This glossary provides terms and definitions that are used in IBM Security QRadar Suite.

The following cross-references are used in this glossary:
  • See refers you from a nonpreferred term to the preferred term or from an abbreviation to the spelled-out form.
  • See also refers you to a related or contrasting term.


The function that a rule executes when the appropriate conditions are satisfied.
A message or other indication that signals an event or an impending event that meets a set of specified criteria.
alert data source
A source of alert data, and the connection information necessary for accessing the data.
An entity that is used or produced by a software or systems development process. Examples of artifacts include designs, requirements, source files, plans, scripts, simulations, models, test plans, and binary executable files. In an HTTP context, artifacts have a URI and are called resources.


See certificate authority.
The information that is contained within a database that pertains to a particular investigation.
See complex event processing.
certificate authority (CA)
A component that issues certificates to each computer on which components are installed.
certificate signing request (CSR)
An electronic message that an organization sends to a certificate authority (CA) to obtain a certificate. The request includes a public key and is signed with a private key; the CA returns the certificate after signing with its own private key.
common vulnerabilities exposure (CVE)
A reference of publicly known network vulnerabilities which is part of the National Vulnerabilities Database (NVD), maintained by the US National Institute of Standards and Technology (NIST).
complex event processing (CEP)
The processing of events that have rules that rely on the data and timing of more than one event.
The means by which a data source is connected to a product or service.
The process of using rules to process alerts from your sources and decide which suspicious events to consider as threats. Correlation analyzes the incoming events for known states, using rules and relationships.
See certificate signing request.
See cyberthreat intelligence.
custom task
A task that is performed as a result of external conditions that are not part of the regular task sequence. Custom tasks are created within a particular incident to capture task work that was not automatically added to the incident. A user can create these tasks and manually add them to a case. Custom tasks are not templated and are unique to the incident that they are created for.
See common vulnerabilities exposure.
cyberthreat intelligence (CTI)
Information about a cyberthreat that has been collected, evaluated in its context, and analyzed by experts to detect deception and help the customer learn more about a cyberthreat.


data source type
A code module that parses received events from multiple data sources and converts them to a standard taxonomy format that can be displayed as output. Each data source has a corresponding data source type.
The process of removing identical search results that were returned from one or more data sources.


The system that is the origin or destination of a session.
Information that uses different data points or sources to add additional context to a finding and create a severity score for it.
An occurrence of significance to a task or system. Events can include completion or failure of an operation, a user action, or the change in state of a process.
A collection of artifacts that support a case. See also artifact.


Any group of suspicious or malicious events or flows that is deemed to be significant. Findings help to build the story of an attack as it happens, and are chronologically displayed in the incident timeline of a case.
A single transmission of data passing over a link during a conversation.


identity provider

A provider who offers user authentication as a service. Authentication of a user's sign-in details is performed by the identity provider who creates, manages, and maintains the user's identity information. Identity providers enable users in an organization to single sign-on (SSO) to one or more systems.

The process of feeding data into the system to create its base of knowledge.
indicator of compromise (IoC)
Digital evidence from a security incident that can be used to provide information about an intrusion or issue.
information asset
A piece of information that is of value to the organization and can have relationships, dependencies, or both, with other information assets.
See indicator of compromise.


The process of restructuring a data model by reducing its relations to their simplest forms. It is a key step in the task of building a logical relational database design. Normalization helps avoid redundancies and inconsistencies in data. An entity is normalized if it meets a set of constraints for a particular normal form (first normal form, second normal form, and so on).


An object that represents an attribute of computer and network activities and entities that can be observed for the presence of security threats. Examples of observables are files, HTTP sessions, certificates, or the name of a Windows registry key.


A distinct part of a process in which related operations are performed.
A group of containers that are running on a Kubernetes cluster. A pod is a runnable unit of work, which can be a either a stand-alone application or a microservice.


risk profile
The user-configured information about a risk that sets threshold values for factors of various risk vectors to evaluate risk from multiple source products at the asset level.
risk score
A measure of how much risk an asset poses to a site, based on how critical the asset is and the amount and severity of attacks that are made against the asset.


A type of sensitive information, such as a password or an API key, that is used by an application to access a protected resource.
security information and event management (SIEM)
A service that consolidates security alerts, events, and data from thousands of devices, endpoints, and applications distributed through a network. It correlates raw data to identify security offenses, detect anomalies, uncover threats, and remove false positives.
See security information and event management.


A unit of work to be accomplished by a user, device, or process. Tasks are created when a user adds an observable to a case, in order to take an associated action.