Glossary

Alert

An incoming event delivered to Energy SOAR from a connected source such as a SIEM, EDR, or email gateway. Alerts appear in the Alerts list and must be triaged by an analyst before they enter the case workflow. An alert can be imported into a new or existing case, ignored, or deleted. See Alerts.

Analyzer

An Automation plugin that queries an external service (threat intelligence feed, sandbox, DNS resolver, etc.) against a single observable and returns a verdict: malicious, suspicious, safe, or info. Analyzers run asynchronously; results appear in the observable row once complete. See Analyzers.

ATT&CK

The MITRE ATT&CK framework — a knowledge base of adversary tactics, techniques, and procedures (TTPs). Energy SOAR lets analysts tag cases with ATT&CK procedures through the TTPs tab, and administrators manage the ATT&CK pattern library under Admin > ATT&CK Patterns.

Automation

The analysis and response engine that runs analyzers and responders. Energy SOAR connects to one or more Automation instances. Automation handles job queuing, execution, and result storage; Energy SOAR displays results and lets analysts trigger new jobs.

Case

The primary investigation object in Energy SOAR. A case groups all artefacts (tasks, observables, TTPs, timeline events) related to a single incident. Cases are created from alerts or manually and progress from Open to Resolved / Closed. See Cases.

Case Template

A pre-configured set of tasks, tags, custom fields, title prefix, severity, TLP, and PAP that is applied to a new case at creation time. Templates appear as a dropdown in the Import alert dialog and in the new case dialog. Administrators manage templates under Organisation > Case Templates.

Custom Field

An administrator-defined field that extends the case or alert data model. Custom fields can be of type string, integer, float, boolean, or date. They appear in the Additional Information section of a case and can be set via API or case templates. See Administration.

Dashboard

A configurable page of charts and metrics that visualise case and alert data for the current organisation. Dashboards can be Private (visible only to the creator) or Shared (visible to all organisation members). See Dashboard.

Flag (observable)

One of four boolean attributes on an observable:

  • Is IOC — marks the observable as a confirmed indicator of compromise; only IOC-flagged observables are exported to MISP.

  • Has been sighted — indicates the observable was observed in the environment.

  • Ignore for similarity — disables cross-case matching for this observable.

  • Linked — similarity check is active (set automatically).
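The two similarity flags above interact: an observable marked Ignore for similarity is neither matched nor used to match others, so a hit on one side of a pair is enough to suppress the link on both sides. The following is an added illustration of that cross-case matching logic, not Energy SOAR's own implementation; the data classes, the normalisation rule (type plus case-folded value) and the sample cases are constructed for this example.

```python
"""Cross-case observable similarity, as a constructed illustration.

Energy SOAR sets the "Linked" flag when an observable's similarity check
finds the same observable in another case, and "Ignore for similarity"
opts an observable out of that matching. The data model and functions
below are assumptions made for this example, not the product's own code.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Observable:
    data_type: str                    # observable type, e.g. "ip", "domain", "hash"
    data: str                         # the value itself
    ignore_similarity: bool = False   # "Ignore for similarity" flag
    linked: bool = False              # "Linked" flag, set by the check


@dataclass
class Case:
    case_id: str
    observables: list = field(default_factory=list)


def normalise(obs):
    """Key used for matching: type plus a trimmed, case-folded value.

    Domains and hex hashes are case-insensitive in practice; matching on
    the raw string would miss "EVIL.example" vs "evil.example".
    (Assumption for this example: the product may normalise differently.)
    """
    return (obs.data_type, obs.data.strip().lower())


def link_similar_observables(cases):
    """Set `linked` on every observable that also appears in another case.

    Observables flagged ignore_similarity are neither matched nor used to
    match others. Returns a mapping from observable key to the sorted list
    of case ids it occurs in, restricted to keys seen in two or more cases.
    """
    index = defaultdict(set)
    for case in cases:
        for obs in case.observables:
            if obs.ignore_similarity:
                continue
            index[normalise(obs)].add(case.case_id)

    shared = {key: sorted(ids) for key, ids in index.items() if len(ids) > 1}

    for case in cases:
        for obs in case.observables:
            obs.linked = (not obs.ignore_similarity
                          and normalise(obs) in shared)
    return shared


def related_cases(cases, case_id):
    """Case ids sharing at least one non-ignored observable with case_id."""
    shared = link_similar_observables(cases)
    related = set()
    for ids in shared.values():
        if case_id in ids:
            related.update(ids)
    related.discard(case_id)
    return sorted(related)


# Constructed sample data: three cases, two of which share an IP, and a
# noisy internal DNS resolver address that case-1 deliberately ignores.
SAMPLE_CASES = [
    Case("case-1", [
        Observable("ip", "203.0.113.10"),
        Observable("domain", "EVIL.example"),
        Observable("ip", "10.0.0.53", ignore_similarity=True),
    ]),
    Case("case-2", [
        Observable("ip", "203.0.113.10"),
        Observable("ip", "10.0.0.53"),
    ]),
    Case("case-3", [
        Observable("domain", "evil.example"),
        Observable("hash", "d41d8cd98f00b204e9800998ecf8427e"),
    ]),
]

if __name__ == "__main__":
    for key, ids in link_similar_observables(SAMPLE_CASES).items():
        print(f"{key[0]}={key[1]} seen in {ids}")
    print("related to case-1:", related_cases(SAMPLE_CASES, "case-1"))
```

Note that 10.0.0.53 is not reported as shared even though case-2 does not ignore it: the ignore flag on the case-1 copy removes it from the index, so the Linked flag stays off in both cases. That is the behaviour to expect when analysts use Ignore for similarity on noisy internal infrastructure.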

IOC

Indicator of Compromise. An observable flagged as Is IOC in Energy SOAR. Only IOC-flagged observables are exported to MISP.

MISP

Malware Information Sharing Platform. Energy SOAR can export IOC-flagged observables to a connected MISP instance and import MISP events as alerts. See MISP Integration.

Observable

An artifact attached to a case or alert — for example an IP address, domain, URL, file hash, email address, or filename. Observables can be analysed by Automation analyzers and acted on by responders. See Working with Observables.

Observable Type

A named data type that classifies observables — for example ip, domain, url, hash, or filename. Each observable must belong to exactly one type. Types marked isAttachment store a file rather than a plain string. Administrators manage observable types under Admin > Observable Types.

Organisation

A tenant within the Energy SOAR instance. Each organisation has its own users, cases, alerts, and settings. Data is fully isolated between organisations by default. A single user account can belong to multiple organisations with different profiles in each. See Organisation.

PAP

Permissible Actions Protocol — a colour-coded classification that indicates what actions the recipient may take using the information in a case or observable. It complements TLP, which governs who the information may be shared with, not what may be done with it:

  • WHITE — no restrictions on how the information may be used.

  • GREEN — active actions are allowed, for example scanning or pinging the attacker's infrastructure, blocking traffic to and from it, or configuring honeypots to interact with it.

  • AMBER — the information may be used, but only in ways the attacker cannot detect; contacting or probing the attacker's infrastructure directly is not allowed.

  • RED — non-detectable, passive actions only, such as searching logs that are visible only to the owner.

Profile

A named set of permissions assigned to a user within an organisation. The same user can hold different profiles in different organisations. Energy SOAR ships with four built-in profiles: admin, analyst, org-admin, and read-only. See Administration.

Responder

An Automation plugin that performs an automated action against an observable, task, case, or alert — for example blocking an IP on a firewall, sending an email notification, or creating a ticket in an external system. Responders run asynchronously. See Responders.

Severity

A four-level classification of case or alert urgency: Low, Medium, High, and Critical. Severity is displayed as a coloured badge and controls sort order in some views.

Tag

A free-form label attached to a case, alert, or observable. Tags can come from taxonomy libraries (e.g. MISP taxonomies) or be created manually as custom tags. Administrators manage custom tags under Organisation > Custom Tags.

Task

A unit of work within a case. Tasks have a Group (category), a Title, an optional assignee, and a status of Waiting, In Progress, or Completed. Tasks can require a task log before closing. See Tasks.

Task Group

A label that categorises tasks within a case, such as Communication, Identification, or Containment. Groups are defined in case templates and used to organise the task list.

TLP

Traffic Light Protocol — a classification scheme that states how far sensitive information may be redistributed:

  • TLP:WHITE — unrestricted disclosure (called TLP:CLEAR in TLP version 2.0).

  • TLP:GREEN — sharing limited to the wider community.

  • TLP:AMBER — limited disclosure, restricted to the recipients' own organisations.

  • TLP:RED — no sharing beyond the named recipients.

TLP is set on cases and observables and controls what information can be shared with linked organisations.

TTP

Tactic, Technique, and Procedure — a reference to a specific MITRE ATT&CK entry documenting adversary behaviour. Analysts add TTPs to cases on the TTPs tab to record which attack patterns were observed during an investigation.

Webhook

An HTTP callback that Energy SOAR Base fires when an audit event occurs. Each webhook sends a JSON payload to a configured URL. Webhooks are activated per organisation via the API and configured in the notifications system. See Notifications.

Workflow

An automated playbook built in the integrated n8n workflow engine. Workflows can trigger on Energy SOAR events (new case, new alert, observable added) and perform automated enrichment, notification, or response actions. See Workflows.