Samurai Glossary of Terms

The definitions below are used within Samurai documentation; all legal terms can be found under Legal.

Advanced Analytics:

Detection capabilities, including machine learning, big data, and complex event processing analysis, that are used by the Samurai platform.

Alert:

A security detection made by the Samurai platform or by a third-party vendor from which we are ingesting telemetry.

Boost Scoring:

Boost Scoring is a technique used by the Samurai platform which improves the ability to find Advanced Persistent Threats (APTs) by using a methodology which helps to link seemingly unrelated events.

Collector:

A Collector is responsible for ingesting telemetry (or logs) into the Samurai platform. There are three main types of Collector, namely Local Collectors, Cloud Collectors and Cloud Native Collectors. 

A Local Collector is a virtual appliance which is deployed in your environment. Typically you will use the Local Collector as the destination for syslog messages produced by your devices. 

A Cloud Collector provides the ability to ingest telemetry from cloud platforms and services, and is hosted centrally as part of the Samurai platform. You do not need to do anything to deploy a Cloud Collector.

A Cloud Native Collector is used to monitor public cloud storage and pull data into the Samurai ingestion platform.

Correlation:

The ability for our systems to find a common linkage in Logs or Events (via source or destination IP address, Common Vulnerabilities and Exposures identifier, or other attributes) and combine them within one Event to add context to an Alert.

Enrichment:

The process of adding contextual information (such as geolocation, evidence from packet captures or other data) to log information, either programmatically, or by a Security Analyst.

Event:

All of the individual data points (Telemetry) ingested via Collectors into the Samurai platform are known as Events. Through the use of Advanced Analytics, our systems are able to generate Alerts from Events which indicate the presence of threat actor activity. All events are stored in our data lake, and can be queried using Advanced Query.

Global Threat Intelligence Center (GTIC):

The organization within NTT’s Security Holdings responsible for threat research, vulnerability tracking, and the development, aggregation and curation of threat intelligence.

Integration:

Integrations provide the mechanism to ingest telemetry (in other words logs and data) into the Samurai platform.

Managed Detection and Response (MDR):

Samurai Managed Detection and Response is a service which delivers cybersecurity insights, advanced threat detection, response, and protection capabilities via the ingestion of varied telemetry sources including cloud, network, compute and mobility sources. Supported telemetry combined with our proprietary Advanced Analytics, analyst threat hunting, and AI-based threat detection capabilities translate to faster, more accurate detections and most importantly reduced business risk.

MITRE ATT&CK Framework:

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Threats detected by the Samurai platform are mapped against MITRE ATT&CK to assist in better understanding the nature of the activity detected, possible countermeasures and the urgency of response.

Samurai platform:

Samurai is a vendor-agnostic, cloud native, scalable, API-driven, advanced threat detection, and response platform.

Samurai Hunting Engine:

Intelligence-driven detection engine based on the Sigma project but customized by NTT with additional detection capabilities. The Samurai hunting engine performs automated threat hunting to identify and alert on possible adversary activity.

Samurai Real-time Engine:

Proprietary NTT-developed detection engine that leverages behaviour modeling, machine learning, and the latest threat research to automatically identify suspected threats during real-time analysis of telemetry ingested into Samurai.

Security Incident:

A notable threat to a client environment detected and validated via automation or by Security Analysts. Security Incidents may require a response to mitigate or eliminate the identified threat. Information related to Security Incidents is available via the Samurai MDR portal and downloadable in PDF format as required.

Severity:

Severity is the term used to describe the potential magnitude of impact of a detected threat which is presented as a Security Incident. Severity is presented as Unknown, Low, Medium, High or Critical.

Telemetry:

In the context of Samurai, Telemetry refers to the data, usually in the form of logs, collected from different security solutions and other sources which is then ingested into the Samurai platform. This includes but is not limited to network, firewall, DNS, email, endpoint, server, and cloud workloads.

Each telemetry source contains different types of activity data. The Samurai platform is able to collect a wide variety of telemetry in order to detect and hunt for unknown threats and assist in forensic analysis.

Tenant:

A tenant is the entity used to represent an organization using Samurai. Individual users can be invited to one or more tenants.