Dispositions & grading
Every lab ends the same way: you call the incident, and you justify your call. That verdict is your disposition, and it's graded out of 100. Here's exactly what the four choices mean and how the score breaks down.
The four dispositions
A disposition is your verdict on an incident. You pick exactly one of four, then write a rationale. Each has a clear, concrete meaning:
True positive — a real threat
The detection fired and the evidence confirms a genuine threat. The brute-force lab is the classic example: 25 failed root logins from a single source IP inside five minutes is an attack, full stop. When the activity is hostile and the alert is right, it's a true positive.
False positive — the rule was wrong
The detection fired, but the activity is harmless. The rule was too eager or matched on something that only resembles an attack — say, a monitoring probe that retries a connection and trips a "repeated failed attempt" rule without any malicious intent. The behaviour isn't a threat; the detection made the mistake.
Benign — expected, legitimate activity
The activity is real and entirely allowed: an administrator running a maintenance script, a nightly backup, or a scheduled task that happens to trip a rule. Nothing is wrong — this is normal operations that the detection simply noticed.
Duplicate — already being handled
The incident describes the same issue as another incident that's already open. There's no new threat to work; it's the same event surfacing twice. You mark it a duplicate so the team isn't investigating the same thing in two places.
False positive and benign both mean "no threat", but they're not the same: a false positive is the rule being wrong, while benign is real activity that's expected. Naming the right one shows you understood the evidence.
How grading works
The moment you submit, you're graded automatically out of 100, in two parts:
| Component | Points | How you earn it |
|---|---|---|
| Disposition match | 70 | Your verdict matches the scenario's ground truth. |
| Rationale specificity | 30 | Your written rationale is specific and cites real evidence. |
| Total | 100 | |
The split is deliberate. Getting the disposition right is most of the grade — but in a real SOC, an unjustified verdict is worthless. The 30 points for your rationale exist because the reasoning is the skill being trained. A correct call with a one-word rationale leaves a lot of points on the table.
What makes a strong rationale
A strong rationale reads like a handoff to a teammate: someone could pick up your incident and understand your call without re-investigating. Cite the concrete evidence — the four questions are your checklist:
- The source IP — where it came from.
- The counts — how much, relative to the threshold.
- The timing — how fast, inside the window.
- The technique — the ATT&CK id that frames it.
Here's a rationale that earns the full 30:
25 failed root logins from a single source IP (203.0.113.66) inside a five-minute window — well over the brute-force threshold of 20, and far faster than any human could type. This is a credential brute-force attempt (T1110), not benign noise.

Compare a weak one: "attack". It might be the right verdict, but it cites nothing — no source, no count, no timing, no technique. It scores low on the rationale part because it shows no evidence of an investigation. The fix is never longer prose; it's specific prose.
A correct disposition with a one-word rationale still loses most of the 30 rationale points. Always back your verdict with the evidence you gathered — it's half the lesson.
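As an added example that is not part of the course material or the platform's own grader: a small Python scorer that applies the 70/30 split above and checks a rationale for the four checklist items. The equal 7.5-point share per item and the regex checks are assumptions of this example, not the platform's real scoring.

```python
import re

# Rubric from the page: 70 points for matching the scenario's ground truth,
# 30 for a rationale that cites specific evidence.
DISPOSITIONS = {"true_positive", "false_positive", "benign", "duplicate"}
DISPOSITION_POINTS = 70
RATIONALE_POINTS = 30

# The four checklist items. Splitting the 30 points equally across them
# (7.5 each) is an assumption of this example; the page gives only the totals.
EVIDENCE_PATTERNS = {
    # an IPv4 address, e.g. 203.0.113.66
    "source_ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # a number followed, later in the text, by a comparison to the threshold
    "counts": re.compile(r"\b\d+\b.*?\b(?:threshold|over|exceed\w*|more than|limit)\b", re.I),
    # a duration such as "five-minute", "5 minutes" or "two hours"
    "timing": re.compile(r"\b(?:\d+|one|two|five|ten|fifteen|thirty)[- ]?(?:second|minute|hour)s?\b", re.I),
    # an ATT&CK technique id such as T1110 or T1110.001
    "technique": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
}


def evidence_cited(rationale: str) -> dict:
    """Return which of the four checklist items the rationale mentions."""
    return {name: bool(p.search(rationale)) for name, p in EVIDENCE_PATTERNS.items()}


def grade(disposition: str, rationale: str, ground_truth: str) -> dict:
    """Score one submission out of 100 using the 70/30 split from the page."""
    if disposition not in DISPOSITIONS or ground_truth not in DISPOSITIONS:
        raise ValueError("disposition must be one of %s" % sorted(DISPOSITIONS))
    disposition_score = DISPOSITION_POINTS if disposition == ground_truth else 0
    cited = evidence_cited(rationale)
    rationale_score = RATIONALE_POINTS * sum(cited.values()) / len(cited)
    return {
        "disposition": disposition_score,
        "rationale": rationale_score,
        "total": disposition_score + rationale_score,
        "cited": cited,
    }


# The two rationales quoted on this page for the brute-force lab.
STRONG_RATIONALE = (
    "25 failed root logins from a single source IP (203.0.113.66) inside a "
    "five-minute window, well over the brute-force threshold of 20, and far "
    "faster than any human could type. This is a credential brute-force "
    "attempt (T1110), not benign noise."
)
WEAK_RATIONALE = "attack"
```

With the correct verdict, the strong rationale scores 100 and "attack" scores 70; a wrong verdict with the strong rationale still keeps the 30 rationale points.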
The AI analyst's verdict, beside yours
After you submit, you'll see the platform's AI analyst's verdict on the same incident, shown right next to yours. It investigated independently — treat it as a second opinion to compare against, never a crutch. When you and the AI agree, that's confirmation your reasoning held up. When you disagree, that's the most useful moment in the whole lab: go back to the evidence and work out who's right and why. Sometimes you'll find a detail you missed; sometimes you'll realise your call was the stronger one. Either way, you learn more from the disagreement than from the score.
That's the verdict and the grade. To sharpen the reasoning that earns both halves of the score, revisit Investigating incidents. If any term here is unfamiliar, the glossary has plain-language definitions.