ELI5: What is Telemetry Correlation (XDR)?
XDR collects data from computers, networks, and cloud services, then connects the dots between them. Like a detective piecing together clues from the kitchen, the garage, and the backyard to solve one case.
Definition
Telemetry correlation in XDR (Extended Detection and Response) refers to the capability of XDR platforms to ingest and correlate security telemetry from multiple different security domains — endpoints, network, cloud infrastructure, identity, and email — to detect complex, multi-stage attacks that span across these domains. This cross-domain correlation is the key differentiator of XDR over traditional EDR.
Key Details
- XDR correlates: endpoint process data + network connections + cloud API calls + email click events + identity logs
- Detects attacks that span multiple domains: initial email phishing → endpoint execution → lateral network movement → cloud exfiltration
- Reduces mean time to detect (MTTD) by correlating signals that would appear unrelated in isolated tools
- Reduces alert fatigue: correlated events surface as a single, rich incident rather than as multiple apparently unrelated alerts
- XDR platforms include Palo Alto Cortex XDR, Microsoft Defender XDR, CrowdStrike Falcon XDR
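The following is an added illustration, not code from the original page or from any of the XDR vendors named above. It assumes a simplified event schema (domain, timestamp, user, host, action, detail) and constructed sample telemetry; it shows how a correlation engine stitches an email click, an endpoint process start, a network connection, and a cloud API call into one incident keyed on the shared user, while an unrelated endpoint event stays an isolated low-value signal.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Kill-chain progression the page describes:
# phishing click -> endpoint execution -> lateral movement -> cloud exfiltration
STAGE_OF_DOMAIN = {"email": 1, "endpoint": 2, "network": 3, "cloud": 4}

# Constructed sample telemetry (not real logs). In a real deployment each row
# would arrive from a different tool; none of them alone shows the whole chain.
EVENTS = [
    {"domain": "email",    "ts": 100, "user": "alice", "host": "WS-17",
     "action": "link_click",    "detail": "hxxp://example.invalid/invoice"},
    {"domain": "endpoint", "ts": 130, "user": "alice", "host": "WS-17",
     "action": "process_start", "detail": "outlook.exe -> powershell.exe"},
    {"domain": "network",  "ts": 200, "user": "alice", "host": "WS-17",
     "action": "smb_connect",   "detail": "WS-17 -> FS-02:445"},
    {"domain": "cloud",    "ts": 260, "user": "alice", "host": "FS-02",
     "action": "api_call",      "detail": "s3:PutObject 400MB to external bucket"},
    # Unrelated, benign-looking activity from another user: must not be merged in.
    {"domain": "endpoint", "ts": 300, "user": "bob",   "host": "WS-22",
     "action": "process_start", "detail": "chrome.exe -> updater.exe"},
]


@dataclass
class Incident:
    """One correlated incident: the unit an analyst triages instead of N raw alerts."""
    user: str
    first_ts: int
    last_ts: int
    domains: list = field(default_factory=list)   # in first-seen order
    hosts: set = field(default_factory=set)
    timeline: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Many domains touched in kill-chain order is the strongest signal.
        if len(self.domains) >= 3 and in_kill_chain_order(self.domains):
            return "high"
        return "medium" if len(self.domains) >= 2 else "low"


def in_kill_chain_order(domains) -> bool:
    """True if the domains were first seen in non-decreasing kill-chain stage."""
    stages = [STAGE_OF_DOMAIN[d] for d in domains]
    return all(a <= b for a, b in zip(stages, stages[1:]))


def correlate(events, window_s: int = 900, min_domains: int = 3):
    """Group events by user inside a sliding time window and emit an Incident
    only when the group spans at least `min_domains` telemetry domains.
    Pivoting on the user is a simplification; real engines also pivot on host,
    IP, session and file hash to follow activity that changes accounts."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    incidents = []
    for user, evs in by_user.items():
        current = None
        for e in evs:
            # Start a new group when there is none or the gap exceeds the window.
            if current is None or e["ts"] - current.last_ts > window_s:
                if current is not None and len(current.domains) >= min_domains:
                    incidents.append(current)
                current = Incident(user=user, first_ts=e["ts"], last_ts=e["ts"])
            current.last_ts = e["ts"]
            if e["domain"] not in current.domains:
                current.domains.append(e["domain"])
            current.hosts.add(e["host"])
            current.timeline.append(
                f'{e["ts"]} [{e["domain"]}] {e["host"]}: {e["action"]} {e["detail"]}')
        if current is not None and len(current.domains) >= min_domains:
            incidents.append(current)
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"INCIDENT user={inc.user} severity={inc.severity} "
              f"domains={inc.domains} hosts={sorted(inc.hosts)}")
        for line in inc.timeline:
            print("   ", line)
```

Run as-is, the five constructed events collapse into one high-severity incident for alice spanning all four domains and both hosts, which is the alert-fatigue reduction the page describes: siloed tools would have raised up to five separate alerts, and bob's lone endpoint event never reaches the incident queue. The window size and the minimum-domain threshold are the tuning knobs; too wide a window merges unrelated activity for the same user, too narrow splits a slow-moving intrusion.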
Connections
- Parent: edr-xdr — telemetry correlation is the defining capability of XDR platforms
- See also: behavioral-analysis