[&] How do behavior-based detection rules identify potential threats?
- By counting failed login attempts
- By detecting deviations from statistical baselines of system performance
- By using historical data to find known issues
- By observing deviations from predefined baselines

[&] What is the primary objective of detection engineering in the context of incident response?
- To ensure alerts are generated for every system event to maximize coverage
- To develop and refine detection rules that accurately identify malicious behavior
- To automatically remediate all detected threats without analyst intervention
- To prioritize log storage efficiency over detection accuracy

[&] Why is it important for incident responders to understand detection engineering?
- It allows them to write code for new software applications
- It ensures they can install the most recent security patches
- It helps them understand alert logic and minimize false positives
- To create high-level executive reports for compliance audits

[&] Which detection rule type uses statistical methods or machine learning to identify threats?
- Signature-based detection
- Threshold-based detection
- Behavior-based detection
- Heuristic or anomaly-based detection

[&] What is a common use case for correlation rules in detection engineering?
- To detect single-stage malware infections
- To identify credential theft through phishing
- To analyze network performance metrics
- To match known threat actor TTPs

[&] How do signature-based detection rules typically function?
- By combining multiple detections over time
- By triggering alerts based on statistical anomalies
- By matching known indicators of compromise against observed data
- By monitoring unusual behavior sequences