# Glossary
This glossary explains the most important technical terms related to Blue Team Operations and our SIEM Plus Managed Service.
## A
Alert : A notification generated by the SIEM system when a security-relevant event is detected. Alerts have severity levels ranging from informational to critical.
Analyzer : A module in Cortex that checks a specific observable type against an external data source (e.g., the VirusTotal analyzer checks file hashes).
## B
Blue Team : The defensive side of cybersecurity. The Blue Team is responsible for detecting, analyzing and defending against cyberattacks. Counterpart: Red Team (offensive security).
## C
Case : A documented security incident in the Incident Management System (TheHive/IRIS). Contains all relevant information, observables, tasks and measures.
C2 Server (Command & Control) : A server used by attackers to remotely control malware on compromised systems.
Cortex : Enrichment & Response Engine. Automatically analyzes suspicious indicators against external data sources and provides assessments. → Cortex in Detail
CVE (Common Vulnerabilities and Exposures) : A standardized catalog of known security vulnerabilities in software. Each vulnerability receives a unique CVE number (e.g., CVE-2024-12345).
## D
Decoder : A Wazuh component that transforms raw log data into structured fields so that rules can be applied.
## E
Enrichment : Enhancement of security data with additional context. Example: A suspicious IP address is automatically checked against reputation databases.
Endpoint : A device on the network (PC, laptop, server, mobile device) that can be monitored with a Wazuh Agent.
## F
False Positive : A false alarm – an alert that incorrectly indicates a threat when none exists. Rule tuning reduces false positives.
FIM (File Integrity Monitoring) : Monitoring of critical files for changes. A core feature of Wazuh for detecting unauthorized modifications.
## G
GDPR (General Data Protection Regulation) : EU regulation governing the handling of personal data. SIEM systems help provide the evidence needed to demonstrate compliance.
## I
IDS / IPS (Intrusion Detection / Prevention System) : Systems for detecting (IDS) or actively preventing (IPS) network attacks.
IMS (Incident Management System) : System for structured handling of security incidents. In our stack: TheHive or IRIS. → IMS in Detail
Incident : A confirmed security event that must be investigated and handled.
IoC (Indicator of Compromise) : An indicator of a potential compromise. Examples: Malicious IP addresses, malware hashes, phishing domains. IoCs are managed via MISP.
IRIS : Incident Response Investigation System. An open-source platform for detailed incident response investigations.
ISAC (Information Sharing and Analysis Center) : Industry-specific organizations for sharing cyber threat information (e.g., Financial ISAC, Energy ISAC).
## M
MISP : Malware Information Sharing Platform & Threat Sharing. Open-source platform for sharing threat information. → MISP in Detail
MITRE ATT&CK : A framework that catalogs attack techniques and tactics. Used for classifying threats and evaluating detection coverage.
MTTR (Mean Time to Respond) : Average time from incident detection to response. A key metric for SOC performance.
MTTD (Mean Time to Detect) : Average time from a security incident to its detection.
## N
NIS2 : EU directive for network and information security. Extends cybersecurity requirements for many organizations and industries.
## O
Observable : An observable indicator within a case (e.g., an IP address, a file hash, a domain). Observables can be sent to Cortex for analysis.
OpenSearch : The database engine behind the Wazuh Indexer. Stores and indexes all security events for fast search and analysis.
## P
Playbook : An automated workflow in Shuffle (SOAR) that executes a defined sequence of actions for specific events.
## R
Responder : A Cortex module that performs active response measures (e.g., block IP, lock account).
Rule : A detection rule in Wazuh that defines under which conditions an alert is triggered.
## S
SIEM (Security Information and Event Management) : System for centralized collection, correlation and analysis of security-relevant data. In our stack: Wazuh. → Wazuh in Detail
Shuffle : Open-source SOAR platform for Security Orchestration, Automation & Response. → Shuffle in Detail
SLA (Service Level Agreement) : Agreement on guaranteed service levels (e.g., response times, availability).
SOAR (Security Orchestration, Automation and Response) : Platform for automating and orchestrating security processes. In our stack: Shuffle. → Shuffle in Detail
SOC (Security Operations Center) : A team (and its infrastructure) responsible for continuous monitoring and response to security incidents.
## T
TheHive : Open-source Security Incident Response Platform for collaborative case management. → TheHive in Detail
Threat Intelligence : Processed information about current cyber threats (actors, tactics, indicators). Provided via MISP.
TIPL (Threat Intelligence Platform) : Platform for collecting, processing and sharing threat information. In our stack: MISP. → MISP in Detail
TLP (Traffic Light Protocol) : Classification for information sharing:
| Color | Sharing |
|---|---|
| **TLP:RED** | Named recipients only |
| **TLP:AMBER** | Within the organization only |
| **TLP:AMBER+STRICT** | Within the organization only, no sharing |
| **TLP:GREEN** | Within the community |
| **TLP:CLEAR** | Publicly shareable |
## W
Wazuh : Open-source SIEM and XDR platform. Core of our SIEM Plus Managed Service. → Wazuh in Detail
Wazuh Agent : Software installed on monitored systems that collects and sends data to the Wazuh Manager.
Webhook : An HTTP-based mechanism through which systems automatically send notifications to other systems (e.g., Wazuh alert → Shuffle).
## Y
YARA : A language for describing malware patterns. YARA rules are used in Cortex and MISP for detection.