SOC / SIEM Glossary

For: anyone working with the stack or reading the documentation. Quick term reference — not a textbook.


Operations center & platforms

SOC (Security Operations Center)

Team + processes + tools that monitor infrastructure for threats 24/7. In our stack: the entire SIEM cluster (Wazuh, TheHive, Cortex, MISP, CrowdSec, Velociraptor, Shuffle).

SIEM (Security Information and Event Management)

Collects logs from all sources, correlates events, generates alerts. In our stack: Wazuh (Manager + Indexer + Dashboard).

SOAR (Security Orchestration, Automation and Response)

Automates routine SOC actions: alert arrives -> enrichment -> block -> notification — no manual intervention. In our stack: Shuffle (deployed, playbooks not yet written; custom scripts used meanwhile).

TIP (Threat Intelligence Platform)

Catalog of known malicious IPs, domains, file hashes, URLs. Syncs with CERT-UA and other feeds. In our stack: MISP.

DFIR (Digital Forensics & Incident Response)

Deep analysis of compromised machines: artifact collection, memory dumps, timeline reconstruction. In our stack: Velociraptor (server deployed, clients not yet).


Endpoint detection & protection

EDR (Endpoint Detection and Response)

Agent on every host: collects telemetry, detects threats, can isolate the machine. In our stack: Wazuh Agent (35 active) serves as EDR-light (FIM, SCA, vuln detection, active response).

XDR (Extended Detection and Response)

EDR + network telemetry + cloud + email — all correlated in one place. In our stack: approaching XDR once Suricata (NIDS) is added on top of Wazuh (host-based).

NIDS / IDS (Network Intrusion Detection System)

Analyzes network traffic for suspicious patterns (exploits, C2 communications, DNS tunneling). In our stack: Suricata (planned, Tier 3 roadmap — requires SPAN port).


Threat Intelligence

IOC (Indicator of Compromise)

A concrete sign of an attack: malicious IP address, domain, file hash, URL. In our stack: stored in MISP, checked via Cortex analyzers.

TTP (Tactics, Techniques, Procedures)

MITRE ATT&CK framework: not "what" (IOC) but "how" the adversary attacks. Example: T1110 Brute Force, T1059 Command-Line Interface. Wazuh rules map alerts to specific TTPs.

TLP (Traffic Light Protocol)

Confidentiality marking for threat intel: RED (recipient only), AMBER (limited sharing), GREEN (community), WHITE (public). Used in MISP events and TheHive cases.

PAP (Permissible Actions Protocol)

What you can do with a received IOC: RED (look only), AMBER (passive checks), GREEN (active scanning). Accompanies TLP in MISP / TheHive.


SOC Workflow

IR (Incident Response)

Process from threat detection to resolution: triage -> containment -> eradication -> recovery -> lessons learned.

Alert

A raw SIEM notification, not yet confirmed as a real attack. Could be noise (FP). In our stack: Wazuh generates -> TheHive queues -> Tier 1 triages.

Case

A confirmed incident from a triaged alert. Has assignee, tasks, observables, verdict. In our stack: created in TheHive via the "Import" button from an alert.

Triage

Rapid initial sorting of alerts: real or noise, critical or low-risk. Primary Tier 1 activity. Target: < 15 min per alert.

FP / TP (False Positive / True Positive)

FP = alert fired but no real threat (noise). TP = alert fired and the threat is real. An FP rate above 50% means the Wazuh rules need tuning.

Observable / Artifact

A concrete entity from an alert or case: IP address, domain, file hash, URL, email. In our stack: displayed in TheHive, enriched via Cortex.


Automation & tooling

Analyzer

A read-only Cortex module: checks an observable against external services (VirusTotal, AbuseIPDB, MISP) and returns a verdict. It only reads and never changes anything. In our stack: Cortex analyzers.

Responder

A write-action Cortex module: ban IP, disable user, isolate host. In our stack: responders not yet configured (active response runs via Wazuh / CrowdSec).

Playbook

A fixed sequence of steps for responding to a specific incident type. Example: "brute force detected -> enrich IP -> check MISP -> ban if toxic -> notify Teams". In our stack: intended for Shuffle (currently implemented as custom scripts).

Hunt

Proactive search for hidden threats that did not trigger an alert. Tier 3 / Threat Hunter runs hunts across all hosts. In our stack: Velociraptor (once clients are deployed).

Active Response

Wazuh automatically executes an action when a rule triggers: block IP via iptables, kill process, disable user. In our stack: Wazuh active response + CrowdSec decisions -> FortiGate DROP.


SOC Metrics

MTTD (Mean Time To Detect)

From the moment of attack to alert appearance. Target: < 5 min.

MTTR (Mean Time To Respond/Remediate)

From alert to full threat elimination. Includes triage + investigation + containment + eradication.


Wazuh-specific terms

CDB (Constant Database)

Wazuh key-value store for fast lookups: "is this IP in a threat feed?". Format: plain text file, one key:value per line. Used for MISP -> Wazuh IoC synchronization.

FIM (File Integrity Monitoring)

Wazuh Agent tracks changes to critical files (/etc/passwd, configs, binaries). Change = alert.

SCA (Security Configuration Assessment)

Wazuh Agent checks host compliance against a baseline (CIS benchmarks): is the firewall enabled, is the root password not "password", does SSH allow key-based login only.


SOC Roles

L1 / L2 / L3 (Tier 1 / 2 / 3) — SOC analyst tiers

  • Tier 1 — Triage analyst. Sorts alerts: real or noise. No deep investigation. Goal: speed.
  • Tier 2 — Incident analyst. Investigates cases from Tier 1. Deeper analysis, correlation, containment.
  • Tier 3 — Threat hunter / Senior analyst. Proactive threat hunting, forensics, rule tuning, malware analysis.

Last updated: 2026-04-16.