Glossary
Key terms used throughout this guide.
Alert. A security event normalized, enriched, scored, and flagged by the AI pipeline. The full pipeline has run before it appears in your queue.
AI Processing Pipeline. The seven-step automated chain: Ingest, Normalize, Enrich, Triage, Correlate, Respond, Report.
AI Verdict. The plain-language narrative the AI writes for each alert: what it found, why it scored it that way, and what it recommends.
Asset. A system, server, host, endpoint, or user that Jutsu/AgentSOC is monitoring or aware of.
Attack Timeline. A chronological sequence of events leading to an alert, showing exactly what happened and when.
Blast Radius. How many systems or network areas could be affected if a detected threat is real and spreading.
Case. A formal human investigation task created when the AI escalates an alert. Always links to exactly one underlying alert.
CISA KEV. U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog. A match means real attackers are actively exploiting that vulnerability right now.
Confidence. How certain the AI is about its verdict, as a percentage. Below 60% means treat the verdict as a working hypothesis.
Contributing Evidence. Factors that increased the AI's confidence -- e.g. three independent TI sources confirming the same IP is malicious.
Correlation. Connecting multiple related alerts into one Incident based on shared patterns: attacker, target, or technique.
CVE. Common Vulnerabilities and Exposures. A standardized ID for a known software security flaw.
Enrichment. Automatically querying external threat intelligence databases to add context to an alert.
Escalated to Human. An alert the AI could not resolve with sufficient confidence. Creates a Case for human investigation.
Event. A single raw log entry -- one login, one network connection, one file access. Raw material before AI processing.
False Positive. An alert that turns out to be benign. The activity was normal, not a threat.
File Hash. A unique mathematical fingerprint for a file, used to identify known malware regardless of filename.
Global Sync. Toggle in the time range selector that applies your chosen window to every page simultaneously.
Incident. A group of related alerts the AI determined belong to the same attack campaign.
Incident Report. A structured downloadable document generated automatically for each incident: campaign analysis, executive summary, next steps, audit trail.
IOC (Indicator of Compromise). Observable evidence of a potential attack: malicious IPs, suspicious file hashes, known malicious domains.
L1/L2/L3 Analyst. Tiered analyst roles. L1: first-line triage. L2: escalated case investigation. L3: complex cases and high-impact action approval.
Missing Evidence. Information the AI lacked that would have changed its verdict. Tells you exactly what to look for.
MITRE ATT&CK. A public framework cataloguing every tactic (attacker goal) and technique (method) used by real-world attackers.
MTTD. Mean Time to Detect. Average time from threat occurrence to alert generation. Lower is better.
MTTR. Mean Time to Resolve. Average time from alert detection to case closure. Lower is better.
NACL. Network Access Control List. A subnet-level AWS firewall rule set controlling traffic into or out of a subnet.
Not Sure. The AI's verdict when it found something suspicious but could not classify it confidently. Requires human judgment.
Playground. The response action library in AgentSOAR. Actions execute against live infrastructure -- not a sandbox.
Revert. The undo operation in AgentSOAR Containment. Makes the reverse API call to restore the prior state.
Risk Score. A 0-100 score combining how serious the threat appears and how confident the AI is. Higher means more serious and more certain.
Security Incident Report. The structured PDF generated for each incident: executive summary, next steps, correlation analysis, audit trail.
SIEM. Security Information and Event Management. Collects security logs from your organization. Wazuh is the primary SIEM for Jutsu/AgentSOC.
SOAR. Security Orchestration, Automation, and Response. Lets Jutsu/AgentSOC take automated defensive actions. AgentSOAR is the built-in module.
True Positive. An alert confirmed to be a real threat.
Verdict. AI classification: True Positive, False Positive, or Not Sure.
Worker Monitor. Admin-only page in Settings showing health of all seven AI processing workers, with controls to restart stalled workers.