With SecOps Enterprise Plus but no threat intelligence feeds ingested, which approach should you take to quickly alert on an IOC of an active breach?


Explanation:
Enable the platform's Google-curated detection rule sets with alerting turned on. When no threat intelligence feeds are ingested, these maintained rule sets are the fastest and most reliable surface for IOC matches: they already encode common indicator patterns and the activity that accompanies them, they run against your data as events are ingested, and they raise an alert as soon as a match occurs. The only work on your side is to enable the relevant rule sets and switch their alerting on, which takes minutes. Crafting custom rules, whether single-event or multi-event, takes time to design, test, and tune, and signals can be missed while that tuning is still in progress. A dashboard offers visibility but does not alert anyone on its own, so it is unsuitable for rapid breach response. Curated rule sets with alerting give immediate, actionable alerts that drive quick containment and investigation.

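For contrast with the curated-rule answer, here is what the custom single-event route the explanation rejects actually looks like. This is an added example written for this page, not a Google-curated rule or code from the exam source; the domain, IP and hostname are constructed placeholders (RFC 2606 and TEST-NET-3 values), and the rule only pages anyone once it has been saved, set live and had alerting enabled after testing, which is exactly the design-test-tune delay the explanation describes.

```yara-l
rule active_breach_ioc_match {
  meta:
    author = "added example, not Google-curated content"
    description = "Fire on any DNS query for the breach domain or any connection to the breach IP"
    severity = "HIGH"

  events:
    // Both indicators are constructed placeholders, not real IOCs.
    (
      $e.metadata.event_type = "NETWORK_DNS" and
      $e.network.dns.questions.name = "evil-c2.example"
    ) or (
      $e.metadata.event_type = "NETWORK_CONNECTION" and
      $e.target.ip = "203.0.113.7"
    )
    // Tuning knob: exclude the analysis host that deliberately touches the IOC.
    // This is the kind of exception that only surfaces after the rule is live.
    $e.principal.hostname != "soc-sandbox-01"

  outcome:
    $risk_score = 85

  condition:
    $e
}
```

Because there is no match section, this is a single-event rule and fires on the first matching UDM event rather than waiting for a time window to close. It still has to be validated against historical data and tuned for exclusions before alerting is switched on, whereas a curated rule set ships with that tuning already done.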
