Samurai XDR Glossary of Terms

Modified on Wed, 29 Nov 2023 at 10:24 PM

The definitions provided below are used within Samurai XDR documentation. All legal terms can be found under Legal.

 

Advanced Analytics:

Detection capabilities, including machine learning, big data, and complex event processing analysis, that are included as part of the Threat Detection services.


Alert:

A security detection made by the Samurai platform, or by a third-party vendor whose telemetry we are ingesting.


Boost Scoring:

Boost Scoring is a technique used by Samurai XDR to improve the detection of Advanced Persistent Threats (APTs) by linking seemingly unrelated events.


Collector:

A Collector is responsible for ingesting telemetry (or logs) into Samurai XDR. There are two main types of Collector: Secure Syslog and Cloud. A Secure Syslog Collector provides an encrypted transport endpoint, deployed in our network, which you will typically use as the destination for all syslog messages produced by your devices. Many security devices support sending syslog over TLS (Transport Layer Security). If a device can only emit standard, unencrypted syslog, we highly recommend forwarding its logs through a secure method (for example a local relay that wraps them in TLS) rather than sending them in cleartext, since plain syslog is neither confidential nor authenticated in transit.


A Cloud Collector provides the ability to ingest telemetry from cloud platforms and services, and is hosted centrally as part of Samurai XDR, so there is nothing for you to deploy. The integration guides you through a short setup, which will typically require an API key or secret and other account details from the cloud service. Where the service allows it, use a dedicated credential scoped to reading the required logs rather than an administrative one.


Confidence:

Confidence provides a measure of how certain our systems are that an Alert is accurate and represents malicious activity.  Confidence levels are shown as Unknown, Low, Medium, High or Maximum.  For more information, please see the article about Alerts.


Correlation:

The ability of our systems to find a common linkage between Logs or Events (such as a shared source or destination IP address, Common Vulnerabilities and Exposures (CVE) identifier, or other attribute) and combine them into one Event, adding context to an Alert.


Enrichment:

The process of adding contextual information (such as geolocation, evidence from packet captures or other data) to log information, either programmatically, or by a Security Analyst.
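The Correlation and Enrichment definitions above describe two steps that usually run back to back. The Python below, written as an added illustration for this glossary and not part of Samurai XDR or its API, clusters a handful of constructed Events that share an IP address or CVE identifier into one correlated Event each, then enriches every IP in the result from a constructed geolocation table. The field names, the link rules (any IP field or CVE value is a linkage key) and the lookup table are assumptions for the example; the IPs come from the RFC 5737 documentation ranges and the CVE identifier is a placeholder.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample Events (not real telemetry). Field names are assumptions
# for this example; real collectors normalise vendor logs into their own schema.
# The CVE identifier is a placeholder and the public IPs come from the
# RFC 5737 documentation ranges, so no real host or vulnerability is implied.
SAMPLE_EVENTS = [
    {"id": 1, "source": "firewall", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",
     "dst_port": 443, "action": "allow"},
    {"id": 2, "source": "ids", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",
     "signature": "exploit attempt", "cve": "CVE-0000-0000"},
    {"id": 3, "source": "vuln_scanner", "host_ip": "10.0.0.5",
     "cve": "CVE-0000-0000", "status": "unpatched"},
    {"id": 4, "source": "firewall", "src_ip": "198.51.100.20", "dst_ip": "10.0.0.9",
     "dst_port": 22, "action": "allow"},
]

IP_FIELDS = ("src_ip", "dst_ip", "host_ip")

# Constructed geolocation table (RFC 5737 prefixes, RFC 5398 documentation ASNs,
# user-assigned ISO country codes). Stands in for a real GeoIP database.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): {"country": "XA", "asn": "AS64496"},
    ip_network("198.51.100.0/24"): {"country": "XB", "asn": "AS64497"},
}
# RFC 1918 ranges, checked explicitly because ipaddress' is_private also
# reports the documentation ranges used above as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def linkage_keys(event):
    """Attributes that can tie this Event to others: any IP (whether it was the
    source, destination or scanned host) and any CVE identifier."""
    keys = {("ip", event[f]) for f in IP_FIELDS if f in event}
    if "cve" in event:
        keys.add(("cve", event["cve"]))
    return keys


def correlate(events):
    """Cluster Events that share at least one linkage key (transitively) into
    one correlated Event each, using union-find over event ids."""
    parent = {e["id"]: e["id"] for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}
    for e in events:
        for key in linkage_keys(e):
            if key in first_seen:
                parent[find(e["id"])] = find(first_seen[key])
            else:
                first_seen[key] = e["id"]

    clusters = defaultdict(list)
    for e in events:
        clusters[find(e["id"])].append(e)

    correlated = []
    for members in clusters.values():
        counts = Counter(k for m in members for k in linkage_keys(m))
        correlated.append({
            "event_ids": sorted(m["id"] for m in members),
            "sources": sorted({m["source"] for m in members}),
            # keys seen in two or more member Events are the actual linkage
            "links": sorted(k for k, n in counts.items() if n >= 2),
            "ips": sorted(v for (kind, v) in counts if kind == "ip"),
        })
    return sorted(correlated, key=lambda c: c["event_ids"])


def geolocate(ip):
    """Constructed geolocation lookup used for Enrichment."""
    addr = ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return {"scope": "internal", "country": None, "asn": None}
    for net, info in GEO_TABLE.items():
        if addr in net:
            return {"scope": "external", **info}
    return {"scope": "unknown", "country": None, "asn": None}


def enrich(correlated):
    """Add geolocation for every IP in the correlated Event without altering the
    original fields: enrichment adds context, it never rewrites the evidence."""
    return {**correlated, "geo": {ip: geolocate(ip) for ip in correlated["ips"]}}


def correlate_and_enrich(events):
    return [enrich(c) for c in correlate(events)]


if __name__ == "__main__":
    for c in correlate_and_enrich(SAMPLE_EVENTS):
        print(c)
```

Events 1 to 3 end up in one correlated Event because the firewall and IDS records share both IPs, and the IDS and scanner records share the CVE and the target host; event 4 shares nothing and stays on its own. The enrichment step is kept separate from correlation so that the same geolocation (or any other context source) can be applied to raw Events just as easily as to correlated ones.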


Event:

All of the individual data points (Telemetry) ingested via Collectors into Samurai XDR are known as Events.   Through the use of Advanced Analytics, our systems are able to generate Alerts from Events which indicate the presence of threat actor activity.  All Events and Alerts can be further analyzed using Advanced Query.


Global Threat Intelligence Center (GTIC):

The organization within NTT’s Security Holdings responsible for threat research, vulnerability tracking and the development, aggregation and curation of threat intelligence.


Integration:

Integrations provide the mechanism to ingest telemetry (in other words, logs) into Samurai XDR.


Investigation:

An Investigation enables a Samurai XDR application user to group related Alerts for further analysis in order to assess a potential threat. Each Investigation has a lifecycle with stages based on its current state, for example open, closed or snooze. When creating an Investigation you can set a priority, assign it to (or unassign it from) users within your tenant, and update the status depending on what action needs to be taken.


MITRE ATT&CK Framework:

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Threats detected by Samurai XDR are mapped against MITRE ATT&CK to assist the user in better understanding the nature of the activity detected, possible countermeasures and the urgency of response.


Samurai XDR:

Samurai XDR is a vendor-agnostic, cloud-native, scalable, API-driven, advanced threat detection and response platform.


SecOps:

Security Operations, also known as SecOps, is a highly skilled discipline formed from a combination of security and IT operations teams. It focuses on monitoring and assessing risk and protecting an organization's assets, often operating from a security operations center, or SOC.


Security Incident:

A notable event in a Client environment detected and validated via automation or by Security Analysts. Security Incidents may require a response to mitigate or eliminate the identified event. 


Severity:

Severity is the term used to describe the potential magnitude of impact of a detected threat which is presented as an Alert.  Severity is presented as Unknown, Low, Medium, High or Critical.  For a description of Alert Severity, please see the article on Alerts.


Telemetry:

In the context of XDR, Telemetry refers to the data, usually in the form of logs, collected from different security solutions and other sources and then ingested into Samurai XDR. This includes, but is not limited to, network, firewall, DNS, email, endpoint, server and cloud workload telemetry.

Each telemetry source contains different types of activity data. Samurai XDR is able to collect a wide variety of telemetry in order to detect and hunt for unknown threats and to assist in forensic analysis.


Tenant:

A tenant is the entity used to represent an organization using Samurai XDR.  Individual users can be invited to one or more tenants.