Practice SIEM query vocabulary: SPL, KQL, correlation rules, false positive rates, and log retention queries used in SOC environments.
1 / 5
An analyst says 'we wrote an SPL query to find failed logins'. What platform uses SPL?
SPL stands for Search Processing Language and is the query language native to Splunk. It allows analysts to search, filter, and visualise events stored in Splunk indexes, for example: index=auth action=failure | stats count by user.
2 / 5
'The KQL query returns all events from this IP.' What SIEM platform uses KQL?
KQL (Kusto Query Language) is used by Microsoft Sentinel and Azure Monitor Logs. Analysts use KQL to query log analytics workspaces, for example: SigninLogs | where IPAddress == '1.2.3.4'.
3 / 5
A detection engineer says 'the correlation rule triggers when there are 5 failed logins followed by a success within 10 minutes from the same user'. What does this correlation rule detect?
This correlation rule describes a classic brute force pattern — multiple failed authentication attempts followed by a success suggests an attacker eventually guessed the correct credentials. Correlation rules combine multiple events over a time window to detect multi-step attack patterns.
4 / 5
'The detection rule has a 2% false positive rate.' What does this mean?
A 2% false positive rate means that 2 out of every 100 alerts generated by this rule turn out to be benign — not a real threat. Lower false positive rates mean higher-quality detections and less analyst time wasted on noise.
5 / 5
'The query runs against 7 days of logs.' Why is log retention period important for SIEM queries?
Log retention defines how far back analysts can investigate. If the retention window is 7 days, analysts cannot query events older than that. Shorter retention limits threat hunting and forensic investigation capability — many organisations retain 30-90 days of hot data and archive the rest.