This blog explains how we used event correlation in OpenSearch to move from isolated event detection to incident-driven security monitoring.

HaloDoc is a healthcare technology platform that offers telemedicine services, online pharmacy, and health information resources to users in Indonesia. Through its platform, HaloDoc aims to improve access to healthcare services, empower patients to take control of their health, and facilitate collaboration between healthcare providers. Developers can learn from HaloDoc's innovative use of technology to address healthcare challenges, leveraging telemedicine, artificial intelligence, and data analytics to enhance patient care and outcomes.

Halodoc

Event correlation in OpenSearch transforms isolated security alerts into meaningful incidents by linking related events across systems, entities, and time windows. By correlating signals from identity systems, cloud platforms, and applications, security teams can detect multi-step attacks that would otherwise remain hidden. The approach uses query-level monitors with composite aggregations to group events by shared identifiers like IP addresses and user emails within defined time windows. Implementation at Halodoc reduced Mean Time to Detect from approximately 5 hours to 90 minutes (70% reduction) by consolidating thousands of raw events into actionable correlated findings, reducing investigation noise and false positives while surfacing previously hidden attack patterns.

From Events to Security Incidents: Leveraging Correlation in OpenSearch

What Does Correlation Mean in OpenSearch?

Impact: MTTD (Mean Time To Detect) Reduction