SOC.OS Alert Correlation and Prioritisation Engine

Product overview

Imagine you had a security analyst on your team who could analyse every single alert generated by your security tools 24 hours a day, 365 days a year, and based on external threat intelligence and business context, escalate only the most important ones to you for further review. That would be great, right?

SOC.OS is that analyst.

How it works

SOC.OS Engine showing alert collection from multiple security tools via syslog or API to the SOC.OS Cloud

Step One

Alert collection

On-premise security tools are configured to forward security alerts to a lightweight agent installed on your IT network.

Multiple source systems can be sent to a single agent – e.g. firewall IPS/IDS and endpoint protection devices. Once alerts are received by the agent, they are forwarded to the SOC.OS cloud platform. Additionally, the SOC.OS cloud platform can be configured with the appropriate credentials to collect alerts directly from the APIs of your cloud-based security tools.

SOC.OS is constantly developing integrations with new security devices. Click on the link below for full details.

View Compatible Tools

Alert enrichment with MITRE ATT&CK®, AbuseIPDB, AlientVault OTX and business context

Step Two

Enrichment with context

Once received, the alert data is cleansed, parsed and the MITRE ATT&CK® threat associated with the alert is identified. Alerts are then enriched with threat intelligence data from AbuseIPDB and AlientVault OTX (Open Threat Exchange) as well as your own business context, providing the analyst with rich and much needed context to enable data driven remediation decisions to be made quickly and effectively.

Within the tool, users have the ability to list critical business assets (e.g. an important web server or email address), such that when an alert contains these assets, it’s not only extremely easy to locate this asset very quickly, but they’re automatically scored higher and moved closer to the top of the priority ranked investigation workbench.

AbusedIP Logo

Every IP contained in all your alerts
is checked on AbuseIPDB

AlienVault OTX Logo

Alert enrichment with AlienVault OTX, which has access to 19 million threat indicators daily

Mitre Att&ck Logo

Alert mapping to a MITRE ATT&CK technique and/or tactic

Customised alert correlation and priortisation

Step Three

Triage. Correlate. Prioritise.

The enriched alerts are then correlated into related groups, or in SOC.OS language “clusters”, based on a number of rules. This ensures that, for example, alerts targeting the same part of your network with similar threat types would appear in the same cluster, and can be easily examined in one go. Each cluster consists of anywhere between 1 to 5,000 alerts.

These clusters are then ranked so that the ones deemed to require urgent investigation can be found easily on the SOC.OS workbench. Users also have the ability to specify high-importance assets in their network, with clusters containing these assets being moved further up the priority ranking.


SOC.OS works 24/7/365 analysing and enriching every alert it ingests


Clusters which contain your critical assets are prioritised higher than those that don’t

Alert correlation of similar entities and MITRE ATT&CK® threat types

Only alerts which share similar entities and MITRE ATT&CK threat types are grouped together

SOC.OS user workbench shows threat activity on networkover time

Step Four


Cluster investigation can then be completed entirely through the SOC.OS workbench – the original alerts, 3rd party threat feeds, custom business context enrichment and in-tool security training tips are all accessible using a single intuitive UI.

The clusters themselves are visualised using a bespoke data visualisation tool in a graphical way, allowing the analyst to understand in one quick glance, the MITRE ATT&CK® threat type, the incident timeline (which can span days, weeks and months) and the entities involved.

Once investigated, a cluster is never closed completely – it is archived and automatically re-opened if a new alert is correlated with this incident. Analysts are then shown the complete history of this cluster, so they immediately gain the insights from the previous investigation.


Investigate all of your alerts in a single platform


Simple and intuitive UI ideal for upskilling less experienced analysts


Accurately track (slower evolving) incidents through time

SOC.OS Dashboards & MITRE ATT&CK® Threat Coverage Reporting

Step Five

Dashboards & reporting

The enriched alerts are then correlated into related multiple dashboard widgets to give you a real time and consolidated view of your disparate data silos, and answer the following questions (not an exclusive set): “What are the most frequently occurring alert types being generated across all my tools?” “What are the most frequently occurring hosts and IP addresses contained within my alerts?” “What are the most frequently occurring MITRE ATT&CK tactics/techniques that my tools are detecting?”

Automated reports highlight your organisation’s MITRE ATT&CK threat coverage by showing you which techniques and tactics have been detected by each one of your security tools, as well as highlight operational metrics such as the number of alerts you are now able to analyse, triage and prioritise per month.


Dashboard widgets give a consolidated view of disparate data silos

Mitre Att&ck Logo

Automated reports highlight your organisation’s MITRE ATT&CK threat coverage and gaps

show_chart bar_chart

Automated reports highlight alert triage and correlation statistics

Premier Oil Logo

“Premier Oil looked at the current leading Gartner SIEMs and realised very quickly, as a medium size corporation, we lacked manpower and time to implement them. The investment of time we would need was just infeasible with traditional market leaders.

Fortuitously, as we started looking for alternatives, SOC.OS appeared over the horizon with their exciting new capability; allowing us to incrementally evolve and improve at our own pace. The integration of existing sensors and monitoring gives Premier Oil clear, concise and simple visibility worldwide through correlating of our network, server and end point events; whether current events or historic timelines.

The continual evolution of SOC.OS and its nascent capabilities is exciting and hugely beneficial, something Premier Oil is glad to be party to, as more and more data and events are drawn into the system, improving both the depth and breadth of Premier Oil’s cyber security.”

Vince Premier Oil Vince M.
Group Information Security Manager, Premier Oil