Concepts and Terminology

Sift Security is a graph analytics platform for security operations and incident response.

When it ingests data, it represents the data in two different ways: as a security event graph and in a searchable index.

A graph is a relationship-centric data structure. It represents a relationship as an edge connecting two nodes, which we call entities. We have defined graph models for a wide variety of security event types, enabling them to be mapped into the graph. The graph enables rapid fulfillment of common investigative queries, interactive visualization, and advanced alert prioritization.

Terminology

Alert Cluster
A collection of alerts identified by our graph prioritization algorithms. These are ranked based on the sources and types of alerts they contain, and how those alerts are related.
Analytics rule
A rule that defines a feature to be used by our analytics engine. Many are provided out of the box to support common use cases. Features are defined as a series of aggregations, and generate alerts based on a collection of automatically extracted machine learning models. Alerts include spikes, rare events, time of day anomalies, and contextual anomalies.
Edge
A relationship in the security event graph. These are assigned categories and types. For example, “association” is a category and “user authenticated to host” is a type within that category.
Entity
A node in the security event graph. These represent things observed in security events, like users, hosts, and IP addresses.
Detection rule
A user-customizable, threshold-based rule that generates an alert when its threshold is crossed. Many detection rules are provided out of the box for common use cases, and a User Interface (UI) is provided for creating new rules.
Graph Canvas
Where graphs are rendered in the UI, providing a visual depiction of one or more security events.
Index
A database of security event data represented in the Sift Information Model that
Security Event Graph
Representation of security events as a graph that can be visualized in the graph canvas.
Sift Information model
An information model that defines which fields should be present in supported event types. When incoming data are mapped into the data model, detection, analytics, and visualizations are automatically applied.
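The following is an added illustration of the concepts above (entities, edges with a category and type, investigative queries over the security event graph, and a threshold-based detection rule); it is not Sift Security's code. The edge type "user authenticated to host" and the category "association" come from the Edge definition above; the "ip connected to host" edge type, its "network" category, the event field names, the rule thresholds and the sample events are all constructed assumptions.

```python
"""Toy security event graph: map raw events to entities and edges, run
investigative queries, and evaluate a threshold-based detection rule.
Added illustration, not Sift Security's code. The CONN edge type, the
"network" category, the field names and the sample events are constructed."""
from collections import defaultdict
from dataclasses import dataclass

AUTH = "user authenticated to host"   # edge type named on the page
CONN = "ip connected to host"         # assumed edge type (constructed)


@dataclass(frozen=True)
class Entity:
    kind: str   # "user", "host" or "ip"
    name: str


@dataclass(frozen=True)
class Edge:
    src: Entity
    dst: Entity
    category: str   # e.g. "association"
    type: str       # e.g. AUTH
    ts: int         # event time, epoch seconds


class SecurityEventGraph:
    def __init__(self):
        self.edges = []
        self.out = defaultdict(list)   # entity -> edges leaving it
        self.inc = defaultdict(list)   # entity -> edges entering it

    def add(self, edge):
        self.edges.append(edge)
        self.out[edge.src].append(edge)
        self.inc[edge.dst].append(edge)

    def ingest(self, event):
        """Map one constructed authentication event into two graph edges."""
        user = Entity("user", event["user"])
        host = Entity("host", event["host"])
        ip = Entity("ip", event["src_ip"])
        self.add(Edge(user, host, "association", AUTH, event["ts"]))
        self.add(Edge(ip, host, "network", CONN, event["ts"]))  # category assumed

    # --- investigative queries -----------------------------------------
    def hosts_for_user(self, user):
        """One-hop query: hosts this user authenticated to."""
        return {e.dst.name for e in self.out[Entity("user", user)] if e.type == AUTH}

    def users_sharing_hosts(self, user):
        """Two-hop query: other users that authenticated to the same hosts."""
        others = set()
        for host in self.hosts_for_user(user):
            for e in self.inc[Entity("host", host)]:
                if e.type == AUTH and e.src.name != user:
                    others.add(e.src.name)
        return others

    def sources_for_host(self, host):
        """Every entity with an edge into a host, with the edge type."""
        return {(e.src.kind, e.src.name, e.type) for e in self.inc[Entity("host", host)]}


# --- detection rule ---------------------------------------------------
def distinct_host_rule(graph, threshold=3, window=60):
    """Threshold rule: alert the first time a user authenticates to at least
    `threshold` distinct hosts within `window` seconds (values are constructed)."""
    by_user = defaultdict(list)
    for e in graph.edges:
        if e.type == AUTH:
            by_user[e.src.name].append(e)
    alerts = []
    for user, es in by_user.items():
        es.sort(key=lambda e: e.ts)
        for i, e in enumerate(es):
            recent = {x.dst.name for x in es[: i + 1] if x.ts > e.ts - window}
            if len(recent) >= threshold:
                alerts.append({"user": user, "hosts": sorted(recent), "ts": e.ts})
                break   # one alert per user for this toy rule
    return alerts


# constructed sample events
SAMPLE_EVENTS = [
    {"user": "alice", "host": "srv1", "src_ip": "10.0.0.5", "ts": 100},
    {"user": "alice", "host": "srv2", "src_ip": "10.0.0.5", "ts": 110},
    {"user": "bob",   "host": "srv2", "src_ip": "10.0.0.9", "ts": 120},
    {"user": "carol", "host": "srv3", "src_ip": "10.0.0.7", "ts": 130},
    {"user": "alice", "host": "srv3", "src_ip": "10.0.0.5", "ts": 140},
    {"user": "alice", "host": "srv4", "src_ip": "10.0.0.5", "ts": 150},
]


def build_sample_graph():
    g = SecurityEventGraph()
    for ev in SAMPLE_EVENTS:
        g.ingest(ev)
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print(sorted(g.hosts_for_user("alice")))       # ['srv1', 'srv2', 'srv3', 'srv4']
    print(sorted(g.users_sharing_hosts("alice")))  # ['bob', 'carol']
    print(distinct_host_rule(g))                   # alice reached 3 hosts within 60 s at ts 140
```

The two-hop query is the kind of investigative question the graph answers cheaply: starting from one user, it walks to the hosts that user touched and back out to every other user seen on those hosts, which in a table-shaped index would need a self-join. The detection rule reads the same edges, so the same mapping into the graph feeds both the queries and the alerting.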