Practise vocabulary for SIEM alerts, threat hunting, IOCs, MITRE ATT&CK, and SOC analyst communication.
1 / 6
An Indicator of Compromise (IOC) is:
IOC examples: a known malware file hash, a C2 domain in DNS logs, a suspicious IP in firewall logs, a registry persistence key. SOC analysts use IOCs to search for evidence of intrusion across the environment.
2 / 6
SIEM, in a SOC context, stands for and means:
A SIEM (e.g. Splunk, Microsoft Sentinel, IBM QRadar) ingests logs from firewalls, endpoints, servers, and cloud — correlating events against detection rules to generate alerts SOC analysts investigate.
3 / 6
Alert triage in a SOC means:
Triage is the initial assessment: is this alert a real threat? SOC analysts examine context (user, asset, time, behaviour baseline) to make a disposition: close as false positive, escalate for incident response, or continue investigation.
4 / 6
The MITRE ATT&CK framework is used to:
MITRE ATT&CK is a knowledge base of adversary behaviour: Tactics (why) → Techniques (how) → Sub-techniques (specific method). Example: Tactic: Credential Access, Technique: OS Credential Dumping, Sub-technique: LSASS Memory.
5 / 6
Threat hunting in a SOC differs from alert triage in that threat hunters:
Threat hunting is proactive: 'If an attacker used living-off-the-land techniques, I would expect to see PowerShell downloading payloads from unusual domains. Let me query DNS logs for that pattern.' It finds what detection rules miss.
6 / 6
Dwell time in a security incident refers to:
Industry reports often cite dwell times of weeks to months — meaning attackers operated undetected for extended periods. Reducing dwell time is a key SOC effectiveness metric: shorter dwell = less damage before containment.