10. Glossary

Alerting

Enables detection of Sigflow signatures for a given protocol. If alerting is enabled for a protocol, then any flow matched by a signature raises an alert on the GCenter side.

ANSSI

The National Authority for Security and Defence of Information Systems is a French government service with national competence, responsible for IT security.

CLI

The CLI (Command Line Interface) is the means used to administer and configure the GCap. It is the set of commands available in text mode.

Codebreaker

Scanning engine for the detection of malicious shellcode and PowerShell.

Critical risk

Critical risk definition: highly suspicious activity was detected. Hazardous activity was detected. There is a high probability that your organization is facing a serious threat and countermeasures should be taken immediately.
For example, a user downloaded malware, or an active element of the network contacted a known command and control domain.
Color used for this type of alarm in the Web UI: red
Level of risk in this category: 75-100%

Engine hash

Name of the 16 Malcore antivirus engines.

GCap

GCap is the detection probe of the Trackwatch/Aioniq solution. It retrieves the network flow from the TAP and reconstructs files, which it sends to the GCenter.

GCenter

The GCenter is the component that administers the GCap and performs the analysis of files sent by the GCap.

GUM

The GUM (Gatewatcher Update Manager) is the service that manages detection database updates, hotfix application and system updates.

High risk

High risk definition: very suspicious activity has been detected. This type of event should be investigated promptly as it could be a sign of significant compromise.
It is possible that this event is a false positive or related to a bad configuration in your network.
Color used for this type of alarm in the Web UI: orange
Level of risk in this category: 50-74%

LDAP

LDAP is a protocol for querying and modifying directory services (Active Directory, for example).

Logging

Enables metadata generation for a given protocol. If logging is enabled for a protocol, then each observed session of that protocol generates metadata on the GCenter side.

Low risk

Low risk definition: unusual activity detected. This could mean that you have unusual policies or network uses.
These types of events should be handled last, as they are not a direct sign of significant compromise.
They can be used as good indicators to improve network policies and detect configuration errors.
Color used for this type of alarm in the Web UI: blue
Level of risk in this category: 0-24%

Malcore

Detection engine for malware detection and analysis.

Medium risk

Medium risk definition: an activity that could be linked to a threat has been identified. The risk has been set at a low value, either because the potential threat does not appear critical or because the likelihood of forgery is high.
Color used for this type of alarm in the Web UI: yellow
Level of risk in this category: 25-49%

Mitre

Knowledge base and behaviour model of cyber adversaries, reflecting the phases of an adversary's attack life cycle and the platforms it targets.

MTU

The MTU (Maximum Transfer Unit) is the maximum size of a packet that can be transmitted at once (without fragmentation) over a network interface.

OIV

Operators of Vital Importance

OTP

The One Time Password (OTP) is a one-time password defined on the GCenter.

RAID1

RAID 1 is the use of n redundant disks. Each disk in the cluster contains exactly the same data at any time, hence the use of the word «mirror» (mirroring).

RAID5

RAID 5 uses several hard drives (minimum 3) grouped in a cluster to form a single logical unit. The data is duplicated and distributed across 2 different disks among those present.

setup

Account name used by a system administrator to access the configuration menu.

SIEM

A SIEM (Security Information and Event Management) is a centralized system for security events that provides full visibility into the activity of a network and thus makes it possible to react to threats in real time.

Sigflow

The detection engine (also called Sigflow) is responsible for reconstituting files. It is also one of the engines that analyzes all network traffic and can, according to rules, generate alerts, metadata or content.

TAP

The TAP (Test Access Point) is a passive device that duplicates a network flow.