Definitions for the tools, attack techniques, MITRE technique IDs, and SOC terms used across foyl Learn. Good to have open during a lab or scenario walkthrough.
The 10 mock tools in foyl Mock cover the core categories of a modern SOC stack. Each one has a specific job and a specific data set to work from.
A SIEM (Security Information and Event Management) platform collects log data from across the environment (endpoints, firewalls, identity, cloud), normalizes it, and runs correlation rules over it to generate alerts and open investigations. The SIEM is usually the first place a Tier 1 analyst looks when an alert comes in. It's good at seeing the big picture but needs other tools to dig into the details, and it only sees the log sources that have been onboarded: a system that isn't shipping logs is invisible to it. Real-world examples: Splunk, Microsoft Sentinel, Elastic SIEM.
An EDR (Endpoint Detection and Response) agent installed on endpoints (laptops, servers, workstations) monitors process activity, network connections, file changes, and memory. EDR detects malicious behavior like LSASS dumps, encoded PowerShell, and C2 beaconing that signature-based antivirus would miss. It also lets you isolate a host from the network, pull a memory snapshot, and view the full process tree (which parent launched what, with which command line). Real-world examples: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne.
A next-generation firewall (NGFW) goes beyond port/protocol filtering to inspect traffic at the application layer. An NGFW can identify and block specific applications regardless of the port they use, detect known attack patterns with IPS rules, enforce geo-blocking, and log all traffic for analysis. It sits at the perimeter and between network segments; it only sees inside TLS sessions if decryption is configured. Real-world examples: Palo Alto Networks, Fortinet FortiGate, Cisco Firepower.
A mail gateway (secure email gateway) sits in front of the mail server and scans inbound and outbound email for phishing, malware, BEC patterns, and policy violations. It can quarantine messages, strip attachments, block sender domains, and flag messages for manual review. A mail gateway is often the first control to catch a phishing campaign, and the place to pull every other copy of a message once one recipient reports it. Real-world examples: Microsoft Defender for Office 365, Proofpoint, Mimecast.
The identity platform (identity provider) manages user identities, authentication, and authorization across the organization. In a security context it provides sign-in logs, risk scores, conditional access policies, MFA events, and alerts for things like impossible travel, leaked credentials, and suspicious inbox rules. It is also where you revoke sessions and refresh tokens, which matters because a password reset alone does not end a session that is already authenticated. It includes PIM (Privileged Identity Management) for controlling time-limited elevated access. Real-world examples: Microsoft Entra ID (formerly Azure AD), Okta, Ping Identity.
A vulnerability management (VM) tool continuously scans assets for known vulnerabilities, scores them using CVSS, and tracks remediation. In incident response, VM is used after a breach to identify what vulnerabilities the attacker may have exploited and to prioritize patching on affected systems. It's not a detection tool but a risk management tool: a clean scan says nothing about whether a host is already compromised. Real-world examples: Tenable Nessus, Qualys, Rapid7 InsightVM.
A SOAR (Security Orchestration, Automation, and Response) platform automates response actions across multiple tools using playbooks. When an alert fires, a SOAR playbook can automatically isolate a host in EDR, block an IP in the firewall, revoke sessions in identity, and quarantine a mailbox, all without a human having to log into each tool separately. It also manages cases and tracks the status of ongoing incidents. Because a playbook acts with the combined privileges of every tool it touches, destructive steps (isolating a server, disabling an account) usually get an approval gate or a scoped allowlist. Real-world examples: Palo Alto XSOAR, Splunk SOAR, Microsoft Sentinel automation.
A threat intelligence platform (TIP) aggregates threat intelligence from multiple feeds, enriches it with context, and makes it searchable. Analysts use it to look up IOCs (indicators like IPs, domains, file hashes), research threat actors, and understand the broader campaign context behind an incident. A good TIP helps you answer "who is doing this and why?", not just "what is happening?". Real-world examples: Recorded Future, MISP, ThreatConnect, OpenCTI.
A CASB (Cloud Access Security Broker) sits between users and cloud services to enforce security policies. It is used to discover shadow IT (apps being used without IT approval), detect data exfiltration through cloud storage, enforce DLP policies, and block high-risk applications. It is particularly useful for catching exfiltration through services like Dropbox, Google Drive, or Telegram, which ride over ordinary HTTPS and so pass perimeter controls. Real-world examples: Microsoft Defender for Cloud Apps, Netskope, Zscaler CASB.
A ticketing and case management system tracks incidents, tasks, and projects across the security team. In a SOC context this is where you manage the people and process side of incident response: who is working on what, what's been done, what's still open, and what the post-incident review found. Every major incident should have a ticket, and its timeline is what the post-incident review and any regulatory report get built from. Real-world examples: Jira, ServiceNow, PagerDuty.
Attack techniques and concepts that show up in the foyl Learn scenarios and labs.
Adversary-in-the-middle (AiTM) phishing puts a reverse proxy between the victim and the real website. The victim sees the real login page and authenticates normally, MFA prompt included, but the proxy captures both the credentials and the session cookie the site issues afterwards, so push, SMS, and one-time-code MFA are bypassed. The attacker doesn't crack the password; they replay the authenticated session. That session stays valid until it expires or is revoked, so containment means revoking sessions and tokens, not just resetting the password. Phishing-resistant MFA (FIDO2/WebAuthn) is bound to the legitimate origin and does not complete through a proxy. Used in IRON CHIMNEY against marcus.chen.
MFA fatigue (push bombing) is sending a large number of MFA push notifications to a target in a short window, hoping they approve one just to make them stop. It is often paired with social engineering: the attacker may call the victim pretending to be IT support and say "you'll keep getting requests until you approve one." Detect it by counting pushes per user per window and treating an approval that follows a run of denials or timeouts as a compromised session; number matching on the push removes the "approve by reflex" option. Used against m.blake in ATO-002.
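The detection described above, as an added example rather than anything from the foyl tools: it groups push events per user, finds any burst of pushes inside a sliding window, and reports whether an approval landed inside that burst. The event records, the window size, and the threshold are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of identity-provider MFA push events, not foyl Learn data.
# Each record: (UTC timestamp, user, push result). Results other than "approved"
# are pushes the user denied or let time out.
SAMPLE_EVENTS = [
    ("2024-03-04T09:12:01Z", "m.blake", "timeout"),
    ("2024-03-04T09:12:40Z", "m.blake", "denied"),
    ("2024-03-04T09:13:15Z", "m.blake", "timeout"),
    ("2024-03-04T09:14:02Z", "m.blake", "approved"),
    ("2024-03-04T09:30:00Z", "l.park", "approved"),
    ("2024-03-04T11:00:00Z", "l.park", "approved"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag users who received at least `threshold` pushes inside any `window`.

    Returns {user: (pushes_in_burst, approved_inside_burst)}. An approval inside
    a burst is the case to act on first: the attacker now holds a session, so
    revoke it and reset the credential rather than only raising an alert.
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((parse_ts(ts), result))

    findings = {}
    for user, pushes in by_user.items():
        pushes.sort()  # oldest first
        for start, (t0, _) in enumerate(pushes):
            burst = [p for p in pushes[start:] if p[0] - t0 <= window]
            if len(burst) >= threshold:
                approved = any(result == "approved" for _, result in burst)
                findings[user] = (len(burst), approved)
                break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for user, (count, approved) in detect_mfa_fatigue(SAMPLE_EVENTS).items():
        print(f"{user}: {count} pushes in 10 min, approved={approved}")
```

The threshold is deliberately low; a legitimate user rarely needs three pushes in ten minutes, and the cost of a false positive here is a phone call, not an outage.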
Credential dumping is extracting password hashes or plaintext credentials from memory or the registry (the SAM and LSA secrets hives). LSASS (Local Security Authority Subsystem Service) is the Windows process that holds credential material in memory. Tools like Mimikatz read from it directly, and dumping the process to a file (with procdump, Task Manager, or comsvcs.dll MiniDump) lets the attacker extract the same material offline. Once an attacker has the LSASS contents, they can use the harvested credentials to move laterally or authenticate to other systems. The EDR signal is a process opening a handle to lsass.exe with memory-read access from an image that has no reason to do so. This is detected in IRON CHIMNEY as EDR DET-0040.
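That EDR signal as detection logic, added here as an example and not taken from the foyl EDR tool: records shaped like Sysmon Event ID 10 (ProcessAccess) are checked for a non-allowlisted source image opening lsass.exe with the PROCESS_VM_READ bit set. The sample events and the allowlist are constructed for the example.

```python
# Access-right bit from the Windows process-access mask; 0x0010 is what a
# credential dumper needs in order to read LSASS memory.
PROCESS_VM_READ = 0x0010

# Images that legitimately read LSASS on a typical host. Assumed for this example;
# tune it to what your EDR actually shows, and match on signer as well as path.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed records shaped like Sysmon Event ID 10 (ProcessAccess); not foyl data.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\mchen\AppData\Local\Temp\svchost32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\mchen\AppData\Local\Temp\svchost32.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010"},
]


def is_suspicious_lsass_access(event):
    """True when a non-allowlisted image opens lsass.exe with PROCESS_VM_READ."""
    target = event["TargetImage"].lower()
    source = event["SourceImage"].lower()
    if not target.endswith("\\lsass.exe"):
        return False
    if source in ALLOWLIST:
        return False
    granted = int(event["GrantedAccess"], 16)
    # 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) on its own is normal noise;
    # the memory-read right is the signal.
    return bool(granted & PROCESS_VM_READ)


def find_lsass_readers(events):
    """Return (SourceImage, GrantedAccess) for every suspicious LSASS access."""
    return [(e["SourceImage"], e["GrantedAccess"])
            for e in events if is_suspicious_lsass_access(e)]


if __name__ == "__main__":
    for image, access in find_lsass_readers(SAMPLE_EVENTS):
        print(f"LSASS read by {image} (GrantedAccess={access})")
```

A path allowlist is the weakest part of this rule: an attacker can drop a binary named like an allowed one or inject into it, so production rules also check the signer and the parent process.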
Lateral movement is moving from one compromised system to other systems on the same network, using stolen credentials or exploitation. A common technique is SMB lateral movement using the Admin$ share (the remote host's C:\Windows directory), which lets an attacker copy files to and execute code on a remote Windows system; PsExec-style tools copy a service binary there and start it through the Service Control Manager, which shows up on the target as a new service installation (System log Event ID 7045). In IRON CHIMNEY, the attacker moves from PIONEER-WS-01 to RESEARCH-STATION-01 using stolen credentials from the LSASS dump.
C2 beaconing is regular outbound HTTP, HTTPS, or DNS traffic from a compromised host to attacker-controlled infrastructure. The beacon "checks in" at a set interval to receive commands. Beaconing is detectable by looking for periodic, consistent outbound connections to unusual external IPs; real implants add jitter to the interval, so look for low variance rather than exact periodicity, and weigh it together with the destination's reputation and the process making the connection. In IRON CHIMNEY, svc32.exe beacons to 185.220.101.47 every few minutes.
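The interval check from the paragraph above, as an added example that is not part of the foyl NGFW or SIEM: connection records are grouped by source host and destination IP, the gaps between consecutive connections are computed, and a pair is flagged when it has enough connections and the coefficient of variation of those gaps is small. The connection records are constructed for the example and include one irregular, human-looking series so the rule has something to ignore.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall/proxy connection records: (UTC timestamp, src_host, dst_ip).
# The first series checks in roughly every 300 s; the second is ordinary browsing.
SAMPLE_CONNECTIONS = [
    ("2024-03-04T10:00:05Z", "PIONEER-WS-01", "185.220.101.47"),
    ("2024-03-04T10:05:07Z", "PIONEER-WS-01", "185.220.101.47"),
    ("2024-03-04T10:10:04Z", "PIONEER-WS-01", "185.220.101.47"),
    ("2024-03-04T10:15:06Z", "PIONEER-WS-01", "185.220.101.47"),
    ("2024-03-04T10:20:05Z", "PIONEER-WS-01", "185.220.101.47"),
    ("2024-03-04T10:25:08Z", "PIONEER-WS-01", "185.220.101.47"),
    ("2024-03-04T10:01:00Z", "PIONEER-WS-01", "203.0.113.10"),
    ("2024-03-04T10:01:30Z", "PIONEER-WS-01", "203.0.113.10"),
    ("2024-03-04T10:09:00Z", "PIONEER-WS-01", "203.0.113.10"),
    ("2024-03-04T10:31:00Z", "PIONEER-WS-01", "203.0.113.10"),
    ("2024-03-04T10:32:00Z", "PIONEER-WS-01", "203.0.113.10"),
    ("2024-03-04T10:55:00Z", "PIONEER-WS-01", "203.0.113.10"),
]


def find_beacons(connections, min_count=6, max_cv=0.2):
    """Return {(src, dst): (mean_interval_s, cv)} for regular-looking pairs.

    cv is the coefficient of variation (standard deviation / mean) of the gaps
    between consecutive connections; near 0 means a fixed sleep, larger values
    mean jitter or human activity. max_cv is an assumed tuning value.
    """
    times = defaultdict(list)
    for ts, src, dst in connections:
        times[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))

    findings = {}
    for pair, stamps in times.items():
        if len(stamps) < min_count:
            continue  # too few samples to say anything about periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu else float("inf")
        if cv <= max_cv:
            findings[pair] = (round(mu, 1), round(cv, 3))
    return findings


if __name__ == "__main__":
    for (src, dst), (mu, cv) in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}: every {mu}s, cv={cv}")
```

Against a real implant with 20 to 30 percent jitter the cv threshold needs to be looser, and the rule becomes one signal among several (a long-lived pairing with a single external IP, near-constant request sizes, a connecting process that is not a browser) rather than a verdict on its own.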
Ransomware is malware that encrypts files on a system and demands payment for the decryption key. Modern ransomware operators (RaaS groups) typically exfiltrate data first and then deploy ransomware as a second-stage impact, so they can threaten to leak the data even when backups exist (double extortion). Deleting volume shadow copies before encryption blocks local recovery and is itself a high-fidelity detection. In IRON CHIMNEY, 547 MB and 14.7 GB are exfiltrated before the ransomware renames 847 files with the .IRONLOCK extension and deletes volume shadow copies.
Ransomware-as-a-Service (RaaS) is a business model where ransomware developers license their malware to affiliates who carry out the attacks and split the ransom payment. The affiliate doesn't need to write their own ransomware, just find targets and deploy it. TA-001 IRON CHIMNEY is an Eastern European RaaS group.
Business email compromise (BEC) is an attack where the attacker impersonates a trusted person (usually an executive, vendor, or IT) to trick employees into transferring money, sending credentials, or sharing sensitive data. BEC doesn't require malware; it relies on social engineering and lookalike or compromised email addresses, which is why the lasting control is procedural: payment and bank-detail changes get verified out of band over a known phone number, never by replying to the email. In BEC-001, the attacker impersonates the CEO via a Gmail address to request a $47,500 wire transfer.
A homoglyph domain replaces a character with one that looks nearly identical: acme-industr1al.com uses a numeral "1" instead of a lowercase "L". Homoglyphs are hard to spot at a glance, especially in email clients that don't render addresses clearly, and Unicode makes it worse: an internationalized domain can use a Cyrillic "а" for a Latin "a" that is indistinguishable in most fonts (many browsers display such a mixed-script name in its xn-- punycode form for that reason). Used by TA-002 COBALT MANTIS in VF-001. The related concept "typosquatting" uses common typos (acme-indsutrial.com) instead of identical-looking characters.
An inbox forwarding rule set on a compromised mailbox automatically forwards emails matching certain keywords to an attacker-controlled address. It is used for reconnaissance to understand financial workflows, vendor relationships, and ongoing deals before launching a fraud attempt, and it survives a password reset because the rule lives in the mailbox, not in the session. Rules that also delete the matched mail or mark it as read hide the activity from the owner. In BEC-001, j.whitfield's account had a rule forwarding emails with "invoice", "wire", "payment", and "transfer" to an external address.
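A rule audit that scores mailbox rules the way an analyst would read them, added here as an example and not taken from the foyl Identity or mail gateway tools. The rule objects are constructed and loosely shaped after the Microsoft Graph messageRule resource (conditions and actions as nested fields); the internal-domain list and keyword set are assumptions.

```python
# Assumed for the example: the organization's own mail domains and the
# keywords that signal interest in payments.
INTERNAL_DOMAINS = {"ficsit.io"}
FINANCIAL_KEYWORDS = {"invoice", "wire", "payment", "transfer", "ach", "bank"}

# Constructed mailbox rules, shaped loosely like Graph messageRule objects.
SAMPLE_RULES = [
    {"displayName": "Sync",
     "conditions": {"bodyOrSubjectContains": ["invoice", "wire", "payment", "transfer"]},
     "actions": {"forwardTo": ["acct.backup.4471@outlook.com"],
                 "markAsRead": True, "delete": True}},
    {"displayName": "Team",
     "conditions": {"bodyOrSubjectContains": ["standup"]},
     "actions": {"forwardTo": ["team-lead@ficsit.io"]}},
    {"displayName": "Newsletters",
     "conditions": {"senderContains": ["noreply"]},
     "actions": {"moveToFolder": "Archive"}},
]


def rule_risk(rule, internal=INTERNAL_DOMAINS):
    """Return a list of reasons a rule looks attacker-made, or [] if it looks benign.

    External forwarding is the gate: a rule that only matches keywords or only
    files mail is normal; one that sends mail outside the organization is not,
    and the other attributes then sharpen the finding.
    """
    actions = rule.get("actions", {})
    targets = actions.get("forwardTo", []) + actions.get("redirectTo", [])
    external = [a for a in targets if a.rsplit("@", 1)[-1].lower() not in internal]
    if not external:
        return []

    reasons = ["forwards externally: " + ", ".join(external)]
    keywords = {k.lower() for k in rule.get("conditions", {}).get("bodyOrSubjectContains", [])}
    hits = keywords & FINANCIAL_KEYWORDS
    if hits:
        reasons.append("matches financial keywords: " + ", ".join(sorted(hits)))
    if actions.get("delete") or actions.get("markAsRead"):
        reasons.append("hides matched mail from the mailbox owner")
    return reasons


def suspicious_rules(rules):
    """Map rule name -> reasons for every rule that rule_risk() flags."""
    return {r["displayName"]: rule_risk(r) for r in rules if rule_risk(r)}


if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES).items():
        print(name, "=>", "; ".join(reasons))
```

When you run this against real tenants, pull rules through the API rather than the mail client: rules created with low-level tooling can be hidden from the client's rule list but are still returned by the service.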
An indicator of compromise (IOC) is a specific artifact that indicates a system has been compromised or is communicating with malicious infrastructure. Examples: a file hash, an IP address, a domain name, a registry key, a URL. IOCs are useful for blocking and detection but have a short shelf life because attackers rotate their infrastructure: a file hash changes with a single recompile, an IP with a new server. TTPs (tactics, techniques, and procedures) are a better long-term detection strategy.
TTPs describe how an attacker operates: their goals (tactics), the methods they use (techniques), and the specific tools and steps they follow (procedures). MITRE ATT&CK is the framework that catalogs them; a technique ID such as T1003.001 names one behavior independently of which actor or tool performs it. Detecting TTPs is more durable than detecting IOCs because the behavior stays consistent even when an attacker changes their infrastructure.
Shadow IT is cloud apps and services used by employees without IT's knowledge or approval. Common examples: personal Dropbox, WhatsApp, Telegram, or browser-based AI tools. Shadow IT is a data loss risk because company data moves into systems that haven't been reviewed or secured. CASB is the primary tool used to discover and govern shadow IT.
Data loss prevention (DLP) is the set of policies and controls that detect and prevent sensitive data from leaving the organization through unauthorized channels. A DLP policy might flag large file uploads to personal cloud storage, block emails with credit card numbers in the body, or alert when a sensitive document is printed. In foyl Learn, CASB includes a DLP module that catches the data exfiltration in IRON CHIMNEY and VF-001.
Every technique referenced across the foyl Learn scenarios and labs. The technique ID links to the scenario where it appears.
| ID | Tactic | Technique | Where it appears |
|---|---|---|---|
| T1566.002 | Initial Access | Spearphishing Link | IRON CHIMNEY — invoices-ficsit.io AiTM phish to marcus.chen |
| T1566.001 | Initial Access | Spearphishing Attachment | ATO-002, BEC-001, VF-001 |
| T1059.001 | Execution | PowerShell | IRON CHIMNEY — encoded PowerShell drops svc32.exe (EDR timeline) |
| T1547.001 | Persistence | Registry Run Keys | IRON CHIMNEY — svc32.exe sets registry run key (EDR DET-0031) |
| T1003.001 | Credential Access | LSASS Memory | IRON CHIMNEY — svchost32.exe (Mimikatz) reads LSASS (EDR DET-0040) |
| T1021.002 | Lateral Movement | SMB/Windows Admin Shares | IRON CHIMNEY — Admin$ share from PIONEER-WS-01 to RESEARCH-STATION-01 |
| T1041 | Exfiltration | Exfiltration Over C2 Channel | IRON CHIMNEY — 547 MB over C2 to 185.220.101.47 (NGFW TRF-98177) |
| T1486 | Impact | Data Encrypted for Impact | IRON CHIMNEY — 847 files renamed .IRONLOCK |
| T1490 | Impact | Inhibit System Recovery | IRON CHIMNEY — VSS shadow copies deleted |
| T1621 | Credential Access | Multi-Factor Authentication Request Generation | ATO-002 — 4 MFA pushes to m.blake, 4th approved (SIEM ALT-7285) |
| T1078.004 | Defense Evasion | Valid Accounts: Cloud Accounts | ATO-002 — admin portal login from 203.0.113.88 (SIEM ALT-7288) |
| T1556.006 | Defense Evasion | Modify Auth Process: MFA | ATO-002 — attacker attempts to disable MFA for pioneer account (blocked by SOAR PB-002) |
| T1585.002 | Resource Development | Establish Accounts: Email Accounts | BEC-001 — Gmail lookalike m-reynolds-ceo@gmail.com |
| T1657 | Impact | Financial Theft | BEC-001 (blocked), VF-001 (intercepted) |
| T1583.001 | Resource Development | Acquire Infrastructure: Domains | VF-001 — acme-industr1al.com homoglyph domain registered by TA-002 |
| T1213 | Collection | Data from Information Repositories | VF-001 — l.park uploads acme_nda_2024.pdf and vendor_pricing_q4.xlsx to Google Drive (CASB DLP-006) |
SOC roles and incident response process terms.
A Security Operations Center (SOC) is the team and facility responsible for monitoring, detecting, investigating, and responding to security incidents. A SOC runs 24/7 in large organizations and uses a combination of tools, processes, and human judgment to identify threats and limit damage.
A Tier 1 (L1) analyst is the first line of alert triage in a SOC. L1 analysts monitor the alert queue, do initial investigation, determine if an alert is real or a false positive, and escalate to Tier 2 when they find something that needs deeper analysis. L1 analysts often work from runbooks and SOPs.
A Tier 2 (L2) analyst handles escalated incidents from L1 and does deeper investigation: correlating events across multiple tools, writing and running detection queries, analyzing malware, and leading containment for active incidents. L2 analysts typically have more security experience and tool depth than L1.
A threat hunter proactively searches for threats that haven't triggered alerts. Instead of waiting for the SIEM to fire, a threat hunter uses hypothesis-driven investigations ("if an attacker had dumped LSASS here, what would the telemetry show?") across endpoint telemetry, network logs, and threat intelligence to find adversaries that have bypassed detection. Usually the most senior technical role in a SOC.
Incident response (IR) is the structured process of detecting, containing, eradicating, and recovering from a security incident. Standard IR phases: preparation, identification, containment, eradication, recovery, and lessons learned (post-incident review). The foyl Labs walk through the IR process across multiple scenarios.
Containment is stopping an active incident from spreading further. Containment actions include isolating a compromised host from the network, revoking active sessions, blocking attacker IPs and domains, and quarantining affected mailboxes. Contain before you eradicate: wiping the first host you find tips off the attacker while their other footholds are still live. In IRON CHIMNEY, containment is handled by SOAR playbook PB-001.
A playbook is a documented and often automated set of steps to respond to a specific type of security incident. In a SOAR context, a playbook is a workflow that runs automatically (or semi-automatically) when triggered by a specific alert or condition. Playbooks reduce response time and ensure consistent actions are taken every time.
A runbook is the manual version of a playbook: a step-by-step document that a human analyst follows. Runbooks are used when a playbook hasn't been automated yet or when the situation requires judgment at each step. They're a good starting point before investing in automation.
A post-incident review (PIR) is a retrospective after an incident is resolved. Also called a post-mortem or after-action review. The goal is to understand what happened, what worked, what didn't, and what changes should be made to prevent recurrence or improve response. A good PIR is blameless and focuses on process and systems, not individual mistakes.
Mean time to respond (MTTR), as foyl Learn uses it, is the average time from when an incident is detected to when it's fully contained. It's a key SOC metric, but the acronym is also expanded as mean time to resolve or to recover, each with different endpoints, so state which clock you are measuring when you report it. In the IRON CHIMNEY terminal simulation on the foyl Learn homepage, MTTR is shown as 00:08:42, which is an aspirational benchmark for an automated SOAR response. In practice, complex incidents take hours or days.
CVSS (Common Vulnerability Scoring System) is a standardized score from 0 to 10 that rates the severity of a software vulnerability from its base metrics: attack vector, attack complexity, privileges required, user interaction, scope, and the confidentiality, integrity, and availability impact. Severity ratings: 9.0 to 10.0 is Critical, 7.0 to 8.9 High, 4.0 to 6.9 Medium, 0.1 to 3.9 Low. The base score describes the flaw itself, not whether it is reachable or being exploited in your environment, so the VM tool uses it as the starting point for patch priority rather than the whole answer.
Privileged Identity Management (PIM) is a system for managing and auditing elevated access to sensitive systems. Instead of giving an admin permanent Global Administrator rights, PIM makes them eligible for the role and requires them to activate it for a specific time window (typically with MFA and a written justification), after which it expires automatically. This limits the damage if an admin account is compromised, and the activation log is a ready-made audit trail of who held which privilege when. Available in the foyl Identity tool under the PIM page.