> ## Documentation Index
> Fetch the complete documentation index at: https://mintlify.com/iLotuus/Enterprise-SOC-Architecture/llms.txt
> Use this file to discover all available pages before exploring further.

# Glossary

> Comprehensive glossary of security terms, acronyms, and technologies used in the Enterprise SOC Architecture

This glossary provides definitions for key security operations, technologies, and concepts used throughout the Enterprise SOC Architecture documentation.

## A

<Accordion title="API (Application Programming Interface)">
  A set of protocols and tools that lets different software applications communicate with each other. In the SOC context, APIs carry the integrations between security tools such as TheHive, Cortex, Wazuh, and Elasticsearch. The API keys that authenticate those calls are credentials and need the same scoping and rotation as passwords.
</Accordion>

<Accordion title="Alert">
  A notification generated when a security system detects suspicious activity or a policy violation. Alerts are typically generated by IDS/IPS, SIEM, or monitoring systems and require investigation.
</Accordion>

<Accordion title="Analyzer">
  In Cortex, an analyzer is a module that performs automated analysis of observables (IPs, domains, file hashes) using external services like VirusTotal, MISP, or custom threat intelligence feeds.
</Accordion>
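The analyzer contract described above, as an added example rather than Cortex's own code or an analyzer shipped with the SOC project: a Cortex job arrives as JSON with dataType, data, tlp and config, and the analyzer answers with a report whose summary taxonomies TheHive displays next to the observable. The indicator list, the LocalIndicators namespace and the max_tlp default are assumptions; the TLP refusal mirrors the check real analyzers perform before sending an observable to an external service such as VirusTotal.

```python
"""Skeleton of a Cortex-style analyzer that checks an observable against a local
indicator list. Added example, not Cortex's own code or an analyzer shipped with
the SOC project: the indicator list, namespace and max_tlp default are assumptions."""
import json
import sys

# Constructed indicator list standing in for an external service or a MISP export.
LOCAL_INDICATORS = {
    "ip": {"198.51.100.23": "constructed: scanner seen in honeypot"},
    "domain": {"evil.example": "constructed: phishing landing page"},
    "hash": {"44d88612fea8a8f36de82e1278abb02f": "EICAR test file (MD5)"},
}

# TLP levels as Cortex numbers them: 0 white, 1 green, 2 amber, 3 red.
DEFAULT_MAX_TLP = 2


def taxonomy(level, predicate, value):
    """One entry of summary.taxonomies; level is info, safe, suspicious or malicious."""
    return {"level": level, "namespace": "LocalIndicators",
            "predicate": predicate, "value": value}


def analyze(job):
    """Run the analyzer on a Cortex job dict ({"dataType", "data", "tlp", "config"})
    and return the report dict Cortex expects."""
    data_type = job.get("dataType")
    data = job.get("data", "")
    config = job.get("config") or {}

    # Refuse observables whose TLP forbids handing them to this service. Real
    # analyzers do the same before calling VirusTotal and similar services.
    max_tlp = config.get("max_tlp", DEFAULT_MAX_TLP)
    if job.get("tlp", 2) > max_tlp:
        return {"success": False,
                "errorMessage": "TLP is higher than allowed for this analyzer"}

    if data_type not in LOCAL_INDICATORS:
        return {"success": False,
                "errorMessage": f"unsupported dataType: {data_type!r}"}

    # Hashes and domains are case-insensitive; normalise before the lookup.
    key = data.lower() if data_type in ("hash", "domain") else data
    match = LOCAL_INDICATORS[data_type].get(key)

    # Absence from a local list proves nothing, so report "info", not "safe".
    if match:
        tax = taxonomy("malicious", "Match", "1 hit")
    else:
        tax = taxonomy("info", "Match", "0 hits")

    return {
        "success": True,
        "summary": {"taxonomies": [tax]},  # shown by TheHive next to the observable
        "full": {"dataType": data_type, "data": data, "match": match},
        "artifacts": [],  # extra observables extracted by the analyzer; none here
    }


def main():
    # Classic contract: job JSON on stdin, report JSON on stdout. Cortex 2+ can
    # instead pass a job directory (input/input.json, output/output.json).
    job = json.load(sys.stdin)
    json.dump(analyze(job), sys.stdout)


if __name__ == "__main__":
    main()
```

Run it with `echo '{"dataType":"ip","data":"198.51.100.23","tlp":2}' | python3 analyzer.py` to see the report. The max_tlp check is the part to keep when adapting this for a real external service: without it an analyst who marks an observable TLP:RED still leaks it to a third party the moment the analyzer runs.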

## C

<Accordion title="Case Management">
  The process of tracking, managing, and documenting security incidents from detection through resolution. TheHive provides case management capabilities in the SOC architecture.
</Accordion>

<Accordion title="Correlation">
  The process of identifying relationships between multiple security events to detect complex attack patterns. SIEM systems like Wazuh perform event correlation to reduce false positives and identify sophisticated threats.
</Accordion>

<Accordion title="Cortex">
  A SOAR (Security Orchestration, Automation and Response) platform that works with TheHive to automate security incident analysis and response actions through analyzers and responders.
</Accordion>

## D

<Accordion title="Dashboard">
  A visual interface displaying security metrics, alerts, and system status. Wazuh, Prometheus, and Zabbix all provide dashboards for monitoring different aspects of the SOC infrastructure.
</Accordion>

<Accordion title="Deception Technology">
  Security systems like honeypots designed to detect attackers by luring them to interact with fake assets. The SOC roadmap includes honeypots as a long-term component.
</Accordion>

## E

<Accordion title="EDR (Endpoint Detection and Response)">
  Security technology that continuously monitors endpoint devices (workstations, servers) to detect and respond to threats. Wazuh provides EDR capabilities through its agent-based architecture.
</Accordion>

<Accordion title="Elasticsearch">
  A distributed search and analytics engine used in the SOC architecture for storing, searching, and analyzing large volumes of security events and logs in near real-time.
</Accordion>

<Accordion title="Event">
  Any observable occurrence in a system or network, such as a user login, network connection, or file modification. Security events are collected, normalized, and analyzed to detect threats.
</Accordion>

<Accordion title="EVE JSON (Extensible Event Format)">
  The JSON log format Suricata uses to output alerts and network metadata: one JSON object per line, with the event_type field (alert, dns, http, tls, flow, fileinfo, and others) telling consumers what each record holds. EVE JSON makes it easy to feed Suricata into log processing pipelines such as Logstash.
</Accordion>

## F

<Accordion title="False Positive">
  An alert that incorrectly identifies benign activity as malicious. Tuning security rules and correlation logic helps reduce false positive rates in SOC operations.
</Accordion>

<Accordion title="Firewall">
  A network security device that monitors and controls incoming and outgoing traffic based on security rules. OPNsense is planned as the perimeter firewall in the long-term roadmap.
</Accordion>

<Accordion title="Fluentd">
  An open-source data collector that provides a unified logging layer. Fluentd, an alternative to Logstash, aggregates logs from multiple sources and routes them to destinations such as Elasticsearch.
</Accordion>

## H

<Accordion title="Honeypot">
  A decoy system designed to attract attackers and collect information about attack techniques. The SOC roadmap includes Proxmox-based honeypots for threat intelligence gathering.
</Accordion>

## I

<Accordion title="IaC (Infrastructure as Code)">
  The practice of managing infrastructure through code and automation rather than manual processes. Terraform and PyInfra provide IaC capabilities for the SOC infrastructure.
</Accordion>

<Accordion title="Incident">
  A security event or series of events that indicates a potential compromise or policy violation requiring investigation and response. TheHive manages incident workflow.
</Accordion>

<Accordion title="IDS (Intrusion Detection System)">
  A security system that monitors network traffic or system activity for malicious behavior or policy violations. Snort and Suricata serve as IDS in the architecture.
</Accordion>

<Accordion title="IPS (Intrusion Prevention System)">
  An active security system that not only detects but also blocks malicious traffic. Suricata can operate in IPS mode to prevent attacks in real time. Because the engine then sits inline in the traffic path, a rule that matches benign traffic drops it, so IPS mode needs tighter tuning than detection-only mode.
</Accordion>

<Accordion title="Indexing">
  The process of organizing data to enable fast search and retrieval. Elasticsearch indexes security events to allow rapid querying across millions of log entries.
</Accordion>

## L

<Accordion title="Log Aggregation">
  The process of collecting logs from multiple sources into a centralized location for analysis. Logstash and Fluentd handle log aggregation in the SOC pipeline.
</Accordion>

<Accordion title="Logstash">
  A server-side data processing pipeline that ingests, transforms, and forwards log data. Logstash normalizes data from various sources before sending to Elasticsearch.
</Accordion>

## M

<Accordion title="MISP (Malware Information Sharing Platform)">
  An open-source threat intelligence platform for sharing, storing, and correlating indicators of compromise. It can be queried from Cortex analyzers to enrich observables.
</Accordion>

<Accordion title="Metrics">
  Quantitative measurements of system performance, security posture, or operational efficiency. Prometheus collects and stores time-series metrics.
</Accordion>

## N

<Accordion title="Normalization">
  The process of converting log data from different sources into a consistent format. Logstash normalizes events so they can be analyzed uniformly.
</Accordion>
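The EVE JSON, Normalization and Correlation entries describe three stages of one pipeline, so here they are carried through together as an added example (not the project's Logstash or Wazuh configuration): Suricata EVE lines are parsed, alert records are normalized to ECS-style field names, and a time-window correlation flags a source that moves from scanning to an attack signature across several hosts, which no single alert expresses. The log lines, rule IDs (in the 1000000+ local-rule range) and the suppressed scanner address are constructed; the allowlist shows how tuning keeps a known-benign source from feeding the correlation.

```python
"""Parse Suricata EVE JSON, normalize alerts to ECS-style fields, and run a
simple time-window correlation. Added example, not part of the SOC project's
pipeline; the log lines, rule IDs and allowlist below are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EVE records (not captured traffic). Suricata writes one JSON
# object per line; only event_type "alert" carries a signature match.
SAMPLE_EVE = """
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":51234,"dest_ip":"10.0.0.8","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"signature":"LOCAL SSH scan (constructed)","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"dns","src_ip":"10.0.0.8","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2024-05-01T10:00:20.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":51300,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"signature":"LOCAL SSH scan (constructed)","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T10:00:40.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":51400,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":1000002,"signature":"LOCAL SSH brute force (constructed)","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-05-01T10:01:00.000000+0000","event_type":"alert","src_ip":"10.0.0.50","src_port":40000,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"signature":"LOCAL SSH scan (constructed)","category":"Attempted Information Leak","severity":2}}
not json at all
"""

# Tuning: an internal vulnerability scanner whose alerts are expected (constructed).
SUPPRESSED_SOURCES = {"10.0.0.50"}


def normalize(line):
    """Return an ECS-style event dict for an EVE alert line, or None for
    non-alert event types and lines that are not valid JSON."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("event_type") != "alert":
        return None
    alert = rec["alert"]
    return {
        "@timestamp": datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
        "event.kind": "alert",
        "source.ip": rec["src_ip"],
        "destination.ip": rec["dest_ip"],
        "destination.port": rec.get("dest_port"),
        "network.transport": rec["proto"].lower(),
        "rule.id": str(alert["signature_id"]),
        "rule.name": alert["signature"],
        "event.severity": alert["severity"],
        "event.action": alert.get("action"),
    }


def normalize_stream(text):
    """Normalize every line of an EVE file, dropping what normalize() rejects."""
    events = [normalize(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e is not None]


def correlate(events, window=timedelta(seconds=60), min_targets=2):
    """Flag a source that triggers more than one distinct signature against at
    least `min_targets` hosts inside `window`: the scan-then-attack pattern."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        if e["source.ip"] in SUPPRESSED_SOURCES:
            continue  # tuning: known-benign scanner never enters correlation
        by_src[e["source.ip"]].append(e)

    findings = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:]
                         if x["@timestamp"] - first["@timestamp"] <= window]
            sigs = {x["rule.id"] for x in in_window}
            targets = {x["destination.ip"] for x in in_window}
            if len(sigs) > 1 and len(targets) >= min_targets:
                findings.append({
                    "source.ip": src,
                    "rules": sorted(sigs),
                    "targets": sorted(targets),
                    "start": first["@timestamp"].isoformat(),
                    "alerts": len(in_window),
                })
                break  # one finding per source is enough to raise a case
    return findings


if __name__ == "__main__":
    for finding in correlate(normalize_stream(SAMPLE_EVE)):
        print(json.dumps(finding))
```

On the constructed input the three alerts from 203.0.113.5 collapse into one finding (two rules, two targets, three alerts), while the same scan signature from the suppressed scanner raises nothing. The same shape of rule, expressed as a Wazuh correlation rule with frequency and timeframe, is what cuts the alert volume an analyst sees without discarding the raw events.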

## O

<Accordion title="Observable">
  An artifact or indicator from a security event that can be investigated, such as an IP address, domain name, file hash, or email address.
</Accordion>

<Accordion title="OPNsense">
  An open-source firewall and routing platform planned for the SOC architecture to provide perimeter security and network segmentation.
</Accordion>

## P

<Accordion title="Playbook">
  A documented procedure for responding to specific types of security incidents. In this architecture, Cortex analyzers and responders automate individual playbook steps, such as enriching an observable or blocking an IP, while the playbook itself remains the documented procedure the analyst follows in TheHive.
</Accordion>

<Accordion title="Prometheus">
  An open-source monitoring and alerting system that collects time-series metrics from infrastructure components and applications.
</Accordion>

<Accordion title="PyInfra">
  A Python-based infrastructure automation tool used for configuration management and deployment automation in the SOC environment.
</Accordion>

## R

<Accordion title="Responder">
  In Cortex, a responder is a module that executes automated response actions such as blocking IPs, isolating endpoints, or sending notifications.
</Accordion>

<Accordion title="Retention">
  The duration that log data is stored before deletion or archival. Elasticsearch retention policies balance storage costs with forensic investigation needs.
</Accordion>

## S

<Accordion title="SIEM (Security Information and Event Management)">
  A platform that provides real-time analysis of security alerts generated by network hardware and applications. Wazuh serves as the SIEM in the architecture.
</Accordion>

<Accordion title="SOAR (Security Orchestration, Automation and Response)">
  Technology that enables organizations to collect security data and automate responses to security incidents. Cortex provides SOAR capabilities.
</Accordion>

<Accordion title="SOC (Security Operations Center)">
  A centralized team and facility that monitors, detects, analyzes, and responds to cybersecurity incidents using a combination of technology and processes.
</Accordion>

<Accordion title="Snort">
  A widely-used open-source intrusion detection system that uses rule-based detection to identify malicious network traffic patterns.
</Accordion>

<Accordion title="Suricata">
  A high-performance, multi-threaded IDS/IPS engine capable of protocol identification, file extraction, and advanced threat detection.
</Accordion>

<Accordion title="Syslog">
  A standard protocol for sending log messages across IP networks. Many SOC components use syslog for log transmission. Classic syslog over UDP port 514 is unauthenticated and unencrypted, so transport across untrusted network segments should use TCP with TLS (RFC 5425).
</Accordion>

## T

<Accordion title="Tailscale">
  A mesh VPN service built on WireGuard, planned for secure remote access to SOC infrastructure in the long-term roadmap.
</Accordion>

<Accordion title="Terraform">
  An infrastructure as code tool for building, changing, and versioning infrastructure safely and efficiently across multiple cloud providers.
</Accordion>

<Accordion title="TheHive">
  An open-source security incident response platform designed for SOC teams to manage and investigate security incidents collaboratively.
</Accordion>

<Accordion title="Threat Intelligence">
  Information about current or potential cyber threats, including indicators of compromise, attack techniques, and threat actor profiles.
</Accordion>

<Accordion title="Tuning">
  The process of adjusting detection rules and alert thresholds to reduce false positives while maintaining detection effectiveness.
</Accordion>

## V

<Accordion title="VPN (Virtual Private Network)">
  An encrypted network connection that provides secure remote access. Tailscale VPN is planned for SOC infrastructure access.
</Accordion>

<Accordion title="VirusTotal">
  A free online service that analyzes files and URLs for malware, commonly used as a Cortex analyzer for investigating suspicious observables. Anything uploaded is shared with other VirusTotal users, so look up hashes rather than submitting sensitive samples, and set the analyzer's TLP limit so that amber or red observables are never sent.
</Accordion>

## W

<Accordion title="Wazuh">
  A unified XDR and SIEM platform that provides threat detection, integrity monitoring, incident response, and compliance capabilities. Central component of the SOC architecture.
</Accordion>

<Accordion title="Webhook">
  An HTTP callback that lets one system push real-time data to another. Used for integrations between Wazuh, TheHive, and Prometheus. A webhook endpoint accepts unsolicited HTTP, so it should authenticate the caller (a shared secret, a signed payload, or mutual TLS) and be reachable only from the systems that are meant to call it.
</Accordion>
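The Wazuh to TheHive hand-off mentioned above, as an added example rather than the project's own integration script: a Wazuh alert is mapped onto the JSON an integration posts to TheHive's alert endpoint, with a deterministic sourceRef so that repeated firings update one alert instead of creating hundreds. The Wazuh alert is constructed (its rule is modelled on Wazuh's stock sshd brute-force rule), the severity thresholds are an assumption, and the field names follow TheHive 4's /api/alert; TheHive 5 renames artifacts to observables, so check the version you run.

```python
"""Turn a Wazuh alert into the JSON an integration script posts to TheHive's alert
endpoint. Added example, not the project's integration script: the alert below is
constructed, the severity thresholds are an assumption, and the field names follow
TheHive 4's /api/alert (TheHive 5 renames artifacts to observables)."""
import hashlib
import json
import urllib.request

# Constructed Wazuh alert with the subset of alerts.json fields used below.
SAMPLE_WAZUH_ALERT = {
    "timestamp": "2024-05-01T10:02:11.000+0000",
    "rule": {"id": "5712", "level": 10,
             "description": "sshd: brute force trying to get access to the system.",
             "groups": ["syslog", "sshd", "authentication_failures"]},
    "agent": {"id": "001", "name": "web01", "ip": "10.0.0.9"},
    "data": {"srcip": "203.0.113.5", "srcuser": "root"},
    "full_log": "May  1 10:02:11 web01 sshd[4242]: Failed password for root "
                "from 203.0.113.5 port 51400 ssh2",
}


def thehive_severity(level):
    """Map Wazuh's 0-15 rule level onto TheHive's 1-4 severity (thresholds assumed)."""
    if level >= 13:
        return 4
    if level >= 10:
        return 3
    if level >= 7:
        return 2
    return 1


def source_ref(alert):
    """Stable reference: the same rule, agent and source on the same day map to
    one TheHive alert, so a brute-force burst does not become hundreds of alerts."""
    key = "|".join([
        alert["agent"]["id"],
        alert["rule"]["id"],
        alert.get("data", {}).get("srcip", "-"),
        alert["timestamp"][:10],
    ])
    return hashlib.sha256(key.encode()).hexdigest()[:32]


def wazuh_to_thehive(alert):
    """Build the TheHive 4 alert payload; observables go in as artifacts."""
    rule, agent, data = alert["rule"], alert["agent"], alert.get("data", {})
    artifacts = [{"dataType": "hostname", "data": agent["name"], "message": "Wazuh agent"}]
    if data.get("srcip"):
        artifacts.append({"dataType": "ip", "data": data["srcip"],
                          "message": "source of the activity"})
    if data.get("srcuser"):
        artifacts.append({"dataType": "other", "data": data["srcuser"],
                          "message": "targeted account"})
    return {
        "title": f"[Wazuh {rule['id']}] {rule['description']} on {agent['name']}",
        "description": f"Rule level {rule['level']}\n\n{alert.get('full_log', '')}",
        "type": "external",
        "source": "wazuh",
        "sourceRef": source_ref(alert),
        "severity": thehive_severity(rule["level"]),
        "tlp": 2,  # amber by default; raise for alerts that must not leave the team
        "pap": 2,
        "tags": ["wazuh"] + [f"wazuh:{g}" for g in rule.get("groups", [])],
        "artifacts": artifacts,
    }


def post_alert(payload, thehive_url, api_key):
    """POST the alert with a Bearer API key (TheHive 4). Network call, not run here."""
    req = urllib.request.Request(
        f"{thehive_url.rstrip('/')}/api/alert",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(wazuh_to_thehive(SAMPLE_WAZUH_ALERT), indent=2))
```

The sourceRef choice is the design decision worth copying: TheHive deduplicates on (source, sourceRef), so keying it on agent, rule, source address and day turns a noisy rule into one alert per attacker per day while every raw event stays in Wazuh and Elasticsearch for the investigation.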

## X

<Accordion title="XDR (Extended Detection and Response)">
  A security approach that unifies threat detection and response across multiple security layers (network, endpoint, cloud). Wazuh provides XDR capabilities.
</Accordion>

## Z

<Accordion title="Zabbix">
  An enterprise-class open-source monitoring solution for networks, servers, and applications, providing availability and performance metrics.
</Accordion>

<Accordion title="Zero-Day">
  A previously unknown vulnerability, or an attack that exploits a flaw before the vendor has released a patch. Because no signature exists for it yet, SOC detection of zero-day activity relies on behavioral and anomaly analysis of what the exploit does after it lands (new processes, unexpected connections, integrity changes) rather than on recognizing the exploit itself.
</Accordion>

## Related Terms

<CardGroup cols={2}>
  <Card title="Technology Stack" icon="layer-group" href="/reference/technology-stack">
    View complete list of technologies used in the SOC architecture
  </Card>

  <Card title="Integrations" icon="plug" href="/reference/integrations">
    Learn how these components integrate with each other
  </Card>

  <Card title="Data Flow" icon="diagram-project" href="/reference/data-flow">
    Understand how data flows through the SOC pipeline
  </Card>

  <Card title="Roadmap" icon="map" href="/reference/roadmap">
    See the implementation timeline and future plans
  </Card>
</CardGroup>
