Ad Image

SIEM Defined: Glossaries and More All in One Resource!

How is SIEM defined? Why should you work to ensure you have SIEM defined? Having a hard time keeping up with InfoSec jargon? We’ve got you covered. Solutions Review’s A to Z SIEM and Security Analytics glossary has definitions for over 60 of the most popular terms and acronyms. Be sure to bookmark this page and check back on a regular basis as this page will see ongoing updates. And don’t forget to check out our 2017 SIEM and Security Analytics Buyer’s Guide for a complete market overview of the top 24 SIEM vendors, available here.


Active Directory

A directory service that Microsoft developed for Windows domain networks.

A network node that is responsible for management tasks.

Active Response is a mechanism that provides a system with the capability to respond to an attack when it has been detected.

An advanced persistent threat (APT) is a type of network attack in which an unauthorized entity gains access to a network and stays there, undetected, for an extended amount of time. Usually, the perpetrator of an APT wants to escalate their privileges to steal data, rather than damaging the network, which would likely blow their cover.

The discovery of meaningful patterns in data, usually revealed by an analytics software solution.

A set of subroutine definitions, protocols, and tools for building application software. These include, but aren’t limited to, Microsoft Windows API, C++ Standard Template Library, and Java APIs.

A security audit is a systematic evaluation of a company’s network and information security practices and policies.


A measurement of the number of bits conveyed or processed (bit-rate) that are available or consumed in metric multiples of bits per second.

Extensive data sets that may be analyzed to reveal patterns and trends and that are typically too complex to be dealt with using traditional processing techniques.

The analysis of large volumes of data, or big data, pulled from a wide range of sources. In a security context, Big Data Analytics tools are used to discover patterns and connections within a network to find discrepancies that could reveal intruders.

A hacker with malicious intent.

A bot is a computer that is being controlled by a remote attacker.

A botnet is a network of infected computers controlled by a remote attacker.

An incident that results in the disclosure of potential exposure of data.


The Information System Security Professional Certification is a vendor-neutral independent certification, offered by the International Information System Security Certification Consortium (ISC2). A CISSP is a security professional who has attained that certification.

A senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals.

A senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure that information assets and technology are protected.

In IT and data storage terminology, compliance refers to organizational compliance with government regulations regarding data storage and management and other IT processes.

The Computer Fraud and Abuse Act (CFAA) of 1986 is United States legislation that made it a federal crime to access a protected computer without proper authorization.

A database containing all necessary information about an organization’s IT systems, the components of those systems, and their relationships. In the context of a CmDb, all components of an IT system (software, hardware, personnel, etc.) are referred to as configuration items (CI) and are tracked by a configuration management process.

The practice of using preventative and reactive methods to protect networks and information from being attacked and compromised.


A tool that is used to create, deploy and analyze information. Typically, a dashboard will consist of a single screen and show various reports and other metrics that the organization is studying.

A collection of data that is purposefully arranged for fast and convenient search and retrieval by business applications and Business Intelligence software.

Data aggregation is a process by which information (data) from disparate sources is gathered and expressed in one group for purposes of statistical analysis.

The unauthorized transfer of data from a computer.

Gathering information about a program’s possible values, then using a control flow graph to determine optimization methods for the program.

DLP products are tools that help network administrators prevent data loss (duh) by controlling which data end users may transfer.

Data Migration is the process of moving data between two or more storage systems, data formats, warehouses or servers.

Transforming numerical data into a visual or pictorial context to assist users in better understanding what the data is telling them.

In a distributed denial-of-service (DDoS) attack, a large number of compromised systems target a single system and overload its servers, causing a denial of service for legitimate users of the targeted system.

A network packet filtering process that examines data contained in a packet for non-compliance, viruses, malware, or other unwanted components.


The process of transforming data into an unintelligible form so the original data either cannot be obtained or can be obtained only by using a decryption process.

An endpoint is any internet-connected device on a network.

An action or the result of an action. Events are often logged and monitored for security purposes.

Event correlation is a technique for making sense of a large number of events and pinpointing the few events that are important in that mass of information. In a security context, correlation is the act of linking multiple events together to detect strange behaviors.

A term for any method used by hackers to gain unauthorized access to a network.


A false positive is normal behavior on a network that is identified as malicious. Too many false positives can drown out true alerts.

FERPA is an acronym for the Family Educational Rights and Privacy Act (also referred to as the Buckley Amendment, a federal law designed to protect the privacy of student education records. FERPA compliance is a necessity for schools and other educational institutions.

A process that validates the integrity of operating system and application software files using a verification method between the current file state and a known baseline state.

The Federal Information Security Management Act (FISMA) is a United States Law, signed into law in 2002, that defines a framework to protect US government digital information, operations, and assets against threats.

A single transmission of data passing over a link during a conversation.

A collection of flow records.

The origins from which flow is captured. A flow source is classified as internal when flow comes from hardware installed on a managed host or it is classified as external when the flow is sent to a flow collector.


A device or program used to connect networks or systems with different network architectures.

The Gramm-Leach-Bliley Act (GLBA) is an act of US Congress that repealed part of the Glass-Steagall Act, and which regulates the collection and disclosure of private financial information.

The Good Practices Guide 13 is a UK regulation that stipulates that HMG organizations must follow protective monitoring processes for their HMG ICT systems to gain access to the UK Government Connect Secure Extranet (GCSX).

Governance, Risk and Compliance.


A hacker is an individual that uses illicit system access methods and exploits to gain access to computer systems and networks, often for the purpose of sabotage and theft.

A network that connects devices with different operating systems (Apple, Microsoft, Linux, Toshiba, etc).

HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996.

A trap set to detect, deflect or in some manner, counteract attempts at unauthorized use of information systems. Consists of computer data or a network site that appears to be part of a network but is actually isolated and monitored.

An organization manages (IT) resources, some in-house but uses cloud-based services for others.


Identification is the process by which an entity’s information is gathered and verified for accuracy.

An organizational approach to addressing and managing the aftermath of a breach or attack (AKA an incident). An Incident Response Plan aims to limit damages incurred by an incident and bring down recovery time and costs.

Defined by the SANS Institute as ” the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.”

Information technology (IT) infrastructure is a combined set of hardware and virtual resources that support an overall IT environment.

The principal communications protocol for sending and receiving datagrams across network boundaries, connecting multiple networks together across the Internet.

Intrusion Detection and Prevention Systems are network security appliances that monitor network and/or system activities for malicious activity.


An old or outdated software tool.

A computer network that connects devices within a limited space (schools, college campuses, office buildings, etc.)

Files that record either events that occur in an operating system or software or messages happening on communication software. For example, when a failed login to an E-mail system occurs, a log file is created to record that even.

The act of keeping a log for an extended period.

The practice of collecting log data in a centralized location where it can be analyzed more effectively.

The workflow, devices, procedures, policies and other systems in place governing the collection, aggregation, and analysis of network log data.

Either the security equipment or the network equipment from which an event log originates.


A type of artificial intelligence that provides computers with the ability to learn without being explicitly programmed to do so, focusing on the development of computer applications that can teach themselves to change when exposed to new data.

Any software that is intended to damage or disable computers and computer systems.

Describes other data within a database and is responsible for an organization while an end-user sifts through collected data.


The North American Electric Reliability Corporation Critical Infrastructure Protection plan (NERC CIP) is a set of requirements designed to secure North America’s bulk electric system.

The continuous monitoring of a network for unusual events or trends. NBAD offers security in addition to that provided by traditional anti-threat applications such as firewalls, intrusion detection systems, antivirus software and spyware-detection software.

Using a system to constantly monitor a computer network(s) for hinderances or failures in the network’s components, which are then notified to network administrators for quick remediation.

A procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment.

A term that describes that the policies and procedures implemented to avoid the hacking and exploitation of a network and its resources.

A Next Generation Firewall is an integrated network platform that combines a traditional firewall capabilities with other filtering functionalities such as deep packet inspection (DPI), an intrusion prevention, and other techniques.

An active electronic device that is attached to a network, and it’s capable of creating, receiving, or transmitting information over a communications channel.


A conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to their underlying internal structure and technology. It’s presented in seven abstraction layers:

  1. Physical: Transmits and receives streams of binary sequences over a physical medium.
  2. Data Link: Two nodes connected by a physical layer reliably transmits data frames.
  3. Network: Structures and manages the addressing, routing, and traffic control of a multi-node network.
  4. Transport: Through segmentation, acknowledgment, and multiplexing, data segments between points on a network are reliably transmitted.
  5. Session: Manages communication sessions through recipient transmissions between two nodes.
  6. Presentation: The translation of data between a networking service and an application.
  7. Application: High-level Application programming interfaces (APIs)

A process that involves the identification and protection of generally unclassified critical information or processes that can be used by a competitor or adversary to gain real information when pieced together.


The process of dividing a data packet into smaller units for transmission over the network, and this usually happens at Layer 4 of the OSI model.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.

Penetration testing, or pentesting is the act of testing a system, network, or applications for flaws and vulnerabilities.

The perimeter of a network is the boundary between the private and locally managed-and-owned side of a network and the public and usually provider-managed side of a network.

A utility to determine whether a specific IP Address is available.

Solutions that help the user discover patterns in large data sets to predict future behavior.


A type of malware that weaponizes encryption to block access to a computer system or service until a ransom is paid.

The ability to use all available enterprise data as needed and usually involves streaming data that allows users to make decisions on the fly.

A piece of software used to remotely access or control a computer.

The collection of data from various sources and software tools for presentation to end-users in a way that is understandable and easy to analyze.

A rootkit is a toolkit, or a collection of programs, that allows administrator-level access to a network.

A network monitoring technology \developed to analyze the routing protocols and structures in meshed IP Networks.

How routers communicate with each other, distributing information that enables them to select routes between any two nodes on a computer network.


A sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites.

The industry standard for transmitting secure data over the Internet. It is based on a system of trusted certificates issued by certificate authorities and recognized by servers.

Security Information and Event Management or SIEM (pronounced ‘sim’ as in SIMcard, or SimCity) is a term for software and services that combine security information management (SIM) tools, which are geared towards log collection and report generation, with security event management (SEM) tools, which focus on real-time event analytics, correlation, and alerting. SIEM solutions are complex systems that help organizations decrease the impact of advanced cyber attacks by proactively monitoring the network for irregular activity in real-time.

SEM solutions are software tools that centralize storage and interpretation of logs and events generated on a network. SEM is the real-time event monitoring, correlation, and notifications that most compliance regulations want you to have.

SIM solutions are tools that automate the collection, monitoring, and analysis of security-related data from computer logs.

An international, vendor-neutral professional certification provided by CompTIA for IT professionals who want to become certified in IT security.

A security incident, or a security event, is any notable change in the normal operations of a network. This could be a breach, a failure of a security policy, or merely a warning that there may be a threat to information or computer security.

A person that takes on security management tasks.

A security policy is a written document in an organization outlining how to protect the organization from threats, including computer security threats, and how to handle situations when they do occur.

A contract between a service provider or vendor and the customer that defines the level of service expected. SLAs are service-based and precisely define what the customer can expect to receive.

A software delivery model in which software is licensed on a subscription basis and is centrally hosted and typically accessed by end-users using a client via a web browser.

Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management, and public accounting firms.SOX requires that all publicly held companies must establish internal controls and procedures for financial reporting to reduce the possibility of corporate fraud.

These are used to connect enterprise networks over large geographic distances, including data centers and branch offices of a company.

Software that allows a malicious actor to covertly gather information about another user’s computer activities by transmitting data from their device.


A cyberattack that aims to breach the security network of a specific organization.

Information about current or potential attacks on an organization.

In information security, a Trojan is a piece of malware disguised as a harmless program.


According to Gartner, Unified threat management (UTM) is “a converged platform of point security products, particularly suited to small and midsize businesses (SMBs). Typical feature sets fall into three main subsets, all within the UTM: firewall/intrusion prevention system (IPS)/virtual private network, secure Web gateway security (URL filtering, Web antivirus [AV]) and messaging security (anti-spam, mail AV).”

UBA is defined by Gartner, as a cybersecurity process aimed at the detection of insider threats, targeted attacks, and financial fraud via the analysis of patterns of human behavior. UBA solutions analysis large volumes of data about users on a network and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns, which could alert administrators to an imminent threat.


A self-replicating piece of code that is loaded onto a computer without its owner’s knowledge, typically for negative purposes.

A vulnerability, or vuln, is a term referring to a flaw in a system, program, or network that can leave it open to attack. A vulnerability may also refer to a weakness in security procedures or even personnel.

Vulnerability scanning is the act of scanning or inspecting a network for possible vulnerabilities, exploits, or security holes.


A computer system that processes requests via Hypertext Transfer Protocol (HTTP), the basic network protocol used to distribute information on the internet.

A white hat is a hacker who finds and discloses vulnerabilities before they can be used with malicious intent.

A network that extends over a larger geographical distance.


A zero-day is an exploit that utilizes a vulnerability on the same day that the vulnerability becomes known. Ie., There have been zero days between the discovery of the vulnerability (by information security professionals) and its exploitation.