Concepts and Terminology
Sift Security is a graph analytics platform for security operations and incident response.
When it ingests data, it represents the data in two different ways: as a security event graph and in a searchable index.
A graph is a relationship-centric data structure. It represents a relationship as an edge connecting two nodes, which we call entities. We have defined graph models for a wide variety of security event types, enabling them to be mapped into the graph. The graph enables rapid fulfillment of common investigative queries, interactive visualization, and advanced alert prioritization.
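To make the graph model concrete, here is a small illustration of mapping normalised security events into entities and categorised, typed edges, and then answering two common investigative queries over the result. This is an added example and not Sift Security's code: the event field names, the entity kinds, and the mapping table `GRAPH_MODEL` are assumptions invented for the illustration; a real information model and graph model define them.

```python
"""A toy security event graph: entities as nodes, categorised and typed edges.

Added illustration, not Sift Security's code.  The event field names, the
entity kinds and the mapping table GRAPH_MODEL are assumptions invented for
this example; a real information model and graph model define them.
"""
from collections import defaultdict, deque

# Constructed sample events, already normalised into flat named fields.
SAMPLE_EVENTS = [
    {"event_type": "auth_success", "user": "alice", "src_ip": "10.0.0.5", "host": "web01"},
    {"event_type": "auth_success", "user": "alice", "src_ip": "10.0.0.5", "host": "db01"},
    {"event_type": "auth_success", "user": "bob",   "src_ip": "10.0.0.9", "host": "web01"},
    {"event_type": "dns_query",    "src_ip": "10.0.0.5", "domain": "update.example.net"},
    {"event_type": "dns_query",    "src_ip": "10.0.0.9", "domain": "update.example.net"},
]

# Hypothetical graph model: per event type, the edges to emit.  Each entry is
# (category, edge type, (entity kind, source field), (entity kind, target field)).
GRAPH_MODEL = {
    "auth_success": [
        ("association", "user authenticated to host", ("user", "user"), ("host", "host")),
        ("association", "user seen from ip",          ("user", "user"), ("ip", "src_ip")),
        ("association", "ip connected to host",       ("ip", "src_ip"), ("host", "host")),
    ],
    "dns_query": [
        ("association", "ip resolved domain", ("ip", "src_ip"), ("domain", "domain")),
    ],
}


class SecurityEventGraph:
    """Undirected multigraph; entity ids are '<kind>:<value>'."""

    def __init__(self):
        self.entities = set()
        self.adj = defaultdict(list)   # entity -> [(neighbour, category, type)]

    def add_edge(self, a, b, category, edge_type):
        self.entities.update((a, b))
        self.adj[a].append((b, category, edge_type))
        self.adj[b].append((a, category, edge_type))

    def ingest(self, event):
        """Map one event into entities and edges using GRAPH_MODEL."""
        for category, edge_type, (kind_a, fa), (kind_b, fb) in GRAPH_MODEL.get(event["event_type"], []):
            if fa in event and fb in event:
                self.add_edge(f"{kind_a}:{event[fa]}", f"{kind_b}:{event[fb]}", category, edge_type)

    def neighbours(self, entity, edge_type=None):
        """Investigative query: what is directly related to this entity?"""
        return sorted({n for n, _, t in self.adj[entity] if edge_type is None or t == edge_type})

    def shortest_path(self, start, goal):
        """Investigative query: how are two entities connected? (BFS over edges)"""
        prev = {start: None}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            if cur == goal:
                path = []
                while cur is not None:
                    path.append(cur)
                    cur = prev[cur]
                return path[::-1]
            for nxt, _, _ in self.adj[cur]:
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        return None   # no connection in the ingested data


def build_graph(events):
    """Ingest a batch of events into a fresh graph."""
    g = SecurityEventGraph()
    for ev in events:
        g.ingest(ev)
    return g


if __name__ == "__main__":
    g = build_graph(SAMPLE_EVENTS)
    print(sorted(g.entities))
    print(g.neighbours("user:alice", "user authenticated to host"))
    print(g.shortest_path("user:alice", "user:bob"))
```

The point of the edge type is that "which hosts did alice authenticate to?" becomes a filter on the edges adjacent to one node rather than a scan of every event, and "how are alice and bob related?" becomes a breadth-first walk that in this data finds the shared host `web01` before the longer route through the common DNS lookup.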
- Alert Cluster
- A collection of alerts identified by our graph prioritization algorithms. These are ranked based on the sources and types of alerts they contain, and how those alerts are related.
- Analytics rule
- A rule that defines a feature to be used by our analytics engine. Many are provided out of the box to support common use cases. A feature is defined as a series of aggregations; alerts are generated from a collection of automatically extracted machine learning models. Alert types include spikes, rare events, time-of-day anomalies, and contextual anomalies.
- Edge
- A relationship in the security event graph. Edges are assigned categories and types. For example, “association” is a category and “user authenticated to host” is a type within that category.
- Entity
- A node in the security event graph. Entities represent things observed in security events, such as users, hosts, and IP addresses.
- Detection rule
- A user-customizable, threshold-based rule that generates an alert when its threshold is crossed. Many detection rules are provided out of the box for common use cases, and a User Interface (UI) is provided for creating new rules.
- Graph Canvas
- Where graphs are rendered in the UI, providing a visual depiction of one or more security events.
- Searchable Index
- A database of security event data represented in the Sift Information Model that
- Security Event Graph
- Representation of security events as a graph that can be visualized in the graph canvas.
- Sift Information Model
- An information model that defines which fields should be present in each supported event type. Once incoming data are mapped into the model, detection, analytics, and visualizations are applied automatically.
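The difference between a detection rule and an analytics rule is easiest to see side by side: the first fires on a fixed threshold the user sets, the second fires when activity departs from a learned baseline. The following is an added example, not Sift Security's code or its models. The event fields, the rule parameters, and the simple stand-in models on the analytics side (mean plus a multiple of the standard deviation for spikes, "never seen in the baseline" for rare events and time-of-day anomalies) are assumptions made for the illustration.

```python
"""Threshold detection rule versus baseline-driven analytics alerts.

Added illustration, not Sift Security's code.  The event fields, rule
parameters, and the simple models used on the analytics side are assumptions
standing in for the machine learning models a real analytics engine would fit.
"""
from collections import Counter, defaultdict, deque
from statistics import mean, pstdev

# Constructed authentication events.  ts is seconds since some epoch, hour is
# the local hour of day.  Six failures arrive from 203.0.113.7 in 90 seconds.
EVENTS = [
    {"ts": 1000, "hour": 10, "user": "alice", "src_ip": "10.0.0.5",    "host": "web01", "outcome": "success"},
    {"ts": 1010, "hour": 10, "user": "bob",   "src_ip": "203.0.113.7", "host": "vpn01", "outcome": "failure"},
    {"ts": 1030, "hour": 10, "user": "bob",   "src_ip": "203.0.113.7", "host": "vpn01", "outcome": "failure"},
    {"ts": 1045, "hour": 10, "user": "carol", "src_ip": "203.0.113.7", "host": "vpn01", "outcome": "failure"},
    {"ts": 1060, "hour": 10, "user": "dave",  "src_ip": "203.0.113.7", "host": "vpn01", "outcome": "failure"},
    {"ts": 1090, "hour": 10, "user": "erin",  "src_ip": "203.0.113.7", "host": "vpn01", "outcome": "failure"},
    {"ts": 1100, "hour": 10, "user": "frank", "src_ip": "203.0.113.7", "host": "vpn01", "outcome": "failure"},
    {"ts": 1500, "hour": 10, "user": "alice", "src_ip": "10.0.0.5",    "host": "web01", "outcome": "failure"},
    {"ts": 9000, "hour": 3,  "user": "alice", "src_ip": "10.0.0.5",    "host": "db01",  "outcome": "success"},
]

# Constructed baseline standing in for what the analytics models learned from
# earlier data: hourly failure counts per host, successful (user, host) pairs,
# and the hours of day at which each user is normally active.
BASELINE = {
    "failures_per_hour": {"vpn01": [0, 1, 0, 2, 1, 0, 1, 1], "web01": [0, 0, 1, 0, 0, 0, 1, 0]},
    "user_host_pairs": {("alice", "web01"), ("bob", "vpn01")},
    "active_hours": {"alice": set(range(9, 18)), "bob": set(range(8, 20))},
}


def run_detection_rule(events, threshold=5, window_s=300):
    """Threshold-based detection rule: one alert per src_ip the first time it
    reaches ``threshold`` failed logins inside a sliding ``window_s`` window."""
    recent = defaultdict(deque)   # src_ip -> timestamps of failures in window
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "failure":
            continue
        q = recent[ev["src_ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window_s:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["src_ip"] not in alerted:
            alerted.add(ev["src_ip"])
            alerts.append({"type": "threshold", "rule": "failed logins per source",
                           "entity": ev["src_ip"], "count": len(q), "ts": ev["ts"]})
    return alerts


def run_analytics(events, baseline, z=3.0):
    """Baseline-driven analytics: spike, rare event and time-of-day anomaly."""
    alerts = []
    # Spike: failures per host in this batch vs. mean + z*stdev of the baseline.
    failures = Counter(ev["host"] for ev in events if ev["outcome"] == "failure")
    for host, count in failures.items():
        hist = baseline["failures_per_hour"].get(host)
        if hist and count > mean(hist) + z * pstdev(hist):
            alerts.append({"type": "spike", "entity": host, "count": count})
    for ev in events:
        if ev["outcome"] != "success":
            continue
        # Rare event: a user succeeded on a host the baseline never saw them on.
        if (ev["user"], ev["host"]) not in baseline["user_host_pairs"]:
            alerts.append({"type": "rare_event", "entity": ev["user"], "host": ev["host"], "ts": ev["ts"]})
        # Time-of-day anomaly: activity outside the hours the user is normally active.
        usual = baseline["active_hours"].get(ev["user"])
        if usual and ev["hour"] not in usual:
            alerts.append({"type": "time_of_day", "entity": ev["user"], "hour": ev["hour"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in run_detection_rule(EVENTS) + run_analytics(EVENTS, BASELINE):
        print(alert)
```

On this data the threshold rule fires once for 203.0.113.7, the spike model fires for vpn01 (the same activity, seen per host rather than per source), and alice's 03:00 login to db01 produces both a rare-event and a time-of-day alert. The last two share the entity alice, which is the kind of relationship an alert cluster is built from.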