E3 CreaTIC

Operation

Alert ingestion and correlation

The ingestion pipeline

Alerts enter through the Ingestion Gateway and travel via Kafka through sequential consumers: normalization, enrichment and routing to the right stores.

Correlation strategies

The correlation engine groups N alerts into M incidents (M << N) by applying five strategies in priority order:

  • Deduplication: groups identical repeated alerts.
  • Time window: groups events close in time.
  • Graph: uses topology to relate resources.
  • Rule: conditions defined by the implementer.
  • Regex: pattern matching on the message.

A good rule configuration is the main lever to reduce NOC noise.
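The priority-ordered grouping described above, sketched as an added example (not the platform's own code). The window size, topology map, implementer rule, message pattern, alert field names and the assumption that the time window applies per resource are all hypothetical.

```python
import re
# Assumed values, not platform defaults: window, topology, rule and pattern.
WINDOW_S = 60
TOPOLOGY = {"sw1": {"db1", "web1"}, "db1": {"sw1"}, "web1": {"sw1"}}
JOB_RE = re.compile(r"job=(\w+)")

def dedup(a, inc):        # identical repeated alert
    return any((a["res"], a["msg"]) == (b["res"], b["msg"]) for b in inc)

def time_window(a, inc):  # same resource, close in time
    return any(a["res"] == b["res"] and abs(a["ts"] - b["ts"]) <= WINDOW_S for b in inc)

def graph(a, inc):        # resource adjacent in the topology
    return any(b["res"] in TOPOLOGY.get(a["res"], ()) for b in inc)

def rule(a, inc):         # hypothetical implementer rule: same tenant, both critical
    return any(a.get("tenant") is not None and a.get("tenant") == b.get("tenant")
               and a["sev"] == b["sev"] == "critical" for b in inc)

def regex(a, inc):        # same captured job name in the message
    m = JOB_RE.search(a["msg"])
    return m is not None and any(
        (n := JOB_RE.search(b["msg"])) is not None and n.group(1) == m.group(1) for b in inc)

STRATEGIES = [dedup, time_window, graph, rule, regex]  # priority order

def correlate(alerts):
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        for match in STRATEGIES:  # a higher-priority strategy wins across all incidents
            hit = next((i for i in incidents if match(a, i["alerts"])), None)
            if hit is not None:
                hit["alerts"].append(a)
                hit["via"].append(match.__name__)
                break
        else:  # no strategy matched: open a new incident
            incidents.append({"alerts": [a], "via": []})
    return incidents

# Constructed sample alerts.
SAMPLE = [
    {"ts": 0, "res": "db1", "msg": "disk full", "sev": "warning"},
    {"ts": 300, "res": "db1", "msg": "disk full", "sev": "warning"},
    {"ts": 310, "res": "db1", "msg": "io latency high", "sev": "warning"},
    {"ts": 320, "res": "sw1", "msg": "port flap", "sev": "warning"},
    {"ts": 900, "res": "app9", "msg": "backup failed job=nightly", "sev": "critical", "tenant": "acme"},
    {"ts": 2000, "res": "app7", "msg": "oom", "sev": "critical", "tenant": "acme"},
    {"ts": 5000, "res": "app3", "msg": "retry job=nightly", "sev": "warning"},
]
```

Running `correlate(SAMPLE)` folds the seven alerts into two incidents, and each incident's `via` list records which strategy attached each later alert.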

Alert ingestion and correlation · EVA AIOps Platform Implementer · E3 CreaTIC