Terms

campaign

A campaign is a correlated set of incidents that affect one or more devices over a period of time.

event

An event represents a security-relevant activity that has occurred in the monitored network. An event may involve multiple data flows (for example, TCP connections), but it represents a single type of activity occurring over a short period of time (at most one hour). Multiple events are automatically correlated into incidents.

incident

An incident represents a security-relevant activity that has occurred in the monitored network. An incident may consist of a single event, or a number of events that have been automatically correlated, and that have been determined to be closely related.

infection

An infection is an incident that has been determined to be critical. Infections should be dealt with without delay.

nuisance

A nuisance is an incident of low risk. This typically corresponds to potentially unwanted or risky activity that does not necessarily indicate a compromise or infection on the monitored network. Nuisances are still tracked because they contribute to a more comprehensive picture of network situational awareness.

watchlist

A watchlist is an incident that has been determined to be of medium risk. Such incidents, while indicating a potential risk, do not need immediate attention; they are kept under close watch in case new evidence appears that modifies their status.

For example, an incident involving an inoperative command and control infrastructure will be classified as watchlisted.
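The glossary above describes a small data model: events on a device, correlated into incidents when they are closely related in time and type, incidents classified as infection, watchlist or nuisance by risk, and campaigns grouping related incidents across devices. The following Python sketch is an added illustration of that model and is not the product's own code; the concrete correlation rules (same device and activity label, events at most one hour apart; incidents with the same activity label form a campaign) and the sample events are assumptions made here for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum


class Risk(IntEnum):
    """Risk levels in increasing order; each maps to one incident class from the glossary."""
    LOW = 1        # nuisance
    MEDIUM = 2     # watchlist
    CRITICAL = 3   # infection


@dataclass
class Event:
    device: str
    activity: str      # label of the activity type (constructed, e.g. "c2-beacon")
    ts: datetime
    risk: Risk


@dataclass
class Incident:
    device: str
    activity: str
    events: list = field(default_factory=list)

    @property
    def risk(self) -> Risk:
        # An incident is as risky as its riskiest event.
        return max(e.risk for e in self.events)

    @property
    def category(self) -> str:
        return {Risk.CRITICAL: "infection", Risk.MEDIUM: "watchlist", Risk.LOW: "nuisance"}[self.risk]

    @property
    def last_seen(self) -> datetime:
        return max(e.ts for e in self.events)


def correlate_events(events, window=timedelta(hours=1)):
    """Group events into incidents. Assumed rule (not from the page): same device,
    same activity label, and each event within `window` of the incident's latest event."""
    incidents = []
    open_by_key = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.device, ev.activity)
        inc = open_by_key.get(key)
        if inc is None or ev.ts - inc.last_seen > window:
            inc = Incident(ev.device, ev.activity)   # gap too large: start a new incident
            incidents.append(inc)
            open_by_key[key] = inc
        inc.events.append(ev)
    return incidents


@dataclass
class Campaign:
    activity: str
    incidents: list = field(default_factory=list)

    @property
    def devices(self):
        return sorted({i.device for i in self.incidents})


def correlate_incidents(incidents):
    """Assumed rule: incidents sharing an activity label belong to one campaign,
    whichever devices they affect and however far apart in time they are."""
    by_activity = {}
    for inc in incidents:
        by_activity.setdefault(inc.activity, Campaign(inc.activity)).incidents.append(inc)
    return list(by_activity.values())


# Constructed sample events; not real telemetry.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    Event("host-a", "c2-beacon", T0, Risk.CRITICAL),
    Event("host-a", "c2-beacon", T0 + timedelta(minutes=20), Risk.CRITICAL),
    Event("host-a", "c2-beacon", T0 + timedelta(hours=3), Risk.MEDIUM),    # >1h gap: new incident
    Event("host-b", "c2-beacon", T0 + timedelta(hours=1), Risk.MEDIUM),    # inoperative C2: watchlist
    Event("host-c", "adware-download", T0 + timedelta(minutes=5), Risk.LOW),
]


def summarize(events=SAMPLE_EVENTS):
    """Return the incidents and campaigns derived from `events` as plain tuples."""
    incidents = correlate_events(events)
    campaigns = correlate_incidents(incidents)
    return {
        "incidents": [(i.device, i.activity, len(i.events), i.category) for i in incidents],
        "campaigns": [(c.activity, c.devices, len(c.incidents)) for c in campaigns],
    }


if __name__ == "__main__":
    result = summarize()
    for row in result["incidents"]:
        print("incident", row)
    for row in result["campaigns"]:
        print("campaign", row)
```

With the sample data, the two early beacons on host-a become one infection, the beacon three hours later on the same host starts a separate watchlist incident, host-b's medium-risk beacon is a watchlist incident and host-c's adware download is a nuisance; the three beacon incidents form a single campaign spanning two devices.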