Alert Triage
1. The SOC receives 500 alerts per shift. Analysts first categorise each as true positive, false positive, or benign true positive. What is this process called?
2. Before investigating, the analyst automatically enriches the alert with the IP reputation score, the user's recent activity, and the asset's business criticality. What is this enrichment called?
3. An analyst reviews an alert, determines it is a real attack, and escalates it to the Tier 2 team for deeper investigation. What did the analyst determine the alert was?
4. An analyst needs to prioritise 10 open alerts. They consider the severity of the potential attack, the criticality of the affected asset, and the confidence level of the detection. What framework are they applying?
5. An analyst determines that an alert fired on legitimate admin activity (a sysadmin running a scheduled backup). The alert is accurate but not malicious. How is this classified?
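The enrichment, classification and prioritisation steps these questions describe can be tied together in a small triage routine. The following is an added example written for this page, not code from any SOC platform; the alerts, the IP-reputation table, the asset inventory, the admin-activity allowlist and the scoring weights are all constructed assumptions.

```python
"""Added example: minimal alert-triage pipeline (enrich, classify, prioritise).

Illustrative code for this page, not vendor tooling. Every data source and
weight below is a constructed assumption standing in for a threat-intel
platform, a CMDB, an identity log and a detection engineer's tuning.
"""
from dataclasses import dataclass, field

# Constructed enrichment sources (assumptions).
IP_REPUTATION = {"203.0.113.7": 90, "198.51.100.4": 10}   # 0..100, higher is worse
ASSET_CRITICALITY = {"db-prod-01": 5, "laptop-042": 2}     # 1..5, business criticality
# (user, asset, activity) tuples known to be authorised admin work.
ALLOWLISTED_ADMIN_ACTIVITY = {("svc_backup", "db-prod-01", "scheduled_backup")}


@dataclass
class Alert:
    alert_id: str
    rule: str
    src_ip: str
    user: str
    asset: str
    severity: int        # 1..5, set by the detection rule
    confidence: float    # 0..1, detector's confidence in the match
    activity: str
    enrichment: dict = field(default_factory=dict)


def enrich(alert: Alert) -> Alert:
    """Attach context an analyst would otherwise look up by hand."""
    alert.enrichment = {
        "ip_reputation": IP_REPUTATION.get(alert.src_ip, 50),          # unknown -> neutral
        "asset_criticality": ASSET_CRITICALITY.get(alert.asset, 3),    # unknown -> medium
        "known_admin_activity": (alert.user, alert.asset, alert.activity)
        in ALLOWLISTED_ADMIN_ACTIVITY,
    }
    return alert


def classify(alert: Alert) -> str:
    """Return 'true_positive', 'benign_true_positive' or 'false_positive'."""
    e = alert.enrichment
    if e["known_admin_activity"]:
        # The rule matched real activity, but the activity is authorised.
        return "benign_true_positive"
    if e["ip_reputation"] < 20 and alert.confidence < 0.3:
        # Clean source plus a weak match: treat as noise (threshold is an assumption).
        return "false_positive"
    return "true_positive"


def priority_score(alert: Alert) -> float:
    """Severity x asset criticality, scaled by detector confidence (weights assumed)."""
    return round(alert.severity * alert.enrichment["asset_criticality"] * alert.confidence, 2)


def triage(alerts: list[Alert]) -> list[dict]:
    """Enrich, classify and rank alerts; only true positives are flagged for Tier 2."""
    rows = []
    for a in alerts:
        enrich(a)
        verdict = classify(a)
        rows.append({
            "alert_id": a.alert_id,
            "verdict": verdict,
            "score": priority_score(a),
            "escalate": verdict == "true_positive",
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def triage_sample() -> list[dict]:
    """Run the pipeline over three constructed alerts."""
    sample = [
        Alert("A1", "ssh_brute_force", "203.0.113.7", "root", "db-prod-01", 4, 0.9, "ssh_login"),
        Alert("A2", "mass_file_read", "198.51.100.4", "svc_backup", "db-prod-01", 3, 0.8, "scheduled_backup"),
        Alert("A3", "rare_process", "198.51.100.4", "alice", "laptop-042", 2, 0.2, "rare_process"),
    ]
    return triage(sample)


if __name__ == "__main__":
    for row in triage_sample():
        print(row)
```

A2 is the scheduled-backup case from question 5: the detection is accurate, so it is not a false positive, but the allowlist lookup during enrichment marks it benign and keeps it out of the escalation queue. A1 is the only alert that reaches Tier 2, and it ranks first because a high-severity rule fired with high confidence on the most critical asset.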