Concepts & glossary
This page defines the building blocks you work with in Jutsu and how they relate. Learn these terms once and the rest of the docs read clearly.
Events vs alerts
An event is a raw security record ingested from a source — a single Wazuh alert, a Google Workspace activity record, a syslog line. Events are the unprocessed input to the pipeline.
An alert is a normalized, scored detection. After ingestion and triage, an event becomes an alert: a structured document stored in OpenSearch with a severity, a score, and enrichment context. Alerts are what analysts and the correlation engine reason over.
In short: every alert starts as an event, but not every event becomes a meaningful alert.
Incidents
An incident is a correlated group of related alerts — an attack chain. The incident-correlation agent groups alerts that belong to the same activity and creates an incident with a business key (such as INC-XXXX), a severity, a confidence score, and a correlation reason. Incidents capture the bigger picture: rather than triaging dozens of isolated alerts, you investigate one incident that ties them together. Incidents can be linked to each other through shared alerts, a common attack chain, or the same campaign.
Cases
A case is an analyst-driven investigation. When an alert or incident needs human attention, it is escalated into a case with a case number, severity, priority, and status. A case holds the investigation record: evidence (files, alerts, or events), a comment thread, an assignee, and an escalation reason. Cases progress through a lifecycle — open, in progress, pending, resolved, and closed.
Detections & playbooks
A detection is the logic that turns events into scored alerts. A playbook is an AgentSOAR response capability instance — a concrete, executable response action (for example, blocking an IP or disabling an account) bound to your connected provider. When the response agent decides to act, it runs the matching playbook and records the execution.
AI agents
AI agents are autonomous workers that each handle one stage of the pipeline. The platform runs agents for detection and normalization, enrichment, triage, response, reporting, and learning. They operate continuously and within a single organization's boundary. See the Architecture overview for how they connect.
Key metrics
Two metrics measure how well the SOC performs.
| Metric | Meaning |
|---|---|
| MTTD | Mean time to detect — how long from when activity occurs to when it is detected. |
| MTTR | Mean time to respond — how long from detection to a response being taken. |
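The two definitions in the table, carried through as an added example in Python (not Jutsu's own code): the AlertTimeline record, its field names and the sample timestamps are assumptions constructed for illustration, and the example also shows why an alert with no response yet is left out of MTTR rather than counted as zero.

```python
# Added example, not Jutsu's own code: MTTD and MTTR from alert timestamps,
# per the definitions above. Field names and sample values are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class AlertTimeline:
    """The three timestamps an alert needs to carry for the two metrics."""
    alert_id: str
    activity_at: datetime             # when the underlying event happened
    detected_at: datetime             # when the pipeline raised the alert
    responded_at: Optional[datetime]  # when a response was taken, if any

    def __post_init__(self) -> None:
        # Out-of-order timestamps (clock skew, bad parsing) would silently
        # shrink or negate the intervals, so reject them up front.
        if self.detected_at < self.activity_at:
            raise ValueError(f"{self.alert_id}: detected before activity")
        if self.responded_at is not None and self.responded_at < self.detected_at:
            raise ValueError(f"{self.alert_id}: responded before detection")

def mttd_seconds(alerts: list[AlertTimeline]) -> float:
    """Mean time to detect: activity -> detection, averaged over every alert."""
    if not alerts:
        raise ValueError("MTTD is undefined without alerts")
    return mean((a.detected_at - a.activity_at).total_seconds() for a in alerts)

def mttr_seconds(alerts: list[AlertTimeline]) -> Optional[float]:
    """Mean time to respond: detection -> response. An alert nobody has acted on
    yet has no response interval, so it is excluded rather than counted as 0."""
    responded = [a for a in alerts if a.responded_at is not None]
    if not responded:
        return None
    return mean((a.responded_at - a.detected_at).total_seconds() for a in responded)

# Constructed sample: three alerts whose underlying activity happened at T0.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_ALERTS = [
    AlertTimeline("alert-1", T0, T0 + timedelta(minutes=5), T0 + timedelta(minutes=20)),
    AlertTimeline("alert-2", T0, T0 + timedelta(minutes=15), T0 + timedelta(minutes=45)),
    AlertTimeline("alert-3", T0, T0 + timedelta(minutes=10), None),  # still open
]

if __name__ == "__main__":
    print("MTTD:", mttd_seconds(SAMPLE_ALERTS) / 60, "min")  # 10.0 min
    print("MTTR:", mttr_seconds(SAMPLE_ALERTS) / 60, "min")  # 22.5 min
```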
Detections and incidents are mapped to the MITRE ATT&CK framework using tactic and technique identifiers (for example, technique T1078), which gives a shared language for describing adversary behavior.
Glossary
| Term | Definition |
|---|---|
| Event | A raw security record ingested from a source, before normalization or scoring. |
| Alert | A normalized, scored detection stored as an OpenSearch document. |
| Incident | A correlated group of related alerts representing an attack chain. |
| Case | An analyst-driven investigation with evidence, comments, and escalation. |
| Detection | The logic that turns events into scored alerts. |
| Playbook | An AgentSOAR response capability instance — an executable response action. |
| AI agent | An autonomous worker that handles one stage of the pipeline. |
| MTTD | Mean time to detect — interval from activity to detection. |
| MTTR | Mean time to respond — interval from detection to response. |
| MITRE ATT&CK | A knowledge base of adversary tactics and techniques used to classify activity. |
| SIEM | Security Information and Event Management — log collection, search, and detection. |
| SOAR | Security Orchestration, Automation, and Response — automated response workflows. |
| SOC | Security Operations Center — the team and tooling that monitor and defend an environment. |
| RBAC | Role-Based Access Control — permissions granted by role within an organization. |
| Multi-tenant | An architecture where each organization's data and access are isolated from others. |