🔥 3-day streak
Professional Security Operations Engineer29 / 241
Question 29 of 241
Your SOC has deployed 40 YARA-L detection rules in Google SecOps over the past quarter. Leadership asks you to evaluate which rules are effective versus which are creating noise before the next tuning cycle. You pull metrics showing, per rule: alert volume, analyst dispositions (true positive / false positive / benign), and mean time to triage. Rule 'susp-oauth-grant' generated 900 alerts with a 2% true-positive rate, while rule 'admin-priv-escalation' generated 12 alerts with a 92% true-positive rate. Which approach best evaluates tool/rule effectiveness and identifies where coverage or tuning effort should go?
Reviewed for accuracy · Report an issueNext question