Glossary
A quick reference for the terms used across these guides. Each definition is kept to a sentence or two and matches exactly how the word is used in the labs.
| Term | Meaning |
|---|---|
| SOC | Security Operations Center — the team and tooling responsible for watching an environment and responding to security threats. |
| SOC analyst | The person who investigates alerts, decides whether each is a real threat, and acts on that decision. The role you're training for. |
| Telemetry / logs | The raw records of activity in an environment — login attempts, connections, and other events. The evidence an analyst works from. |
| Detection (rule) | An automated rule that watches telemetry and raises an alert when it sees a pattern worth a human's attention. |
| Threshold | The count a detection rule requires before it fires. The brute-force rule, for example, fires above 20 matching events. |
| Window | The span of time a detection rule looks across when counting events — e.g. a 5-minute window for the brute-force rule. |
| Incident | An alert raised when a detection fires — your case file, opened automatically for you to investigate. |
| Triage | The act of examining an incident to decide what it is and what it needs — the first thing you do when one opens. |
| Disposition | Your verdict on an incident: exactly one of true positive, false positive, benign, or duplicate, with a written rationale. |
| True positive | A disposition meaning the evidence confirms a real threat. |
| False positive | A disposition meaning the detection fired but the activity is harmless — the rule was wrong. |
| Benign | A disposition meaning the activity is real but expected and legitimate, such as routine admin work. |
| Duplicate | A disposition meaning the incident is the same issue as another incident already open. |
| MITRE ATT&CK | An industry-wide catalogue of how attackers operate, used to tag incidents with the technique they appear to involve. |
| Technique (T-number) | A specific entry in MITRE ATT&CK, identified by a code like T1110, describing one category of attacker behaviour. |
| Brute force | An attack that tries to guess a password by hammering an account with attempt after attempt. Mapped to technique T1110 · Brute Force. |
| Source IP | The network address that activity came from — what tells you whether events share one origin (e.g. 203.0.113.66) or many. |
| Sandbox | Your own private, isolated environment where lab telemetry is generated and you work the incident, separate from every other student. |
| Cohort | A group of students provisioned together by an instructor to work the same lab scenario. |
| AI analyst | The platform's automated analyst, which records its own verdict on an incident beside yours — a second opinion to compare against, not a crutch. |
| Ground truth | The scenario's pre-defined correct answer, used to grade whether your disposition matches. |
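To see how threshold, window, and source IP combine into an incident, here is an added example that is not part of the platform's own detection code. It runs the glossary's brute-force rule (more than 20 failed logins from one source inside a 5-minute window) over a small set of constructed login events; the event layout, field names, and the `run_detection` helper are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables matching the glossary's brute-force rule: the detection fires
# when more than THRESHOLD failures from one source fall inside WINDOW.
THRESHOLD = 20
WINDOW = timedelta(minutes=5)
TECHNIQUE = "T1110"  # MITRE ATT&CK technique the rule is tagged with

BASE = datetime(2024, 1, 1, 9, 0, 0)


def make_events():
    """Constructed sample telemetry (not real logs).

    Each record is (timestamp, source_ip, user, outcome), sorted by time.
    """
    events = []
    # Origin A: 25 failures in under 3 minutes -> crosses the threshold inside the window.
    for i in range(25):
        events.append((BASE + timedelta(seconds=7 * i), "203.0.113.66", "jsmith", "failure"))
    # Origin B: 25 failures spread over 30 minutes -> never 21 inside any 5-minute window.
    for i in range(25):
        events.append((BASE + timedelta(seconds=75 * i), "198.51.100.7", "jsmith", "failure"))
    # Origin C: three mistyped passwords, then a success -> ordinary user behaviour.
    for i in range(3):
        events.append((BASE + timedelta(seconds=20 * i), "192.0.2.10", "alee", "failure"))
    events.append((BASE + timedelta(seconds=70), "192.0.2.10", "alee", "success"))
    return sorted(events)


def run_detection(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed logins per source IP.

    Opens one incident per source IP the first time its count inside the
    window exceeds the threshold, so a sustained attack yields one case file
    rather than a new one on every subsequent failure.
    """
    recent = defaultdict(deque)  # source_ip -> failure timestamps still inside the window
    fired = set()
    incidents = []
    for ts, src, user, outcome in events:
        if outcome != "failure":
            continue  # the rule counts failures only
        q = recent[src]
        q.append(ts)
        # Age out events that fell outside the window ending at this event.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and src not in fired:
            fired.add(src)
            incidents.append({
                "source_ip": src,
                "count": len(q),          # events inside the window when it fired
                "first_seen": q[0],       # start of the window that tripped the rule
                "last_seen": ts,          # the event that pushed the count over
                "technique": TECHNIQUE,
                "users": sorted({u for _, s, u, o in events if s == src and o == "failure"}),
            })
    return incidents


if __name__ == "__main__":
    for inc in run_detection(make_events()):
        span = (inc["last_seen"] - inc["first_seen"]).total_seconds()
        print(f"incident: {inc['source_ip']} {inc['count']} failures in {span:.0f}s "
              f"against {inc['users']} -> {inc['technique']}")
```

Only origin A opens an incident: origin B sends just as many failures in total, but never more than 20 inside any single window, and origin C stays well under the threshold. That is the point of the window: the rule measures rate, not lifetime volume, which is why triage starts by checking whether the counted events really share one origin.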
The fastest way to make these terms stick is to use them. Pick an incident and narrate it out loud: "the detection crossed its threshold inside the window, so an incident opened, and I triaged it to a disposition."
Ready to put the vocabulary to work? Read Investigating incidents for the method, then follow the brute-force walkthrough to see every one of these terms in action.