Security Monitoring and Analytics Terminology
Terminology used throughout the SMA's documentation and the user interface.
SMA Terms and Concepts
| General Terminology | UI and SMA Concepts | Machine Learning |
| Security Event Format | Actor | Asset | Destination | Source | User |
| SEF Field Properties | Commonly Used SEF Fields |
UI and SMA Concepts
| Security Alert rule |
Defines detection conditions that generate alerts, and notifies recipients when alerts are triggered. |
| Data Enrichment |
Adding additional information or context to the data present in the raw logs as they are ingested to increase the analytical value. |
| Watchlist |
A named list of elements of the same type (account, user, IP address / Cidr notation, or string) that can be leveraged by correlation rules to look for matches against specifically defined OSEF fields. These lists can be populated by adding individual elements, uploading from a file, or by setting up a feed. |
| Whitelist |
A list that contains known and trusted entities that will not be considered during threat evaluations, providing detection results less prone to false positives. |
Machine Learning
| Machine learning |
Ingests activity data (collected through Log Analytics) and uses learning models to understand typical user and asset behavior. Therefore, it’s capable of detecting anomalies and making predictions based on learned behavioral patterns. |
| Analysis model |
User-defined learning model that is implemented in machine learning as a building block. |
| Peer Group Analysis model |
A model type that learns typical behavior of users based on what organizations they belong to. |
| SQL Analysis model |
A model type that learns typical SQL execution, in terms of statements executed and the order of their execution, for a single database. Databases must have auditing enabled, and the audit logs must be collected by Log Analytics before learning models can be created. |