Reference
Glossary
Key terms and definitions for Guardian Ops and abuse management concepts
This glossary defines key terms and concepts used throughout Guardian Ops and related abuse management workflows. Many of these concepts are also used in AbuseHQ and other Abusix products.
One of the three core concepts of Guardian Ops. The process of combining multiple related abuse reports or events into meaningful groups (customers / cases) for easier management and response. API Resolver
A powerful resolver type that sends queries to a specified endpoint to identify customers and contracts. Can integrate with external APIs to link abuse reports to identifiers and data from your customer relationship management. Automation
One of the three core concepts of Guardian Ops. The use of playbooks and workflows to automatically handle routine tasks and responses in abuse management.
A structured container that groups related abuse events for investigation and resolution. Cases are created based on configurable rules and can aggregate multiple reports affecting the same customer or contract. Case Group
A collection mechanism that organizes cases based on specific rulesets. Case groups act as buckets where cases are categorized depending on attributes like abuse type, customer, or contract. Case Rule
Logic that defines how cases are created or associated with events. The default rule creates one case per customer, but this can be customized for different workflows. Contract
A customer’s specific resources or services (e.g., mobile vs. DSL connections, servers, domains). Multiple contracts can belong to a single customer. Contract ID
A unique identifier for contracts. Customer
An individual or company entity with a unique identifier. In Guardian Ops, customers represent the parties responsible for IP addresses or resources generating abuse reports. Customer ID
A unique identifier to identify your customers. Can be a real customer ID or pseudonymized. Customer Resolving
The process of linking abuse reports to the correct customers, contracts, and tenants.
A single instance of reported abuse activity, typically parsed from an abuse report email or submitted via API (e.g., XARF). Events contain details about the abuse incident and are processed through inbound processing flows. Event Type
A classification assigned to events during inbound processing to categorize the nature of the abuse (e.g., spam, malware, copyright, phishing). Guardian Ops supports 43 distinct event types, some with additional subtypes for granular classification.
The configurable workflow that determines which events reach Guardian Ops and how those events are enriched. It includes filtering, resolver application, and routing to appropriate case groups. Incident IP Resolver
A resolver type that sets the subscriber ID to the IP address if available in the event data. If no IP is found, the event remains unresolved.
Individual components in inbound processing flows or playbooks that perform specific functions like filtering, resolving, or routing events and cases.
One of the three core concepts of Guardian Ops. The coordination and management of abuse response workflows across different teams, systems, and processes.
Automated or semi-automated workflows that define how cases should be handled. Playbooks can include tasks like sending notifications, waiting for conditions, making API calls, or resolving cases.
A component that identifies and enriches events with customer and contract information. Types include Static, API-based, Domain, Header-based, and others. Resolver Data
Additional metadata attached to events during the resolution process, providing context about customers, contracts, or other relevant information.
A resolver type that assigns a predefined static ID to all events passing through it.
Individual actions within playbooks, such as delays, API calls, notifications, or conditional logic operations. Tenant
A way to distinguish between subsidiaries or divisions that might have overlapping customer identifiers. Tenants help organize customers in multi-organizational environments.
An event that couldn’t be matched to a customer or contract during inbound processing. These events require manual review or configuration updates to the active inbound processing flow.
A
AggregationOne of the three core concepts of Guardian Ops. The process of combining multiple related abuse reports or events into meaningful groups (customers / cases) for easier management and response. API Resolver
A powerful resolver type that sends queries to a specified endpoint to identify customers and contracts. Can integrate with external APIs to link abuse reports to identifiers and data from your customer relationship management. Automation
One of the three core concepts of Guardian Ops. The use of playbooks and workflows to automatically handle routine tasks and responses in abuse management.
C
CaseA structured container that groups related abuse events for investigation and resolution. Cases are created based on configurable rules and can aggregate multiple reports affecting the same customer or contract. Case Group
A collection mechanism that organizes cases based on specific rulesets. Case groups act as buckets where cases are categorized depending on attributes like abuse type, customer, or contract. Case Rule
Logic that defines how cases are created or associated with events. The default rule creates one case per customer, but this can be customized for different workflows. Contract
A customer’s specific resources or services (e.g., mobile vs. DSL connections, servers, domains). Multiple contracts can belong to a single customer. Contract ID
A unique identifier for contracts. Customer
An individual or company entity with a unique identifier. In Guardian Ops, customers represent the parties responsible for IP addresses or resources generating abuse reports. Customer ID
A unique identifier to identify your customers. Can be a real customer ID or pseudonymized. Customer Resolving
The process of linking abuse reports to the correct customers, contracts, and tenants.
E
EventA single instance of reported abuse activity, typically parsed from an abuse report email or submitted via API (e.g., XARF). Events contain details about the abuse incident and are processed through inbound processing flows. Event Type
A classification assigned to events during inbound processing to categorize the nature of the abuse (e.g., spam, malware, copyright, phishing). Guardian Ops supports 43 distinct event types, some with additional subtypes for granular classification.
I
Inbound ProcessingThe configurable workflow that determines which events reach Guardian Ops and how those events are enriched. It includes filtering, resolver application, and routing to appropriate case groups. Incident IP Resolver
A resolver type that sets the subscriber ID to the IP address if available in the event data. If no IP is found, the event remains unresolved.
N
NodeIndividual components in inbound processing flows or playbooks that perform specific functions like filtering, resolving, or routing events and cases.
O
OrchestrationOne of the three core concepts of Guardian Ops. The coordination and management of abuse response workflows across different teams, systems, and processes.
P
PlaybookAutomated or semi-automated workflows that define how cases should be handled. Playbooks can include tasks like sending notifications, waiting for conditions, making API calls, or resolving cases.
R
ResolverA component that identifies and enriches events with customer and contract information. Types include Static, API-based, Domain, Header-based, and others. Resolver Data
Additional metadata attached to events during the resolution process, providing context about customers, contracts, or other relevant information.
S
Static String ResolverA resolver type that assigns a predefined static ID to all events passing through it.
T
TaskIndividual actions within playbooks, such as delays, API calls, notifications, or conditional logic operations. Tenant
A way to distinguish between subsidiaries or divisions that might have overlapping customer identifiers. Tenants help organize customers in multi-organizational environments.
U
Unresolved EventAn event that couldn’t be matched to a customer or contract during inbound processing. These events require manual review or configuration updates to the active inbound processing flow.