Check My Knowledge

8-10 hours · Module 1 · Free

Scenario 1. Your hybrid SOC uses a managed partner for after-hours L1 triage. An alert fires at 23:15 for a Finance team user — suspicious sign-in from an unfamiliar IP. MFA succeeded. The managed SOC follows the standard credential compromise playbook: check MFA (present), check impossible travel (none), close as Benign Positive. The next morning, your internal L2 discovers the account was compromised through AiTM where the attacker captured the MFA token. What is the root cause of the detection gap?

a. The managed SOC lacks the technical skill to detect AiTM attacks and should be replaced with a more capable MDR provider.
The issue isn't analyst skill — it's the playbook. The standard credential compromise runbook checks MFA presence, not MFA method. An MDR provider using the same playbook would make the same decision. The fix is a custom runbook with AiTM-specific enrichment steps (Section 1.1), not a provider replacement.
b. The analytics rule should be configured as Severity Critical for all Finance team users so it automatically escalates to the internal team.
Elevating all Finance alerts to Critical would produce alert fatigue on the internal team. The classification framework (Section 1.10) handles VIP entity elevation, but the root cause is the missing enrichment step, not the severity level.
c. The managed SOC runbook lacks an AiTM-specific decision path that checks the MFA method field — interactive vs satisfied-by-claim — rather than just MFA presence.
Correct. The handoff gap (Section 1.1) and the triage enrichment gap (Section 1.5) are operating model problems. The managed SOC followed the playbook correctly — the playbook didn't include the MFA method check that distinguishes AiTM from legitimate authentication. The fix is a custom runbook with the identity-specific enrichment steps from Section 1.5.
d. The SOC should switch to a fully internal 24/7 model to eliminate the managed SOC context gap entirely.
A 24/7 internal SOC requires 8-10 FTEs at $100K+ each (Section 1.1). The hybrid model's failure was a missing enrichment step in the runbook. Spending $800K+ to avoid writing a custom runbook is disproportionate.
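As an added example that is not part of the course material, the following KQL is one way to implement the enrichment step the correct answer describes: for one account's recent successful MFA sign-ins, it reports whether MFA was completed interactively or merely satisfied by a claim carried in the token. It assumes the standard Microsoft Sentinel SigninLogs schema; the account name and the one-day window are placeholders.

```kql
// Added example: MFA-method enrichment for a single account (not course code).
// Assumes the standard Sentinel SigninLogs schema; the UPN below is a placeholder.
SigninLogs
| where TimeGenerated > ago(1d)
| where UserPrincipalName =~ "finance.user@example.com"      // placeholder account
| where ResultType == 0                                       // successful sign-ins only
| where AuthenticationRequirement == "multiFactorAuthentication"
// AuthenticationDetails holds one entry per authentication step; expand them.
| mv-expand Step = todynamic(AuthenticationDetails)
| extend StepResult = tostring(Step.authenticationStepResultDetail)
// Classify each MFA step by how the requirement was actually met.
| extend MfaMethod = case(
      StepResult contains "satisfied by claim", "satisfied-by-claim",
      StepResult contains "MFA completed"
        or StepResult contains "MFA successfully completed", "interactive",
      "")
| where isnotempty(MfaMethod)
| summarize MfaMethods = make_set(MfaMethod), StepDetails = make_set(StepResult)
    by TimeGenerated, IPAddress, Location, AppDisplayName, UserAgent
// A sign-in whose MFA was satisfied only by a token claim is exactly the case a
// plain "MFA present?" check accepts; the runbook should route it to L2.
| extend MfaInteractive = set_has_element(MfaMethods, "interactive"),
         MfaByClaimOnly = set_has_element(MfaMethods, "satisfied-by-claim")
                          and not(set_has_element(MfaMethods, "interactive"))
| project TimeGenerated, IPAddress, Location, AppDisplayName, UserAgent,
          MfaInteractive, MfaByClaimOnly, StepDetails
| order by TimeGenerated desc
```

Rows with MfaByClaimOnly set to true from an IP the user has never used are the ones the Scenario 1 playbook would have closed as Benign Positive.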

Scenario 2. Your L1 analyst has been working on an alert for 12 minutes. The alert is a medium-severity suspicious sign-in. The analyst checked sign-in history (IP is unfamiliar), MFA method (interactive — user responded to a push notification), related alerts (none in 24 hours), and user group membership (standard user). The enrichment doesn't clearly indicate malicious activity, but the IP geolocates to a residential proxy in a country the user has never signed in from. What should the analyst do?

a. Close as False Positive — MFA was interactive and there are no related alerts, which indicates legitimate access from a new location.
Interactive MFA is a positive signal but doesn't rule out compromise — the user could have been socially engineered into approving the prompt. Closing as FP discards the investigation without addressing the residential proxy anomaly.
b. Escalate using the instinct trigger — the residential proxy is suspicious even though no enrichment criterion definitively indicates compromise. Document what was checked and the specific question for L2.
Correct. The instinct trigger (Section 1.4) exists for this situation — the analyst can't classify with confidence, and the residential proxy is anomalous enough to warrant L2 investigation. The structured escalation includes the specific question: "Is this residential proxy consistent with the user's known VPN usage?"
c. Continue investigating for another 10-15 minutes — check MailItemsAccessed, CloudAppEvents, and device compliance to gather more evidence before deciding.
This is L2 investigation work on L1 time. The analyst is at 12 minutes against a 15-minute boundary (Section 1.2). Extending triage delays every alert behind this one in the queue. Escalate with the evidence gathered so far and let L2 run the deeper queries.
d. Close as Benign True Positive — the rule correctly detected an unusual sign-in, the sign-in is real, but interactive MFA confirms the user's identity.
BTP classification requires confidence that the activity is legitimate (Section 1.5). The residential proxy plus unfamiliar country is the ambiguous zone where the instinct trigger should fire, not a confident BTP classification.

Scenario 3. Your SOC reports MTTT 5 minutes, SLA compliance 97%, and alerts closed 2,800 monthly. The CISO asks whether the SOC is effective. You've just implemented the quality metrics framework. What's your first action?

a. The current metrics show strong performance — 5-minute triage time and 97% SLA compliance indicate the SOC is operating effectively.
MTTT and SLA measure speed, not effectiveness (Section 1.6). A SOC can achieve 5-minute MTTT by closing alerts without adequate investigation.
b. Hire an external assessor to benchmark the SOC against industry peers.
An external assessment can be valuable but is unnecessary as a first step. The quality metrics queries from Section 1.6 run against existing Sentinel data today.
c. Add MTTD tracking by requiring analysts to record the earliest evidence timestamp for every True Positive.
MTTD tracking is important but requires investigation data from confirmed incidents over time. The immediate action should be measuring what's available now — false positive rate from existing disposition data.
d. Run the false positive rate query against existing SecurityIncident data — get the FP rate, classification distribution, and top noisy rules today.
Correct. The FP rate query runs against existing data and produces actionable numbers immediately (Section 1.6). These numbers reframe the CISO conversation from "we're fast" to "34% of our work is dismissing noise, and these three rules account for most of it."
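As an added example that is not part of the course, these two KQL queries (run separately) show the kind of measurement the correct answer calls for against the SecurityIncident table: the overall false positive rate with the classification distribution, then the rules behind most false positives. They assume the standard Microsoft Sentinel SecurityIncident schema and a 30-day window; grouping by incident Title stands in for the rule name.

```kql
// Added example (not course code): false positive rate and classification
// distribution over the last 30 days. SecurityIncident stores one row per
// incident update, so each incident is first reduced to its latest state.
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status == "Closed"
| summarize Closed          = count(),
            TruePositives   = countif(Classification == "TruePositive"),
            BenignPositives = countif(Classification == "BenignPositive"),
            FalsePositives  = countif(Classification == "FalsePositive"),
            Undetermined    = countif(Classification == "Undetermined")
// Share of closed work that was dismissing noise; this is the "34%" figure.
| extend FalsePositiveRatePct = round(100.0 * FalsePositives / Closed, 1)

// Query 2 (run separately): the rules producing most false positives.
// Title is used as a stand-in for the analytics rule name; for multi-alert
// incidents RelatedAnalyticRuleIds is the precise but less readable source.
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status == "Closed" and Classification == "FalsePositive"
| summarize FalsePositives = count() by Title, ClassificationReason
| top 3 by FalsePositives desc
```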

Scenario 4. Two analysts are on leave and the alert queue is at 150% normal volume. The remaining L1 analyst asks the SOC lead to cover queue overflow during the weekly L3 protected time block. What should the SOC lead do?

a. Maintain the L3 block unless a declared Severity 1 incident requires involvement — the queue delay is a temporary staffing problem, not a justification for canceling the feedback loop.
Correct. L3 time protection (Section 1.2) is structural, not aspirational. The queue has an SLA. The feedback loop has no SLA — which is why it always loses. Canceling L3 for queue overflow means detection tuning and program improvement don't happen this week. The exception is a declared Severity 1 incident.
b. Split the L3 block — cover 5 hours of queue overflow and preserve 5 hours of L3 work as a compromise.
Once L3 time is negotiable, it gets negotiated every week. The 10 hours become 5, then 3, then zero. The feedback loop stops because the queue always has more immediate urgency.
c. Cancel this week and add 10 extra L3 hours next week.
The "make it up next week" approach never works. Next week has its own queue pressure. The hours never get made up. The monthly tuning review slips indefinitely.
d. Triage the overflow alerts using Informational severity only to maintain SLA compliance while keeping the L3 block.
Reclassifying alerts to lower severity to meet SLAs is metrics manipulation (Section 1.10). The classification framework exists to ensure response priority matches business impact — not to game SLA numbers.

Scenario 5. Your maturity assessment shows: Detection L2, Triage L2, Escalation L1, Documentation L2, Metrics L1, Automation L1, Improvement L1, People L2. Your CISO asks for the single highest-impact improvement. What do you recommend?

a. Upgrade Automation from Level 1 to Level 2 by implementing SOAR playbooks — this reduces analyst workload.
Automation makes existing processes faster, but if escalation has no path for ambiguous alerts (Level 1), making triage faster doesn't fix the ambiguity gap. Fix the constraint first (Section 1.9).
b. Upgrade Detection from Level 2 to Level 3 by implementing ATT&CK coverage measurement.
Detection is already at Level 2. The constraint-first approach targets the weakest capabilities. Escalation at Level 1 is the binding constraint — ambiguous alerts get closed without investigation.
c. Upgrade Escalation from Level 1 to Level 2 — document three trigger types (capability, pattern, instinct). Zero budget, two weeks, closes the gap where attacks hide.
Correct. Escalation at Level 1 is the binding constraint (Section 1.9). When analysts can't determine intent, they close the alert. The instinct trigger alone would have changed the outcome of an AiTM incident. The fix costs zero budget and takes two weeks.
d. Upgrade all Level 1 capabilities simultaneously — four capabilities at Level 1 require parallel improvement.
Parallel improvement dilutes effort. The constraint-first approach concentrates on the single capability that produces the most impact, delivers improvement in 2-3 weeks, then moves to the next constraint. Sequential is faster than parallel.

Scenario 6. Your shift ends in 15 minutes. You're investigating a potential credential compromise — unfamiliar IP confirmed, MFA interactive, no MailItemsAccessed anomaly yet. Investigation isn't complete. The overnight managed SOC takes over. What do you do?

a. Continue until complete — investigation continuity is more important than shift end times.
Working past shift contributes to the burnout that 71% of SOC analysts report. The handover procedure (Section 1.3) exists precisely for this situation. Staying late is unsustainable.
b. Write the four-field handover: active state, findings so far, specific next step (check CloudAppEvents for OAuth consent), and urgency level.
Correct. The four-field handover (Section 1.3) transfers investigation state so the incoming analyst picks up from your exact position. The "next step" field is critical — it tells them exactly what to check next, preventing duplicated work.
c. Close as Undetermined and reopen when you return — the managed SOC lacks context to continue.
Closing and reopening creates a gap in the timeline. The handover note keeps the incident open with full context. Section 1.3 addresses this: the internal team retains ownership, the managed SOC monitors for new related alerts.
d. Escalate to Severity 2 to ensure the managed SOC prioritizes it overnight.
Escalating severity to force attention is severity manipulation (Section 1.10). Classify at actual severity and use the handover — not an artificial severity bump — to ensure continuity.

Scenario 7. You're building the SOC charter. The CISO wants to include "AI-powered threat detection" and "machine learning anomaly analysis" in the mission statement. Your SOC uses Sentinel with 30 analytics rules, no UEBA enabled, and no custom ML models. What do you recommend?

a. Include the AI language — it positions the SOC favorably for board presentations.
The charter describes current operational state (Section 1.7). Including capabilities the SOC doesn't have makes it aspirational rather than operational. Aspirational charters sit in SharePoint.
b. Include it with a footnote noting these are planned capabilities.
Footnoted aspirations are still aspirations. Future capabilities belong in the improvement roadmap, not the mission statement.
c. Include it — Sentinel's built-in Fusion rules qualify as AI-powered detection.
If the SOC hasn't enabled UEBA and relies on 30 scheduled rules, the AI capability is nominal. The charter should describe what the SOC operationally uses, not what the platform theoretically supports.
d. Document current state accurately and add AI/ML to the improvement roadmap's known gaps section with a target date.
Correct. The charter describes current reality (Section 1.7). The known gaps section documents what the SOC doesn't yet do and the plan to get there. "AI/ML detection: not yet implemented. Target: enable UEBA in Q3" is honest, actionable, and gives the CISO a concrete timeline.