Alert chapter quiz
Quiz: did the chapter stick?
No grades. The point is to push your thinking. Some questions are harder than they look.
An EDR fires a behavioral alert at 02:14 with 64% confidence. The user's baseline shows they routinely work overnight. What is the right next step?
Baseline comparison is one of three validation strategies, and it speaks to only one of four validation dimensions. A single dimension agreeing is not the same as validation. The environmental dimension says the timing is consistent with how this user works; technical fidelity, threat intelligence, and business impact have not been checked yet. Validate across all four, then decide.
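The following is an added example, not code from the course, showing what "validate across all four, then decide" looks like for the 02:14 alert. The dimension names come from the answer above; the alert record fields, the baseline shape, the threat-intel set, the criticality table and the verdict thresholds are assumptions constructed for this example.

```python
# Added example (not the course's own tooling): one alert checked across the four
# validation dimensions, with a verdict only when every dimension was assessed.
from datetime import datetime, time

# Constructed sample data: the 02:14 EDR alert from the question
ALERT = {
    "id": "edr-0001",
    "timestamp": datetime(2024, 5, 3, 2, 14),
    "user": "jdoe",
    "host": "ws-jdoe",
    "confidence": 0.64,
    "corroborating_sources": [],      # e.g. proxy or DNS telemetry agreeing with the EDR
    "indicators": ["203.0.113.7"],    # documentation-range placeholder, not a real IoC
}
BASELINE = {"jdoe": [(time(21, 0), time(6, 0))]}   # routinely works 21:00-06:00
THREAT_INTEL = set()                                # no intel matches in this scenario
ASSET_CRITICALITY = {"ws-jdoe": "low"}

DIMENSIONS = ("environmental", "technical_fidelity", "threat_intelligence", "business_impact")


def in_window(t, start, end):
    """True if t falls inside [start, end]; handles windows that wrap past midnight."""
    return start <= t <= end if start <= end else (t >= start or t <= end)


def check_environmental(alert, baseline):
    """Is the timing consistent with the user's normal working hours?"""
    windows = baseline.get(alert["user"], [])
    return any(in_window(alert["timestamp"].time(), s, e) for s, e in windows)


def check_technical_fidelity(alert, min_confidence=0.8):
    """Is the engine's signal strong on its own, or corroborated by another source?"""
    return alert["confidence"] >= min_confidence or bool(alert["corroborating_sources"])


def check_threat_intelligence(alert, intel):
    """Does any indicator on the alert match known-bad intelligence?"""
    return any(ioc in intel for ioc in alert["indicators"])


def check_business_impact(alert, criticality):
    """Is the affected asset one where a true positive would matter a great deal?"""
    return criticality.get(alert["host"], "unknown") in {"high", "critical"}


def validate(alert, baseline, intel, criticality, assess=DIMENSIONS):
    """Run the requested dimensions; refuse to conclude unless all four were assessed."""
    checks = {
        "environmental": lambda: check_environmental(alert, baseline),
        "technical_fidelity": lambda: check_technical_fidelity(alert),
        "threat_intelligence": lambda: check_threat_intelligence(alert, intel),
        "business_impact": lambda: check_business_impact(alert, criticality),
    }
    findings = {d: checks[d]() for d in assess}
    if set(findings) != set(DIMENSIONS):
        # One agreeing dimension is not validation: report what is still missing.
        return {"status": "incomplete", "findings": findings,
                "missing": sorted(set(DIMENSIONS) - set(findings))}
    if findings["threat_intelligence"] or findings["technical_fidelity"]:
        status = "escalate"        # independent evidence that the signal is real
    elif findings["business_impact"]:
        status = "needs_review"    # weak signal, but on an asset that matters
    elif findings["environmental"]:
        status = "likely_benign"   # weak, uncorroborated, and the timing fits the baseline
    else:
        status = "needs_review"
    return {"status": status, "findings": findings, "missing": []}


if __name__ == "__main__":
    # Baseline alone: no verdict. All four dimensions: a defensible one.
    print(validate(ALERT, BASELINE, THREAT_INTEL, ASSET_CRITICALITY, assess=("environmental",)))
    print(validate(ALERT, BASELINE, THREAT_INTEL, ASSET_CRITICALITY))
```

Running only the environmental check returns `incomplete` with the three unassessed dimensions listed; the same alert with all four assessed lands on `likely_benign`, and swapping in an intel match or a high-criticality host changes the outcome, which is the point: the verdict belongs to the combination, not to the baseline alone.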
Two alerts fire with identical content. Alert A is on a contractor's sandbox laptop. Alert B is on a service account with administrative access to a HIPAA-bound database. The analyst can only investigate one in the next 15 minutes. Which strategy makes the prioritization defensible?
Need a nudge?
The two alerts are identical in shape. What differs is the entity each one affects.
Criticality validation is exactly the strategy designed for this trade-off. Alert B affects a high-criticality asset and a privileged identity, so it is the immediate-action alert. Months later, the criticality data attached to the queue order is what makes the choice reviewable in a post-mortem.
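As an added illustration of criticality validation (example code, not the course's own tooling), the block below orders the two alerts from the question by the entity each one affects and keeps the scoring rationale on every queue entry. The asset tiers, identity tiers, regulated-data bonus and the immediate-action threshold are assumptions constructed for this example.

```python
# Added example (not the course's own code): ordering a triage queue by the
# criticality of the asset and identity each alert touches, with the rationale
# stored alongside the order so the decision can be reviewed later.

# Assumed criticality tables for this example
ASSET_TIER = {"sandbox": 1, "workstation": 2, "server": 3, "regulated_database": 4}
IDENTITY_TIER = {"contractor": 1, "employee": 2, "service_account": 2, "admin": 4}
REGULATED_BONUS = 2        # HIPAA, PCI or similar obligations attached to the asset
IMMEDIATE_THRESHOLD = 8    # at or above this score the alert is worked now

# Constructed alerts: identical detection content, different entities
ALERTS = [
    {"id": "A", "rule": "suspicious-powershell", "host": "sbx-contractor-07",
     "host_role": "sandbox", "identity": "c.tran", "identity_role": "contractor",
     "privileged": False, "regulated": False},
    {"id": "B", "rule": "suspicious-powershell", "host": "db-phi-01",
     "host_role": "regulated_database", "identity": "svc-dbbackup",
     "identity_role": "service_account", "privileged": True, "regulated": True},
]


def criticality(alert):
    """Score an alert by the asset and identity it touches, and record why."""
    asset = ASSET_TIER.get(alert["host_role"], ASSET_TIER["workstation"])
    role = IDENTITY_TIER.get(alert["identity_role"], IDENTITY_TIER["employee"])
    # Administrative access lifts any identity to the top tier
    identity = max(role, IDENTITY_TIER["admin"] if alert["privileged"] else 0)
    regulated = REGULATED_BONUS if alert["regulated"] else 0
    score = asset + identity + regulated
    rationale = {"asset_tier": asset, "identity_tier": identity,
                 "regulated_bonus": regulated, "score": score}
    return score, rationale


def prioritize(alerts):
    """Return the queue in investigation order; each entry carries its criticality data."""
    queue = []
    for a in alerts:
        score, why = criticality(a)
        queue.append({
            "id": a["id"], "rule": a["rule"], "host": a["host"], "identity": a["identity"],
            "score": score, "rationale": why,
            "action": "immediate" if score >= IMMEDIATE_THRESHOLD else "scheduled",
        })
    return sorted(queue, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for entry in prioritize(ALERTS):
        print(entry["id"], entry["action"], entry["rationale"])
```

Alert B scores 10 (regulated database, privileged identity, regulated-data bonus) and is marked immediate; alert A scores 2 and is scheduled. Because the rationale travels with the queue entry, a post-mortem can see exactly which criticality facts drove the order rather than reconstructing the analyst's reasoning from memory.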
Which detection family is most likely to fire when an adversary uses living-off-the-land binaries with no custom malware?
Need a nudge?
Think about what each family is naturally good at and what each one is naturally blind to.
Signature engines see only signed, trusted binaries, so nothing matches a signature. Anomaly engines may not flag anything because each individual event falls within tolerance. Rule engines can fire if a rule has been written for the pattern, but that requires someone to have written the rule first. Behavioral analytics is the family designed for multi-step adversary patterns built from legitimate-looking pieces.
An alert reports an outbound TLS connection to a domain registered three days ago. The process is signed certutil.exe. The user is a developer. Which combination of signals would raise the confidence that this is malicious?
Single signals get tuned out as noise; the combination is what changes the verdict. A newly registered domain, a process that is unusual for this user, and no documented business reason together map to the classic certutil-as-LOLBin pattern. None of the signals on its own is decisive. Together they are.
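To show why the combination matters more than any one signal, here is an added example (not the course's own code) that scores a small set of constructed outbound-connection events for one developer. The three signals are the ones named in the answer; the event fields, the developer's process baseline, the domain-age cutoff and the escalation threshold are assumptions made for this example.

```python
# Added example (not the course's own tooling): three weak signals, each common
# on its own, that only point at the certutil-as-LOLBin pattern when they coincide.
from datetime import date

OBSERVED = date(2024, 5, 4)
NEW = date(2024, 5, 1)      # domain registered three days before observation
OLD = date(2019, 1, 1)      # long-established domain

# Constructed events for one developer's workstation
EVENTS = [
    {"id": 1, "user": "dev.lee", "process": "certutil.exe", "registered": NEW, "ticket": None},
    {"id": 2, "user": "dev.lee", "process": "code.exe",     "registered": NEW, "ticket": None},
    {"id": 3, "user": "dev.lee", "process": "git.exe",      "registered": OLD, "ticket": None},
    {"id": 4, "user": "dev.lee", "process": "python.exe",   "registered": OLD, "ticket": "CHG-0001"},
    {"id": 5, "user": "dev.lee", "process": "certutil.exe", "registered": OLD, "ticket": "CHG-0002"},
    {"id": 6, "user": "dev.lee", "process": "node.exe",     "registered": NEW, "ticket": "CHG-0003"},
]
# Processes this user's baseline shows them launching routinely (assumed)
USER_PROCESS_BASELINE = {"dev.lee": {"code.exe", "git.exe", "python.exe", "node.exe"}}


def signals(event, baseline, observed=OBSERVED, max_age_days=7):
    """Evaluate the three signals independently. Note that a valid code signature
    is deliberately not a mitigating factor: certutil is always signed."""
    return {
        "new_domain": (observed - event["registered"]).days <= max_age_days,
        "unusual_process_for_user":
            event["process"].lower() not in baseline.get(event["user"], set()),
        "no_business_reason": event["ticket"] is None,
    }


def assess(event, baseline, threshold=3):
    """Each signal contributes one point; only the full combination reaches the threshold."""
    s = signals(event, baseline)
    score = sum(s.values())
    return {"id": event["id"], "score": score, "signals": s,
            "verdict": "escalate" if score >= threshold else "monitor"}


def summarize(events, baseline):
    """How noisy each signal is alone versus how rarely all three coincide."""
    results = [assess(e, baseline) for e in events]
    per_signal = {name: sum(r["signals"][name] for r in results)
                  for name in results[0]["signals"]}
    return {
        "fired_any_signal": sum(r["score"] >= 1 for r in results),
        "per_signal": per_signal,
        "escalated": sum(r["verdict"] == "escalate" for r in results),
        "escalated_ids": [r["id"] for r in results if r["verdict"] == "escalate"],
    }


if __name__ == "__main__":
    print(summarize(EVENTS, USER_PROCESS_BASELINE))
```

Of the six constructed events, five trigger at least one signal (new domains and missing tickets are everyday occurrences for a developer), yet only event 1 carries all three and escalates. Tuning on any single signal would either page on most of the week or suppress the real case along with the noise.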
What is the Alert phase's deliverable to the rest of the methodology?
Alert produces three things: a structured record of what the engine saw, a validation result that says whether the signal is real, and a parsed metadata set that the next phases can query. Verdicts and containment are downstream phases. Reports are documentation. The Alert phase's job is to make the next analyst's work fast and accurate, not to draw conclusions.
Next up
Continue to Subject
With Alert mastered, the next chapter turns to identifying every entity involved in the activity: who acted, with what credentials, in what context.