Practice vocabulary for SOC threat detection: detection rules, UEBA baselines, detection gaps, detection engineering, and rule tuning.
1 / 5
When a SIEM detection rule generates an alert because specific log conditions were met, you say:
The detection rule fires when X conditions are met — for example, 'fires when login failures exceed 10 in 5 minutes from a single IP'.
2 / 5
When a user behavior analytics system learns normal activity patterns and alerts on unusual deviations, this is called:
The UEBA baseline detects anomalous behavior — UEBA (User and Entity Behavior Analytics) builds behavioral baselines and flags statistical outliers.
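An added example, not code from the original page: a minimal UEBA-style baseline in Python. It learns a per-user mean and standard deviation for one daily metric (megabytes uploaded to external hosts per day, a made-up metric) from constructed history, then scores a new day's value as a z-score and flags statistical outliers. The user names, values, the 3-sigma threshold, the seven-day minimum history and the sigma floor are all assumptions chosen for illustration; the last two are there to show the edge cases a real baseline has to handle (entities with too little history, and entities whose history is perfectly flat).

```python
"""UEBA-style baseline: per-entity z-score on a daily metric.

Added example, not the page's own code: it builds a behavioural baseline per
user from constructed history (MB uploaded to external hosts per day, a made-up
metric) and scores a new day's value against it. The entity names, values,
thresholds and the minimum-history and sigma-floor rules are all assumptions
chosen for illustration.
"""
from collections import defaultdict
from statistics import mean, stdev

MIN_BASELINE_DAYS = 7   # refuse to score entities with too little history
SIGMA_FLOOR = 50.0      # MB; stops a flat baseline from turning any change into a huge z
Z_THRESHOLD = 3.0

# Constructed history: (user, MB uploaded that day), one tuple per observed day.
HISTORY = (
    [("alice", v) for v in [210, 240, 260, 230, 250, 220, 270, 240, 235, 255, 245, 225, 265, 215]]
    + [("bob", v) for v in [1000, 1100, 1200, 1300, 1050, 1150, 1250] * 2]
    + [("carol", v) for v in [400, 410, 390]]          # only three days observed
    + [("dave", 100) for _ in range(20)]               # perfectly flat, zero variance
)


def build_baselines(history):
    """Return {entity: (mean, effective_stdev, days)} from (entity, value) pairs."""
    per_entity = defaultdict(list)
    for entity, value in history:
        per_entity[entity].append(float(value))
    baselines = {}
    for entity, values in per_entity.items():
        sd = stdev(values) if len(values) >= 2 else 0.0
        # the floor keeps a zero-variance history from making every change "infinite sigma"
        baselines[entity] = (mean(values), max(sd, SIGMA_FLOOR), len(values))
    return baselines


def score(baselines, entity, value):
    """Return (verdict, z): verdict is 'anomalous', 'normal' or 'no_baseline'.

    Scoring without enough history is a common source of first-week noise, so
    thin baselines are reported explicitly rather than treated as normal.
    """
    b = baselines.get(entity)
    if b is None or b[2] < MIN_BASELINE_DAYS:
        return "no_baseline", None
    mu, sd, _ = b
    z = (float(value) - mu) / sd
    return ("anomalous" if abs(z) > Z_THRESHOLD else "normal"), z


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for user, today in [("alice", 2500), ("bob", 1250), ("carol", 5000), ("dave", 600)]:
        print(user, today, score(baselines, user, today))
```

Two caveats the quiz answer does not spell out: a baseline is only as clean as the period it was learned from (an attacker already active during the learning window becomes "normal"), and a per-entity z-score says nothing about the peer group, so production UEBA typically also compares a user against users in the same role.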
3 / 5
When a specific attack technique has no detection rule covering it in the SIEM, this is called:
The detection gap — we have no coverage for this TTP — TTPs (Tactics, Techniques, Procedures) from MITRE ATT&CK are often used to map detection coverage.
4 / 5
The SOC team role responsible for writing, testing, and maintaining detection rules is called:
The detection engineer creates the rule — detection engineers translate threat intelligence and adversary TTPs into working SIEM queries and correlation rules.
5 / 5
When a detection rule generates too many false positives and is adjusted to be more specific, this process is called:
The rule is tuned to reduce false positives — tuning may involve adding exclusions, raising thresholds, or adding corroborating conditions to reduce noise. Every tuning step also narrows what the rule can catch, so the tuned rule should be re-tested against the adversary behaviour it was written for, not only against the noise it was meant to drop.
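An added example, not code from the original page, covering items 1 and 5 together: a Python implementation of the sample rule from item 1 ("fires when login failures exceed 10 in 5 minutes from a single IP") as a sliding-window threshold over constructed sshd-style log lines, followed by the two tuning steps from item 5, an exclusion list for a known-noisy source and a corroborating condition (the burst must touch several accounts). The log layout, all IP addresses, user names and timestamps are made up; the addresses are documentation and private ranges, not real hosts.

```python
"""Sliding-window threshold rule and two tuning steps.

Added example, not code from the original page: it implements the quiz's sample
rule ("fires when login failures exceed 10 in 5 minutes from a single IP") over
constructed sshd-style log lines, then tunes it with an exclusion list and a
corroborating condition. Every IP, user name and log line below is made up;
the IP ranges are documentation/private ranges, not real hosts.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd: Failed password for (?P<user>\S+) from (?P<ip>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _line(ts, user, ip):
    """Format one constructed auth-log line (assumed syslog-like layout)."""
    return f"{ts.strftime(TS_FMT)} sshd: Failed password for {user} from {ip}"


T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_LOGS = (
    # 12 failures in 12 seconds against one account: a known internal scanner
    [_line(T0 + timedelta(seconds=i), "admin", "10.0.0.5") for i in range(12)]
    # 12 failures in under 4 minutes spread over 12 accounts: password spraying
    + [_line(T0 + timedelta(minutes=1, seconds=20 * i), f"user{i:02d}", "203.0.113.7")
       for i in range(12)]
    # 11 failures but one every 2 minutes: never more than 3 inside a 5-minute window
    + [_line(T0 + timedelta(minutes=2 * i), "svc-backup", "198.51.100.3") for i in range(11)]
    # a user who mistyped a password three times
    + [_line(T0 + timedelta(minutes=3, seconds=i), "alice", "192.0.2.10") for i in range(3)]
)


def parse(line):
    """Return (timestamp, user, ip) or None for lines the rule does not consume."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["user"], m["ip"]


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5),
                      exclusions=frozenset(), min_distinct_users=1):
    """Fire once per source IP whose failures inside `window` exceed `threshold`.

    Tuning knobs: `exclusions` drops known-noisy sources before counting;
    `min_distinct_users` is a corroborating condition (a spray touches many
    accounts, a forgotten password touches one). Returns {ip: ISO fire time}.
    """
    recent = defaultdict(deque)  # ip -> (ts, user) events still inside the window
    alerts = {}
    events = sorted(e for e in map(parse, lines) if e is not None)
    for ts, user, ip in events:
        if ip in exclusions:
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # slide: drop events older than the window
            q.popleft()
        distinct_users = {u for _, u in q}
        if len(q) > threshold and len(distinct_users) >= min_distinct_users and ip not in alerts:
            alerts[ip] = ts.isoformat()
    return alerts


if __name__ == "__main__":
    print("untuned:     ", detect_bruteforce(SAMPLE_LOGS))
    print("exclusion:   ", detect_bruteforce(SAMPLE_LOGS, exclusions={"10.0.0.5"}))
    print("corroborated:", detect_bruteforce(SAMPLE_LOGS, min_distinct_users=3))
```

The untuned run fires on both the scanner and the sprayer; either tuning step removes the scanner alert while keeping the sprayer, which is the behaviour the rule was written for. The slow source with 11 failures at two-minute intervals never fires, which is the sliding window doing its job: "exceeds 10 in 5 minutes" is a rate, not a lifetime count.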