Samurai Glossary of Terms

The definitions provided below are used within Samurai documentation; all legal terms can be found under Legal.

Advanced Analytics:

Detection capabilities, including machine learning, big data, and complex event processing analysis, that are included as part of the Threat Detection services.

Alert:

A security detection made by the Samurai platform, or by a third-party vendor whose telemetry we are ingesting.

Boost Scoring:

Boost Scoring is a technique used by the Samurai platform which improves the ability to find Advanced Persistent Threats (APTs) by using a methodology which helps to link seemingly unrelated events.

Collector:

A Collector is responsible for ingesting telemetry (or logs) into the Samurai platform. There are three main types of Collector, namely Local Collectors, Cloud Collectors and Cloud Native Collectors. 

A Local Collector is a virtual appliance which is deployed in your network. Typically you will use the Local Collector as the destination for syslog messages produced by your devices. 

A Cloud Collector provides the ability to ingest telemetry from cloud platforms and services, and is hosted centrally as part of the Samurai platform. You do not need to do anything to deploy a Cloud Collector.

A Cloud Native Collector is used to monitor public cloud storage and pull data into the Samurai ingestion pipeline.

Correlation:

The ability for our systems to find a common linkage in Logs or Events (via source or destination IP address, Common Vulnerabilities and Exposures identifier, or other attributes) and combine them within one Event to add context to an Alert.

Enrichment:

The process of adding contextual information (such as geolocation, evidence from packet captures or other data) to log information, either programmatically, or by a Security Analyst.
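The Correlation and Enrichment definitions above describe two steps of the same pipeline: find a common attribute (an IP address, a CVE identifier) shared by otherwise unrelated log records, merge those records into one Event, and then attach contextual information to it. The following is an added illustration of that idea in Python and is not Samurai platform code; the log records, the geolocation table, the CVE identifier (`CVE-XXXX-PLACEHOLDER`) and the "internal" address range are all constructed for the example.

```python
"""Toy correlation + enrichment pipeline (added example, not Samurai code)."""
import ipaddress
from collections import defaultdict

# Constructed sample telemetry: one dict per ingested log record.
# Events 1-3 share an IP address (and 2 carries a placeholder CVE); 4 is unrelated.
RAW_EVENTS = [
    {"id": 1, "source": "firewall", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",
     "msg": "denied inbound tcp/445"},
    {"id": 2, "source": "ids", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",
     "cve": "CVE-XXXX-PLACEHOLDER", "msg": "signature match"},
    {"id": 3, "source": "endpoint", "host_ip": "10.0.0.5",
     "msg": "new service installed"},
    {"id": 4, "source": "dns", "src_ip": "10.0.0.9", "msg": "lookup example.test"},
]

# Attributes that may link two records together (the glossary names IP and CVE).
LINK_FIELDS = ("src_ip", "dst_ip", "host_ip", "cve")

# Constructed enrichment data: a tiny "geolocation" table and an assumed internal range.
GEO_TABLE = {"203.0.113.7": {"country": "ZZ", "asn": "AS64496 (constructed)"}}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def link_values(event):
    """Return the set of (kind, value) attributes a record can be linked on."""
    vals = set()
    for field in LINK_FIELDS:
        value = event.get(field)
        if value:
            vals.add(("cve" if field == "cve" else "ip", value))
    return vals


def correlate(events):
    """Union-find over records: any two that share a link attribute join one Event."""
    parent = {e["id"]: e["id"] for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # link attribute -> id of the first record carrying it
    for e in events:
        for key in link_values(e):
            if key in first_seen:
                union(first_seen[key], e["id"])
            else:
                first_seen[key] = e["id"]

    groups = defaultdict(list)
    for e in events:
        groups[find(e["id"])].append(e)
    return [build_event(members) for members in groups.values()]


def build_event(members):
    """Merge a group of linked records into one correlated Event summary."""
    attrs = set().union(*(link_values(m) for m in members))
    return {
        "event_ids": sorted(m["id"] for m in members),
        "sources": sorted({m["source"] for m in members}),
        "ips": sorted(v for k, v in attrs if k == "ip"),
        "cves": sorted(v for k, v in attrs if k == "cve"),
        "context": {},
    }


def enrich(event, geo=GEO_TABLE):
    """Attach scope and (for external addresses) constructed geolocation context."""
    for ip in event["ips"]:
        if ipaddress.ip_address(ip) in INTERNAL_NET:
            event["context"][ip] = {"scope": "internal"}
        else:
            event["context"][ip] = {"scope": "external",
                                    **geo.get(ip, {"country": "unknown"})}
    return event


def process(raw=RAW_EVENTS):
    """Full pipeline: raw records -> correlated Events -> enriched Events."""
    return [enrich(ev) for ev in correlate(raw)]


if __name__ == "__main__":
    for ev in process():
        print(ev)
```

Running the pipeline on the constructed records yields two Events: the firewall, IDS and endpoint records collapse into one because they share `10.0.0.5` and `203.0.113.7`, and the external address is annotated from the geolocation table; the DNS record stands alone. A real platform would link on many more attributes and enrich from live sources, but the shape (link, merge, annotate) is the one the glossary describes.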

Event:

All of the individual data points (Telemetry) ingested via Collectors into the Samurai platform are known as Events. Through the use of Advanced Analytics, our systems are able to generate Alerts from Events which indicate the presence of threat actor activity. All events are stored in our data lake, and can be queried using Advanced Query.

Global Threat Intelligence Center (GTIC):

The organization within NTT’s Security Holdings responsible for threat research, vulnerability tracking, and the development, aggregation and curation of threat intelligence.

Integration:

Integrations provide the mechanism to ingest telemetry (in other words logs and data) into the Samurai platform.

Managed Detection and Response (MDR):

Samurai Managed Detection and Response is a service that utilizes security alerts along with relevant contextual information identified by the Samurai platform. This information is analyzed by a skilled Security Analyst, who engages in threat hunting and validation activities to verify the threat, its impact, and to identify additional information associated with a potential breach. Once the threat is validated, the Security Analyst creates a detailed Security Incident Report for the Client and executes response actions as required.

MITRE ATT&CK Framework:

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Threats detected by the Samurai platform are mapped against MITRE ATT&CK to assist in better understanding the nature of the activity detected, possible countermeasures and the urgency of response.

Samurai:

Samurai is a vendor-agnostic, cloud native, scalable, API-driven, advanced threat detection and response platform.

SecOps:

Security Operations, also known as SecOps, is formed from a combination of security and IT operations teams. It is a highly skilled discipline focused on monitoring and assessing risk and protecting an organization’s assets, often operating from a security operations center, or SOC.

Security Incident:

A notable event in a Client environment detected and validated via automation or by Security Analysts. Security Incidents may require a response to mitigate or eliminate the identified event. Information related to Security Incidents is available via the Samurai MDR application and downloadable in PDF format as required.

Severity:

Severity is the term used to describe the potential magnitude of impact of a detected threat which is presented as a Security Incident. Severity is presented as Unknown, Low, Medium, High or Critical.

Telemetry:

In the context of Samurai, Telemetry refers to the data, usually in the form of logs, collected from different security solutions and other sources which is then ingested into the Samurai platform. This includes but is not limited to network, firewall, DNS, email, endpoint, server, and cloud workloads.

Each telemetry source contains different types of activity data. The Samurai platform is able to collect a wide variety of telemetry in order to detect and hunt for unknown threats and assist in forensic analysis.

Tenant:

A tenant is the entity used to represent an organization using Samurai. Individual users can be invited to one or more tenants.