Glossary

This glossary provides terms and definitions for IBM Security QRadar Suite products.

The following cross-references are used in this glossary:
  • See refers you from a non-preferred term to the preferred term, or from an abbreviation to the spelled-out form.
  • See also refers you to a related or contrasting term.

A

alert
A message or object that contains one or more events that meet a set of specified criteria. When an alert is included in a case, it is referred to as a finding.
artifact
An entity that is used by or produced by a software or systems development process. Examples of artifacts include designs, requirements, source files, plans, scripts, simulations, models, test plans, and binary executable files.
asset
A manageable object that is either deployed or intended to be deployed in an operational environment.

C

case
The work that is associated with a story that must be completed by an analyst. Each case has one story that is assigned to it. Case management tracks the status, tasks, assignee, and reporting information.
correlation
The process of using rules to process alerts from your sources and decide which suspicious events to consider as threats. Correlation analyzes the incoming events for known states by using rules and relationships.

D

data source
A source of data and the connection information necessary for accessing the data.

E

enrichment
Information drawn from different data points or sources that adds context to a finding and is used to create a severity score for it.
event
An occurrence of significance to a task or system. Events can include completion or failure of an operation, a user action, or the change in state of a process.
evidence
A collection of artifacts that support a case. See also artifact, observable.

F

finding
Any group of suspicious or malicious events or flows that is deemed to be significant. Findings help to build the story of an attack as it happens, and are chronologically displayed in the incident timeline of a case.
flow
A single transmission of data that passes over a link during a conversation.

I

incident
An event that is not part of the standard operation of a service and causes or can cause a disruption to or a reduction in the quality of services and customer productivity. See also event.

O

observable
An object that represents an attribute of computer and network activities and entities that can be observed for the presence of security threats. Examples of observables are files, HTTP sessions, certificates, or the name of a Windows registry key.
offense
An alert that is generated when one or more rules trigger for the same network observable. An offense correlates all events or flows that are associated with it, and the correlation continues as long as the rules are triggering.

P

playbook
A set of conditions, business logic, and tasks that are used to respond to a case.
potential finding
A finding that might be related to a case. See finding.
priority
A rank that is assigned to a task that determines its precedence in receiving system resources.

Q

query
A specification for a set of data retrieved from a data source.

S

severity
A measure of the relative threat that a source poses to a destination.
snapshot
In threat hunting, a data set that represents entities and associated records at a given point in time. A snapshot is used by a subsequent threat hunting step and is saved as evidence that can be referenced.
status
The current condition or state of a program or device, for example, the status of a printer.
story
A collection of alerts that are correlated by the product.

T

task
A unit of work to be accomplished by a user, device, or process. Tasks are created when a user adds an observable to a case in order to take an associated action.
threat hunt
A proactive investigation of an unknown threat to prove or disprove a hypothesis. A hunt comprises threat hunt steps (questions), variables (answers), and snapshots (evidence).
threat hunt step
A specific threat hunt instruction to either gather data or apply analytics to a snapshot to progress the investigation.

W

workflow
A sequence of activities and tasks that define work, such as a business process, case, or workstream. Workflows can contain steps that are automated or performed by people.