ABAC
Identity & AccessAttribute-Based Access Control; an access control model that grants permissions based on attributes such as user role, location, device, or resource type.
A practical A-Z glossary for SIEM, SOAR, XDR, CSPM, ServiceNow SecOps, connector development, detection engineering, SIEM data pipelines, AI security, cloud security, AppSec, compliance, GRC, identity, vulnerability management, and incident response.
Attribute-Based Access Control; an access control model that grants permissions based on attributes such as user role, location, device, or resource type.
A periodic review of who has access to systems, applications, data, and privileged roles.
Access Control List; a rule that controls what users or roles can read, create, update, or delete in a system.
AI that can plan, use tools, take steps, and execute workflows with varying levels of autonomy.
A workflow where AI agents help decide, route, summarize, execute, or recommend actions across business or security processes.
A software system that uses AI to reason over context, call tools, and complete tasks toward a goal.
Policies, controls, reviews, and accountability mechanisms used to manage AI risks and responsible AI usage.
Controls that restrict, validate, monitor, or guide AI behavior to reduce unsafe or unintended outcomes.
The coordination of AI agents, prompts, tools, data sources, approvals, and workflow steps to complete a process.
The practice of protecting AI systems, workflows, prompts, models, data, and tool integrations from misuse, abuse, or failure.
A process that uses AI to assist or automate one or more workflow steps such as triage, summarization, classification, or routing.
Using AI to summarize, classify, enrich, or prioritize alerts, incidents, vulnerabilities, or cases for human review.
A condition where security teams receive too many alerts, making it harder to identify and respond to real threats.
The process of reviewing, prioritizing, and assigning security alerts for investigation or response.
A connection between two systems using APIs to exchange data, trigger actions, or automate workflows.
A unique token used to authenticate access to an API, usually for a specific application, connector, or integration.
The practice of protecting APIs from unauthorized access, abuse, data exposure, injection, and business logic attacks.
The practice of finding and reducing security risks in applications across code, dependencies, configuration, and deployment pipelines.
A process or platform capability used to track, prioritize, assign, and remediate vulnerabilities found in applications.
A shorter term for application security, focused on securing software before and after it reaches production.
A measure of how important an asset is to business operations, security, compliance, or customer impact.
A rule that automatically assigns incidents, tasks, or records to the right team based on defined conditions.
The process of mapping detections, alerts, logs, or controls to MITRE ATT&CK tactics and techniques to understand security coverage.
A sequence of weaknesses, permissions, misconfigurations, or exposures that an attacker could combine to reach a target.
Records, screenshots, logs, tickets, approvals, or reports used to prove that a security control was performed.
A chronological record of actions, changes, approvals, or events that helps prove what happened and when.
A weakness where identity verification is missing, broken, bypassable, or implemented insecurely.
A weakness where a user or system can access data or actions beyond what they should be allowed to access.
A remediation action performed automatically by a system or AI workflow without manual execution.
An AWS service that centralizes security findings and compliance checks across AWS accounts and integrated tools.
A retry pattern that increases wait time between failed requests to reduce load and improve integration reliability.
An application security risk where users can perform actions or access resources outside their intended permissions.
An automated process that compiles, tests, scans, and packages software before release.
A server-side rule in ServiceNow that runs logic when records are inserted, updated, deleted, or queried.
The process of managing security cases, investigations, evidence, tasks, ownership, and resolution steps in a structured workflow.
A controlled process for reviewing, approving, implementing, and documenting changes to systems or applications.
Saving the last successfully processed point in a data sync so the integration can continue without duplicates or data loss.
Security controls built into continuous integration and continuous delivery pipelines to catch risks before release.
Cloud Infrastructure Entitlement Management; a security category focused on identifying and reducing risky cloud permissions.
Common Information Model; a normalized data model commonly used to make security data easier to search and correlate.
A reliability pattern that temporarily stops requests to a failing system so an integration can recover safely.
A prioritized set of cybersecurity safeguards used by organizations to improve security hygiene and reduce common risks.
A structured list of cloud resources such as virtual machines, databases, storage buckets, identities, networks, and workloads.
The process of meeting regulatory, industry, and internal security requirements across cloud environments.
A security, compliance, or operational requirement used to manage risk in a cloud environment.
An insecure cloud setting, such as public storage access, weak permissions, exposed services, or missing encryption.
The likelihood and impact of a security issue in a cloud environment, often based on exposure, permissions, vulnerabilities, and business context.
Configuration Management Database; a system that stores information about IT assets, services, ownership, and relationships.
Cloud-Native Application Protection Platform; a broader cloud security category that combines posture, workload, identity, and application protection.
A semantic code analysis engine commonly used to find security vulnerabilities and coding issues in source code.
Lower-cost storage used for older security data that is retained for compliance, investigation, or historical analysis.
An alternative security measure used to reduce risk when a primary control or remediation cannot be implemented immediately.
The practice of meeting required security, privacy, regulatory, or industry standards.
The process of producing reports that show whether systems, processes, or controls meet required standards.
An identity security approach that allows or blocks access based on conditions such as user, device, location, risk, or application.
The accumulated risk and effort caused by outdated connectors, broken mappings, API changes, missing tests, or undocumented integration behavior.
The process of scanning container images for vulnerabilities, secrets, malware, and risky packages before deployment.
The practice of securing container images, runtimes, registries, orchestration platforms, and deployment pipelines.
An approach where compliance checks run continuously instead of only during periodic audits.
The process of linking technical controls, policies, or evidence to specific requirements in a framework or regulation.
The person or team accountable for implementing, operating, and providing evidence for a security or compliance control.
The process of evaluating whether a security or compliance control is designed and operating effectively.
A rule that connects multiple events or signals to detect a larger security pattern or possible attack.
Security weaknesses caused by missing, weak, or incorrectly implemented encryption, hashing, key management, or data protection.
Cloud Security Posture Management; a system used to identify cloud misconfigurations, risky assets, and compliance gaps.
A connector that exchanges cloud security findings, asset data, compliance status, or risk signals with other platforms.
Common Vulnerabilities and Exposures; a public identifier assigned to a known cybersecurity vulnerability.
Common Vulnerability Scoring System; a scoring method used to rate the severity of vulnerabilities.
Cloud Workload Protection Platform; a security category focused on protecting cloud workloads such as virtual machines, containers, and serverless functions.
Dynamic Application Security Testing; testing a running application for security issues from the outside.
A specific type of security data described within a broader data source, often used to plan detection coverage.
The process of adding extra context to security data, such as asset details, identity information, or threat intelligence.
Converting data from different sources into a consistent structure so it can be searched, correlated, and analyzed reliably.
The process of adding a new log source, parser, schema, enrichment, and validation workflow to a SIEM or analytics platform.
A requirement that data must be stored or processed in a specific country, region, or jurisdiction.
A policy that defines how long logs, records, evidence, or business data should be stored before deletion or archival.
A system, sensor, application, or telemetry source that provides security data for detection, investigation, or response.
The amount of security data generated, transferred, stored, or indexed over a period of time.
A queue used to hold failed or unprocessed messages so they can be investigated without blocking the main data pipeline.
The process of removing duplicate events so analytics, alerts, and storage are not inflated by repeated data.
Security or compliance risk introduced by third-party libraries, packages, frameworks, or open-source components.
A measure of how well existing detections cover relevant threats, tactics, techniques, assets, and data sources.
The discipline of designing, testing, tuning, and maintaining threat detections across SIEM, XDR, cloud, identity, and endpoint data.
A missing or weak detection area where available logs, rules, or response workflows do not adequately cover a relevant threat.
The conditions, queries, thresholds, or behavioral patterns used to identify suspicious activity in a security platform.
A rule that tells a security platform when to generate an alert based on suspicious activity or known attack patterns.
The process of adjusting detection rules to reduce noise, improve accuracy, and maintain useful alerts over time.
A practice that integrates security into development and operations workflows so risks are found earlier and fixed faster.
Digital Operational Resilience Act; a European Union regulation focused on ICT risk management and operational resilience in the financial sector.
Repeated copies of the same security event that can increase costs, create noise, and distort investigations.
Elastic Common Schema; a standard field structure used for logs and events in Elastic environments.
Endpoint Detection and Response; a security tool used to detect, investigate, and respond to threats on endpoints such as laptops, servers, and workstations.
Security data collected from endpoint devices such as laptops, desktops, servers, or workstations.
Exploit Prediction Scoring System; a scoring model that estimates how likely a vulnerability is to be exploited.
Event Query Language; a query language used to search and correlate event sequences in security and observability platforms.
The process of connecting related security events to identify a larger pattern, suspicious sequence, or possible attack.
The number of events generated or ingested by security tools over a defined time period.
The process of gathering screenshots, logs, tickets, approvals, reports, and records to support audits or compliance reviews.
A workflow for documenting, approving, reviewing, and tracking exceptions to security or compliance requirements.
Code, technique, or activity that takes advantage of a vulnerability to affect a system.
The likelihood or ease with which a vulnerability can be exploited in a real environment.
The continuous process of identifying, prioritizing, and reducing exploitable risks across assets, identities, cloud resources, and applications.
An alert or finding that appears suspicious but is not actually a real security threat or vulnerability.
Matching fields from one system to the correct fields in another system so security data remains meaningful after integration.
A reusable ServiceNow automation step that performs a specific task inside a workflow or integration.
A ServiceNow tool used to create workflows and automations with visual flow logic.
General Data Protection Regulation; a European privacy regulation that affects how organizations collect, process, store, and protect personal data.
A set of GitHub security features for code scanning, secret scanning, dependency review, and developer security workflows.
The policies, ownership, processes, and accountability structures used to manage security and compliance programs.
A United States healthcare privacy and security law focused on protecting sensitive health information.
High-performance storage used for recent security data that needs fast search, detection, and investigation.
A workflow checkpoint where a person must review and approve an action before automation continues.
A workflow design where automation or AI pauses for human review, approval, or judgment before continuing.
Identity and Access Management; the discipline of managing digital identities and their access to systems, applications, and data.
Security risk caused by excessive, misused, or poorly managed identity permissions.
Interactive Application Security Testing; testing that analyzes application behavior while the application is running and being exercised.
A property where repeating the same operation produces the same result, helping integrations avoid duplicates during retries.
The process of defining, reviewing, approving, and auditing access across users, roles, applications, and systems.
Adding context such as asset details, user identity, threat intelligence, geolocation, or vulnerability information to an incident.
The process of identifying, containing, investigating, and resolving a security incident.
Organizing ingested data so it can be searched, queried, and retrieved efficiently.
The practice of scanning and governing IaC templates to prevent insecure infrastructure from being deployed.
Rules and processes used to manage what data is ingested, filtered, sampled, normalized, or retained in a security platform.
The level of risk that exists before controls, mitigations, or remediation activities are applied.
An application security flaw where untrusted input is interpreted as commands, queries, or code by a system.
A vulnerability where unsafe handling of serialized data allows attackers to tamper with objects, execute code, or alter application logic.
A security weakness caused by flawed architecture, missing controls, or unsafe business logic rather than a coding bug alone.
A risk where AI-generated output is trusted or passed into systems without proper validation, sanitization, or review.
A packaged set of ServiceNow actions and connectors used to integrate workflows with external applications or services.
Indicator of Compromise; a piece of evidence such as an IP address, domain, file hash, or URL that may indicate malicious activity.
An international standard for establishing, operating, maintaining, and improving an information security management system.
An access model where privileged access is granted only when needed and usually for a limited time.
JSON Web Token; a compact token format often used to represent identity claims and authorize access between systems.
Known Exploited Vulnerabilities; a list or category of vulnerabilities that are confirmed to have been exploited in the wild.
A vulnerability with evidence of active exploitation, making it a high-priority input for remediation decisions.
Kusto Query Language; a query language commonly used to search, analyze, and build detections on telemetry in Microsoft security platforms.
The practice of securing Kubernetes clusters, workloads, identities, networking, secrets, and admission controls.
A security principle where users, applications, and services receive only the access they need to perform their tasks.
Legal or operational risk caused by using open-source or third-party software with incompatible or unmanaged licenses.
Operational practices for deploying, monitoring, evaluating, securing, and maintaining large language model applications.
The process of bringing logs, alerts, events, or telemetry into a SIEM or security analytics platform.
The flow of logs from source systems through collection, parsing, enrichment, normalization, storage, and analytics.
A digital identity used by a machine, workload, service, device, container, or application rather than a human user.
Multi-Factor Authentication; an authentication method requiring more than one proof of identity before granting access.
A Microsoft cloud security posture capability used to assess, prioritize, and improve security posture across cloud environments.
A ServiceNow component that securely connects a ServiceNow instance to internal systems, networks, or data sources.
A risk-reduction action that limits impact or likelihood when full remediation is not yet possible.
A knowledge base of adversary tactics, techniques, and procedures used by security teams to model threats and evaluate detection coverage.
The possibility that an AI or analytical model may produce incorrect, biased, unsafe, or unreliable outcomes.
Mean Time to Detect; the average time it takes to identify that a security incident or threat is occurring.
Mean Time to Respond or Mean Time to Remediate; the average time it takes to respond to or resolve an incident or issue.
A European Union cybersecurity directive that expands security and incident reporting obligations for essential and important entities.
National Institute of Standards and Technology Cybersecurity Framework; a widely used framework for organizing cybersecurity risk management practices.
An identity used by workloads, services, applications, bots, APIs, scripts, or machines instead of people.
ServiceNowโs AI-assisted capability used to support workflows, productivity, summarization, and service operations use cases.
An authorization framework that allows systems to grant secure API access without sharing user passwords.
Open Cybersecurity Schema Framework; a vendor-neutral schema used to organize cybersecurity data consistently.
OpenID Connect; an identity layer built on OAuth 2.0 that helps applications verify user identity.
Security, license, maintenance, or supply-chain risk introduced by open-source packages and dependencies.
A user, service, role, or workload identity that has more permissions than it needs.
Application Security Verification Standard; a framework of security requirements used to test and verify application security controls.
A widely used awareness list of critical web application security risks.
A method APIs use to return large data sets in smaller pages or batches instead of sending everything in one response.
Privileged Access Management; a security discipline focused on controlling, monitoring, and protecting high-risk privileged accounts and sessions.
A component that converts raw logs into structured fields that security tools can understand and analyze.
A secure system used to store, rotate, and control access to privileged credentials and secrets.
The process of identifying, testing, deploying, and verifying software updates that fix vulnerabilities or defects.
Payment Card Industry Data Security Standard; a security standard for organizations that store, process, or transmit payment card data.
A predefined workflow that tells a SOAR platform what actions to take during a specific security scenario.
A documented approval to temporarily or permanently deviate from a required security policy or control.
The practice of writing security, compliance, or operational policies as machine-readable rules that can be tested automatically.
A method where one system repeatedly checks another system for new data at defined intervals.
A cloud security platform commonly used for cloud posture, workload, network, and application security use cases.
Access that allows a user, account, service, or process to perform high-impact administrative or sensitive actions.
An account with elevated permissions that can modify systems, access sensitive data, or perform administrative actions.
An attack where a user or input attempts to manipulate an AI systemโs instructions, behavior, or tool usage.
A condition where a cloud asset is accessible from the internet when it should not be.
Security checks, reviews, and guardrails applied during the pull request process before code is merged.
The compute, storage, or licensing cost associated with running searches or analytics on security data.
Retrieval-Augmented Generation; an AI pattern where a model uses retrieved documents or data to generate more grounded responses.
A restriction on how many API requests can be made within a specific time period.
Role-Based Access Control; an access control model where permissions are assigned to roles rather than individual users.
Cybersecurity expectations and directions issued by the Reserve Bank of India for regulated financial institutions and related entities.
A defined timeline for fixing a security finding, vulnerability, or policy violation based on risk or severity.
A task assigned to a team or owner to fix a vulnerability, control failure, misconfiguration, or security issue.
The expected timeframe within which a vulnerability, finding, or risk should be fixed based on severity and priority.
The risk that remains after controls, mitigations, or remediation activities have been applied.
Code that automatically retries a failed request after a temporary error, timeout, or rate-limit response.
The amount and type of risk an organization is willing to accept while pursuing business objectives.
A structured process for identifying risks, estimating likelihood and impact, and deciding how those risks should be managed.
A structured record of security risks, owners, severity, treatment plans, exceptions, and status.
A vulnerability management approach that prioritizes remediation based on business risk, exploitability, asset criticality, and exposure.
The process of identifying the original source, weakness, or reason behind a security incident.
A configuration that prevents selected alerts from firing under known, acceptable, or noisy conditions.
The ongoing refinement of security rules to make detections more accurate, relevant, and actionable.
A documented step-by-step process for handling a recurring security task, investigation, or incident.
An insecure Amazon S3 storage configuration, such as public access, weak bucket policies, missing encryption, or poor logging.
Security Assertion Markup Language; a standard used to exchange authentication and authorization data, commonly for enterprise SSO.
Static Application Security Testing; scanning source code or compiled code for security issues without running the application.
Software Bill of Materials; an inventory of software components, dependencies, and libraries used in an application.
Software Composition Analysis; scanning third-party and open-source components for vulnerabilities, license issues, and supply-chain risk.
A situation where incoming data changes over time and no longer matches the expected structure.
Converting one data schema into another schema so information can move correctly between systems.
A ServiceNow application built within its own scope to separate code, data, permissions, and configuration from other applications.
A reusable server-side script in ServiceNow used to define functions or logic that can be called from other scripts.
Security Operations; the function responsible for monitoring, detecting, investigating, and responding to security threats.
The practice of securely storing, rotating, and controlling access to sensitive values such as API keys, tokens, passwords, and certificates.
The process of detecting exposed secrets such as API keys, tokens, passwords, certificates, or private keys in code and repositories.
The secure storage, rotation, access control, and audit of sensitive credentials, keys, tokens, and certificates.
A software development lifecycle that includes security practices from design and development through testing, release, and operations.
Using technology to perform repetitive security tasks without manual effort.
A baseline set of recommended security configurations or controls used to assess systems, cloud resources, or workloads.
An integration that connects a security product with another platform such as SIEM, SOAR, XDR, CSPM, or ServiceNow.
A safeguard, process, configuration, or technology used to reduce security risk or meet compliance requirements.
A decision point in a pipeline or workflow that blocks progress when security criteria are not met.
A suspected or confirmed security event that requires investigation, response, containment, or remediation.
A structured process or platform capability used to manage, investigate, and respond to security incidents.
A security weakness caused by unsafe default settings, exposed services, missing hardening, or incorrect configuration.
Connecting multiple security tools so they can work together in one coordinated workflow.
A defined security monitoring scenario that describes what threat or risk should be detected, why it matters, and what response should follow.
A control that separates sensitive responsibilities so one person cannot complete a high-risk process without oversight.
The practice of securing serverless functions, event triggers, permissions, secrets, dependencies, and runtime behavior.
A non-human account used by applications, services, scripts, or workloads to access systems and APIs.
ServiceNowโs security operations suite for managing security incidents, vulnerabilities, and security workflows.
An application packaged and published for distribution through the ServiceNow Store.
The recording of privileged or sensitive user sessions to support monitoring, forensics, accountability, and compliance.
Security Information and Event Management; a platform that collects, analyzes, and correlates security data to detect threats.
A connector that sends logs, alerts, events, or telemetry from a source system into a SIEM platform.
A vendor-neutral rule format used to describe log-based detections that can be converted into platform-specific query languages.
Security Orchestration, Automation, and Response; a system used to automate and coordinate security workflows.
A connector that allows a SOAR platform to trigger actions in another tool through APIs or workflows.
Security Operations Center; a team or facility responsible for monitoring and responding to cybersecurity threats.
A compliance framework for service organizations focused on controls related to security, availability, processing integrity, confidentiality, and privacy.
A SOC 2 report that evaluates whether controls operated effectively over a period of time.
Filtering data close to the source so unnecessary, duplicate, or low-value logs are not sent downstream.
Search Processing Language; the search and analysis language used in Splunk environments.
Single Sign-On; an authentication method that lets users access multiple applications through one trusted identity provider.
Server-Side Request Forgery; a vulnerability where an attacker causes a server to make unintended requests to internal or external systems.
A controlled approach to ingesting a representative subset of high-volume data while preserving useful security visibility.
A more specific behavior under a broader MITRE ATT&CK technique.
A condition where an integration fails to transfer, transform, or process data as expected.
A ServiceNow design approach where one table extends another table to reuse fields, logic, and relationships.
The high-level objective behind an attacker behavior, such as persistence, privilege escalation, or exfiltration.
A specific method an attacker may use to achieve a tactical objective.
The practice of reviewing and scanning Terraform code to prevent insecure cloud infrastructure configurations.
Risk introduced by vendors, suppliers, partners, service providers, or external technology dependencies.
Context about threats, indicators, adversary behavior, and attack patterns used to improve detection and response.
A structured process for identifying potential threats, attack paths, security gaps, and controls for an application or system.
A connected narrative of related security events that helps analysts understand how an attack may have unfolded.
A retention approach that keeps recent data in faster storage and older data in lower-cost storage based on investigation and compliance needs.
The process of obtaining a new access token after the previous token expires so an integration can continue securely.
An AI capability where a model invokes external tools, APIs, or functions to complete tasks.
Tactics, Techniques, and Procedures; a way to describe attacker behavior and operational patterns.
The process of designing security monitoring use cases, including required data, detection logic, alert context, and response steps.
The process of assessing, monitoring, and managing cybersecurity, compliance, and operational risks from third-party vendors.
An approved decision to temporarily accept or defer remediation for a vulnerability under defined conditions.
The process of identifying, prioritizing, and fixing security vulnerabilities across systems, applications, and assets.
A ServiceNow capability used to prioritize, assign, track, and manage vulnerability remediation.
A tool that scans systems, applications, images, or cloud resources to identify known vulnerabilities or risky configurations.
The process of reviewing vulnerability findings to determine severity, exploitability, ownership, and remediation priority.
A specific asset, application, or system record that is affected by a vulnerability and needs review, remediation, or exception handling.
Mid-tier storage used for security data that is less recent but still needs reasonably fast access for investigation or reporting.
A method where one system automatically sends data to another system when an event happens.
A cloud security platform commonly used for cloud posture, exposure management, workload visibility, and cloud risk prioritization.
Automating a sequence of tasks across security tools, ticketing systems, and communication channels.
Extended Detection and Response; a platform that detects and responds to threats across multiple security layers.
A connector that brings external telemetry, alerts, or response actions into an XDR ecosystem.
A rule format commonly used to identify malware families, suspicious files, or patterns in binaries and text.
ForshTec Systems can help design, build, test, and maintain SIEM connectors, SOAR playbooks, XDR connectors, CSPM integrations, ServiceNow SecOps workflows, AI-assisted security workflows, cloud security integrations, AppSec workflows, compliance automation, detection engineering programs, and normalized security data pipelines.