10. Glossary
- ALERTING
Enables detection of Sigflow signatures for a given protocol. If alerting is enabled for a protocol, then any flow identified by a signature will raise an alert on the GCenter side.
- ANSSI
The National Authority for Security and Defence of Information Systems is a French Service with national competence responsible for IT security.
- CLI
The CLI (Command Line Interface) is the means used to administer and configure the GCap. It is the set of commands in text mode.
- CODEBREAKER
Scanning engine for the detection of malicious shellcode and PowerShell.
- CRITICAL RISK
- Critical Risk Definition: highly suspicious activity was detected. Hazardous activity was detected. There is a high probability that your organization is facing a serious threat and countermeasures should be taken immediately. For example, a user downloaded malware or an active element of the network contacted a known command and control domain. Color used for this type of alarm in the Web UI: red. Level of risk in this category: 75-100%.
- Engine hash
Name of 16 MALCORE antivirus engines
- GCap
GCap is the detection probe for the Aioniq solution. It retrieves the network flow from the TAP and reconstructs the files it sends to the GCenter.
- GCenter
The GCenter is the component that administers the GCap and performs the analysis of files sent by the GCap.
- GUM
The GUM (Gatewatcher Update Manager) is the service for the management of detection database updates, hotfix application and system updates.
- HIGH RISK
- High Risk Definition: very suspicious activity has been detected. This type of event should be investigated promptly as it could be a sign of significant compromise. It is possible that this event is a false positive or related to a misconfiguration in your network. Color used for this type of alarm in the Web UI: orange. Level of risk in this category: 50-74%.
- LDAP
LDAP is a protocol for querying and modifying directory services (Active Directory, for example).
- LOGGING
Enables metadata generation for a given protocol. If logging is enabled for a protocol, then each observed session will generate metadata for that protocol on the GCenter side.
- LOW RISK
- Low Risk Definition: unusual activity detected. This could mean that you have unusual policies or network uses. These types of events should be addressed last as they are not a direct sign of significant compromise. They can be used as good indicators to improve network policies and detect configuration errors. Color used for this type of alarm in the Web UI: blue. Level of risk in this category: 0-24%.
- MALCORE
Detection engine for malware detection and analysis.
- MEDIUM RISK
- Medium Risk Definition: an activity that could be linked to a threat has been identified. Risk has been set at low values, because the potential threat does not appear critical or because the likelihood of forgery is high. Color used for this type of alarm in the Web UI: yellow. Level of risk in this category: 25-49%.
- Mitre
Knowledge base and behaviour model of cyber-adversaries, reflecting the phases of an adversary’s attack life cycle and the platforms it targets.
- MTU
The MTU (Maximum Transfer Unit) is the maximum size of a packet that can be transmitted at once (without fragmentation) over a network interface.
- OIV
Operators of Vital Importance
- OTP
The One Time Password (OTP) is a one-time password defined on the GCenter.
- RAID1
RAID 1 is the use of n redundant disks. Each disk in the cluster contains exactly the same data at any time, hence the use of the word «mirror» (mirroring).
- RAID5
RAID 5 uses several hard drives (minimum 3) grouped in a cluster to form a single logical unit. The data is duplicated and distributed on 2 different disks among those present.
- setup
Account name for a system administrator to access the configuration menu.
- SIEM
SIEM (Security Information and Event Management) is a centralized system for security events that provides total visibility of the activity on a network and thus makes it possible to react to threats in real time.
- SIGFLOW
The detection engine (also called Sigflow) is responsible for reconstituting files. It is also one of the engines that analyze all network traffic and, according to rules, it can generate alerts, metadata or content.
- TAP
The TAP (Test Access Point) is a passive device that duplicates a network flow.