Concepts and terminology

This topic explains key concepts for Investigator.

Alert Catalog

The Alert Catalog is a list of all alert categories in the system. From the Alert Catalog, you can view details about each alert category, pivot to logs, customize severity scores, and define entities to exclude from a category.

alert category

A classification assigned to a type or nature of security alert. The category groups alerts by their characteristics, severity, and relevance to specific security concerns. By organizing alerts into categories, security teams can better manage and respond to potential threats, ensuring that the most critical alerts receive immediate attention and appropriate action.

detection

Aggregation of security alerts from an entity for an alert category. You can perform actions on detections, such as user assignment, status updates, annotation, filtering, and sorting.

entity

A system impacted by an alert and identified by an IP address or domain name.

log

Computer-generated data that contains information about usage patterns, activities, and operations within an operating system, on the network, or in an application, server, or other device.

Examples:

  • A user logs into a system

  • An application started

  • TCP communication between host A and host B observed

security alert

A notification of a security event or a series of security events. Not every event demands an alert – just those that require action.

If you set your threshold too low, you’ll be buried in alerts and won’t see real issues through the noise. If you set the threshold too high, you won’t have enough warning to take preventative action.

Examples:

  • Malware download detected

  • Privilege escalation attempt by unauthorized user

  • Port scanning identified

  • Malicious domain queried

  • The authentication server is down

security event

A change in the normal behavior of a given system, process, environment, or workflow. It occurs somewhere on a network or computer system and can be extracted from log data.

An event can be either positive or negative. An average organization experiences thousands of events every day. These security events can be as small as an email, or as large as an update to your firewalls.

Examples:

  • An employee flags a suspicious email

  • Someone downloads software (authorized or unauthorized) to a company device

  • A known user escalates privileges on a system

security incident

An event that negatively affects the confidentiality, integrity, and/or availability of an organization's assets in a way that impacts the business.

A security incident is created after a thorough review of the underlying security alerts/events by an analyst. The security incident could be a combination of one or more security alerts and events.

Examples:

  • Attacker posts company credentials online

  • Attacker steals customer credit card database

  • Worm spreads through network

severity score

A number from 1 to 10; more severe threats have a higher score. An entity's overall score is the highest severity score among the alert categories detected for that entity.
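The following is an added example, not code from Investigator, that models how the definitions above fit together: alerts are aggregated into detections per entity and alert category, entities excluded from a category in the Alert Catalog produce no detection, and an entity's overall severity score is the highest score of its detected categories. The catalog entries, severity values, and IP addresses are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class CatalogEntry:
    """One alert category from the Alert Catalog: its severity score and excluded entities."""
    severity: int                                 # 1..10, higher is more severe
    excluded: set = field(default_factory=set)    # entities excluded from this category


# Constructed sample catalog; category scores are assumptions, not product defaults.
CATALOG = {
    "Malware download detected": CatalogEntry(9),
    "Port scanning identified": CatalogEntry(4, excluded={"10.0.0.5"}),  # e.g. an approved scanner
    "Malicious domain queried": CatalogEntry(7),
}

# Constructed sample alerts: (entity, alert category).
ALERTS = [
    ("10.0.0.5", "Port scanning identified"),   # entity excluded from this category: dropped
    ("10.0.0.7", "Port scanning identified"),
    ("10.0.0.7", "Port scanning identified"),   # same entity and category: one detection, two alerts
    ("10.0.0.7", "Malicious domain queried"),
    ("10.0.0.9", "Malware download detected"),
]


def build_detections(alerts, catalog):
    """Aggregate alerts per (entity, category), honouring catalog exclusions.
    Returns {entity: {category: alert_count}}."""
    detections = defaultdict(lambda: defaultdict(int))
    for entity, category in alerts:
        entry = catalog.get(category)
        if entry is None or entity in entry.excluded:
            continue  # unknown category, or entity excluded from this category
        detections[entity][category] += 1
    return {entity: dict(cats) for entity, cats in detections.items()}


def entity_scores(detections, catalog):
    """Overall entity score = highest severity among the entity's detected categories."""
    return {entity: max(catalog[cat].severity for cat in cats)
            for entity, cats in detections.items()}


if __name__ == "__main__":
    dets = build_detections(ALERTS, CATALOG)
    for entity, score in sorted(entity_scores(dets, CATALOG).items(), key=lambda kv: -kv[1]):
        print(f"{entity}: score {score}, detections {dets[entity]}")
```

Running the block prints 10.0.0.9 with score 9 before 10.0.0.7 with score 7, and 10.0.0.5 does not appear because its only alert belongs to a category it is excluded from.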