Can't find the term you are looking for? Contact us at support@socos.io and we'd be happy to add it.
SOC.OS Term | Also Known As | Definition | Additional Information |
---|---|---|---|
Log | Event Log | A single record of a happening/event within an IT system. It is one piece of point-in-time intelligence that, on its own, is not an immediate cause for concern for an analyst. Because it is unlikely to lead to further investigation, it should not be ingested by SOC.OS. | - How is this different to an event log? |
Alert | Threat Log | A single record indicative of activity pointing to a potential security threat; it often summarises a group of event logs. On its own it is actionable intelligence that would be an immediate cause for concern for an analyst. Because it is likely to lead to further investigation, it should be ingested by SOC.OS. | - What is an Alert? - Alert Collection |
Entity | Indicator | A resource involved in an alert, such as an IPv4 Address, Domain, or SHA256 Hash. | - What is an Entity? |
Cluster | Incident | A cluster represents a group of alerts that have been correlated together because they share a common set of features (including entities) that would suggest they are part of the same incident. | - What is a cluster and what's the benefit? - Cluster Visualisation - Cluster Data View - Cluster Status |
Attributes | | Alerts, Entities and Clusters hold attributes which provide further context about that object. | - Entity Attributes |
Enrichment | | Enrichment adds further context to an alert by querying threat intelligence sources and attaching the results as attributes on the alert's entities. This allows analysts to make data-driven remediation decisions quickly and effectively. | - Enrichment - Entity Enrichment - Custom Enrichment |
MITRE ATT&CK® | | MITRE ATT&CK® is a freely and globally accessible knowledge base of adversary tactics and techniques, built from real-world observations of attacks and updated regularly by MITRE researchers and industry contributors. MITRE ATT&CK® is natively incorporated into SOC.OS and is the backbone of the correlation engine. As SOC.OS processes alerts, it automatically classifies each alert message and maps it to the MITRE ATT&CK framework. | - MITRE ATT&CK - MITRE ATT&CK Website |
Incident | Cluster | A cybersecurity event, triggered by an alert or group of alerts, requiring further investigation and remediation. In SOC.OS, these are represented as Clusters. | - What is a cluster and what's the benefit? |
External/ Internal (Entity) | Public/ Private | In SOC.OS, an entity is classed as either external or internal. An internal entity is owned, managed, or under the responsibility of the organisation using SOC.OS. This often includes private IP addresses, but might also include public IP addresses or domain names that they own. An external entity is anything that isn't an internal entity, such as unknown URLs or IP addresses. | - What is an Entity? - Entity Attributes |
Source System | Security Tool, Integration | A source system is a security tool that produces cybersecurity alerts; it can be on-premises or cloud-based. | - Compatible Tools - Integrating your Tools |
Agent | Syslog Forwarder | The SOC.OS Agent is software that forwards syslog alerts from on-premises security tools (source systems) up to the SOC.OS platform for processing. Once installed, it listens on an assigned set of ports for syslog alerts sent over UDP, TCP or TLS. Each open port is designated to a different source system, so the port number identifies which tool an alert came from. Note that syslog over UDP gives no delivery guarantee and no transport encryption, so TLS is preferable wherever the source system supports it. | - Installing the SOC.OS Agent |
Cluster Visualisation | | The SOC.OS cluster visualisation allows an analyst to quickly understand the high-level overview of an alert cluster. Once an analyst understands the overall picture, the visualisation enables fast access to key details. It is designed to mimic how an experienced cybersecurity analyst thinks about an incident. | - Interpreting the cluster visualisation |
Filtering | | All data sent to SOC.OS is subject to filtering, with the aim of allowing only security alerts (not unwanted logging) to be processed and clustered by the system. The filter is configured using a set of filter rules. | - Filtering |
Scoring | | A score is calculated when a new cluster is created or a new alert correlates with an existing cluster. This score can be used to rank clusters so that those needing urgent investigation can be found easily on the SOC.OS workbench. | - Scoring - Prioritisation |
Workbench | Search | The workbench allows users to quickly find interesting clusters and thoroughly investigate the underlying data using the search capability. This functionality allows users to build powerful, no-code queries, based on the different entities and attributes of alert clusters. | - Using Search - Advanced Search |
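The Entity, External/Internal, Cluster and Scoring rows above describe a correlation pipeline in words: alerts that share entities are grouped into a cluster, entities are classed as internal or external, and each cluster gets a score used for ranking. The following is an added illustration of that pipeline in Python; it is not SOC.OS code. The alert record shape, the owned domains and public ranges, the union-find grouping and the scoring weights are all assumptions made for the example, and the sample alerts are constructed.

```python
"""Illustrative alert-to-cluster correlation by shared entities.

Added example, not SOC.OS's implementation. The record format, the
internal/external rules and the scoring weights are assumptions chosen
to show the glossary terms Entity, Internal/External, Cluster and Scoring.
"""
import ipaddress
from collections import defaultdict

# Assumed organisation-owned assets: RFC 1918 space plus one owned public
# range and one owned domain, as the External/Internal row describes.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OWNED_PUBLIC_NETS = [ipaddress.ip_network("198.51.100.0/29")]  # assumption
OWNED_DOMAINS = ("corp.example",)                              # assumption

# Constructed sample alerts in an assumed shape: id, source system and the
# entities (type, value) mentioned by the alert.
ALERTS = [
    {"id": "a1", "source": "firewall",
     "entities": {("ipv4", "10.0.0.5"), ("ipv4", "203.0.113.10")}},
    {"id": "a2", "source": "edr",
     "entities": {("ipv4", "10.0.0.5"),
                  ("sha256", "e3b0c44298fc1c149afbf4c8996fb924"
                             "27ae41e4649b934ca495991b7852b855")}},
    {"id": "a3", "source": "proxy",
     "entities": {("domain", "evil.example.net"), ("ipv4", "203.0.113.10")}},
    {"id": "a4", "source": "edr",
     "entities": {("ipv4", "10.0.0.77"), ("domain", "intranet.corp.example")}},
    {"id": "a5", "source": "firewall",
     "entities": {("ipv4", "198.51.100.4"), ("ipv4", "192.0.2.66")}},
]


def is_internal(etype, value):
    """Internal = owned/managed by the organisation; everything else external.

    Private IPv4 space and the configured owned public range are internal,
    as are the owned domains and their subdomains. Hashes and other
    ownerless entity types are treated as external.
    """
    if etype == "ipv4":
        addr = ipaddress.ip_address(value)
        return any(addr in net for net in PRIVATE_NETS + OWNED_PUBLIC_NETS)
    if etype == "domain":
        return any(value == d or value.endswith("." + d) for d in OWNED_DOMAINS)
    return False


def cluster_alerts(alerts):
    """Group alerts that share at least one entity, transitively, via union-find.

    Every entity links all alerts that mention it: a1~a2 share 10.0.0.5 and
    a1~a3 share 203.0.113.10, so a1, a2 and a3 land in one cluster.
    Returns clusters as sorted lists of alert ids.
    """
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # entity -> first alert id that mentioned it
    for a in alerts:
        for ent in a["entities"]:
            if ent in first_seen:
                parent[find(a["id"])] = find(first_seen[ent])
            else:
                first_seen[ent] = a["id"]

    clusters = defaultdict(set)
    for a in alerts:
        clusters[find(a["id"])].add(a["id"])
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


def score_cluster(cluster_ids, alerts):
    """Assumed scoring: alerts + 2 * distinct source systems + external entities.

    The weights are illustrative; the intent is that a cluster seen by several
    tools and touching external infrastructure outranks a lone internal alert.
    """
    members = [a for a in alerts if a["id"] in cluster_ids]
    sources = {a["source"] for a in members}
    entities = set().union(*(a["entities"] for a in members))
    external = [e for e in entities if not is_internal(*e)]
    return len(members) + 2 * len(sources) + len(external)


def rank_clusters(alerts):
    """Return (score, member ids) pairs, highest score first."""
    ranked = [(score_cluster(c, alerts), c) for c in cluster_alerts(alerts)]
    return sorted(ranked, key=lambda sc: (-sc[0], sc[1]))


if __name__ == "__main__":
    for score, members in rank_clusters(ALERTS):
        print(score, members)
```

Correlating on every shared entity is deliberately naive: a frequently seen internal address such as a DNS resolver or proxy would pull unrelated alerts into one cluster, so a production correlation engine weights entities by rarity or excludes such hub entities, and it carries the internal/external attribute so that an analyst can see at a glance which side of the boundary each entity sits on.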