ThetaPoint Blog

Sessionize Heterogeneous Event Types With This One Weird Trick

Context makes all of the difference for alert disposition and adjudication. Having all related events readily available shortens the decision cycle and eases the cognitive load associated with finding sufficient evidence to inform judgement. I have already discussed how important it is to front-load event processing inside the utility stack, but have not shown how you can connect those two goals to make it possible.

How I Learned to Stop Worrying and Love the community_id

Analysts typically rely on comparisons of equality (or approximate equality) for stitching more than one record together to form context around an…
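As an added example (not code from the ThetaPoint post), the block below shows the "one weird trick" in working Python: it computes the Community ID v1 flow hash as published in Corelight's community-id-spec (2-byte seed, canonically ordered source and destination addresses, protocol byte, one padding byte, source and destination ports, SHA-1, base64 with a "1:" prefix) and then uses that hash to sessionize records from two different sensors. The sample records, sensor names and field names are constructed for illustration; one sensor logged the flow client-to-server while the other logged the reverse direction, which is exactly the case where naive equality on the 5-tuple fails and the canonical ordering in the hash succeeds. Only TCP and UDP are handled; the spec's ICMP type/code-to-port mapping is left out.

```python
import base64
import hashlib
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17


def community_id_v1(src_ip, src_port, dst_ip, dst_port, proto, seed=0):
    """Community ID v1 flow hash for a TCP/UDP flow (per the public
    community-id-spec): '1:' + base64(sha1(seed || ordered 5-tuple))."""
    saddr = ipaddress.ip_address(src_ip)
    daddr = ipaddress.ip_address(dst_ip)
    # Canonical ordering: the endpoint with the lower address (then the
    # lower port) goes first, so both directions of a flow hash identically.
    if (saddr.packed, src_port) > (daddr.packed, dst_port):
        saddr, daddr = daddr, saddr
        src_port, dst_port = dst_port, src_port
    data = struct.pack("!H", seed) + saddr.packed + daddr.packed
    # proto (1 byte), padding (1 zero byte), sport, dport (big-endian)
    data += struct.pack("!BBHH", proto, 0, src_port, dst_port)
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


# Constructed sample records from two hypothetical sensors. "flowlog" recorded
# the client->server direction; "ids" recorded the server->client direction of
# the same TCP session. The DNS record belongs to an unrelated UDP flow.
SAMPLE_RECORDS = [
    {"sensor": "flowlog", "src_ip": "10.0.0.5", "src_port": 51234,
     "dst_ip": "192.0.2.10", "dst_port": 443, "proto": IPPROTO_TCP,
     "bytes": 8421},
    {"sensor": "ids", "src_ip": "192.0.2.10", "src_port": 443,
     "dst_ip": "10.0.0.5", "dst_port": 51234, "proto": IPPROTO_TCP,
     "signature": "example-signature-placeholder"},
    {"sensor": "flowlog", "src_ip": "10.0.0.5", "src_port": 40001,
     "dst_ip": "192.0.2.53", "dst_port": 53, "proto": IPPROTO_UDP,
     "query": "example.invalid"},
]


def sessionize(records):
    """Group heterogeneous records by community_id. Records that already
    carry a community_id field are used as-is; the hash is computed for the
    rest, so sensors that do not emit it can still be joined."""
    sessions = {}
    for rec in records:
        cid = rec.get("community_id") or community_id_v1(
            rec["src_ip"], rec["src_port"], rec["dst_ip"], rec["dst_port"],
            rec["proto"])
        sessions.setdefault(cid, []).append(rec)
    return sessions


if __name__ == "__main__":
    for cid, recs in sessionize(SAMPLE_RECORDS).items():
        print(cid, [r["sensor"] for r in recs])
```

Because the hash key is deterministic and direction-independent, it can be computed once at ingest (front-loaded in the utility stack) and every downstream tool can join on a single string instead of re-deriving and re-ordering the 5-tuple itself.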