Context Is Everything

The Alert That Means Nothing — Until It Does

A Windows Event ID 4624 (successful logon) fires thousands of times per day in any enterprise environment. By itself, it's noise — users logging in is expected behavior. But add context and that same alert transforms:

• 4624 on a domain controller from an account that has never touched that server → Critical
• 4624 at 3:17 AM from an employee who has never worked outside business hours → High
• 4624 from Moscow for a user whose last logon was New York, 18 minutes ago → Critical — Impossible Travel
• 4624 from the VPN during a scheduled maintenance window by an IT admin → Expected — Close

The alert didn't change. The raw data is identical in structure. What changed is context — the information surrounding the event that tells you whether this is routine or the start of a breach.

In Lesson 4.1, you learned to classify alerts as true positives or false positives. That classification depends almost entirely on context. This lesson gives you the framework — five dimensions of context that every senior analyst evaluates, often unconsciously, on every alert they touch.

Click to enlarge

The Five Context Dimensions

Every alert exists at the intersection of five context dimensions. Experienced analysts evaluate all five in seconds. You'll build this instinct through practice, but first you need the explicit framework.

Missing even one dimension leads to misclassification. Let's examine each in depth.

Asset Context — Not All Systems Are Equal

The single most impactful context dimension is asset value. A brute-force attempt against a test VM and a brute-force attempt against a production database server produce identical alert signatures — but they demand completely different response urgencies.

The Crown Jewels Model

Every organization has systems that, if compromised, cause catastrophic damage. These are your crown jewels:

CMDB Integration in Practice

In a mature SOC, your SIEM enriches every alert with asset metadata from the Configuration Management Database (CMDB). When an alert fires on IP 10.0.5.22, the enrichment automatically tells you:

{
  "alert": "Multiple failed logons (Rule 5710)",
  "src_ip": "10.0.5.22",
  "asset_enrichment": {
    "hostname": "DC-PROD-01",
    "asset_tier": 1,
    "function": "Primary Domain Controller",
    "owner": "Infrastructure Team",
    "os": "Windows Server 2022",
    "last_patched": "2026-02-15",
    "criticality_score": 9.8
  }
}

Without CMDB enrichment, 10.0.5.22 is just a number. With it, you immediately know this is your production domain controller — and multiple failed logons against it demand instant attention.

User Context — Who Did This, and Should They?

The second dimension answers: who is the entity behind the action, and does this action make sense for their role?

Role-Based Expectations

Different users have different "normal" behaviors. What's expected for a sysadmin is suspicious for an accountant:

Privilege Amplifies Risk

The same suspicious action carries different weight depending on the user's privilege level:

Low-privilege user downloads a suspicious file:
  → Investigate, but likely contained to their workstation

Domain Admin downloads a suspicious file:
  → Escalate IMMEDIATELY — if this account is compromised,
    the attacker has keys to the entire kingdom

This is why privileged accounts should have separate, dedicated monitoring rules in your SIEM. In Wazuh, you can create rules that fire only when specific high-value accounts trigger certain events — turning routine events into high-priority alerts when the actor is a domain admin.

Temporal Context — Timing Changes Everything

When an event occurs relative to normal patterns is a powerful indicator. The same action at 10:00 AM on a Tuesday and at 2:37 AM on a Sunday carry very different risk profiles.

Business Hours vs. Off-Hours

Most legitimate business activity happens during business hours. Off-hours activity isn't automatically malicious, but it raises the bar for scrutiny:

Maintenance Windows

Scheduled maintenance windows are critical context that many junior analysts miss. A burst of privileged account logons across multiple servers at 2 AM on a Saturday looks terrifying — unless the change management calendar shows a planned infrastructure upgrade from 1 AM to 5 AM.

Always check the change calendar before escalating off-hours privileged activity. In a mature SOC, the SIEM ingests the maintenance schedule and automatically suppresses or de-prioritizes alerts during known windows.

Holiday and Seasonal Patterns

Attackers know that SOC staffing is thinnest during holidays. Major breach campaigns often launch on Friday evenings before holiday weekends, giving attackers 72+ hours of reduced monitoring. Be extra vigilant during:

• Major national holidays (Christmas, Thanksgiving, New Year)
• Company-specific shutdown periods
• Friday afternoons before long weekends
• End of financial quarters (when finance teams are distracted)

Geographic Context — Where in the World?

GeoIP analysis maps source IP addresses to physical locations. This is one of the most immediately actionable context dimensions because geographic anomalies are hard for attackers to explain away.

Impossible Travel

The signature geographic detection is impossible travel: a user authenticates from one location, then authenticates from a geographically distant location within a timeframe that makes physical travel impossible.

Event 1:  4624 — User jsmith — Source IP 72.45.12.88  (New York, NY)
          Timestamp: 2026-02-23 09:15:00 UTC

Event 2:  4624 — User jsmith — Source IP 185.220.101.3 (Moscow, Russia)
          Timestamp: 2026-02-23 09:33:00 UTC

Time Delta: 18 minutes
Distance:  ~7,500 km / ~4,660 miles

Verdict:   IMPOSSIBLE TRAVEL — Unless jsmith can fly at Mach 15,
           one of these logons is from a compromised credential.

Known Corporate Exit IPs

Maintain a list of your organization's known egress IPs — office locations, VPN concentrators, cloud NAT gateways. Authentications from these IPs are expected. Authentications from outside this set deserve additional scrutiny, especially from:

• Countries where you have no operations — if you have no employees in Eastern Europe and you see a logon from Romania, investigate
• Known hosting / anonymization providers — Tor exit nodes, bulletproof hosting, residential proxy networks
• High-risk geographies — countries frequently associated with state-sponsored or cybercriminal activity (use threat intelligence feeds for current data, not assumptions)

Geographic Context in Wazuh

Wazuh's GeoIP enrichment adds GeoIP.country_name, GeoIP.city_name, and GeoIP.coordinates to events with public IP addresses. You can build rules that fire when a logon originates from a country not in your allow-list:

<rule id="100510" level="12">
  <if_sid>60106</if_sid>
  <field name="win.eventdata.logonType">^10$</field>
  <geoip_not>US,GB,DE,JP</geoip_not>
  <description>Remote logon from non-corporate country</description>
</rule>

This rule fires on Windows remote interactive logons (type 10) from any country not in the allow-list. It doesn't mean the logon is malicious — but it means it needs a human to decide.

Behavioral Context — Deviation from the Baseline

The most sophisticated context dimension compares current activity against the entity's historical baseline. The question isn't "is this action bad?" but "is this action normal for this specific entity?"

What a Baseline Looks Like

A mature UEBA (User and Entity Behavior Analytics) system builds a profile for each user and device:

First-Time Events

Some of the most valuable behavioral alerts are first-time events — actions that an entity has literally never performed before:

• First time this user accessed this server
• First time this workstation ran PowerShell
• First time this service account logged in interactively
• First time this user downloaded a file over 1 GB
• First time this endpoint contacted this external IP

Peer Group Analysis

Behavioral context becomes even more powerful when you compare against peer groups. If one developer on the team downloads 200 MB of source code from the repo, that's normal. If every developer downloads ~200 MB but one downloads 15 GB, that outlier deserves attention — even though "downloading from the repo" is normal for the role.

Putting It All Together — Multi-Dimensional Triage

Real triage combines all five dimensions simultaneously. Here's how the same alert escalates or de-escalates across different context combinations:

Alert: Windows 4624 (Successful Logon) — Remote Interactive (Type 10)

Context Enrichment in Wazuh

In the Wazuh dashboard, every alert carries raw event data. Your job is to extract context from the fields available:

{
  "agent": {
    "name": "WIN-SERVER-01",
    "ip": "10.0.5.22"
  },
  "data": {
    "win": {
      "eventdata": {
        "targetUserName": "jsmith",
        "logonType": "10",
        "ipAddress": "185.220.101.3",
        "workstationName": "UNKNOWN"
      },
      "system": {
        "eventID": "4624",
        "computer": "WIN-SERVER-01.corp.local"
      }
    }
  },
  "GeoIP": {
    "country_name": "Russia",
    "city_name": "Moscow"
  },
  "timestamp": "2026-02-23T02:47:15.000Z"
}

From this single event, extract your five dimensions:

1. Asset: WIN-SERVER-01 — check your asset inventory for tier classification
2. User: jsmith — check HR directory for role, department, privilege level
3. Temporal: 02:47 UTC — convert to user's local time, check against their normal hours
4. Geographic: Moscow, Russia — check GeoIP against user's expected locations and corporate IPs
5. Behavioral: Query historical logs — has jsmith ever logged into WIN-SERVER-01 before? Has this IP appeared in prior events?

In Lab 4.2, you'll do exactly this. You'll receive a geo-anomaly alert on a Wazuh dashboard pre-loaded with contextual data across agents linux-web-01, WIN-SERVER-01, dns-server-01, and fw-edge-01. Your task: pivot through the data, apply all five context dimensions, and deliver a verdict.

What's Next

You now have the mental framework for evaluating context. In Lesson 4.3: Investigation Workflow, you'll learn the systematic pivot process — how to efficiently move from a single alert to a complete picture by pivoting on host, user, IP, and timeframe. Context tells you what to look for; the investigation workflow tells you how to find it.

But first, put your context skills to the test. In Lab 4.2 — Investigate a Suspicious Logon, you'll receive a geo-anomaly alert in a live Wazuh environment. The dashboard is pre-loaded with surrounding events from multiple agents. Your mission: apply all five context dimensions, pivot through the data, and deliver a verdict — is this a compromised account or an explainable anomaly?