This repository contains a proof of concept code for an entity-risk based system for correlation of security detections (threat indicators) coming from multiple sources (for XDR/SIEM) into multi-stage incidents. The code is written in C++23 and demonstrates some of the new features of the language, such as concepts, ranges, coroutines, and modules.
The motivation for this project is to explore how to implement a complex and scalable system that can handle large volumes of security data and provide meaningful insights for threat detection and response. The system is based on the idea of entity-risk, which is a measure of how likely an entity (such as a user, a device, or an IP address) is involved in a malicious activity, based on the detections associated with it. The system uses entity-risk to correlate detections from different sources and group them into multi-stage incidents, which represent a sequence of related events that indicate a potential attack. The calcualted risk scoring should also serve as source of information for Zero Trust platform. Done as an exercise to learn C++23 concepts on a practical case.