Security Programs • Room 3

Defining SOPs

A Standard Operating Procedure (SOP) ensures analysts handle specific alerts consistently.

When an engineer builds a new Correlation Search, they must define the "Next Steps" or link an SOP playbook directly in the Notable Event Details panel.
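As an added illustration (not part of the original room), this is what that requirement looks like in a correlation search's `savedsearches.conf` stanza: the notable action carries a description and a "Next Steps" block that points analysts at the SOP. The `action.notable.param.*` key names follow the Splunk ES schema; the stanza name, search, and SOP URL are constructed placeholders.

```ini
# Constructed example stanza for a Splunk ES correlation search.
[Access - Repeated Failed Logins From Single Source - Rule]
search = index=wineventlog EventCode=4625 \
  | stats count AS failures dc(user) AS users BY src \
  | where failures > 20
cron_schedule = */15 * * * *
enableSched = 1

# Create a notable event when the search matches.
action.notable = 1
action.notable.param.rule_title = Repeated failed logins from $src$
action.notable.param.rule_description = $failures$ failed logins against $users$ accounts from $src$ in the last 15 minutes.
action.notable.param.security_domain = access
action.notable.param.severity = medium

# "Next Steps" shown in the Notable Event Details panel: the SOP the analyst
# follows to validate or close the alert. The URL is a placeholder.
action.notable.param.next_steps = {"version": 1, "data": "1. Confirm src is not a known scanner or VPN gateway.\n2. Check whether any of the failed accounts later succeeded from the same src.\n3. Follow SOP-ACCESS-004: https://sop.example.internal/access/repeated-failed-logins"}

# Drilldown so the analyst lands on the raw events rather than rebuilding the query.
action.notable.param.drilldown_name = View failed logins from $src$
action.notable.param.drilldown_search = index=wineventlog EventCode=4625 src=$src$
```

Without the `next_steps` and drilldown fields the notable still fires, but the analyst has nothing to tell them what "validated" means for this alert, which is exactly the failure mode the knowledge check below describes.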

Knowledge Check

Question 1 of 1
Why is it functionally required for a Detection Engineer to provide an SOP or investigation steps when deploying a new correlation search?
A. To increase the Splunk license volume.
B. To ensure the ES UI loads correctly.
C. Because if analysts don't understand how to investigate or validate the alert, they will close it as a false positive, rendering the detection useless.
D. To comply with GDPR.