to the escalated events.

    1. Click on the Investigation Dashboard navigation link.

    2. Click on the Events > All Escalated accordion item.

    3. Click on an event of interest.

  2. Click on the incident number to enter the incident workspace (customizable via the incident workspace builder).

FAQ

How many events can be associated with a single incident?

Multiple D3 events may escalate into the same D3 incident.
