Incident Correlation
Correlation explains why alerts belong together:
- Primary signal anchors the incident.
- Supporting signals show matching fingerprints, service alignment, and environment consistency.
- Exclusions are listed to show what was ignored.
What to look for
- Primary vs supporting signals
- Confidence level based on supporting evidence
- Any excluded alerts and why they were skipped