Common Terms

Glossary of Security Terms and Definitions

Objective: To standardize technical terminology within the Security Operations Center (SOC) and ensure accurate communication during endpoint investigations.

1. MD5 Hash (Message Digest Algorithm 5)

A unique 32-character cryptographic string used to represent a file’s digital identity. It serves as a fixed-length “fingerprint” that remains constant regardless of file name changes. It is the primary data point used to identify specific malicious binaries across the enterprise.

2. Endpoint (Managed Asset)

Any workstation, laptop, server, or mobile device that is managed and monitored within the organization’s infrastructure. In the context of investigations, an endpoint refers to any asset reachable by the centralized management console.

3. Remediation Actions: Quarantine Types

Endpoint Protection (AV) Quarantine: A localized security action where a specific file is isolated and prevented from executing. This is non-disruptive to the host’s network connectivity or the user’s workflow.
Network/Host Quarantine: A restrictive action that logically isolates the entire host from the enterprise network to prevent lateral movement.
- Standard Protocol: This action is reserved for high-severity incidents and requires authorization from a Senior Analyst or Incident Response Lead.

4. False Positive

A security event where a benign or authorized file is incorrectly identified as a threat by detection systems. Analysts should correlate global incidence counts with detection ratios to validate these occurrences before concluding an investigation.

5. Security Signature / Detection Name

A standardized naming convention assigned by security vendors (e.g., Microsoft, CrowdStrike) to identify known threat families or behaviors. Signatures allow for cross-platform log correlation between endpoint tools and the SIEM.

6. Tiered Escalation

The formal process of transferring an investigation to the appropriate team (e.g., Level 2 Analysis or Incident Response) when a threat is validated or exceeds the standard investigative scope of a Level 1 Analyst.

Analysis | Concepts | Knowledge Base | Platforms | Techniques | Threat Intelligence | Tools

The Triple Punch
By

Standard Endpoint Investigation Workflow Objective: To determine if a file is safe or malicious, find out who has it, and confirm if security controls (Antivirus) took action. Punch 1: The Inventory Hunt (Scope & Presence) Punch 2: The Reputation Check (Global Intel) Punch 3: The Log Audit (Security Action) Investigation Summary Checklist

Read More The Triple Punch
Analysis | Concepts | Knowledge Base | Techniques | Threat Intelligence | Tools

Endpoint Analysis 101
By

Endpoint Analysis & Asset Investigation — L1 SOC Analyst Guide Overview This guide covers the initial steps for investigating endpoint alerts for the L1 Analyst onboarding. The focus is on determining whether a known malicious hash exists in the environment and identifying the affected device and its user. By the end of this section you…

Read More Endpoint Analysis 101
Infrastructure | Knowledge Base

Cloud Computing
By

https://aws.amazon.com/compliance/shared-responsibility-model

Read More Cloud Computing
Hardware | Knowledge Base

Hard Drives
By

In the world of data storage, SSD and HDD are the two main technologies for storing your files. The difference primarily comes down to moving parts vs. flash memory. HDD (Hard Disk Drive) An HDD is the traditional storage technology. It uses physical, spinning magnetic platters and a moving “read/write head” to access data—much like…

Read More Hard Drives
Knowledge Base | Tools

DomainTools — Tool Overview
By

What is DomainTools? DomainTools is a domain and DNS-based cyber threat intelligence platform used by security teams to investigate suspicious domains, IP addresses, and internet infrastructure. It enables security practitioners to stop threats before they happen using internet intelligence data, detection and monitoring tools, and predictive risk scoring. For SOC analysts, DomainTools is primarily used…

Read More DomainTools — Tool Overview
Knowledge Base | Tools

ServiceNow (SNOW) — Tool Overview
By

What is ServiceNow? ServiceNow (commonly referred to as SNOW) is a cloud-based IT service management (ITSM) platform used to manage assets, users, incidents, and service requests across the organization. For SOC analysts, ServiceNow serves as a central source of truth for asset and personnel context during an investigation. Key Features Relevant to SOC Operations Asset…

Read More ServiceNow (SNOW) — Tool Overview