
Terminology

Following is a list of commonly used terms in the DTACT universe.

Event

Something that happened at a certain moment in time. An event in itself is not automatically suspicious but can act as evidence or raw material for further enrichment and correlation. When received events match a certain pattern this could lead to an alert.

Brick

An event-driven processor with one specific function, ranging from collecting a Twitter feed or enriching data with machine learning to storing data in a specific database.

Bricks are the building blocks of flows. Bricks communicate in a classic publish-subscribe manner. You can script the behaviour of a brick yourself or use one of the many bricks that are readily available in Raven.

Observable

Something that has been observed during a certain event, or that is derived from an event through correlation with other data sources (for example, a WHOIS database). In cybersecurity, observables are typically things like IP addresses, host names, file hashes, etc.

Flow

A data pipeline inside Raven, defined by connecting several functional bricks together. Events enter the flow through a source brick, pass through transformation and enrichment bricks, and end in a brick that stores them, raises an alert, or forwards them elsewhere.

Source

The origin of the data that enters a flow, for example a log file, an API, a database, or a feed such as Twitter.

Alert

Something that requires human attention. A true positive alert means that something suspicious is going on in your organisation and action is required. A false positive alert means that you need to tune your detection setup to lower its noise. An alert is essentially a high-risk state attached to one or more events, which serve as its evidence.

Query

A precise request for information. Data inside a brick or a table can be indexed and then queried. See the queries documentation for details.

Trigger

An action that is executed automatically when a specified condition is met, for example raising an alert when a counter exceeds a threshold or forwarding an event to another system.
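The terms Event, Observable, Brick, Flow, Topic, Alert and Trigger fit together as follows. The block below is an added example written for this page, not Raven's own code or API: it models a tiny flow on an in-memory publish-subscribe bus in which a source brick turns constructed log lines into events, a parse brick extracts observables, an enrichment brick correlates the source IP with a (constructed) threat-intel table, and a trigger brick raises an alert once a threshold of failed logins is reached. The topic names, brick functions, log lines and threat-intel table are all assumptions made for the illustration; the same structure is also what the ETL and Logs entries describe.

```python
import re
from collections import defaultdict

# Constructed sample log lines standing in for a log source (not real data).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "2024-03-01T10:00:03Z sshd[812]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "2024-03-01T10:00:05Z sshd[812]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "2024-03-01T10:00:09Z sshd[812]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2",
]

# Hypothetical enrichment source (constructed); a real enrichment brick would query
# a threat-intel feed or a WHOIS database instead of a dict.
THREAT_INTEL = {"203.0.113.7": "known brute-force source"}


class Bus:
    """Minimal in-memory publish/subscribe bus. Bricks subscribe to a topic and
    publish to a topic; the bus delivers each message to every subscriber."""

    def __init__(self):
        self._subscribers = defaultdict(list)

    def subscribe(self, topic, handler):
        self._subscribers[topic].append(handler)

    def publish(self, topic, message):
        for handler in list(self._subscribers[topic]):
            handler(message)


LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def source_brick(bus, lines):
    """Source brick: reads raw lines from the source and publishes them on 'raw_logs'."""
    for line in lines:
        bus.publish("raw_logs", {"raw": line})


def parse_brick(bus):
    """Transform brick: turns a raw line into a structured event carrying its observables."""
    def handle(msg):
        m = LOG_RE.match(msg["raw"])
        if m is None:  # lines that do not match the pattern are dropped, not alerted on
            return
        bus.publish("events", {
            "timestamp": m["ts"],
            "outcome": m["outcome"],
            "observables": {"user": m["user"], "ip": m["ip"]},
        })
    bus.subscribe("raw_logs", handle)


def enrich_brick(bus):
    """Enrichment brick: correlates the source IP with the threat-intel table."""
    def handle(event):
        ip = event["observables"]["ip"]
        event["enrichment"] = {"threat_intel": THREAT_INTEL.get(ip)}
        bus.publish("enriched_events", event)
    bus.subscribe("events", handle)


def trigger_brick(bus, threshold=3):
    """Trigger brick: raises an alert once the same IP has produced `threshold`
    failed logins. The failed events are attached as evidence."""
    failures = defaultdict(list)

    def handle(event):
        if event["outcome"] != "Failed":
            return
        ip = event["observables"]["ip"]
        failures[ip].append(event)
        if len(failures[ip]) == threshold:  # fire exactly once when the threshold is reached
            bus.publish("alerts", {
                "rule": "ssh_bruteforce",
                "ip": ip,
                "threat_intel": event["enrichment"]["threat_intel"],
                "evidence": list(failures[ip]),
            })
    bus.subscribe("enriched_events", handle)


def run_flow(lines=SAMPLE_LOGS):
    """Wire the bricks into a flow and return the alerts the store brick collected."""
    bus = Bus()
    alerts = []
    bus.subscribe("alerts", alerts.append)  # store brick: persist alerts (here: a list)
    parse_brick(bus)
    enrich_brick(bus)
    trigger_brick(bus)
    source_brick(bus, lines)
    return alerts


if __name__ == "__main__":
    for alert in run_flow():
        print(alert["rule"], alert["ip"], alert["threat_intel"], len(alert["evidence"]))
```

Note that the successful login from 198.51.100.4 flows through every brick but never reaches the alert stage: an event is raw material, and only the pattern (three failures from one address) produces the high-risk state that the Alert entry describes.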

Data Retention

A policy for what happens with stored data. A data retention policy describes how data is stored, how long it is kept, how it is removed when that period ends, and who is responsible for enforcing the rules.

Apps

In the Raven Portal, the column on the left lists the configured items you can work with, for example Activity, Vulnerability Discovery, Audit, Crawl, Santa, Osquery and Cases. These are what we call Apps.

PostgreSQL

PostgreSQL is a powerful, open source object-relational database system with over 35 years of active development, which has earned it a strong reputation for reliability, feature robustness and performance.

Vault

Vault (HashiCorp Vault) offers identity-based security for organisations: it authenticates clients and authorises their access to secrets and other confidential data, such as API keys, database credentials and certificates, so that these never need to live in code or configuration files.

ETL

Extract, Transform, Load: the process in which events are extracted from different sources, transformed into the desired format, and then loaded into a destination system. In Raven, a flow of bricks implements this process.

Block id

A unique identifier for a Brick. It is the reference point used to address the Brick when information is exchanged between it and the other components it is connected to.

Topic

A topic is a named channel in a publish-subscribe messaging system. Bricks publish messages to a topic and subscribe to the topics they want to receive, so topics categorise the data and determine how it is routed through a flow.

End-point

An endpoint is a URI (Uniform Resource Identifier) that an application or service exposes for performing certain operations, for example a URL to which an API accepts requests.

Cron

A cron schedule, named after the Unix cron daemon, is a way to run a task automatically at fixed times. The schedule is written as a cron expression of five fields (minute, hour, day of month, month, day of week), for example `*/5 * * * *` for every five minutes; bricks that poll a source on a timer are typically scheduled this way.
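To make the five-field format concrete, here is an added example (written for this page, not Raven's scheduler) that expands a cron expression into the sets of matching values, checks whether a given time matches it, and finds the next matching minute. It follows the classic (Vixie) cron rule that when both the day-of-month and day-of-week fields are restricted, a time matches if either of them does; the function names and the limit on how far ahead to search are assumptions of this example.

```python
from datetime import datetime, timedelta

# Allowed range per field: minute, hour, day of month, month, day of week (0 = Sunday).
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def _expand(field, lo, hi):
    """Expand one cron field ('*', '*/5', '1-5', '1,15', '1-10/2') into the set of
    integers it matches. Raises ValueError for values outside the field's range."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"cron field out of range: {field!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Parse a five-field cron expression into five sets of matching values."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
    return [_expand(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]


def cron_matches(expr, when):
    """True if `when` (a datetime, seconds ignored) is a minute on which `expr` fires."""
    fields = expr.split()
    minute, hour, day, month, weekday = parse_cron(expr)
    # datetime.weekday() has Monday = 0; cron has Sunday = 0.
    cron_dow = (when.weekday() + 1) % 7
    day_ok = when.day in day
    dow_ok = cron_dow in weekday
    if fields[2] != "*" and fields[4] != "*":
        day_match = day_ok or dow_ok   # both restricted: either suffices (Vixie cron rule)
    else:
        day_match = day_ok and dow_ok
    return when.minute in minute and when.hour in hour and when.month in month and day_match


def next_run(expr, after, limit_days=366):
    """Return the first minute strictly after `after` on which `expr` fires, or None
    if nothing fires within `limit_days` (an assumed search bound)."""
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    end = after + timedelta(days=limit_days)
    while t <= end:
        if cron_matches(expr, t):
            return t
        t += timedelta(minutes=1)
    return None


if __name__ == "__main__":
    now = datetime(2024, 3, 1, 10, 7)  # constructed reference time: a Friday
    for expr in ("*/5 * * * *", "0 2 * * 1-5", "30 6 1 * *"):
        print(expr, "->", next_run(expr, now))
```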

URL

A URL, or Uniform Resource Locator, is a reference or address used to access resources on the internet. It is a string of characters that provides the means to locate and retrieve a specific resource, for example `https://example.com/api/events`.

API

An API, or Application Programming Interface, is a set of rules and tools that allows different software applications to communicate with each other.

Metadata

Metadata refers to data that provides information about other data. Metadata helps describe, explain, locate, and manage data, making it easier to organize, understand, and retrieve information.

Payload

The payload is the actual data or information that is being sent in a message.

JSON

JSON, or JavaScript Object Notation, is a widely used format for representing structured data. It provides a lightweight and human-readable way to organise information as key-value pairs (objects) and ordered lists (arrays).

Webhook

A webhook is a mechanism that allows one system to send real-time data to another system as soon as an event occurs, typically as an HTTP POST with a JSON payload to a URL registered by the receiver. Because that URL is reachable by anyone who discovers it, the receiver should verify that a delivery really came from the expected sender, for example by checking a signature computed with a shared secret, before acting on the payload.
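The Payload, JSON, Schema and Webhook entries come together on the receiving side of a webhook. The block below is an added example for this page, not Raven's webhook implementation: the sender computes an HMAC-SHA256 tag over the exact bytes of the JSON body, and the receiver checks that tag in constant time before parsing the body and validating that the required keys are present. The header name, the secret, the required keys and the sample payload are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Assumed shared secret for the illustration. In practice it is generated randomly,
# stored in a secret store such as Vault, and never committed to code.
WEBHOOK_SECRET = b"replace-with-a-long-random-secret"

# Keys the receiver requires in every payload (an assumed schema for this example).
REQUIRED_KEYS = ("event_type", "timestamp", "observables")


def sign_payload(secret, body):
    """Sender side: HMAC-SHA256 over the raw request body, hex-encoded. The sender
    would place this in a header such as X-Signature (name assumed)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_and_parse(secret, body, signature_header, required_keys=REQUIRED_KEYS):
    """Receiver side: reject the delivery unless the signature matches the raw body,
    then parse the JSON payload and check it against the required keys."""
    if not signature_header:
        raise ValueError("missing webhook signature")
    expected = sign_payload(secret, body)
    # compare_digest avoids leaking how many leading characters matched via timing.
    if not hmac.compare_digest(expected, signature_header):
        raise ValueError("invalid webhook signature")
    payload = json.loads(body)
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    missing = [key for key in required_keys if key not in payload]
    if missing:
        raise ValueError(f"payload missing required keys: {missing}")
    return payload


# Constructed sample payload (not real data).
SAMPLE_PAYLOAD = {
    "event_type": "alert.created",
    "timestamp": "2024-03-01T10:00:09Z",
    "observables": {"ip": "203.0.113.7"},
}


def encode_payload(payload):
    """Serialise deterministically so sender and receiver sign identical bytes."""
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()


def demo():
    """Run the exchange once: a genuine delivery, a tampered body, and a forged
    signature. Returns (parsed_payload, tampered_rejected, forged_rejected)."""
    body = encode_payload(SAMPLE_PAYLOAD)
    signature = sign_payload(WEBHOOK_SECRET, body)
    parsed = verify_and_parse(WEBHOOK_SECRET, body, signature)

    # An attacker who changes the body without knowing the secret cannot fix the tag.
    tampered = body.replace(b"203.0.113.7", b"198.51.100.4")
    try:
        verify_and_parse(WEBHOOK_SECRET, tampered, signature)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True

    # Nor can they produce a valid tag with a guessed secret.
    forged = sign_payload(b"wrong-secret", body)
    try:
        verify_and_parse(WEBHOOK_SECRET, body, forged)
        forged_rejected = False
    except ValueError:
        forged_rejected = True

    return parsed, tampered_rejected, forged_rejected


if __name__ == "__main__":
    parsed, tampered_rejected, forged_rejected = demo()
    print(parsed["event_type"], tampered_rejected, forged_rejected)
```

Sign the raw bytes, not a re-serialised copy of the parsed object: two JSON encoders can produce different whitespace or key order for the same data, and a signature over anything other than the bytes on the wire will fail or, worse, be checked against attacker-controlled input.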

Objects

An object is an instance of a class. It is a self-contained unit that contains both data (attributes) and the procedures or functions (methods) that operate on that data.

Array

An array is a data structure that stores an ordered collection of elements, each identified by its position (index). In JSON an array is written as a list in square brackets; a collection whose elements are identified by a key instead is an object (or map).

Schema

A schema describes the structure and organization of the data.

Logs

Recorded details of the activities and occurrences within a system. These records serve as an account of the events taking place, providing a historical perspective on the system's operations, and are a common source of events for a flow.

Honeypots

Honeypots are security mechanisms designed to detect, deflect, or counteract unauthorized access or attacks on computer systems. These are intentionally deployed decoy systems or resources that mimic legitimate targets, enticing attackers to interact with them.