Glossary
This glossary provides terms and definitions for the IBM QRadar Security Intelligence Platform software and products.
The following cross-references are used in this glossary:
- See refers you from a non-preferred term to the preferred term, or from an abbreviation to the spelled-out form.
- See also refers you to a related or contrasting term.
A
- anomaly
- A deviation from the expected behavior of the network.
- attack
- Any attempt by an unauthorized person to compromise the operation of a software program or networked system. See also attacker.
- attacker
- A user (human or computer program) that attempts to cause harm to an information system or to access information not intended for general access. See also attack.
B
- Boolean operator
- A built-in function that specifies a logical operation of AND, OR or NOT when sets of conditions are evaluated. The Boolean operators are &&, || and !.
- breadcrumb
- A web interface element that displays the user's position within a site. It is usually a series of hyperlinks appearing across the top or bottom of the page. These links indicate pages that have been viewed and enable the user to navigate back to the starting location.
C
- capture device
- See packet capture appliance.
- case
- The information that is contained within a database that pertains to a particular investigation.
- category
- A set of items that are grouped according to a specific description or classification. Categories can be different levels of information within a dimension.
- centering identifier
- The category item with which all other identifiers have interacted. The centering identifier is the central item in an investigation.
- collection
- A distinct named set of data that is associated with a case. For example, an ordered set of captured network packets.
- continuously collected electronic presence
- An attacker's online identity as a collection of digital impressions that are linked.
- conversation
- A forensically reconstructed flow of data between two or more network endpoints. For example, a social network conversation.
D
- decapping
- The process by which packet capture data is deconstructed so that the content of all of the ingested traffic is available to be reported as results.
- digital impression
- A report consisting of tagged identifiers that are related to each other within an individual case.
- digital impression relationship
- A relationship between tagged identifiers related to a case.
- domain inspector
- A specialized inspector that is designed to deconstruct and extract forensics data from specific domain websites such as Facebook or Gmail.
E
- encryption
- In computer security, the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process.
F
- flow record
- A record of the conversation between two hosts, typically identified by the source and destination addresses, ports and protocol, together with the packet and byte counts observed. See also superflow.
- forensic investigator
- The user who extracts relevant data from network traffic and documents in the forensic repository.
H
- hypothesis
- A proposed explanation for an incident that is based on the available evidence collected in a case. A hypothesis must be testable and falsifiable.
I
- identity
- A collection of attributes from a data source that represent a person, organization, place, or item.
- incident
- See security incident.
- ingested network traffic
- Captured network traffic that has been processed by the forensics decapping process.
M
- metadata
- Data that describes the characteristics of data; descriptive data.
- metadata relational map
- A map that displays related metadata from case documents.
O
- offense
- A message sent or an event generated in response to a monitored condition. For example, an offense indicates whether a policy has been breached or the network is under attack.
P
- packet capture appliance
- A stand-alone appliance that intercepts and logs traffic data.
- packet capture information
- The traffic data information that is collected by a capture device.
- protocol inspector
- A specialized inspector that is designed to extract forensic data from network protocols such as HTTP or FTP.
R
- recovery job
- A process that recovers queried capture data and forwards it to the decapper device for ingestion.
S
- security incident
- An event in which the normal network operations are violated, compromised, or attacked.
- superflow
- A single flow that is composed of multiple flows with similar properties. Combining them increases processing capacity by reducing the amount of flow data that must be stored. See also flow record.
- surveyor tool
- A tool that displays the chronological sequence of activities in a security incident in a visualizer.
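The relationship between the flow record and superflow entries above can be made concrete with a small aggregation routine. The following Python is an added illustration for this glossary, not QRadar's own superflow implementation; the grouping key (same source address, destination port and protocol), the threshold for forming a superflow, and the sample flow records are all assumptions chosen to show the idea.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One conversation between two hosts (assumed minimal field set)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


# Constructed sample input: one host probing five peers on TCP/445 with a
# single packet each, plus two ordinary single conversations.
SAMPLE_FLOWS = [
    FlowRecord("10.0.0.5", f"10.0.0.{n}", 445, "tcp", 1, 60) for n in range(20, 25)
] + [
    FlowRecord("10.0.0.5", "10.0.0.9", 22, "tcp", 40, 6200),
    FlowRecord("10.0.0.7", "10.0.0.9", 443, "tcp", 120, 98000),
]


def superflow_key(flow: FlowRecord) -> tuple:
    """Properties that must match for flows to be merged (an assumption here)."""
    return (flow.src_ip, flow.dst_port, flow.proto)


def aggregate_superflows(flows, min_members: int = 2) -> list:
    """Collapse groups of similar flows into one superflow record each.

    Groups smaller than min_members are passed through unchanged, so the
    output preserves every conversation while storing fewer records.
    """
    groups = defaultdict(list)
    for flow in flows:
        groups[superflow_key(flow)].append(flow)

    records = []
    for (src_ip, dst_port, proto), members in groups.items():
        if len(members) >= min_members:
            records.append({
                "kind": "superflow",
                "src_ip": src_ip,
                "dst_port": dst_port,
                "proto": proto,
                "flow_count": len(members),
                "distinct_dst": len({m.dst_ip for m in members}),
                "packets": sum(m.packets for m in members),
                "bytes": sum(m.bytes for m in members),
            })
        else:
            for m in members:
                records.append({
                    "kind": "flow",
                    "src_ip": m.src_ip,
                    "dst_ip": m.dst_ip,
                    "dst_port": m.dst_port,
                    "proto": m.proto,
                    "packets": m.packets,
                    "bytes": m.bytes,
                })
    return records


def storage_reduction(flows) -> tuple:
    """Return (records_in, records_out) to show the storage saving."""
    return len(list(flows)), len(aggregate_superflows(flows))


if __name__ == "__main__":
    for rec in aggregate_superflows(SAMPLE_FLOWS):
        print(rec)
    print("records in/out:", storage_reduction(SAMPLE_FLOWS))
```

The five probe flows collapse into one superflow that still carries their combined packet and byte counts and the number of distinct destinations, which is exactly the information an analyst needs to recognise a scan, while the two unrelated conversations are kept as individual flow records.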
T
- traffic
- In data communication, the quantity of data transmitted past a particular point in a path.
- trail
- Digital impressions that connect individuals involved in a case to individuals outside of the case.
V
- vulnerability
- A security exposure in an operating system, system software, or application software component.