Terms used across mlab IR.
Alert: The atomic unit of ingestion. It comes from a security tool and carries a source, a severity, observables and the raw payload. An alert lives in the triage queue until it is dismissed or escalated.
Case: A structured investigation, created by escalating one or more alerts. A case holds the timeline, observables, evidence, comments, ATT&CK mapping and resolution.
Observable: An indicator of compromise (IOC): an IP, domain, hash, URL, email address, user account, registry key, etc. Observables are tracked across alerts and cases, and cross-case correlation is surfaced automatically.
Suppression rule: A rule that prevents alerts matching a pattern from reaching the triage queue. Scoped globally or per source. Time-bound: each rule is reviewed when its expiry hits.
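The scope and expiry semantics described above, as an added example (this is not ir.mlab.sh code): a rule is assumed to be a field-equality pattern with an optional source scope and an expiry date, and the field names, rule names and alerts are constructed for illustration. An expired rule stops suppressing and is surfaced for review rather than silently continuing to hide alerts.

```python
"""Suppression-rule evaluation at the ingestion boundary.

Added example, not ir.mlab.sh code. It assumes a rule is a field-equality
pattern with an optional source scope and an expiry; the page does not
specify the real rule format, so the field names here are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class SuppressionRule:
    name: str
    pattern: Dict[str, str]                # every field must match exactly
    scope: Optional[str] = None            # None = global, else a source name
    expires_at: Optional[datetime] = None  # None = never expires (avoid this)


@dataclass
class Alert:
    source: str
    severity: str
    fields: Dict[str, str] = field(default_factory=dict)


def rule_matches(rule: SuppressionRule, alert: Alert, now: datetime) -> bool:
    """True only for an unexpired rule whose scope and pattern both fit the alert."""
    if rule.expires_at is not None and now >= rule.expires_at:
        return False                       # expired rules stop suppressing
    if rule.scope is not None and rule.scope != alert.source:
        return False                       # per-source rule, different source
    attrs = {"source": alert.source, "severity": alert.severity, **alert.fields}
    return all(attrs.get(k) == v for k, v in rule.pattern.items())


def route_alert(alert: Alert, rules: List[SuppressionRule],
                now: datetime) -> Tuple[str, Optional[str]]:
    """Return ("suppressed", rule_name) or ("triage", None)."""
    for rule in rules:
        if rule_matches(rule, alert, now):
            return ("suppressed", rule.name)
    return ("triage", None)


def rules_due_for_review(rules: List[SuppressionRule], now: datetime,
                         horizon: timedelta = timedelta(days=7)) -> List[str]:
    """Names of rules already expired or expiring within `horizon`."""
    return [r.name for r in rules
            if r.expires_at is not None and r.expires_at <= now + horizon]


def demo() -> dict:
    """Constructed rules and alerts; returns the routing decisions."""
    utc = timezone.utc
    now = datetime(2024, 1, 10, tzinfo=utc)
    rules = [
        SuppressionRule("noisy-edr-test-rule", {"rule_id": "EDR-1042"},
                        scope="edr", expires_at=datetime(2024, 2, 1, tzinfo=utc)),
        SuppressionRule("drop-info", {"severity": "info"},
                        expires_at=datetime(2024, 1, 5, tzinfo=utc)),  # expired
    ]
    alerts = {
        "edr_1042": Alert("edr", "low", {"rule_id": "EDR-1042"}),
        "firewall_1042": Alert("firewall", "low", {"rule_id": "EDR-1042"}),
        "edr_info": Alert("edr", "info"),
    }
    return {
        "routes": {k: route_alert(a, rules, now) for k, a in alerts.items()},
        "review": rules_due_for_review(rules, now),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The per-source rule does not touch the identical firewall alert, and the expired global rule no longer suppresses the info alert but does show up in the review list.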
Triage queue: The analyst's main inbox. Saved filters and bulk actions live here. The platform's job is to keep this queue shallow.
Resolution: The final classification of a resolved case: true positive, false positive, benign, or duplicate. It drives metrics and feeds the suppression-rule suggestions.
SLA: Service-level agreement. Per-severity targets for acknowledge, triage and resolve times. Breaches generate timeline events and, if configured, webhooks.
Timeline: An immutable, append-only log of everything that happens to an alert or case: status transitions, comments, evidence, mentions, observable additions and ATT&CK tags.
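How per-severity SLA targets turn into timeline events, and why the timeline must be append-only, as one added example covering both entries (this is not ir.mlab.sh code). The target minutes, stage names and event shape are constructed; the page only states that targets exist per severity for acknowledge, triage and resolve and that breaches produce timeline events.

```python
"""SLA breach detection writing to an append-only case timeline.

Added example, not ir.mlab.sh code. The per-severity targets, the stage
names and the event shape are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed targets, in minutes from case creation.
SLA_TARGETS = {
    "critical": {"acknowledge": 15, "triage": 60, "resolve": 240},
    "high": {"acknowledge": 30, "triage": 240, "resolve": 1440},
    "low": {"acknowledge": 480, "triage": 1440, "resolve": 10080},
}


@dataclass(frozen=True)
class Event:
    at: datetime
    kind: str
    detail: str


class Timeline:
    """Append-only: callers can add events but never edit or remove them."""

    def __init__(self) -> None:
        self._events: List[Event] = []

    def append(self, at: datetime, kind: str, detail: str) -> Event:
        ev = Event(at, kind, detail)
        self._events.append(ev)
        return ev

    def events(self) -> Tuple[Event, ...]:
        return tuple(self._events)  # a copy, so the log cannot be mutated


@dataclass
class Case:
    case_id: str
    severity: str
    created_at: datetime
    acknowledged_at: Optional[datetime] = None
    triaged_at: Optional[datetime] = None
    resolved_at: Optional[datetime] = None
    timeline: Timeline = field(default_factory=Timeline)


def check_sla(case: Case, now: datetime, targets=SLA_TARGETS) -> List[str]:
    """Append one 'sla_breach' event per stage whose target has passed without
    the stage completing in time. Safe to call repeatedly: a breach that is
    already on the timeline is not recorded twice."""
    recorded = {e.detail for e in case.timeline.events() if e.kind == "sla_breach"}
    stages = {"acknowledge": case.acknowledged_at,
              "triage": case.triaged_at,
              "resolve": case.resolved_at}
    breached = []
    for stage, done_at in stages.items():
        deadline = case.created_at + timedelta(minutes=targets[case.severity][stage])
        reference = done_at if done_at is not None else now
        if reference > deadline and stage not in recorded:
            case.timeline.append(now, "sla_breach", stage)
            breached.append(stage)
    return breached


def demo() -> dict:
    """Constructed critical case: acknowledged on time, triaged late, never resolved."""
    utc = timezone.utc
    case = Case("C-42", "critical", datetime(2024, 1, 10, 10, 0, tzinfo=utc),
                acknowledged_at=datetime(2024, 1, 10, 10, 10, tzinfo=utc))
    first = check_sla(case, datetime(2024, 1, 10, 11, 30, tzinfo=utc))
    second = check_sla(case, datetime(2024, 1, 10, 11, 31, tzinfo=utc))  # no duplicate
    case.triaged_at = datetime(2024, 1, 10, 11, 30, tzinfo=utc)
    third = check_sla(case, datetime(2024, 1, 10, 15, 0, tzinfo=utc))
    return {"first": first, "second": second, "third": third,
            "timeline": [(e.kind, e.detail) for e in case.timeline.events()]}


if __name__ == "__main__":
    print(demo())
```

Running the check on a schedule is idempotent because the timeline itself is the record of which breaches have already been raised; nothing needs a separate "breach already sent" flag that could drift out of sync with the log.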
Evidence: Files attached to a case: screenshots, PCAPs, log exports. Stored on your uploads volume, never with a third party.
ATT&CK: The community knowledge base of adversary tactics, techniques and procedures. ir.mlab.sh lets you tag cases with techniques and view your coverage as a heat map.
RBAC: Role-based access control. Admin, Analyst and Viewer roles plus custom roles. Permissions can be scoped per case for sensitive investigations.
Webhook: An outbound HTTP POST fired on case state transitions, used to integrate with ticketing, chat and runbooks. Signed with HMAC-SHA256; retried with exponential backoff for up to 24 h.
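What the receiving side of such a webhook should do with the HMAC-SHA256 signature, plus a backoff schedule that stays inside the 24 h window, as an added example (this is not ir.mlab.sh code). The header name, the hex encoding, the 30 s base delay and the factor of 2 are assumptions; the page only states HMAC-SHA256 signing and exponential backoff up to 24 h.

```python
"""Webhook signing, receiver-side verification and the retry schedule.

Added example, not ir.mlab.sh code. The header name, signature encoding,
base delay and factor are assumptions; the page only says webhooks are
signed with HMAC-SHA256 and retried with exponential backoff up to 24 h.
"""
import hashlib
import hmac
import json
from typing import List

SIGNATURE_HEADER = "X-Signature-256"  # assumed header name


def sign_body(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes put on the wire, hex-encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Receiver side: recompute over the raw request body and compare in
    constant time. Re-serialising parsed JSON first changes the bytes and
    rejects valid deliveries (see demo)."""
    presented = headers.get(SIGNATURE_HEADER, "")
    expected = sign_body(secret, raw_body)
    return hmac.compare_digest(expected, presented)


def retry_delays(base_seconds: int = 30, factor: int = 2,
                 max_total_seconds: int = 24 * 3600) -> List[int]:
    """Exponential backoff delays whose cumulative wait stays within the
    24 h window. Senders normally add jitter; omitted here for determinism."""
    delays, total, delay = [], 0, base_seconds
    while total + delay <= max_total_seconds:
        delays.append(delay)
        total += delay
        delay *= factor
    return delays


def demo() -> dict:
    """Constructed secret and payload; shows which deliveries verify."""
    secret = b"constructed-shared-secret"
    body = b'{"case_id":"C-1","state":"resolved"}'  # constructed payload
    headers = {SIGNATURE_HEADER: sign_body(secret, body)}
    tampered = body.replace(b"resolved", b"open")
    reserialised = json.dumps(json.loads(body)).encode()  # same JSON, other bytes
    return {
        "valid": verify_webhook(secret, body, headers),
        "tampered": verify_webhook(secret, tampered, headers),
        "reserialised": verify_webhook(secret, reserialised, headers),
        "missing_header": verify_webhook(secret, body, {}),
        "delays": retry_delays(),
    }


if __name__ == "__main__":
    print(demo())
```

The `reserialised` case is the common integration bug: the receiver parses the JSON, dumps it again and signs that, so whitespace differences make every genuine delivery fail verification. Always verify against the raw body bytes before parsing.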
The 48-hour window during which a cached license keeps the instance running if mlab.sh is unreachable. See Licensing.
MTTA / MTTR: Mean Time To Acknowledge / Mean Time To Resolve. Built-in dashboard metrics, sliced by source, severity and analyst.