Every XDR pitch deck shows the same triumphant diagram: endpoint, network, identity, and cloud telemetry flowing into one platform, correlated automatically into a single incident. The part the deck skips is the unglamorous engine underneath — a data model that has to reconcile four incompatible worldviews of what an "event" even is. Get that model wrong and you have a very expensive log aggregator. Get it right and you have detection and response that actually understands the attack, not just the alerts.
Why the data model is the product
Vendors sell XDR on the strength of its detections, its dashboards, and its response playbooks. But every one of those capabilities is downstream of a decision made years earlier by a data engineering team: how raw telemetry from wildly different sources gets turned into a common representation. Detections are just queries and machine learning models running against that representation. If two events that describe the same login — one from a Windows Security log, one from an identity provider's audit trail — end up as unrelated rows with incompatible field names and mismatched timestamps, no amount of downstream cleverness will stitch them back together reliably. The correlation either happens at ingest time, in the data model, or it does not happen at all with any consistency.
This is why the industry conversation has shifted, over the last three years, from "does the product ingest EDR, NDR, identity, and cloud logs" to "how does the product normalize and relate them." Ingestion is a solved problem — everyone has connectors. Normalization at scale, across domains with genuinely different semantics, is where platforms differentiate. A SOC analyst investigating a suspected account compromise does not want four browser tabs and four field naming conventions. They want one entity — a user, a host, a workload — with a timeline that already merges what EDR saw, what the firewall saw, what the identity provider saw, and what the cloud control plane saw, in the right order, with consistent labels.
The stakes are operational, not academic. Analysts spend a measurable share of investigation time on manual pivoting — copying an IP address out of one tool, pasting it into another, translating a Windows event ID into a plain-English description, converting a UTC timestamp into local time by hand. Each of those steps is a place where a data model failure becomes an analyst tax. Organizations building or buying XDR detection and response capability should treat the schema and entity-resolution layer as the primary evaluation criterion, not a footnote after the detection catalog.
Four domains, four worldviews
Before talking about how to normalize telemetry, it is worth being precise about why it is hard. Endpoint, network, identity, and cloud telemetry are not just different formats of the same information — they represent fundamentally different observation models, sampling rates, and notions of identity.
Endpoint telemetry
EDR sensors observe the world at process granularity: process creation and termination, thread injection, file writes, registry modifications, module loads, and network socket calls made by a specific process. The natural key is a process GUID or PID plus start time, and the natural identity anchor is the host. Endpoint data is rich and causally precise — you can build a full process lineage tree — but it is expensive to collect at full fidelity and it says nothing about what happened on the wire or in a SaaS control plane.
Network telemetry
NDR and network flow data (NetFlow/IPFIX, full packet capture, DNS logs, TLS metadata) observe the world at the level of conversations between IP addresses and ports, with no native notion of "user" or "process" unless a proxy or firewall enriches it. Network data is comprehensive in coverage — nothing crosses a segment boundary unseen — but weak in semantic identity. An IP address is not a durable identity; it is reassigned by DHCP, shared behind NAT, and rotated by cloud load balancers within minutes.
Identity telemetry
Identity providers (Entra ID, Okta, Ping, on-prem Active Directory) and PAM systems observe authentication and authorization events: sign-ins, MFA challenges, token issuance, conditional access decisions, privilege elevation, group membership changes. The natural key is a user principal or service principal, and the natural clock is the IdP's own audit pipeline, which can lag real time by anywhere from seconds to several minutes depending on the provider's log delivery SLA. Identity data answers "who," but rarely "what happened next on the machine."
Cloud telemetry
Cloud control-plane logs (CloudTrail, Azure Activity Log, GCP Audit Logs) and workload telemetry (container runtime events, Kubernetes audit logs, serverless invocation logs) observe API calls against a resource graph that is itself ephemeral — instances, containers, and functions are created and destroyed continuously, and IAM roles are assumed and dropped in the same session. The natural key is a resource ARN or resource ID plus an assumed-role session, and identity here is doubly indirect: a human identity federates into a cloud identity, which assumes a role, which then acts on a resource.
Each of these domains was built by a different community, for a different purpose, with a different tolerance for latency and a different definition of "event." Forcing them into one schema is not a formatting exercise. It is a modeling exercise that has to preserve enough domain-specific detail to be useful for deep investigation while exposing enough common structure to be queried and correlated as one dataset.
Endpoint
Process lineage, file and registry activity, host-anchored identity, high fidelity, high volume.
Network
Flow and packet metadata, IP/port conversations, full coverage, weak native identity.
Identity
Authentication, authorization, and token events, user/service-principal anchored, provider-dependent latency.
Cloud
Control-plane API calls, ephemeral resource graph, double-indirection identity via assumed roles.
The normalization problem, precisely stated
"Normalization" gets used loosely to mean everything from field renaming to full semantic unification. It helps to break it into four distinct sub-problems, because each requires a different engineering solution and each fails in a different way.
Schema drift
The same logical field — a source IP address — shows up as src_ip, srcaddr, SourceAddress, clientIp, or nested three levels deep in a JSON blob depending on the vendor. Multiply this across dozens of log sources and thousands of possible field names, and you get a combinatorial parsing problem before any analysis can start. Schema drift also happens over time within a single source: vendors change their log formats between product versions, silently adding, renaming, or deprecating fields, and a parser tuned against last year's format degrades quietly until someone notices a detection stopped firing.
Semantic collisions
Two sources can use the same field name to mean different things. "User" in a Windows Security event can mean the account under which a process runs, which is not necessarily the human who logged in. "User" in an identity provider log is unambiguously the authenticated principal. "User" in a cloud audit log might be an assumed-role session name that maps to a human only through a separate STS AssumeRole event minutes earlier. A naive union of these fields into one "user" column silently merges concepts that are not the same thing, and any detection logic built on top inherits the error.
Temporal misalignment
Clocks lie. Endpoint agents batch and forward events with local buffering delays. Cloud audit logs have documented delivery lag — CloudTrail, for example, is typically delivered within 15 minutes but is not guaranteed, and multi-region trails can be delivered in a different order than they occurred. Identity provider logs may reflect the time the log was written, not the time the authentication decision was made. If a correlation engine assumes events across sources arrive in a tight, orderable window, it will either miss valid causal chains that span provider lag, or falsely merge chains that happen to land close together in ingest time. A model has to carry both event-time and ingest-time, and correlation logic has to be tolerant of asymmetric lag per source.
Identity fragmentation
The hardest problem, covered in its own section below: the same real-world entity — a laptop, a user, a workload — is referenced by a different identifier in every domain, and those identifiers change over time (DHCP leases, hostname changes, role reassumption, container churn).
A reference architecture for cross-domain normalization
A production-grade normalization pipeline generally has six stages, and it is worth being explicit about each because skipping one is where most in-house SIEM-to-XDR migrations quietly go wrong.
- Collection. Agents, syslog receivers, API pollers, and cloud-native log sinks land raw events, preserving the original payload verbatim for forensic replay. Nothing is discarded at this stage — discarding early is the single most common irreversible mistake in a telemetry pipeline.
- Parsing. Source-specific parsers (grok patterns, JSON path extraction, CEF/LEEF decoders, protobuf schemas for structured APIs) turn raw bytes into typed fields. Parsers are versioned per source and per source-version, because vendor log formats change.
- Schema mapping. Parsed fields are mapped onto a canonical event schema — this is where
SourceAddress,src_ip, andclientIpall become one field, with type coercion (string IPs to structured IP objects, epoch variants to a single UTC timestamp standard) and controlled vocabularies for categorical fields like event outcome or severity. - Entity resolution. Extracted identifiers (hostnames, IPs, user principals, resource ARNs, process GUIDs) are resolved against an entity graph that tracks current and historical bindings, so that a network flow, an EDR process event, and an identity sign-in can all be tagged as belonging to the same host or user even though each source names it differently.
- Enrichment. Threat intelligence matching, geo-IP, asset criticality tagging, vulnerability context, and identity risk scores are attached to the normalized event, turning a bare fact ("connection to 91.x.x.x") into an assessable one ("connection to an IP flagged in threat intel three hours ago, from a crown-jewel finance server, by a service account that normally never makes outbound connections").
- Correlation and indexing. Normalized, entity-resolved, enriched events are written to both a search-optimized store (for analyst query and threat hunting) and a graph or session store (for multi-hop correlation across entities and time), and detection logic runs against both.
The order matters. Entity resolution has to happen before correlation, not as part of it, because correlation logic that tries to do identity matching and behavioral matching in the same query becomes both slow and brittle. Enrichment should happen after entity resolution so that risk context attaches to the resolved entity, not to a transient raw identifier that will be gone in the next DHCP lease.
This pipeline underpins how a platform like Algomox structures the ingestion layer feeding both XDR detection and response and the broader AI-native platform stack: raw telemetry is never thrown away, canonical schema mapping happens once centrally rather than per-detection, and entity resolution is a first-class, continuously updated graph rather than a best-effort join performed at query time.
Entity resolution: the problem underneath the problem
Entity resolution is the process of deciding that a hostname in an EDR alert, an IP in a NetFlow record, a device ID in a conditional access log, and a private IP in a VPC flow log all refer to the same physical or logical asset at a given point in time. It sounds like a lookup table. In practice it is a continuously-updated probabilistic graph, because none of the individual signals is a stable, unique key on its own.
Consider a single laptop over one working day. It authenticates to the identity provider once at login, gets a DHCP-assigned IP that may or may not be static within the subnet, is known to the EDR agent by a persistent agent ID, connects to a VPN that assigns it a second, different IP, and shows up in cloud access logs under yet another network identity because of NAT at the corporate egress point. A correlation engine that keys purely on IP address will lose the thread the moment the VPN reassigns an address, will conflate two different laptops that get sequential DHCP leases in the same subnet within the lease overlap window, and will fail entirely to connect the cloud-side view to the endpoint-side view because the addresses never match.
A workable entity resolution layer needs several coordinated identity graphs, not one flat table:
- Host identity graph: binds hostname, agent ID, MAC address, and a time-bounded set of IP addresses, updated on every DHCP lease event, VPN connect/disconnect, and agent heartbeat, so a query for "who had this IP at this timestamp" returns a precise answer instead of a stale one.
- User identity graph: binds a human identity across every federated account — on-prem AD SID, cloud identity object ID, SaaS application account, service desk employee record — so an anomaly on a SaaS account and a privilege escalation on a domain account can be recognized as the same person's blast radius.
- Workload/resource identity graph: binds a container or serverless function instance to its parent deployment, the IAM role it assumed, and the node or host it ran on, with aggressive time-bounding because these entities can live for seconds.
- Session identity graph: binds an authentication event to the downstream actions taken under that session — the assumed-role session name, the OAuth token issued, the process spawned under those credentials — because in cloud and SaaS environments the session, not the underlying human account, is often the actual actor of record.
These graphs need to be time-versioned, not just current-state. An investigation opened three weeks after an incident needs to reconstruct "what IP did this host have at 03:14 UTC on the day in question," not "what IP does this host have now." Platforms that only maintain a current-state asset inventory cannot answer that question, and retroactive threat hunting against historical telemetry becomes unreliable exactly when it matters most, during a breach investigation with a multi-week dwell time.
Entity resolution accuracy is also the single largest lever on alert volume. When resolution is weak, the same real attack chain surfaces as three or four disconnected, low-confidence alerts across three or four tools, each triaged separately, none reaching the severity threshold that a unified view would justify. This is a primary driver of alert fatigue and is one of the core problems that AI-driven XDR alert triage is built to address — not by suppressing alerts more aggressively, but by ensuring the underlying entity graph is strong enough that related alerts merge into one incident before a human ever has to notice the pattern manually.
Schema choices: OCSF, ECS, CIM, and proprietary models
Once the pipeline stages are clear, the next decision is which canonical schema to normalize into. This is not a purely academic choice — it determines how portable your detections are, how easily you can bring in a new log source, and how much translation overhead exists between ingestion and detection logic.
Three schema families dominate current practice, plus the option every mature platform eventually builds: a purpose-fit internal model layered on top of one of them.
Open Cybersecurity Schema Framework (OCSF)
OCSF, originally driven by AWS and Splunk and now governed as an open project with broad industry participation, defines a structured, versioned, class-based event taxonomy (authentication, network activity, file activity, process activity, and so on), each with a strict attribute dictionary and enumerated values. Its strength is precision: because event classes are strongly typed, a "process activity" event has a well-defined shape regardless of source, and downstream detection logic can be written once against the class rather than once per vendor. Its cost is mapping overhead — getting a new, unusual log source cleanly into an OCSF class requires real schema engineering, and coverage of niche or legacy sources lags behind the schema's core classes.
Elastic Common Schema (ECS)
ECS, developed by Elastic, is a flatter, more pragmatic field-naming convention rather than a strict typed taxonomy. It is easier to adopt incrementally — you can map a handful of fields from a new source and get useful cross-source search immediately — but that flexibility means less semantic guarantee: two sources both populating event.action may still use different vocabularies for the value, so downstream detection logic still needs source-aware handling in places.
Common Information Model (CIM)
Splunk's CIM plays a similar role within the Splunk ecosystem — a set of field-naming conventions organized into data models (authentication, network traffic, endpoint, and so on) that Splunk's own detection content and accelerated searches are built against. It is effective inside a Splunk-centric stack but is not a neutral, portable standard the way OCSF aims to be.
Proprietary vendor models
Most established XDR and SIEM vendors still run on an internal, proprietary canonical schema that predates OCSF's maturity, often because it was purpose-built for their specific correlation engine's query patterns and cannot be swapped without a significant re-architecture. This is not automatically a red flag — a well-designed proprietary model tuned for graph-based correlation can outperform a generic open schema on latency and query ergonomics — but it does mean detection content and normalization mappings are not portable if you switch platforms, which is a real switching-cost consideration for buyers.
| Schema | Structure | Strength | Trade-off |
|---|---|---|---|
| OCSF | Strict typed classes, enumerated values, versioned | Portable detection logic across sources; strong semantic guarantees | Higher mapping effort for unusual or legacy sources |
| ECS | Flat field-naming convention | Fast incremental adoption; broad tooling support | Weaker semantic guarantees; source-aware logic still needed |
| CIM | Data-model-organized field conventions | Deep fit with Splunk-native detection content | Ecosystem-specific, not a neutral standard |
| Proprietary | Vendor-internal canonical model | Can be purpose-tuned for the vendor's correlation engine | Low content and mapping portability across vendors |
The pragmatic answer most mature platforms converge on is layered: ingest into a broad, tolerant intermediate representation close to ECS or OCSF's flat field set for fast onboarding of new sources, then materialize a stricter internal typed model — closer to OCSF's class discipline — for the specific event categories that detection and correlation logic actually depends on (authentication, process lineage, network connection, cloud API call, file operation). This gets fast source onboarding without sacrificing the semantic precision that graph-based correlation requires.
Correlation on normalized data: graphs, sequences, and windows
Normalization is a means, not an end. The payoff is correlation logic that can operate on the unified model without source-specific special-casing. There are three complementary correlation patterns worth distinguishing, because they solve different classes of detection and require different infrastructure.
Entity-centric aggregation
The simplest and most immediately useful pattern: given the entity graph, roll up every event across every domain that touches a given host, user, or resource into one timeline. This is what powers the single-pane investigation view analysts actually work from. It requires no sophisticated detection logic — just a correctly maintained entity graph and an indexed store that can efficiently retrieve by entity ID across all domains at once. Many organizations underestimate how much detection value comes purely from this rollup, independent of any machine learning: a human analyst looking at one coherent timeline spots attack patterns that four separate dashboards would have hidden.
Sequence and window-based detection
Attack chains follow temporal patterns — reconnaissance, then credential access, then lateral movement, then exfiltration — and many detections are naturally expressed as "event type A from domain X, followed within N minutes by event type B from domain Y, on the same entity." This requires the pipeline to guarantee that events from different domains, once resolved to the same entity, are placed on a shared, skew-corrected timeline. Building this reliably means the pipeline has to track each source's typical ingest lag and apply a rolling grace window per source rather than a single global window, or fast-arriving endpoint events will be compared against slow-arriving cloud audit events as if both were real-time, producing missed or reordered chains.
Graph-based multi-hop correlation
The most powerful and most infrastructure-intensive pattern: modeling entities as graph nodes and events as edges, then running graph algorithms — shortest path, connected components, community detection — to find multi-hop relationships that no fixed sequence rule anticipated. This is how "an identity anomaly on account A, a lateral RDP connection from A's host to host B, and a cloud API call from a role associated with B" gets recognized as one incident even though no analyst wrote a rule for that exact three-step chain. Graph correlation is what makes XDR meaningfully different from a SIEM with more connectors; it is also the most computationally expensive layer and the one most sensitive to entity resolution quality, because a single mis-resolved node either breaks a real chain or fabricates a false one.
In practice, production platforms run all three simultaneously against the same normalized store: entity rollup for analyst investigation, sequence detection for well-understood attack patterns with tight latency requirements (you want credential-stuffing-then-privilege-escalation caught in seconds, not after a batch graph job runs), and graph correlation for the harder, slower-moving multi-stage campaigns that benefit from a broader time window and richer context. This layered detection approach is central to how agentic SOC workflows prioritize which incidents get autonomous triage versus analyst escalation — the confidence score attached to an incident depends heavily on which correlation layer produced it and how many independent domains contributed corroborating evidence.
A worked example: tracing a lateral movement chain across four domains
Concrete example grounds the architecture. Consider a realistic intrusion sequence and how the normalized model carries it end to end.
03:12 UTC — Identity domain. The identity provider logs a successful sign-in for a marketing department user from an unfamiliar ASN, with MFA satisfied via a push notification the user did not consciously expect (a classic MFA fatigue pattern). In isolation, conditional access risk scoring flags this as medium risk — unfamiliar location, but MFA passed, so no block.
03:19 UTC — Endpoint domain. Seven minutes later, EDR on the user's laptop observes a PowerShell process spawned by the Office application, immediately followed by a LOLBin-style download using a signed system binary. Isolated, this is a moderate-confidence suspicious script execution alert, common enough to be a routine part of triage queues and easy to deprioritize without context.
03:24 UTC — Network domain. The same host initiates an SMB connection to a file server it has never contacted before, per historical baseline, followed within two minutes by an RDP connection to a domain controller. NDR flags the SMB anomaly at low confidence — new host-to-host connections happen constantly in a large environment and are not inherently malicious.
03:31 UTC — Cloud domain. A service account credential cached on the domain controller is used to assume an IAM role in the cloud environment, and CloudTrail (delivered with roughly ten minutes of lag, landing in the pipeline around 03:41 UTC) shows that role listing S3 buckets it has never accessed before, then initiating a large object download.
Four domains, four separate low-to-medium confidence signals, four different tools' native alerting logic, none individually severity-worthy. This is exactly the shape of alert that gets lost in a stack without strong cross-domain normalization — each SOC queue sees one moderate alert among hundreds of similar ones and triages it in isolation. With the entity graph correctly binding the user, the host, the service account, and the assumed-role session as one continuous chain, and with the pipeline correcting for the cloud domain's ten-minute delivery lag so the CloudTrail event is placed correctly on the shared timeline relative to the 03:31 event rather than its 03:41 arrival time, the four events resolve into a single incident: initial access via MFA fatigue, discovery and lateral movement via a LOLBin and SMB/RDP, credential reuse into the cloud control plane, and data staging for exfiltration, all within nineteen minutes of first observed activity.
The response decision changes entirely once this is one incident rather than four. A SOC that saw four separate medium alerts might isolate the endpoint hours later after a human finally connects the dots during a shift handover. A SOC operating on the correlated incident can trigger session revocation at the identity provider, host isolation at the endpoint, and IAM role suspension in the cloud environment within the same automated playbook, inside minutes of the graph correlation firing — the entire value of cross-domain detection and response is compressed into that gap between "four alerts" and "one incident, four corroborating domains."
Identity as the connective tissue, not just another domain
It is worth calling out identity separately from the other three domains, because in cross-domain correlation it behaves less like a peer data source and more like the connective tissue that makes the other three linkable at all. Endpoint data is anchored to a host; network data is anchored to an IP; cloud data is anchored to a resource and a role. None of those three, on their own, tells you which human or service is responsible. Identity events are what let a correlation engine answer "which person's blast radius does this span."
This has a direct architectural consequence: the identity graph needs to be the most tightly maintained and lowest-latency part of the entity resolution layer, because every other domain's correlation quality depends on it. If the binding between a cloud-assumed-role session and the human identity that triggered it is stale or wrong, the entire cross-domain chain breaks at that link regardless of how good the endpoint and network normalization is. This is also why identity security and XDR are converging operationally rather than remaining separate product categories — platforms built around identity and PAM controls and those built around cross-domain detection increasingly need to share the same entity graph rather than maintain two independent, inevitably diverging views of who a user is. Algomox's approach treats identity security telemetry as a first-class, high-priority input into the same normalization pipeline that feeds endpoint and network correlation, rather than a bolt-on integration queried separately during investigation.
Retention, tiering, and the economics of normalized telemetry
Cross-domain normalization has a cost problem that is easy to underestimate: a fully normalized, entity-resolved, enriched event is significantly larger and more expensive to store and index than the raw log line it came from, and the volume differential across domains is enormous. A single busy border firewall can produce more flow records in an hour than a mid-sized fleet's EDR agents produce process events in a week. Naively normalizing and hot-indexing everything at full fidelity is not economically sustainable past a fairly modest environment size.
The practical answer is tiered retention keyed to the pipeline stages described earlier, not a single retention policy applied uniformly:
- Raw/cold tier: unparsed original payloads retained in cheap object storage for the longest window (often 12 months or more for compliance and deep forensic replay), because you cannot re-derive information that was never captured, but query is slow and infrequent.
- Normalized/warm tier: the schema-mapped, entity-resolved canonical events, retained for a mid-length window (commonly 30 to 180 days depending on domain) in an indexed store optimized for analyst search and retroactive hunting.
- Correlated/hot tier: incident-level aggregates, entity timelines, and graph state kept fully hot and query-fast for the shortest window (typically 7 to 30 days) where active investigation and automated response actually happen.
Domain-specific tiering compounds the savings: high-volume, low-signal network flow data is often reasonable to normalize with lighter enrichment and shorter warm-tier retention, while lower-volume, high-signal identity and cloud control-plane events warrant full enrichment and longer warm-tier retention because they carry disproportionate investigative value per event. Getting this tiering wrong in either direction is expensive: over-retain everything hot and infrastructure cost spirals out of proportion to the security value; under-retain and a breach investigation six weeks after initial access finds the network telemetry needed to establish the intrusion timeline has already aged out of the queryable tier.
A buyer's guide: what to actually test before you commit
Vendor demos are built to make normalization look effortless, because the demo environment's data was curated for the demo. Evaluating the real data model requires a different kind of test, and it is worth structuring a proof-of-concept around specific, falsifiable questions rather than a feature checklist.
- Bring your own messy source. Do not evaluate normalization only against the vendor's best-supported connectors. Bring one genuinely awkward source from your own environment — a legacy on-prem application log, a niche SaaS audit export, an internally-built service's logs — and time how long it takes a vendor engineer, not a pre-built connector, to get it mapped into the canonical schema at usable fidelity.
- Test entity resolution across a DHCP boundary. Ask specifically how the platform handles an IP address reassignment mid-investigation: can it correctly attribute events before and after a lease change to the right host without manual correction? This single test exposes more about entity graph maturity than almost any other.
- Ask for the timestamp handling policy in writing. Get a specific answer on how the platform reconciles event-time versus ingest-time per source, and what grace window it applies for known-lag sources like cloud audit logs. A vague answer here predicts sequence-detection misses later.
- Run the four-domain worked-example pattern. Simulate (in a lab, not production) a benign version of the identity-endpoint-network-cloud chain described earlier and confirm the platform actually merges it into one incident rather than four alerts. This is the single most representative test of whether the data model delivers on the XDR promise.
- Check schema and detection portability. If the platform uses a proprietary canonical model, understand what happens to your custom detection content and historical normalized data if you ever migrate away. If it is OCSF-aligned, verify the alignment is deep (typed classes) rather than superficial (field renaming only).
- Validate retention economics against your actual volumes. Get concrete cost projections for your real telemetry volume across all four domains at your intended retention tiers, not a generic per-GB rate card, since the volume skew between network and identity data is large enough to make blended averages misleading.
Buyers evaluating platforms for hybrid, on-prem, or air-gapped environments should add one more test: confirm the normalization and entity resolution pipeline runs fully within the deployment boundary rather than depending on a cloud-hosted enrichment step, since sovereign and disconnected environments cannot tolerate a data model that silently degrades when it loses connectivity to a vendor's cloud backend.
Operational metrics: measuring whether the data model is actually working
Most XDR programs measure success with detection-facing metrics — mean time to detect, mean time to respond, alert volume. Those matter, but they are lagging indicators of data model health. A SOC that wants to know whether its normalization layer is actually functioning should track a smaller set of pipeline-facing metrics directly.
- Parse failure rate per source: the percentage of raw events from each source that fail schema mapping and land in an unparsed or partially-parsed bucket. A rising trend on any one source, especially after a vendor product update, is an early warning that a detection blind spot is forming silently.
- Entity resolution coverage: the percentage of normalized events successfully bound to a known entity in the graph versus left as an orphan record. Orphan events cannot participate in cross-domain correlation at all, so this number is a direct proxy for how much of your telemetry is actually usable for XDR-style detection versus functioning as isolated log search.
- Cross-domain corroboration rate: of incidents escalated to analysts, what fraction were corroborated by two or more independent domains versus surfaced from a single domain. A healthy, mature deployment should show this trending up over time as entity resolution and enrichment improve.
- Timestamp skew distribution per source: tracking the actual observed lag between event-time and ingest-time per source over time, to validate (and periodically re-tune) the grace windows used in sequence detection.
- Analyst pivot count per investigation: how many manual lookups (IP reputation checks, hostname-to-user lookups, cross-tool searches) an analyst performs per investigation. This is the most direct, human-facing measure of whether the unified data model is actually removing the manual correlation burden it is supposed to remove.
Tracking these alongside traditional SOC KPIs gives a much earlier warning system: detection metrics degrade weeks after a normalization problem starts, because alert volume and response time only shift once enough incidents have been affected to move the average. Pipeline health metrics catch the problem the week a vendor changes a log format or a new cloud region starts sending audit logs in an unexpected shape.
A practical implementation checklist for teams building or tuning this pipeline
For teams standing up or maturing a cross-domain normalization capability — whether building in-house on top of a SIEM, extending an existing XDR deployment, or evaluating continuous threat exposure management and detection tooling together — a few implementation habits consistently separate the deployments that deliver real cross-domain correlation from the ones that stall at "we ingest everything but still triage in silos."
- Never discard raw payloads at ingest, even after successful parsing; parser bugs and schema changes are discovered after the fact, and only a preserved raw record lets you re-parse retroactively.
- Version every source parser and canonical schema mapping explicitly, and treat a vendor log format change as a tracked engineering event with a rollout, not a silent hotfix.
- Build the entity graph as a genuinely time-versioned structure from day one; retrofitting temporal versioning onto a current-state-only asset inventory later is a substantially larger project than doing it up front.
- Treat identity telemetry as the highest-priority, lowest-latency domain in the pipeline, since it is the connective tissue every other domain's correlation depends on.
- Instrument the pipeline itself — parse failure rates, entity resolution coverage, timestamp skew — before instrumenting detection outcomes, since pipeline health is the leading indicator.
- Design retention tiers per domain based on actual volume and signal density, not a single blanket policy, and revisit the tiering as telemetry volumes shift with fleet growth or new cloud adoption.
- Validate sequence and graph correlation logic against deliberately lagged test data for slow-delivery sources like cloud audit logs, not just clean, synchronized synthetic data.
Key takeaways
- XDR's value is bounded by its normalization and entity resolution layer, not by the sophistication of its detection models — a weak entity graph breaks correlation regardless of how good the algorithms downstream are.
- Endpoint, network, identity, and cloud telemetry represent genuinely different observation models and identity semantics; naive field-name unification without semantic reconciliation silently corrupts correlation.
- A production pipeline needs six distinct stages — collection, parsing, schema mapping, entity resolution, enrichment, correlation — and entity resolution must precede correlation, not be folded into it.
- Entity resolution requires time-versioned graphs for hosts, users, workloads, and sessions, not a flat current-state asset table, because investigations often need historical identity bindings weeks after the fact.
- Identity telemetry functions as connective tissue across the other three domains and deserves the tightest latency and highest-priority treatment in the pipeline.
- Schema choice (OCSF, ECS, CIM, or proprietary) determines detection portability and onboarding speed; a layered approach — tolerant intermediate representation plus a strict typed model for core event classes — balances both.
- Correlation should run at three layers simultaneously: entity-centric rollup, sequence/window detection, and graph-based multi-hop correlation, each with different latency and infrastructure characteristics.
- Buyers should test messy real sources, DHCP-boundary entity resolution, and a simulated four-domain attack chain in a proof-of-concept, not evaluate the platform on a curated demo dataset.
Frequently asked questions
Is OCSF alignment enough to guarantee good cross-domain correlation?
No. OCSF standardizes field names and event classes, which is necessary but not sufficient. Correlation quality also depends on entity resolution accuracy, timestamp skew handling, and enrichment depth — all of which sit outside the schema definition itself. A platform can be fully OCSF-compliant and still correlate poorly if its entity graph is weak.
How much telemetry latency is acceptable before cross-domain correlation breaks down?
It depends on the source, not a single global number. Endpoint and network data typically arrive within seconds; identity provider and cloud audit logs can lag by minutes due to documented delivery SLAs. The pipeline needs source-specific grace windows for sequence detection rather than one global window, or fast sources will be compared against slow sources as if both were real-time, causing missed or misordered chains.
Should we normalize everything into one schema, or keep domain-specific detail?
Keep both. Preserve raw, domain-specific payloads for deep forensic detail, and materialize a canonical layer for cross-domain query and correlation. Over-flattening into a lowest-common-denominator schema loses the domain-specific fields (like full process lineage or cloud IAM condition context) that deep investigation ultimately needs.
How does this data model relate to exposure management and CTEM programs?
They share infrastructure. The same asset and entity graph that powers cross-domain detection is also the foundation for accurately scoping and prioritizing exposures in a continuous threat exposure management program — you cannot prioritize a vulnerability's real risk without knowing what identity, network path, and business criticality context surrounds the affected asset, which is exactly the context the normalization pipeline already assembles for detection purposes.
See the data model behind unified detection
Talk to Algomox about how endpoint, network, identity, and cloud telemetry get normalized, entity-resolved, and correlated into one incident view — across cloud, on-prem, and air-gapped deployments.
Talk to us