This glossary provides definitions for key security operations, technologies, and concepts used throughout the Enterprise SOC Architecture documentation.

A

API (Application Programming Interface)
A set of protocols and tools that allows different software applications to communicate with each other. In the SOC context, APIs enable integrations between security tools like TheHive, Cortex, Wazuh, and Elasticsearch.

Alert
A notification generated when a security system detects suspicious activity or a policy violation. Alerts are typically generated by IDS/IPS, SIEM, or monitoring systems and require investigation.

Analyzer
In Cortex, an analyzer is a module that performs automated analysis of observables (IPs, domains, file hashes) using external services like VirusTotal, MISP, or custom threat intelligence feeds.

C

Case Management
The process of tracking, managing, and documenting security incidents from detection through resolution. TheHive provides case management capabilities in the SOC architecture.

Correlation
The process of identifying relationships between multiple security events to detect complex attack patterns. SIEM systems like Wazuh perform event correlation to reduce false positives and identify sophisticated threats.

Cortex
A SOAR (Security Orchestration, Automation and Response) platform that works with TheHive to automate security incident analysis and response actions through analyzers and responders.

D

Dashboard
A visual interface displaying security metrics, alerts, and system status. Wazuh, Prometheus, and Zabbix all provide dashboards for monitoring different aspects of the SOC infrastructure.

Deception Technology
Security systems like honeypots designed to detect attackers by luring them to interact with fake assets. The SOC roadmap includes honeypots as a long-term component.

E

EDR (Endpoint Detection and Response)
Security technology that continuously monitors endpoint devices (workstations, servers) to detect and respond to threats. Wazuh provides EDR capabilities through its agent-based architecture.

Elasticsearch
A distributed search and analytics engine used in the SOC architecture for storing, searching, and analyzing large volumes of security events and logs in near real-time.

Event
Any observable occurrence in a system or network, such as a user login, network connection, or file modification. Security events are collected, normalized, and analyzed to detect threats.

EVE JSON
A JSON-based log format used by Suricata IDS to output alerts and network metadata. EVE JSON makes it easy to integrate Suricata with log processing pipelines like Logstash.

F

False Positive
An alert that incorrectly identifies benign activity as malicious. Tuning security rules and correlation logic helps reduce false positive rates in SOC operations.

Firewall
A network security device that monitors and controls incoming and outgoing traffic based on security rules. OPNsense is planned as the perimeter firewall in the long-term roadmap.

Fluentd
An open-source data collector for a unified logging layer. Fluentd (an alternative to Logstash) aggregates logs from multiple sources and routes them to destinations like Elasticsearch.

H

Honeypot
A decoy system designed to attract attackers and collect information about attack techniques. The SOC roadmap includes Proxmox-based honeypots for threat intelligence gathering.

I

IaC (Infrastructure as Code)
The practice of managing infrastructure through code and automation rather than manual processes. Terraform and PyInfra provide IaC capabilities for the SOC infrastructure.

Incident
A security event or series of events that indicates a potential compromise or policy violation requiring investigation and response. TheHive manages the incident workflow.

IDS (Intrusion Detection System)
A security system that monitors network traffic or system activity for malicious behavior or policy violations. Snort and Suricata serve as IDS in the architecture.

IPS (Intrusion Prevention System)
An active security system that not only detects but also blocks malicious traffic. Suricata can operate in IPS mode to prevent attacks in real-time.

Indexing
The process of organizing data to enable fast search and retrieval. Elasticsearch indexes security events to allow rapid querying across millions of log entries.

L

Log Aggregation
The process of collecting logs from multiple sources into a centralized location for analysis. Logstash and Fluentd handle log aggregation in the SOC pipeline.

Logstash
A server-side data processing pipeline that ingests, transforms, and forwards log data. Logstash normalizes data from various sources before sending it to Elasticsearch.

M

MISP
An open-source threat intelligence platform for sharing, storing, and correlating indicators of compromise. MISP can be integrated with Cortex analyzers.

Metrics
Quantitative measurements of system performance, security posture, or operational efficiency. Prometheus collects and stores time-series metrics.

N

Normalization
The process of converting log data from different sources into a consistent format. Logstash normalizes events so they can be analyzed uniformly.

O

Observable
An artifact or indicator from a security event that can be investigated, such as an IP address, domain name, file hash, or email address.

OPNsense
An open-source firewall and routing platform planned for the SOC architecture to provide perimeter security and network segmentation.

P

Playbook
A documented procedure for responding to specific types of security incidents. Cortex executes automated playbooks as part of incident response.

Prometheus
An open-source monitoring and alerting system that collects time-series metrics from infrastructure components and applications.

PyInfra
A Python-based infrastructure automation tool used for configuration management and deployment automation in the SOC environment.

R

Responder
In Cortex, a responder is a module that executes automated response actions such as blocking IPs, isolating endpoints, or sending notifications.

Retention
The duration that log data is stored before deletion or archival. Elasticsearch retention policies balance storage costs with forensic investigation needs.

S

SIEM (Security Information and Event Management)
A platform that provides real-time analysis of security alerts generated by network hardware and applications. Wazuh serves as the SIEM in the architecture.

SOAR (Security Orchestration, Automation and Response)
Technology that enables organizations to collect security data and automate responses to security incidents. Cortex provides SOAR capabilities.

SOC (Security Operations Center)
A centralized team and facility that monitors, detects, analyzes, and responds to cybersecurity incidents using a combination of technology and processes.

Snort
A widely-used open-source intrusion detection system that uses rule-based detection to identify malicious network traffic patterns.

Suricata
A high-performance, multi-threaded IDS/IPS engine capable of protocol identification, file extraction, and advanced threat detection.

Syslog
A standard protocol for sending log messages across IP networks. Many SOC components use syslog for log transmission.

T

Tailscale
A mesh VPN service built on WireGuard, planned for secure remote access to SOC infrastructure in the long-term roadmap.

Terraform
An infrastructure as code tool for building, changing, and versioning infrastructure safely and efficiently across multiple cloud providers.

TheHive
An open-source security incident response platform designed for SOC teams to manage and investigate security incidents collaboratively.

Threat Intelligence
Information about current or potential cyber threats, including indicators of compromise, attack techniques, and threat actor profiles.

Tuning
The process of adjusting detection rules and alert thresholds to reduce false positives while maintaining detection effectiveness.

V

VPN (Virtual Private Network)
An encrypted network connection that provides secure remote access. Tailscale VPN is planned for SOC infrastructure access.

VirusTotal
A free online service that analyzes files and URLs for malware. Commonly used as a Cortex analyzer for investigating suspicious observables.

W

Wazuh
A unified XDR and SIEM platform that provides threat detection, integrity monitoring, incident response, and compliance capabilities. Wazuh is the central component of the SOC architecture.

Webhook
An HTTP callback that allows systems to send real-time data to other applications. Webhooks are used for integrations between Wazuh, TheHive, and Prometheus.

X

XDR (Extended Detection and Response)
A security approach that unifies threat detection and response across multiple security layers (network, endpoint, cloud). Wazuh provides XDR capabilities.

Z

Zabbix
An enterprise-class open-source monitoring solution for networks, servers, and applications, providing availability and performance metrics.

Zero-day
A previously unknown vulnerability or attack that exploits a security flaw before the vendor has released a patch. SOC detection capabilities help identify zero-day attacks through behavioral analysis.
