Surface: Semantic Alert Dedup
Concord by IaxaI Semantic Alert Dedup uses entity resolution and the knowledge graph to merge duplicate alerts into a single investigative narrative, with every originating alert preserved as evidence. One incident. One ticket. Full receipts.
The Problem
Five tickets. Five queues. Five analysts pulling on the same thread. By the time one of them figures out it's the same user, the other four have already eaten an hour each. The industry calls this alert fatigue. Your analysts call it Tuesday.
The Outcome
Concord collapses semantically duplicate signals into one Security Narrative. The five originating alerts sit inside the card as evidence. You can drill straight back to the raw payload from any vendor. Investigations stop being detective work and start being decisions.
How It Works
Step 1: every alert lands in OCSF
The Semantic Translation Engine maps every vendor signal (CrowdStrike, Splunk, Sentinel, Okta, Palo Alto, whatever the client runs) into the same canonical schema. The same incident is now described in the same fields.
Step 2: entity resolution finds the same actor
The patent-pending Entity Resolution Engine recognizes that the user in the EDR alert, the SAM account in the AD log, and the email in the proxy event are the same person, even when the tools share no common identifier. Every match ships with a calibrated confidence score, not a black-box guess.
Step 3: the knowledge graph stitches the story
Resolved entities, time windows, and shared context get written to a per-tenant graph. When five alerts touch the same user, host, and 30-minute window, they collapse into one card. The graph keeps each contributing alert addressable for drill-down.
Step 4: drill-down preserves the raw truth
The Narrative is the top layer. Underneath sits a unified timeline keyed to OCSF, and underneath that the original vendor payload, verbatim. Your senior analysts get the shortcut. Your forensics team still gets the source.
What It Sits On
Consumes
Translation. Entity Resolution. Knowledge Graph.
Dedup is a surface, not a parser. It draws on the same engine outputs your analysts already trust, which means every merged narrative is reproducible and reviewable.
Produces
One Security Narrative per incident.
Originating alerts preserved as evidence. ER confidence scores surfaced inline. Every dedup decision signed and written to the audit ledger so a regulator or a senior engineer can replay how the merge happened.
Why It Matters
Every credible SIEM and SOAR ships some flavor of correlation. Most of them rely on shared identifiers (a username, a host, a session ID) that the underlying tools never agreed on. When the firewall calls a user one thing and the EDR calls them another, naive correlation misses the link, and the "deduplication" doesn't happen. The five tickets stay open.
Concord deduplicates on the resolved entity, not the literal field. The Entity Resolution Engine recognizes the same person across tools that share nothing in common: multi-modal embeddings plus Bhattacharyya distance plus conformal calibration. Above the auto-merge threshold, the alerts collapse. In the middle band, they queue for an analyst's eyes. Below the floor, they stay separate. That governance is the difference between a feature an MSSP will run on a regulated client's data and a feature they'll quietly turn off after the first false merge.
Calibrated identity
Every entity match ships with a real probability, not a raw score. Auto-merge above the threshold, queue in the middle band, reject below the floor.
Nothing is silently dropped
Originating alerts stay attached as evidence. If the merge was wrong, the underlying tickets are still addressable. Never deleted, never lost.
Replayable on demand
Every dedup decision lands in the append-only audit ledger. Replay the merge from the original payloads, signed and timestamped.
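The three-band policy and the same-user, same-host, 30-minute grouping described above can be sketched as follows. This is an added illustration, not Concord's code: the threshold values, field names and sample alerts are constructed, the match probability is assumed to arrive from an upstream entity-resolution step, and anchoring the window at a narrative's first alert is an assumption.

```python
from datetime import datetime, timedelta

AUTO_MERGE = 0.90               # assumed threshold, not a Concord value
FLOOR = 0.50                    # assumed threshold, not a Concord value
WINDOW = timedelta(minutes=30)  # window length taken from the page

def band(p):
    """Map a calibrated match probability to one of the three bands."""
    if p >= AUTO_MERGE:
        return "merge"
    return "review" if p >= FLOOR else "separate"

def dedup(alerts):
    """Return (narratives, review_queue); every input alert ends up in one of them."""
    narratives, review = [], []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        decision = band(a["p"])
        if decision == "review":
            review.append(a)            # held for an analyst, never auto-merged
            continue
        # Below the floor the alert keeps a key of its own, so nothing merges with it.
        key = (a["entity"], a["host"]) if decision == "merge" else ("unresolved", a["id"])
        for n in narratives:
            if n["key"] == key and a["ts"] - n["start"] <= WINDOW:
                n["evidence"].append(a)  # originating alert stays attached, payload intact
                break
        else:
            narratives.append({"key": key, "start": a["ts"], "evidence": [a]})
    return narratives, review

T0 = datetime(2024, 1, 9, 10, 0)
def alert(aid, vendor, actor, p, minutes):
    # Constructed sample record; "entity" and "p" stand in for entity-resolution output.
    return {"id": aid, "vendor": vendor, "actor": actor, "entity": "person:1042",
            "p": p, "host": "wks-17", "ts": T0 + timedelta(minutes=minutes)}

SAMPLE = [
    alert("a1", "edr", "jdoe", 0.97, 0),
    alert("a2", "ad", "CORP\\jdoe", 0.95, 5),
    alert("a3", "proxy", "j.doe@example.com", 0.93, 12),
    alert("a4", "idp", "00u1abcd", 0.70, 15),        # middle band
    alert("a5", "firewall", "10.0.4.23", 0.30, 20),  # below the floor
    alert("a6", "edr", "jdoe", 0.96, 45),            # outside the 30-minute window
]

if __name__ == "__main__":
    for n in dedup(SAMPLE)[0]:
        print(n["key"], [e["id"] for e in n["evidence"]])
```

The raw `actor` strings differ across all three merged alerts; only the resolved entity ties them together, which is the case literal-field correlation misses.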
30-minute walkthrough. Your tools. Your tenants. Your audit cycle. We will show you exactly where Concord earns its keep.