Investigation & ES • Room 1

Event Dispositions

When a Notable Event appears in Incident Review, an analyst must investigate it and assign a disposition before closing it.

Common dispositions include: True Positive (a real threat), False Positive (benign activity mistaken for a threat), and Benign (known good activity that should be suppressed in the future).

Accurate dispositions drive measurable SOC improvement. If 90% of the notables a correlation search raises are closed as False Positives, that search needs tuning.
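As an added illustration (not part of the room's material), a small Python script that tallies closed-notable dispositions per correlation search, flags searches whose False Positive share reaches the 90% mark above, and separates out searches whose Benign closures point at a known-good source to suppress. The search names and counts are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample of closed notable events: (correlation search, disposition).
# Search names are illustrative placeholders, not a real ES content pack.
NOTABLES = (
    [("Brute Force Access Behavior Detected", "False Positive")] * 9
    + [("Brute Force Access Behavior Detected", "Benign")]
    + [("Threat Activity Detected", "True Positive")] * 2
    + [("Threat Activity Detected", "False Positive")]
    + [("Network Scanning Detected", "Benign")] * 2
    + [("Network Scanning Detected", "True Positive")]
)


def disposition_stats(notables):
    """Count dispositions per search and compute its False Positive rate
    (False Positive closures / all closed notables for that search)."""
    counts = defaultdict(Counter)
    for search, disposition in notables:
        counts[search][disposition] += 1
    stats = {}
    for search, c in counts.items():
        total = sum(c.values())
        stats[search] = {
            "total": total,
            "counts": dict(c),
            "fp_rate": c["False Positive"] / total,
        }
    return stats


def searches_needing_tuning(notables, fp_threshold=0.9):
    """Searches whose FP rate meets the threshold: the detection logic or
    its thresholds need work, not the analysts."""
    return sorted(s for s, v in disposition_stats(notables).items()
                  if v["fp_rate"] >= fp_threshold)


def suppression_candidates(notables):
    """Searches with Benign closures: the activity is real but expected,
    so a suppression for the known-good source fits better than a rewrite."""
    return sorted(s for s, v in disposition_stats(notables).items()
                  if v["counts"].get("Benign", 0) > 0)


if __name__ == "__main__":
    for search, v in disposition_stats(NOTABLES).items():
        print(f"{search}: {v['total']} closed, FP rate {v['fp_rate']:.0%}")
    print("Tune:", searches_needing_tuning(NOTABLES))
    print("Suppress:", suppression_candidates(NOTABLES))
```

Feeding it a real export of closed notables (search name plus disposition per row) gives the per-search breakdown the room describes.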

Knowledge Check

Match each scenario to the disposition an analyst should assign:

Known service account triggering "brute force" alert
Attacker lateral movement confirmed via RDP
Scheduled vulnerability scan flagged as port scan
Malware hash match from Threat Intel feed

Dispositions: True Positive, False Positive, Benign