CERIAS 2025 Annual Security Symposium


2026 Symposium Posters


An Agentic AI Pipeline for Enterprise Alert Correlation



Primary Investigator:
Dongyan Xu

Project Members
Cheng-Yun King Yang Christina Zhang Max Chen Dongyan Xu
Abstract
Alert correlation is a critical process that transforms isolated detections into coherent attack narratives, enabling analysts to capture multi-stage intrusions that would otherwise surface as hundreds of unrelated, low-severity events. Microsoft’s Managed Extended Detection and Response (MXDR) facilitates this by automating alert grouping; however, it often exhibits systematic blind spots in complex scenarios. For instance, MXDR frequently fragments alerts into disconnected incidents when an attacker targets multiple users from a single IP or when identical malware re-executes on the same account. To bridge these gaps, we propose a daily AI agent pipeline that operates alongside MXDR. A correlation subagent first scans ingested alerts for shared entities — IPs, file hashes, and user accounts — across time windows, producing a structured analysis packet. An analysis subagent then interprets these packets, produces prioritized SOC reports, and feeds confirmed misses back into a rule refinement subagent—incrementally expanding correlation coverage with each iteration. Evaluated on real enterprise alerts, the system surfaced multi-day attack campaigns and recurring correlation patterns that MXDR consistently missed.
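The correlation step described in the abstract, as an added illustration that is not the poster's own code: alerts are grouped by a shared entity (source IP, file hash, user account) whenever consecutive alerts on that entity fall within a time window of each other, and each group is emitted as a structured analysis packet. The two blind spots the abstract names, one IP hitting several users and the same malware hash re-executing on one account, are flagged explicitly. The 48-hour window, the alert field names and the alert records themselves are assumptions constructed for this example.

```python
"""Entity-based alert correlation over a sliding time window.

Added example, not the poster's pipeline code. Alerts that an XDR product
may have filed as separate incidents are chained on a shared entity when
the gap between consecutive alerts on that entity is within WINDOW; each
chain becomes one analysis packet with a pattern label.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)          # assumed correlation window
ENTITY_FIELDS = ("src_ip", "file_hash", "user")

# Constructed sample alerts; not real enterprise data.
SAMPLE_ALERTS = [
    {"id": "A1", "ts": "2025-03-01T08:00:00", "src_ip": "203.0.113.7",
     "user": "alice", "file_hash": None, "title": "Failed logon burst"},
    {"id": "A2", "ts": "2025-03-01T09:30:00", "src_ip": "203.0.113.7",
     "user": "bob", "file_hash": None, "title": "Failed logon burst"},
    {"id": "A3", "ts": "2025-03-02T10:15:00", "src_ip": "203.0.113.7",
     "user": "carol", "file_hash": None, "title": "Password spray"},
    {"id": "A4", "ts": "2025-03-01T12:00:00", "src_ip": "10.0.0.5",
     "user": "dave", "file_hash": "3a7bd3e2360a", "title": "Malware executed"},
    {"id": "A5", "ts": "2025-03-02T11:00:00", "src_ip": "10.0.0.5",
     "user": "dave", "file_hash": "3a7bd3e2360a", "title": "Malware executed"},
    # Same hash and account again, but eight days later: outside WINDOW.
    {"id": "A6", "ts": "2025-03-10T11:00:00", "src_ip": "10.0.0.5",
     "user": "dave", "file_hash": "3a7bd3e2360a", "title": "Malware executed"},
    {"id": "A7", "ts": "2025-03-01T13:00:00", "src_ip": "198.51.100.9",
     "user": "erin", "file_hash": None, "title": "Suspicious OAuth consent"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def cluster_by_entity(alerts, field, window=WINDOW):
    """Return (value, alerts) chains sharing `field`, split wherever the gap
    between consecutive alerts (in time order) exceeds `window`."""
    by_value = defaultdict(list)
    for a in alerts:
        if a.get(field):
            by_value[a[field]].append(a)
    clusters = []
    for value, group in by_value.items():
        group.sort(key=lambda a: _parse(a["ts"]))
        current = [group[0]]
        for prev, cur in zip(group, group[1:]):
            if _parse(cur["ts"]) - _parse(prev["ts"]) <= window:
                current.append(cur)
            else:
                clusters.append((value, current))
                current = [cur]
        clusters.append((value, current))
    return clusters


def classify(field, group):
    """Label the two patterns the abstract says MXDR tends to fragment."""
    users = {a["user"] for a in group}
    if field == "src_ip" and len(users) > 1:
        return "one-ip-many-users"
    if field == "file_hash" and len(users) == 1 and len(group) > 1:
        return "recurring-malware-same-account"
    return "shared-entity"


def build_packets(alerts, window=WINDOW):
    """Produce one structured analysis packet per multi-alert entity chain."""
    packets = []
    for field in ENTITY_FIELDS:
        for value, group in cluster_by_entity(alerts, field, window):
            if len(group) < 2:
                continue  # a lone alert is not a correlation
            packets.append({
                "entity_type": field,
                "entity_value": value,
                "alert_ids": [a["id"] for a in group],
                "users": sorted({a["user"] for a in group}),
                "first_seen": group[0]["ts"],
                "last_seen": group[-1]["ts"],
                "pattern": classify(field, group),
            })
    return packets


if __name__ == "__main__":
    for p in build_packets(SAMPLE_ALERTS):
        print(p["pattern"], p["entity_type"], p["entity_value"], p["alert_ids"])
```

Chaining on the gap between consecutive alerts rather than a fixed calendar window lets a slow campaign stay in one packet as long as activity never pauses longer than the window; A6 above shows the flip side, a repeat that lands outside the window and becomes a singleton the downstream analysis subagent never sees, which is exactly the kind of miss a rule-refinement loop would widen the window to catch.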