Powered by

# Glossary

# Detection Levels Definitions

Full
Logging, detection, or alerts were observed during the test.
None
Logging, detection, or alerts were not observed during the test.
Partial
Logging, detection, or alerts were only generated for a subset of the environment or unit test variations.
Untested
The unit test has not been performed.

# Visibility Levels Definitions

Logged
Logs are records of events. They often include network, application, database, and endpoint events. Without proper logging, detections and alerts cannot be created for incident response teams.
Detected
Refers to any event that has been identified as anomalous or possible malicious behavior. However, some detections may not generate an alert or response.
Alerted
Refers to any event that has been identified as malicious and requires triage from the incident response team based on criteria defined by the security operations runbooks.
Responded
Refers to the ticket or email generated by an alert that triggers the incident repsonse team to begin triaging the event.
Prevented
To what degree did the controls prevent potentially malicious behaviors/events from occurring based on detections.

# Miscellaneous A-Z Definitions

Accepted Risk
A finding can be marked as an "Accepted Risk" and will no longer appear as a threat in need of remediation.
Agent
NetSPI's Breach and Attack Simulation agent is a non-persistent piece of software that runs in-memory. It is used to run the plays and playbooks.
Alerted
An alert refers to any event that has been identified as malicious and requires triage from the ​incident response team based on criteria defined by the security operations runbooks.​
Default Operation
By default, an operation called "All Procedures" is created. This operation contains all current, as well as future, procedures.
Detected
A detection refers to any event that has been identified as anomalous or possible ​malicious behavior. However, some detections may not generate an alert or response.​
Heatmap
The heatmap dashboard is designed to present the tactics, techniques, and procedures ​associated with your operation in the context of a more traditional ​MITRE ATT&CK heatmap format.​
Logged
Logs are records of events. They often include network, application, database, and endpoint events. Without proper logging, detections and alerts cannot be created for incident response teams.​
Malware
Malicious software designed to disrupt, damage, or gain unauthorized access to a computer system or network.
Operation
Operations define the scope of plays, playbooks, and the agents they run on.​ They also define the scope of the detective control coverage tracking.​
Play
Automation for a specific manual procedure.​
Playbook
A collection of plays that can be executed in a predefined order to simulate threats.​
Prevented
To what degree did the controls prevent potentially malicious behaviors/events from ​occurring based on detections. ​
Procedure
This refers to the sequence of actions performed to execute a technique. The procedure involves detailed descriptions of the procedure, manual attack instructions, detection and prevention recommendations, other educational content and references.
Responded
This refers to the ticket or email generated by an alert that triggers the incident response team​ to begin triaging the event.
Tactic
The threat actor's intended goal and reason for performing an action.
Technique
The broad description of how a threat actor accomplishes their goal.
Threat Actor
An individual or group that intentionally cause harm to digital devices or systems.
Timeline
The timeline dashboard is designed to help you track your detective control coverage ​for an operation over time. Here you can see where you have gotten better and worse.​
Workspace
The workspace is designed to provide insights into your current detective control coverage. ​It helps you learn about, test, measure, and track all the tactics, techniques, and procedures ​associated with your operation.​

© Copyright 2024. All rights reserved.