Practice SOC incident triage vocabulary: true positives, escalation levels, alert fatigue, suppression rules, and triage decision trees.
1 / 5
An analyst says 'the alert is a true positive — escalating to SEV-2'. What does 'true positive' mean?
A true positive means the detection rule fired AND a real threat or malicious activity is confirmed. The analyst then escalates based on severity — SEV-2 indicates a serious incident requiring prompt response.
2 / 5
What is 'alert fatigue' in a SOC context?
Alert fatigue occurs when analysts are overwhelmed by large volumes of low-quality or false-positive alerts. Over time they may start ignoring or quickly closing alerts without proper investigation, increasing risk of missing real threats.
3 / 5
A team lead says 'we suppressed the noisy rule'. What did they do?
Suppressing a noisy rule means adding an exclusion or tuning condition so that known benign events matching the rule no longer generate alerts. The rule stays enabled for everything else, so the exclusion should be scoped as narrowly as the benign pattern allows (for example a specific service account plus its parent process, not the whole process name); an over-broad suppression quietly hides the very activity the rule was written to catch.
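The following is an added example, not part of the original flashcards: a minimal suppression layer applied to constructed sample alerts. The rule names, field names and the monitoring-agent scenario are assumptions chosen to mirror a typical SIEM schema, not any product's actual configuration. It shows a narrowly scoped exclusion keeping the rule alive for the one genuinely odd event, and a second, over-broad suppression that would have hidden it.

```python
"""Tuning a noisy detection rule with a scoped suppression instead of disabling it.

Added illustration; alert records, rule names and field names are constructed and
are not taken from any real SIEM.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str       # detection rule that fired
    host: str
    user: str
    process: str
    parent: str     # parent process of the flagged process


# Constructed sample alerts: a monitoring agent launches encoded PowerShell on every
# workstation and trips the rule each time; one alert (jdoe, spawned from Word) is
# exactly what the rule exists to catch.
ALERTS = [
    Alert("suspicious_powershell_encoded", "ws01", "svc_monitor", "powershell.exe", "monitor_agent.exe"),
    Alert("suspicious_powershell_encoded", "ws02", "svc_monitor", "powershell.exe", "monitor_agent.exe"),
    Alert("suspicious_powershell_encoded", "ws03", "svc_monitor", "powershell.exe", "monitor_agent.exe"),
    Alert("suspicious_powershell_encoded", "ws07", "jdoe", "powershell.exe", "winword.exe"),
    Alert("mimikatz_commandline", "dc01", "administrator", "cmd.exe", "explorer.exe"),
]

# Scoped suppression: keyed by rule, matches only when EVERY listed field equals the
# known-benign value. The rule itself is untouched and still fires for anything else.
SUPPRESSIONS = {
    "suspicious_powershell_encoded": [
        {"user": "svc_monitor", "parent": "monitor_agent.exe"},
    ],
}

# Over-broad suppression (anti-pattern): excludes on the process name alone, which is
# the very thing the rule keys on, so it silences the real alert as well.
BROAD_SUPPRESSIONS = {
    "suspicious_powershell_encoded": [
        {"process": "powershell.exe"},
    ],
}


def is_suppressed(alert, suppressions=SUPPRESSIONS):
    """True if any suppression condition for this alert's rule matches all its fields."""
    for cond in suppressions.get(alert.rule, []):
        if all(getattr(alert, field) == value for field, value in cond.items()):
            return True
    return False


def apply_suppressions(alerts, suppressions=SUPPRESSIONS):
    """Return only the alerts that still reach the analyst queue."""
    return [a for a in alerts if not is_suppressed(a, suppressions)]


def noise_by_rule(alerts, suppressions=SUPPRESSIONS):
    """Per rule, count suppressed vs. kept alerts; high 'suppressed' counts mark tuning
    candidates, high 'kept' counts on a rule nobody escalates mark alert-fatigue sources."""
    stats = {}
    for a in alerts:
        counter = stats.setdefault(a.rule, Counter())
        counter["suppressed" if is_suppressed(a, suppressions) else "kept"] += 1
    return stats


if __name__ == "__main__":
    for a in apply_suppressions(ALERTS):
        print("QUEUE:", a)
    print(noise_by_rule(ALERTS))
    print("over-broad leaves:", len(apply_suppressions(ALERTS, BROAD_SUPPRESSIONS)), "alert(s)")
```

With the scoped suppression, three agent-generated alerts drop out and both the jdoe PowerShell alert and the mimikatz alert remain in the queue; with the over-broad suppression only the mimikatz alert survives, which is the failure mode the caveat above warns about.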
4 / 5
'The analyst triages 50 alerts per shift.' In this context, what does triage mean?
Triage in a SOC means rapidly assessing incoming alerts to classify them (true positive, false positive, or benign true positive) and decide the appropriate response: escalate, close, investigate further, or tune and suppress the rule. The goal is to sort quickly, not to complete the investigation during triage.
5 / 5
What is a 'triage decision tree' in SOC operations?
A triage decision tree is a structured guide — often a flowchart — that walks an analyst through a series of yes/no questions to consistently classify alerts and determine the correct response action, reducing analyst-to-analyst variability.