Glossary
A quick reference for the terminology used in Seliq and across the security operations discipline.
Alert A raw event generated by a security tool (SIEM, EDR, cloud platform) indicating a potentially suspicious condition. In Seliq, alerts are ingested, normalised, and queued for AI triage. An alert is not the same as an incident — multiple alerts are often grouped into a single incident.
Asset inventory A catalogue of the hosts, users, and services in a client environment. Seliq uses asset inventory data to enrich alerts — for example, flagging that an affected host is a domain controller rather than a workstation.
C2 (Command and Control) Infrastructure controlled by a threat actor that malware communicates with after infecting a host. C2 communication is a common indicator of active compromise.
CVE (Common Vulnerabilities and Exposures) A standardised identifier for a known security vulnerability (e.g. CVE-2024-3094). Seliq extracts and indexes CVE references from alert data.
EDR (Endpoint Detection and Response) Security software running on endpoints (laptops, servers) that detects and responds to malicious behaviour. Examples: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint.
False positive An alert that indicates a threat that isn’t actually present. A high false positive rate wastes analyst time and leads to alert fatigue.
Incident In Seliq, an incident is the container for a complete security event — one or more correlated alerts, AI analysis, analyst notes, evidence, and the final disposition. The incident is what your analysts work on; alerts are the raw inputs.
IOC (Indicator of Compromise) A forensic artefact observed on a host or in network traffic that indicates a likely intrusion — for example, a known-malicious IP address, file hash, or domain name.
Lateral movement A technique used by attackers to progressively move through a network after an initial compromise, often seeking higher-privilege accounts or sensitive data.
MSSP (Managed Security Service Provider) A company that provides outsourced security monitoring and management to other organisations. MSSPs typically serve multiple clients simultaneously from a shared analyst team, using multi-tenant tooling like Seliq.
MTTR (Mean Time to Resolve) The average time from when an incident is created to when it is closed. A key SLA and performance metric.
MTTA (Mean Time to Acknowledge) The average time from incident creation to the first analyst action. Measures initial response speed.
OCSF (Open Cybersecurity Schema Framework) An open standard for normalising security event data across different vendor formats. Seliq’s internal normalisation pipeline is based on OCSF.
PIR (Post-Incident Report) A written summary of a security incident, how it was handled, and what changes are recommended to prevent recurrence. Seliq auto-drafts PIRs from incident data.
Playbook A defined set of response steps for a specific incident type. In Seliq, playbooks appear as checklists in the investigation view.
SIEM (Security Information and Event Management) A platform that aggregates logs from across an IT environment, detects anomalies, and generates alerts. Examples: Microsoft Sentinel, Splunk, Elastic SIEM.
SLA (Service Level Agreement) A commitment to respond to or resolve an incident within a defined time window. Seliq tracks TTA and TTR against per-client, per-severity SLA targets.
SOC (Security Operations Centre) The team (and often the physical or virtual space) responsible for monitoring, detecting, and responding to security threats.
Triage The process of reviewing an incoming alert, assessing its severity and relevance, and deciding what to do next. In Seliq, AI handles the initial triage automatically.
True positive An alert that correctly identifies a real threat.
Workspace In Seliq, a workspace is an isolated environment for a single client. It contains all of that client’s integrations, incidents, SLA configuration, and report settings. See Setting Up Client Workspaces.