Back to the course
Test yourself

Detection engineering

Final exam · 60 questions · answers explained as you pick
Detection-as-code & Sigma
12 questions
01Detection as code means treating detection rules as…
Incorrect — Ad hoc console rules are exactly what detection-as-code replaces.
Correct — Detections become software: reviewable, testable, and reproducible.
Incorrect — Not a code-managed, testable form.
Incorrect — Detections analyze events; they are not network filters.
02The main benefit of detection as code is…
Correct — You see who changed what, when — and revert a bad rule.
Incorrect — Speed is not the primary benefit.
Incorrect — It manages the rules a SIEM runs.
Incorrect — Unrelated to detection-as-code.
03Sigma is…
Incorrect — It is a rule format, not a SIEM.
Correct — Write once, target Splunk, Elastic, Sentinel, etc.
Incorrect — That is Fluentd/Vector; Sigma is the rule format.
Incorrect — Unrelated to encryption.
04A Sigma rule’s core parts are…
Correct — It says which logs, and what pattern constitutes a match.
Incorrect — Not Sigma structure.
Incorrect — Unrelated.
Incorrect — Networking, not detection.
05Converting a Sigma rule to a specific SIEM query is done by…
Incorrect — It must be compiled to the target query language.
Correct — One rule compiles to Splunk SPL, Elastic DSL, KQL, etc.
Incorrect — Not a conversion step.
Incorrect — Sigma targets log platforms, not firewalls.
06The portability value of Sigma is that…
Correct — Community rule sets and tool independence.
Incorrect — It needs the log data it queries.
Incorrect — Complementary, not a replacement.
Incorrect — Unrelated.
07Detection rules should be tested by…
Incorrect — Untested detections often silently fail to fire.
Correct — Validate against real telemetry, plus unit tests on sample logs.
Incorrect — Review is necessary but not sufficient.
Incorrect — That is not testing.
08Atomic Red Team is used to…
Correct — Safe, ATT&CK-mapped tests exercise your detection coverage.
Incorrect — Unrelated to encryption.
Incorrect — It generates activity to detect, not collects logs.
Incorrect — Not its purpose.
09A CI pipeline for detections typically…
Incorrect — The point is review and validation before deploy.
Correct — Detections ship like software, gated by checks.
Incorrect — Linting is one step; testing/validation matter more.
Incorrect — Unrelated to detection CI.
10A "detection" that never fires and one that always fires are both…
Correct — Prove it fires on the bad and stays quiet on the good.
Incorrect — Existence is not effectiveness.
Incorrect — The opposite.
Incorrect — They are common failure modes.
11Version-controlling detections in git gives you…
Incorrect — It enables safe, reviewable deployments.
Correct — You can answer who changed a rule and revert regressions.
Incorrect — Not a git feature.
Incorrect — Unrelated.
12Reusing community Sigma rules should be balanced with…
Correct — A generic rule may be noisy or silent against your specific logs.
Incorrect — Untuned bulk import causes noise and gaps.
Incorrect — They are a valuable starting point when tuned.
Incorrect — Irrelevant.
12 questions · explanations appear as you answer
Pipelines & SIEM
12 questions
01A log pipeline’s first stage is…
Correct — Fluentd/Fluent Bit, Vector, Beats, cloud log exports.
Incorrect — Alerting comes after collection, parsing, and correlation.
Incorrect — That is incident response, downstream of pipelines.
Incorrect — Not a pipeline stage.
02Normalizing logs to a common schema (e.g. OCSF or ECS) matters because…
Incorrect — Size reduction is not the goal.
Correct — One rule can span AWS, K8s, and endpoint logs when fields align.
Incorrect — Normalization is not encryption.
Incorrect — Not what normalization does.
03Enrichment in a pipeline adds…
Correct — Enriched events let responders triage without pivoting everywhere.
Incorrect — It adds context, not just volume.
Incorrect — Unrelated.
Incorrect — Not a pipeline function.
04A SIEM primarily…
Incorrect — Unrelated to a SIEM.
Correct — The central platform for detection and investigation.
Incorrect — That is networking gear.
Incorrect — That is a secrets manager.
05Correlation in a SIEM lets you…
Correct — e.g. a failed-then-successful login plus a new IAM grant = one incident.
Incorrect — Not a correlation function.
Incorrect — Cost is not the point.
Incorrect — Correlation runs on collected data.
06The tradeoff of ingesting everything into the SIEM is…
Incorrect — Cost and noise are real constraints.
Correct — Deliberately choose what to index vs cheaply store.
Incorrect — SIEM ingestion is a major cost driver.
Incorrect — You still need detections on the data.
07SOAR complements a SIEM by…
Correct — Isolate a host, disable a user, open a case — automatically.
Incorrect — It acts on alerts, not generates raw logs.
Incorrect — It sits alongside, driving response.
Incorrect — Unrelated.
08A SOAR playbook is…
Incorrect — A dashboard visualizes; a playbook automates a response workflow.
Correct — Turns a runbook into automated, consistent action.
Incorrect — That is a pipeline component.
Incorrect — Not a SOAR artifact.
09Detection-as-code integrates with the SIEM by…
Correct — The pipeline pushes validated detections to the SIEM.
Incorrect — That is what it replaces.
Incorrect — It manages the SIEM’s rules.
Incorrect — They live in version control.
10Data residency/retention policy in the pipeline matters for…
Incorrect — Retention underpins investigation and compliance.
Correct — You cannot investigate what you did not retain.
Incorrect — Not the concern.
Incorrect — Unrelated.
11Parsing failures in the pipeline are dangerous because…
Correct — A field a rule needs may be missing, so the rule never matches.
Incorrect — They create blind spots, not speed.
Incorrect — Unrelated.
Incorrect — They create detection gaps.
12Monitoring the pipeline itself (log source health) matters because…
Incorrect — It is a real detection-integrity control.
Correct — Alert when an expected source stops reporting.
Incorrect — Not the primary reason.
Incorrect — Unrelated.
12 questions · explanations appear as you answer
Threat hunting
12 questions
01Threat hunting is…
Incorrect — That is alert-driven monitoring, not hunting.
Correct — Hypothesis-driven investigation beyond what alerts catch.
Incorrect — Scanning finds vulns, not active intrusions.
Incorrect — Not hunting.
02A good hunt starts from…
Correct — Hunts are structured around a testable idea, often ATT&CK-derived.
Incorrect — Aimless searching rarely finds intrusions.
Incorrect — Not a hunting starting point.
Incorrect — Not the methodology.
03The Pyramid of Pain says the most valuable (and hardest for attackers to change) indicators are…
Incorrect — Those sit at the bottom — trivial for attackers to change.
Correct — Detecting behavior forces attackers to change how they operate.
Incorrect — More painful than hashes but far less than TTPs.
Incorrect — Low-value, easily changed.
04Hunting for TTPs rather than atomic IOCs is stronger because…
Correct — Detect the "how", not just the disposable "what".
Incorrect — They change trivially per build.
Incorrect — Attackers rotate infrastructure constantly.
Incorrect — They are the hardest to change.
05A successful hunt should produce…
Incorrect — The lasting value is a repeatable detection.
Correct — Hunts feed the detection pipeline; findings become code.
Incorrect — Not the primary output.
Incorrect — You preserve evidence, not delete it.
06ATT&CK supports hunting by…
Correct — Hunt the techniques you cannot yet detect.
Incorrect — ATT&CK is a knowledge base, not an enforcement tool.
Incorrect — Unrelated.
Incorrect — Not its purpose.
07Behavioral analytics / UEBA helps hunting by…
Incorrect — That is IOC matching, not behavioral analytics.
Correct — Statistical deviation flags subtle compromise static rules miss.
Incorrect — Unrelated.
Incorrect — Not analytics.
08A hunt that finds nothing is…
Correct — You may discover you lack the telemetry to prove/disprove it.
Incorrect — Negative results and gap findings are useful.
Incorrect — Absence of evidence is not evidence of absence.
Incorrect — Hunting is continuous.
09Threat hunting relies on having…
Incorrect — Hunting goes beyond alerts into raw telemetry.
Correct — You cannot hunt in data you did not collect or kept.
Incorrect — Data is the substrate of hunting.
Incorrect — Insufficient telemetry for hunting.
10Hunting complements automated detection by…
Correct — Humans find the unknown; the pipeline then automates it.
Incorrect — They are complementary, not exclusive.
Incorrect — Hunting uses the SIEM’s data.
Incorrect — Unrelated.
11Documenting hunts matters because…
Incorrect — Documentation drives repeatability and coverage tracking.
Correct — A hunt library becomes a program, not a one-off.
Incorrect — Unrelated.
Incorrect — It feeds them.
12The output loop of mature detection engineering is…
Correct — Hunting continuously feeds new, tested detections into the pipeline.
Incorrect — That is alert fatigue, the failure mode.
Incorrect — That is vuln management, not detection engineering.
Incorrect — You retain and analyze, not delete.
12 questions · explanations appear as you answer
Cloud DFIR & forensics
12 questions
01DFIR stands for and covers…
Correct — Acquire evidence, analyze, contain, and remediate.
Incorrect — Unrelated acronym.
Incorrect — Not a log format.
Incorrect — Not a pipeline stage.
02The order of volatility says you acquire…
Incorrect — Memory is more volatile and is captured first.
Correct — Volatile data vanishes on power-off/termination.
Incorrect — Order of volatility guides prioritization.
Incorrect — Live volatile state matters most early.
03In cloud forensics, capturing a compromised instance means…
Correct — Preserve evidence; termination discards it.
Incorrect — Deletion destroys the investigation.
Incorrect — A reboot wipes volatile memory.
Incorrect — That worsens exposure.
04Chain of custody is important because…
Incorrect — Its purpose is integrity, not speed.
Correct — Untracked evidence can be challenged or worthless.
Incorrect — Not what chain of custody is.
Incorrect — The opposite — it preserves them.
05Cloud audit logs (CloudTrail / Cloud Audit Logs / Activity Log) are central to DFIR because…
Correct — The primary timeline source for a cloud intrusion.
Incorrect — They record; they do not encrypt.
Incorrect — They are detective, not preventive.
Incorrect — They are essential evidence.
06Isolating a compromised cloud resource for forensics uses…
Incorrect — That destroys evidence.
Correct — Contain the resource while preserving its state.
Incorrect — Increases exposure.
Incorrect — Wipes volatile evidence.
07Timeline analysis (e.g. a super timeline) helps by…
Correct — You see the sequence: initial access → escalation → persistence → impact.
Incorrect — Not its function.
Incorrect — It aggregates, not deletes.
Incorrect — Not an enforcement tool.
08A key cloud-DFIR challenge vs on-prem is…
Incorrect — The cloud is rich in logs when configured.
Correct — A terminated instance and its volatile state are gone in seconds.
Incorrect — Snapshots are a core cloud-forensics capability.
Incorrect — Identity is central to cloud IR.
09After containment, hunting persistence in a cloud intrusion means checking for…
Correct — Attackers persist in the control plane, not just one host.
Incorrect — Not persistence indicators.
Incorrect — A weak signal, not the hunt.
Incorrect — A competent attacker plants more footholds.
10Pre-built IR automation (capture-and-isolate) matters in cloud because…
Incorrect — Its value is speed and consistency, not optics.
Correct — Manual response is often too slow before resources disappear.
Incorrect — It uses the audit log.
Incorrect — Not the purpose.
11Detection engineering and DFIR connect because…
Correct — A closed loop: each incident improves future detection.
Incorrect — They are tightly coupled.
Incorrect — They complement each other.
Incorrect — You need both.
12Immutable, centralized log storage supports DFIR by…
Incorrect — The opposite — immutability preserves integrity.
Correct — Evidence integrity is an architecture decision.
Incorrect — Not the purpose.
Incorrect — It supports investigation.
12 questions · explanations appear as you answer
Deception & alert quality
12 questions
01A honeytoken (canary) is…
Correct — A high-confidence tripwire with near-zero false positives.
Incorrect — It is a decoy, not a working credential.
Incorrect — Not a network control.
Incorrect — Unrelated.
02The signal quality of a honeytoken is high because…
Incorrect — It should almost never fire — that is why a hit matters.
Correct — Extremely low false-positive rate.
Incorrect — It grants nothing.
Incorrect — It is a decoy, not crypto.
03Where honeytokens are effective includes…
Correct — Placed where an attacker rummaging for credentials would find them.
Incorrect — They are placed across the environment.
Incorrect — They are broadly useful, high-signal traps.
Incorrect — They live in the environment, alerting the SIEM on use.
04Alert fatigue is caused by…
Incorrect — It is caused by too many low-value ones.
Correct — The real alert drowns in noise.
Incorrect — Unrelated.
Incorrect — Unrelated.
05Improving alert quality means optimizing for…
Correct — Tune, dedupe, enrich, and prioritize.
Incorrect — Volume is the problem, not the goal.
Incorrect — You still need real alerts.
Incorrect — That is maximal noise.
06Deduplication and grouping of alerts help by…
Incorrect — They surface incidents by reducing repetition.
Correct — Less noise, clearer signal.
Incorrect — Unrelated.
Incorrect — They aggregate, not delete.
07Enriching an alert with context (asset, user, severity) matters because…
Correct — Context turns an alert into an actionable one.
Incorrect — It improves quality, not quantity.
Incorrect — Unrelated.
Incorrect — It speeds triage.
08Detection coverage is best measured against…
Incorrect — Rule count is not coverage.
Correct — A structured map of prevent/detect gaps.
Incorrect — Cost is not coverage.
Incorrect — Dashboards are not coverage.
09MTTD (mean time to detect) is…
Correct — A core measure of detection program effectiveness.
Incorrect — It is a metric, not a format.
Incorrect — Unrelated.
Incorrect — Not a metric of detection.
10A false positive rate that is too high leads to…
Incorrect — It degrades the program via fatigue.
Correct — Precision is essential to a usable detection program.
Incorrect — It slows response by burying signal.
Incorrect — Noise is not coverage.
11Tuning a noisy detection should…
Correct — Precision improvements, not blanket disabling.
Incorrect — That loses coverage.
Incorrect — That is fatigue, not tuning.
Incorrect — Irrelevant.
12A mature detection program measures itself by…
Incorrect — Volume is not effectiveness.
Correct — Outcomes and coverage, not raw activity.
Incorrect — Scale is not maturity.
Incorrect — Tools are not a maturity measure.
12 questions · explanations appear as you answer