
Glossary

The shared vocabulary for the course. Every lesson uses these terms exactly as defined here.

Why this matters: Selling security to hotel owners means translating between two languages — theirs (rooms, PMS, card machines) and yours (alerts, agents, rules). This glossary is your half of that translation.

This is a living document. When a lesson introduces a new core term, it gets added here. Each entry carries one tag: [core] general security · [wazuh] product-specific · [hotel] hospitality context.

A – C

Agent [wazuh]
A lightweight program installed on a monitored endpoint (server, laptop, POS terminal). It collects logs and security data and ships them to the Wazuh server. In your MSSP, every hotel device you watch runs an agent.
Agent group [wazuh]
A named collection of agents that share one configuration. The core multi-tenancy primitive: one group per hotel client keeps their config — and your sanity — separate.
Alert [core]
The output of a rule that matched an event. The thing a human analyst actually looks at. Most events never become alerts.
CIA triad [core]
The three goals of security: Confidentiality (only the right people see data), Integrity (data isn't tampered with), Availability (systems stay up). Every control exists to protect one of these.
Correlation [core]
Connecting multiple events into one meaningful signal — e.g. 50 failed logins then one success = likely a brute-force break-in.

D – I

Decoder [wazuh]
A definition that tells Wazuh how to read a raw log line and pull out fields (user, source IP, action). Decoding happens before rules run.
Endpoint [core]
Any device that can be monitored: a server, workstation, POS terminal, or virtual machine. At a hotel: front-desk PCs, the PMS server, payment terminals, back-office machines.
Event [core]
A single recorded thing that happened — one log line. A login, a file change, a firewall block. The raw material a SIEM works on.
False positive [core]
An alert that looked bad but was actually benign. Tuning these down is most of an analyst's craft — too many and real alerts get ignored.
Indexer [wazuh]
The Wazuh component that stores and searches alert data (built on OpenSearch). It's what makes "show me every failed login last week" fast.

J – R

Manager / Server [wazuh]
The brain. Receives data from all agents, runs decoders and rules, generates alerts, and manages the agents. One manager can serve many hotels.
MITRE ATT&CK [core]
A free, industry-standard catalog of attacker tactics (goals) and techniques (methods). Wazuh maps its rules to ATT&CK technique IDs so you can speak the common language of defenders.
MSSP [core]
Managed Security Service Provider — a company that runs security monitoring for other businesses. That's you, and hotels are your clients.
PCI DSS [hotel]
Payment Card Industry Data Security Standard — the mandatory rulebook for anyone who handles credit-card data. Hotels are in scope; good logging and monitoring are explicit requirements you can help satisfy.
PMS [hotel]
Property Management System — the core hotel software for reservations, check-in, and folios (e.g. Oracle OPERA). Holds guest PII and links to payments — a crown-jewel asset to monitor.
POS [hotel]
Point of Sale — the terminals/software that take payments (restaurant, bar, front desk). A classic target for card-skimming malware.
RBAC [wazuh]
Role-Based Access Control — rules deciding who can see/do what. Lets you scope a login so a client (or a junior analyst) sees only one hotel's agents.
Rule [wazuh]
Logic that inspects decoded events and decides whether to raise an alert, and at what severity (level). Wazuh ships thousands; you'll add custom ones.
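To see how event, decoder, rule, alert and correlation fit together, here is an added Python sketch of that pipeline; it is not Wazuh's code, and the log lines, IP addresses, rule levels and threshold are constructed for illustration only.

```python
import re
from collections import defaultdict

# Constructed sample events (not real hotel logs): one front-desk PC's auth log.
FAILED = "Mar 03 09:00:0{n} frontdesk-01 sshd[412]: Failed password for clerk from 203.0.113.9 port 5000{n}"
EVENTS = [FAILED.format(n=n) for n in range(1, 6)] + [
    "Mar 03 09:00:07 frontdesk-01 sshd[412]: Accepted password for clerk from 203.0.113.9 port 50006",
    "Mar 03 09:00:08 frontdesk-01 sshd[412]: pam_unix(sshd:session): session opened for user clerk",
    "Mar 03 09:05:00 frontdesk-01 sshd[413]: Accepted password for manager from 198.51.100.4 port 50010",
]

# Decoder: pulls fields (user, source IP, action) out of a raw line. Runs before any rule.
DECODER = re.compile(r"(?P<status>Failed|Accepted) password for (?P<user>\S+) from (?P<srcip>\S+)")

def decode(line):
    m = DECODER.search(line)
    if m is None:
        return None  # the event is still recorded, but no rule can act on it
    action = "login_failed" if m["status"] == "Failed" else "login_success"
    return {"user": m["user"], "srcip": m["srcip"], "action": action}

# Rules: a match on decoded fields, with a severity level. Only alerts at or above
# ALERT_THRESHOLD are raised, so routine successes stay events and never become alerts.
SIMPLE_RULES = {"login_failed": (5, "Login failed"), "login_success": (2, "Login succeeded")}
ALERT_THRESHOLD = 3
BRUTE_FORCE_FAILURES = 5  # correlation: this many failures, then a success, from one IP

def run_rules(lines):
    alerts = []
    failures = defaultdict(int)  # correlation state: failed logins per source IP
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        level, desc = SIMPLE_RULES[ev["action"]]
        if ev["action"] == "login_failed":
            failures[ev["srcip"]] += 1
        elif failures[ev["srcip"]] >= BRUTE_FORCE_FAILURES:
            # Correlation rule: many failures followed by a success from the same IP
            # is a likely brute-force break-in, far more severe than either event alone.
            level, desc = 12, "Brute-force followed by successful login"
            failures[ev["srcip"]] = 0
        if level >= ALERT_THRESHOLD:
            alerts.append({"level": level, "description": desc, **ev})
    return alerts

if __name__ == "__main__":
    for a in run_rules(EVENTS):
        print(a["level"], a["description"], a["user"], a["srcip"])
```

Of the eight constructed events, the session-open line is never decoded and the manager's routine login stays below the alert threshold; the five failures raise level-5 alerts and the success that follows them raises the single level-12 correlation alert an analyst would actually triage.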

S – Z

SIEM [core]
Security Information and Event Management — a system that collects logs from everywhere, analyzes them for signs of trouble, and raises alerts. Wazuh is an open-source SIEM (plus XDR).
SOC [core]
Security Operations Center — the team (and process) that watches alerts and responds. Your MSSP is a SOC sold as a service.
Triage [core]
The analyst's first decision on an alert: real threat, false positive, or needs investigation — and how urgently.
XDR [core]
Extended Detection and Response — detection that can also act (e.g. block an IP, kill a process). Wazuh includes "active response" for this.
