Using tunable metrics for iterative discovery of groups of alert types identifying complex multipart attacks with different properties


Detailed description

Saved in:
Bibliographic details
Main author: Miskovic Stanislav
Format: Patent
Language: eng
Subjects:
Description
Summary: Tunable metrics are used for iterative discovery of groups of security alerts that identify complex, multipart attacks with different properties. Alerts generated by triggering signatures on originating computing devices are iteratively traversed, and different metrics corresponding to alerts and alert groups are calculated. The calculated metrics quantify the feasibility of the evaluation components (alerts and/or alert groups) for inclusion in tuples identifying multipart attacks with specific properties. Alerts and successively larger alert groups are iteratively joined into tuples, responsive to evaluation components meeting thresholds based on corresponding calculated metrics. Only those evaluation components that meet specific thresholds based on the calculated metrics are added to alert groups. Metrics are only calculated for those components that have met corresponding metric-based thresholds during prior iterations. Discovered tuples can be transmitted to multiple endpoint computing devices, where the tuples can be utilized as signatures to detect and defend against multipart attacks.
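The following Python program is an added illustration of the iterative procedure the abstract describes; it is not code from the patent. The abstract does not name a concrete metric, so the example assumes a co-occurrence "support" metric (the fraction of originating devices on which every alert in a group fired) and a tunable threshold. Groups are grown one alert at a time, a candidate's metric is computed only when all of its sub-groups met the threshold in the previous iteration, and the surviving maximal tuples are then used as multipart signatures on an endpoint. The device-to-alert data and the signature names are constructed for the example.

```python
"""Iterative, threshold-pruned discovery of alert tuples (added illustration)."""
from itertools import combinations
from typing import Dict, FrozenSet, Set

AlertGroup = FrozenSet[str]

# Constructed sample input (not from the patent): alert signature IDs that fired
# on each originating device during one evaluation window.
DEVICE_ALERTS: Dict[str, Set[str]] = {
    "host-01": {"SIG_PHISH_ATTACH", "SIG_MACRO_EXEC", "SIG_LSASS_DUMP", "SIG_SMB_LATERAL"},
    "host-02": {"SIG_PHISH_ATTACH", "SIG_MACRO_EXEC", "SIG_LSASS_DUMP", "SIG_SMB_LATERAL"},
    "host-03": {"SIG_PHISH_ATTACH", "SIG_MACRO_EXEC", "SIG_LSASS_DUMP"},
    "host-04": {"SIG_PHISH_ATTACH", "SIG_MACRO_EXEC", "SIG_SMB_LATERAL"},
    "host-05": {"SIG_PORT_SCAN", "SIG_SMB_LATERAL"},
    "host-06": {"SIG_PORT_SCAN"},
    "host-07": {"SIG_DNS_ANOMALY"},
    "host-08": {"SIG_PHISH_ATTACH"},
}


def support(group: AlertGroup, device_alerts: Dict[str, Set[str]]) -> float:
    """Assumed metric: fraction of devices on which every alert in the group fired."""
    hits = sum(1 for alerts in device_alerts.values() if group <= alerts)
    return hits / len(device_alerts)


def discover_tuples(device_alerts: Dict[str, Set[str]], min_support: float,
                    max_size: int) -> Dict[AlertGroup, float]:
    """Join alerts into successively larger groups; return every group of size >= 2
    that met the (tunable) threshold, mapped to its support."""
    # Iteration 1: evaluate single alerts against the threshold.
    singles = {frozenset([a]) for alerts in device_alerts.values() for a in alerts}
    current = {g: s for g in singles if (s := support(g, device_alerts)) >= min_support}
    discovered: Dict[AlertGroup, float] = {}
    size = 1
    while current and size < max_size:
        # Candidates of size+1: unions of two surviving groups that share all but one alert.
        survivors = list(current)
        candidates = set()
        for i, left in enumerate(survivors):
            for right in survivors[i + 1:]:
                merged = left | right
                if len(merged) == size + 1:
                    candidates.add(merged)
        nxt: Dict[AlertGroup, float] = {}
        for cand in candidates:
            # The metric is computed only if every sub-group met the threshold
            # in the prior iteration; everything else is skipped unevaluated.
            if all(frozenset(sub) in current for sub in combinations(cand, size)):
                s = support(cand, device_alerts)
                if s >= min_support:
                    nxt[cand] = s
        discovered.update(nxt)
        current = nxt
        size += 1
    return discovered


def maximal_tuples(discovered: Dict[AlertGroup, float]) -> Set[AlertGroup]:
    """Keep only discovered groups not contained in a larger discovered group."""
    return {g for g in discovered if not any(g < other for other in discovered)}


def matches(signature: AlertGroup, alerts_on_device: Set[str]) -> bool:
    """Endpoint-side use of a discovered tuple as a multipart signature."""
    return signature <= alerts_on_device


if __name__ == "__main__":
    found = discover_tuples(DEVICE_ALERTS, min_support=0.375, max_size=4)
    for group in sorted(maximal_tuples(found), key=sorted):
        print(sorted(group), found[group])
```

Raising `min_support` from 0.375 to 0.5 on the same data shrinks the result to a single two-alert tuple, which is the tuning knob the abstract refers to: a lower threshold surfaces rarer multipart patterns at the cost of evaluating more candidate groups, while the sub-group pruning keeps the number of metric computations bounded at every iteration.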